Since this is a security issue that has already been merged I feel like we should include globalization in the next plugin release.

John, you really should start planning to migrate away from this plugin as we can't guarantee it will be updated in the future. There is a blog post detailing an alternative that doesn't even require a plugin and aligns with current web standard APIs.

http://cordova.apache.org/news/2017/11/20/migrate-from-cordova-globalization-plugin.html

Simon Mac Donald
http://simonmacdonald.com

On Tue, Mar 27, 2018 at 9:27 AM, julio cesar sanchez <[email protected]> wrote:

> We will probably do a plugins release after Easter with all plugins updated
> since the last release, so we can include this and some other deprecated
> plugins that also got an update.
>
> 2018-03-27 15:24 GMT+02:00 [email protected] <[email protected]>:
>
> > On 2018/03/26 21:23:26, Steven Gill <[email protected]> wrote:
> > > cordova-plugin-globalization was deprecated November 2017. See
> > > https://github.com/apache/cordova-plugin-globalization#deprecation-notice
> > >
> > > We aren't planning on doing any more releases as far as I'm aware. We
> > > recommend pointing your package.json & config.xml to the github repo
> > > instead if you want to continue using it. Another option is to fork the
> > > plugin and publish it under a different name with the fix you need.
> > >
> > > Cheers,
> > > -Steve
> > >
> > > On Mon, Mar 26, 2018 at 11:19 AM, [email protected] <[email protected]> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > Pull request #64
> > > > (https://github.com/apache/cordova-plugin-globalization/pull/64)
> > > > was committed on February 2 to address a ReDoS issue in
> > > > moment.js, which is shipped in cordova-plugin-globalization. As this is a
> > > > security issue, may I ask what the current plans are for releasing a new
> > > > version of the plugin please? We've tested the nightly build and confirmed
> > > > that the issue has been addressed, but would obviously prefer to ship with
> > > > a released version of the plugin as opposed to a nightly build.
> > > >
> > > > Thanks for your help,
> > > > John Gerken
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: [email protected]
> > > > For additional commands, e-mail: [email protected]
> >
> > Hi Steve,
> >
> > Thanks for your reply. That puts us in a very difficult spot because
> > migrating away from this plugin is a non-trivial task and we've got about
> > 600 enterprise customers to consider. As this is a security issue, is
> > there any recourse for me to request that the decision to not release this
> > already committed fix be reconsidered?
> >
> > Thanks for your help,
> > John
