
A warning from Apple [resolved, not about React Native] #12778

Closed

Description

@XHTeng

I received a warning from Apple this morning. How do I solve it?

Dear Developer,

Your app, extension, and/or linked framework appears to contain code designed explicitly with the capability to change your app’s behavior or functionality after App Review approval, which is not in compliance with section 3.3.2 of the Apple Developer Program License Agreement and App Store Review Guideline 2.5.2. This code, combined with a remote resource, can facilitate significant changes to your app’s behavior compared to when it was initially reviewed for the App Store. While you may not be using this functionality currently, it has the potential to load private frameworks, private methods, and enable future feature changes.

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts in order to change app behavior or call SPI, based on the contents of the downloaded script. Even if the remote resource is not intentionally malicious, it could easily be hijacked via a Man In The Middle (MiTM) attack, which can pose a serious security vulnerability to users of your app.

Please perform an in-depth review of your app and remove any code, frameworks, or SDKs that fall in line with the functionality described above before submitting the next update for your app for review.

Best regards,


csbzhixing commented on Mar 8, 2017

Did anyone receive the warning e-mail?

tdzl2003 (Contributor) commented on Mar 8, 2017

This includes any code which passes arbitrary parameters to dynamic methods such as dlopen(), dlsym(), respondsToSelector:, performSelector:, method_exchangeImplementations(), and running remote scripts

Did you import any framework for crash collection?

linkdrone changed the title from "iOS review warning" to "A warning from Apple" on Mar 8, 2017

tdzl2003 (Contributor) commented on Mar 8, 2017

I searched all of the React Native code; the only risk that contains "arbitrary parameters to dynamic methods" is:

RCTUtils.m Line 337 & 354

ide (Contributor) commented on Mar 8, 2017

From the data points I've heard: the developers who received this email were using a patching framework called Rollout.io (discussion here: https://forums.developer.apple.com/thread/73640). So please double-check to see whether your app is using a framework like that. Reading the message carefully, it's not describing React Native nor what React Native does.

Second, make sure that you aren't using custom, third-party React Native modules that call methods like dlopen() and other method calls like the ones listed in the message.

Last, please use the Subscribe button on GitHub if you wish to follow the conversation but don't have something meaningful to contribute. I'd prefer to leave it open but if the discussion isn't productive we'll have to close this issue and perhaps lock it.

Edit: there is also some discussion that the JSPatch library may be triggering this warning. I don't know if that is actually true or not, but please check all of the libraries that you are using in your apps.
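A quick way to do the audit described above (checking your own native code, your Pods and the native side of third-party React Native modules for the APIs named in Apple's notice). This is an added example, not code from the thread or from React Native. The API list and the directory names are assumptions; NSSelectorFromString/NSClassFromString and the extra runtime helpers are added because they are how a downloaded string becomes a selector or class. Note that respondsToSelector: and performSelector: appear in ordinary, compliant iOS code, so every hit still needs a human look at whether the selector or symbol comes from a fixed literal in the binary (normal swizzling, as in RCTSwapInstanceMethods) or from data the app downloaded (the pattern the notice targets).

```shell
#!/bin/sh
# Constructed example: audit an iOS project tree for the dynamic-dispatch
# APIs quoted in Apple's notice. Not part of the react-native repository.

# Names quoted in the notice (dlopen, dlsym, respondsToSelector:, performSelector:,
# method_exchangeImplementations) plus assumed additions: the runtime helpers
# that turn downloaded strings into selectors/classes and the other swizzling
# primitives. No parens in the pattern so the same regex works on stripped
# binaries, where only the bare symbol name survives.
DYNAMIC_API_RE='dlopen|dlsym|respondsToSelector|performSelector|method_exchangeImplementations|method_setImplementation|class_replaceMethod|NSSelectorFromString|NSClassFromString'

# scan_dynamic_apis DIR...
#   Prints file:line:text for every hit in source files, and the path of every
#   prebuilt binary (static lib, dylib, framework payload) whose bytes contain
#   one of the names. Returns 1 if anything was found, 0 if the tree is clean,
#   so it can gate a CI job.
scan_dynamic_apis() {
    found=0
    for root in "$@"; do
        # Source: Objective-C, C, C++ and Swift only; skip build products.
        # -I skips binary files here; they are handled separately below.
        if grep -rnEI \
              --include='*.m' --include='*.mm' --include='*.h' \
              --include='*.c' --include='*.cc' --include='*.cpp' --include='*.swift' \
              --exclude-dir=build --exclude-dir=DerivedData \
              "$DYNAMIC_API_RE" "$root"; then
            found=1
        fi
        # Prebuilt SDKs ship no source, so look for the symbol names in the
        # binaries themselves (grep -a treats them as text, -l lists matches).
        bins=$(find "$root" -type f \
                  \( -name '*.a' -o -name '*.dylib' -o -path '*.framework/*' \) \
                  ! -name '*.h' \
                  -exec grep -alE "$DYNAMIC_API_RE" {} + 2>/dev/null || true)
        if [ -n "$bins" ]; then
            printf '%s\n' "$bins" | sed 's/$/: binary references a dynamic-dispatch API/'
            found=1
        fi
    done
    return $found
}

# Run directly from the app repo, e.g.:  sh scan_dynamic_apis.sh ios Pods node_modules
if [ "$#" -gt 0 ]; then
    scan_dynamic_apis "$@"
fi
```

Run it over ios/, Pods/ and node_modules/ together: a patching SDK usually lives in Pods or in a vendored .framework, while a React Native native module lives under node_modules/<module>/ios. Hits inside React Native itself (RCTUtils.m) are the fixed-selector swizzling discussed in this thread; hits where the selector or dlsym name is built from a network response are what to remove before resubmitting.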

tdzl2003 (Contributor) commented on Mar 8, 2017

I searched all of the React Native code; the only risk that may contain "arbitrary parameters to dynamic methods" is:

RCTUtils.m Line 337 & 354

@ide Any idea about this? Could we remove or change this code?

ide (Contributor) commented on Mar 8, 2017

@tdzl2003 Thanks for providing the file and line numbers -- those functions (RCTSwapClassMethods and RCTSwapInstanceMethods) are used only internally within React Native and are not exposed to JavaScript, for example. The way React Native uses them for swizzling is the same as any other "regular" iOS app would. It's very normal, accepted, and not something to be concerned about.

grabbou (Contributor) commented on Mar 8, 2017

Section 3.3.2 of the Apple Developer Program License Agreement:

An Application may not download or install executable code. Interpreted code may only be used in an Application if all scripts, code and interpreters are packaged in the Application and not downloaded. The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore, provided that such scripts and code do not change the primary purpose of the Application by providing features or functionality that are inconsistent with the intended and advertised purpose of the Application as submitted to the App Store.

explicitly mentions that:

An Application may not download or install executable code

React Native does none of these. And so, using React Native doesn't expose you to the aforementioned issue.

As @ide mentioned, there are reports this message is addressed to those using Rollout.io. My assumption is that it uses aforementioned methods to patch executable code.

With React Native, you can do a so-called OTA update, but this updates JavaScript, not native code. Whenever native code changes, you have to make a new release. That OTA update of JavaScript code is explicitly allowed in 3.3.2:

The only exception to the foregoing is scripts and code downloaded and run by Apple's built-in WebKit framework or JavascriptCore

I believe everyone should follow up on this issue with Apple and sort out what's exactly causing the warning.

tdzl2003 (Contributor) commented on Mar 8, 2017

@ide I know they are safe, but maybe Apple's automatic check system still considers an application that uses both script downloading AND arbitrary parameters to dynamic methods a risk?

brunolemos (Contributor) commented on Mar 8, 2017

TL/DR:

🚫 Problem: Apps with the libraries Rollout.io, JSPatch and similar are being rejected because they can dynamically change Swift / Objective-C code without passing through the Apple Review process.

⚠️ Libraries like Code Push only update JavaScript code and were not affected, at least not yet.

✅ React Native has nothing to do with this problem, don't worry about it.

Apple Developer Program License Agreement

These are the updated terms, from March 1st, 2017. No changes related to JavaScript code updates 👍

chevins commented on Mar 8, 2017

Good news! My app just passed the review 5 minutes ago, and it contains code-push. BTW, I don't use JSPatch or Bugtags.

axemclion (Contributor) commented on Mar 8, 2017

Is anyone here using CodePush and having issues with review? I am the CodePush PM, so I would like to know more if you have run into issues.
