breautek commented on issue #349: URL: https://github.com/apache/cordova/issues/349#issuecomment-1300690548
A fresh install shows different results (`npm install -g cordova` may not be a fresh install if you had an older version previously installed):

```
npm install cordova
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142

added 489 packages, and audited 490 packages in 1m

52 packages are looking for funding
  run `npm fund` for details

5 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
```

You can use `npm -g upgrade cordova` to upgrade global packages. The difference between `upgrade` and `install` is that `install` will update the main package, but may not recursively update its dependencies or child dependencies if the version is already satisfactory, whereas `upgrade` will upgrade all of the package's dependencies and child dependencies recursively to the latest version available that satisfies their declared semver version. This will resolve the deprecation warnings you receive for `uuid` and `stringify-package`.

Nonetheless, there are still 2 active deprecations used, which are: `har-validator` and `request`.

```
npm ls har-validator
[email protected] /home/norman/test/cdvtest
└─┬ [email protected]
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
```

As you can see, `har-validator` is used by `request`, so...

```
npm ls request
[email protected] /home/norman/test/cdvtest
└─┬ [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   └─┬ [email protected]
  │     └─┬ @npmcli/[email protected]
  │       └─┬ [email protected]
  │         └── [email protected] deduped
  └─┬ [email protected]
    └── [email protected]
```

There are 2 sub-dependencies that Cordova depends on that are including this dependency: `pacote`, which is part of [NPM's codebase](https://www.npmjs.com/package/pacote), and insight.
Pacote may need to wait for NodeJS's package [node-gyp](https://www.npmjs.com/package/node-gyp) to update first. There isn't anything Cordova can do directly to resolve these deprecation warnings. While these packages are deprecated, they should work as is for the foreseeable future. Therefore I think it's fine to wait for updates of the underlying packages for the time being.

As for the reported vulnerabilities, they are from the `update-notifier` package. There are ways to forcefully force cordova to use a different version, such as version `6.x` of `update-notifier`, which resolves the moderate vulnerabilities; however, 6.x includes breaking changes that a simple test shows cause Cordova not to work properly. You can use `npm audit` to find more information on the vulnerabilities to determine the severity for you.
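As an added example (not code from the thread or from Cordova), a small Node script that walks `npm ls --json` output to list every chain ending in a given package and the packages that directly depend on it, which is the manual tracing done with `npm ls request` in the comment. The sample tree is constructed to mirror that output's shape; `pkg-a`, `pkg-b`, `@npmcli/pkg-c`, the `deduped` flag and all versions are placeholders, not real values.

```javascript
// Added example, not from the issue thread. Walks an `npm ls --json`-style
// tree ({ name, version, dependencies: { name: { version, dependencies } } })
// and reports every chain ending in `target`, plus its direct dependents.
// Real input can be captured with: npm ls --json --all > tree.json

function findDependencyPaths(node, target, path = [node.name], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    // Assumed: deduped entries carry a `deduped: true` flag (placeholder).
    const label = `${name}@${child.version || '?'}${child.deduped ? ' (deduped)' : ''}`;
    const chain = path.concat(label);
    if (name === target) out.push(chain.join(' > '));
    findDependencyPaths({ name, ...child }, target, chain, out);
  }
  return out;
}

// Immediate parents of `target`, sorted and de-duplicated: the packages that
// would have to drop or upgrade the dependency for the warning to go away.
function directDependents(node, target) {
  const parents = new Set();
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    if (child.dependencies && target in child.dependencies) parents.add(name);
    for (const p of directDependents(child, target)) parents.add(p);
  }
  return [...parents].sort();
}

// Constructed sample mirroring the `npm ls request` tree in the comment;
// `pkg-a`, `pkg-b`, `@npmcli/pkg-c` and every version are placeholders.
const dep = (dependencies) => ({ version: '0.0.0', dependencies });
const sampleTree = {
  name: 'cdvtest', version: '0.0.0',
  dependencies: {
    cordova: dep({
      'pkg-a': dep({ 'pkg-b': dep({ pacote: dep({ '@npmcli/pkg-c': dep({
        'node-gyp': dep({ request: { version: '0.0.0', deduped: true } })
      }) }) }) }),
      insight: dep({ request: { version: '0.0.0' } }),
    }),
  },
};

console.log(findDependencyPaths(sampleTree, 'request').join('\n'));
console.log('direct dependents:', directDependents(sampleTree, 'request'));
```

Running it on the sample prints the two chains (via `node-gyp` under `pacote`, and via `insight`) and `['insight', 'node-gyp']` as the direct dependents.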
