Unfortunately I spotted a catch-22 situation while working on CLI
8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
* insight@0.8 (0.8.4) has the audit issue
* newer insight starting with 0.9 uses inquirer@5 which does not
support Node.js 4.

I can think of the following alternatives:

1. skip the proposed 8.1.0 minor release
2. publish 8.1.0 minor release with known audit issue in the CLI
3. drop use of insight in 8.1.0 minor release
4. ask insight to publish 0.8.5 release that resolves the audit issue
5. publish special fork of insight which resolves the audit issue for
8.1.0 minor release

Disadvantages of each alternative:

1. Users do not get some needed updates before the next major release.
I think the major ones are:
    - use of cordova-android@~7.1.x by default
    - use of cordova-windows@~6.0.x by default

2. Bad practice, with possible responsibility for unknown security
issues. While I would not expect any real security issues in practice,
I would say better safe than sorry.

3. I think this kind of behavior should not be dropped in minor
release, only to come back in next major release.

4. I highly doubt they would be motivated to do such a thing for us.
Support for deprecated Node.js 4 is not desired in other projects
unless absolutely necessary.

5. One more package for us to manage and maintain, on a temporary basis.

To be honest I really wouldn't mind if we would just make the new
release to drop Node.js 4 support and abandon support for the existing
package releases.

On Fri, Sep 14, 2018 at 9:25 AM <raphine...@gmail.com> wrote:
>
> Am Fr., 14. Sep. 2018 um 14:15 Uhr schrieb Chris Brody <
> chris.br...@gmail.com>:
>
> > Thanks Raphael for the reminder about insight, which I overlooked. I
> > personally do not like the idea of an extra reminder message before the
> > next major release. I would like to consider this over the weekend
> >
>
> That could be resolved in a few ways:
>
>    - rolling back to previous version (can't remember if it had audit
>    issues)
>    - Using insight's `config` option [1] with a config provider that uses
>    the same file as before. The commit that changed the config store was [2]
>
> Cheers
>
> [1]: https://github.com/yeoman/insight#config
> [2]:
> https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c
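An added example (not code from this thread, from Cordova or from insight) of checking the kind of conflict discussed above offline: given a dependency tree with `engines` fields and an advisory list, it reports for each candidate `insight` version which packages reject a target Node.js version and which match an advisory, so the "audit issue in 0.8" versus "inquirer@5 needs a newer Node.js in 0.9" trade-off is visible on both axes at once. The package versions, engine ranges and advisory id below are constructed assumptions; the thread names no advisory.

```javascript
// Added example (not from the thread): offline check of the constraint conflict described above.
// Sample packages and advisory are CONSTRUCTED for illustration; the page names no advisory id.
const PACKAGES = {
  'insight@0.8.4': { engines: '>=4', deps: ['inquirer@3.3.0'] },
  'insight@0.9.0': { engines: '>=4', deps: ['inquirer@5.2.0'] },
  'inquirer@3.3.0': { engines: '>=4', deps: [] },
  'inquirer@5.2.0': { engines: '>=6.0.0', deps: [] },
};
const ADVISORIES = [{ id: 'EXAMPLE-ADVISORY-ID', name: 'insight', vulnerable: '<0.9.0' }];
function parseVer(v) {
  const p = v.split('.').map(Number);
  while (p.length < 3) p.push(0); // pad '4' to 4.0.0
  return p;
}
function cmp(a, b) {
  const x = parseVer(a), y = parseVer(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// Minimal semver range check: space-separated comparators are ANDed, '||' ORs them.
function satisfies(version, range) {
  return range.split('||').some(alt => alt.trim().split(/\s+/).every(c => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const d = cmp(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return d >= 0; case '<=': return d <= 0;
      case '>': return d > 0; case '<': return d < 0; default: return d === 0;
    }
  }));
}
// Walk the dependency tree under `root`: report packages whose `engines` reject
// `nodeVersion` and packages matched by an advisory, so each release alternative
// can be judged on both axes at once.
function evaluate(root, nodeVersion) {
  const result = { engineFailures: [], advisories: [] };
  const seen = new Set();
  (function walk(id) {
    if (seen.has(id)) return;
    seen.add(id);
    const [name, version] = id.split('@');
    const pkg = PACKAGES[id];
    if (!satisfies(nodeVersion, pkg.engines)) result.engineFailures.push(id);
    for (const a of ADVISORIES)
      if (a.name === name && satisfies(version, a.vulnerable)) result.advisories.push(`${id}:${a.id}`);
    pkg.deps.forEach(walk);
  })(root);
  return result;
}
console.log(evaluate('insight@0.8.4', '4.9.1'), evaluate('insight@0.9.0', '4.9.1'));
```

Running it against Node.js 4 shows that neither candidate is clean: 0.8.4 trips the advisory and 0.9.0 pulls in a package whose `engines` rejects Node.js 4, while the same check against a newer Node.js passes for 0.9.0.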

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
For additional commands, e-mail: dev-h...@cordova.apache.org