So I don't want to create any panic. I am not a cybersecurity expert.
Recap: The latest versions of RStudio desktop do not seem to be installing correctly, as myself and a few others have noticed - link to the earliest post. In my case, I immediately noticed the cause was related to anti-virus.
Line 4332 "webpack": "^5.1.0"
Line 4493 "webpack": "^5.0.0"
Line 8363 "webpack": "^5.20.0"
Line 11110 "webpack": "^5.0.0"
Line 14066 "webpack": "^5.0.0"
Line 14554 "webpack": "^5.0.0"
Line 15021 "webpack": "^4.1.0 || ^5.0.0-0"
If I understand correctly how this all works, that’s the one most worrying. The 5 major should pull the 5.76.0 or later, but I'm not entirely sure. The 4 major won't go on to 5 major. But I don't know how major 4 vs major 5 is selected. I didn't see this as a current open issue on the GitHub repo but got a vague impression that it might be a Fedora-specific config. I checked the local install /Applications/RStudio.app/Contents/Resources/app-arm64/package-json and didn't see anything there. In the /Applications/RStudio.app/Contents/Resources/app-arm64/.webpack/main because it's minified.
I'm not the guy to file the issue on GitHub, which is probably the best way to find out. Come back on whether you will be filing?
Yep, I already have an open GitHub issue on RStudio. I'm just not a cybersecurity expert, so I figured it's better to ask questions than assume.
Right now the latest version of RStudio won't install. In order to get the latest version of RStudio installed, I need to show evidence to my cybersecurity that the antivirus is flagging either a false positive or, if there is a legitimate concern, that the developer has put out a patch for the issue. So, in a way, I kind of have to bring up a GitHub issue.
Well, you know more about it than me for sure. As we are both not sure, I just will bring up Line 15021 as a possible typo, and Lines 15079 - 15081 to them. Thanks for the help figuring out how to bring it up.
The package-lock.json file specifies the exact version to use. It is a generated file from npm, the package manager. The line with 5.72.1 is what would be installed at build time. The other entries are what other dependencies specify as the versions that could be used. One of the other dependencies must have been holding back webpack to an older version. webpack is a dev dependency and is not shipped with RStudio. The CVE describes the attack vector as coming from the use of webpack magic comments, a feature that is not used to build RStudio.
As mentioned in the GitHub issue, RStudio failed to open because anti-virus software quarantined some files. It is not surprising that it crashed without those files. It's akin to removing a DLL and expecting a program to launch without any problems.
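
The distinction drawn in the last reply (the one resolved version versus the ranges that dependents merely allow) can be checked mechanically. The following is an added example, not part of the thread and not RStudio's code: it walks a constructed lockfile in npm's `lockfileVersion` 2/3 layout and reports the resolved webpack entry, whether it is dev-only, and whether it is below the 5.76.0 version mentioned in the thread. The sample data and the function names `auditPackage` and `compareVersions` are assumptions made for illustration.

```javascript
// Constructed sample in lockfileVersion 2/3 layout; not RStudio's real lockfile.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", devDependencies: { webpack: "^5.0.0" } },
    "node_modules/webpack": { version: "5.72.1", dev: true },
    "node_modules/some-plugin": {
      version: "1.0.0", dev: true,
      peerDependencies: { webpack: "^4.1.0 || ^5.0.0-0" },
    },
  },
};

// Compare plain x.y.z versions numerically (prerelease tags are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Separate what npm actually resolved from what dependents merely allow.
function auditPackage(lock, name, fixedVersion) {
  const resolved = [];
  const declaredRanges = [];
  const suffix = "node_modules/" + name;
  const fields = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith("/" + suffix)) {
      resolved.push({
        path,
        version: entry.version,
        devOnly: entry.dev === true, // npm marks dev-only packages with "dev": true
        belowFix: compareVersions(entry.version, fixedVersion) < 0,
      });
    }
    for (const field of fields) {
      const range = entry[field] && entry[field][name];
      if (range) declaredRanges.push({ from: path || "(root)", field, range });
    }
  }
  return { resolved, declaredRanges };
}

const report = auditPackage(sampleLock, "webpack", "5.76.0");
console.log(JSON.stringify(report, null, 2));
```

Only the `resolved` entries describe what gets installed at build time; the `declaredRanges` entries correspond to the `"webpack": "^5.x"` lines that a text search of the lockfile turns up.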