The vote has now closed. The results are: Positive Binding Votes: 3
- Bryan Ellis - Niklas Merz - Manuel Beck Negative Binding Votes: 0 Other Votes: 0 The vote has passed. On Tue, Nov 4, 2025 at 1:23 AM Manuel Beck <[email protected]> wrote: > I vote +1 > > I did the following: > - Verified pgp signature and sha-hash with `coho verify-archive` > - Verified git tag and commit hash by looking into GitHub > - Checked version in package.json: Ok, no `-dev` suffix > - Ran `npm install` > - Ran `npm audit`: > > * > Dist: No issues (Running on > https://dist.apache.org/repos/dist/dev/cordova/lib-13.0.0/cordova-lib-13.0.0.tgz > ) > * > GitHub: 1 moderate severity vulnerability: "node-tar has a race condition > leading to uninitialized memory exposure“ like already mentioned (Running > on > https://github.com/apache/cordova-lib/commit/6c2cdd9347b3ca3cd5dea8b1bc64e27c7e102d9b > ) > > - Ran `npm test` on checked out code from GitHub: No issues > - Checked GitHub actions are green for commit > > Von: Niklas Merz <[email protected]> > Datum: Mittwoch, 29. Oktober 2025 um 16:03 > An: [email protected] <[email protected]> > Betreff: Re: [VOTE] cordova-lib 13.0.0 Release > > I vote +1 > > * signature ok > * hash ok > * no audit issues > * tests pass locally > * tag ok > * licenses ok > * headers ok > * checked a few cli commands with lib installed > > > On October 29, 2025, Erisu <[email protected]> wrote: > > Please review and vote on this cordova-lib release v13.0.0 > > by replying to this email (and keep discussion on the DISCUSS thread) > > > > The archive has been published to dist/dev: > > > > https://dist.apache.org/repos/dist/dev/cordova/lib-13.0.0 > > > > The package was published from its corresponding git tag: > > > > cordova-lib: 13.0.0 (6c2cdd9347) > > > > Upon a successful vote I will upload the archive to dist/, publish it > > to > > npm, and post the blog post. > > > > Voting guidelines: > > https://github.com/apache/cordova-coho/blob/master/docs/release- > > voting.md > > > > Voting will go on for a minimum of 48 hours. > > > > ===== > > > > I vote +1: > > > > * Ran coho audit-license-headers over the relevant repos > > * Ran coho check-license to ensure all dependencies and sub- > > dependencies > > have Apache-compatible licenses > > * Ensured the continuous build was green when repo was tagged > > * Ran `npm test` > > * Ran various `cordova` test w/ sample app: > > * `cordova` > > * `cordova -v` > > * `cordova create` > > * `cordova info` > > * `cordova requirements` > > * `cordova help` > > * `cordova config` > > * `cordova platform` > > * `cordova platform add` > > * `cordova platform rm` > > * `cordova plugin --help` > > * `cordova plugin add` > > * `cordova plugin rm` > > * `cordova build` > > * `cordova prepare` > > * `cordova compile` > > * `cordova run` > > * `cordova serve` (confirmed as removed) > > * Tested rebuilding a project from a clean state. > > * Ran `npm audit` > > * found 0 vulnerabilities > > > > Note: There are a couple of deprecation warnings for two packages when > > running npm install, but they should not be an issue. One of them is a > > development dependency and won’t appear when installing the Cordova > > CLI. > > These warnings are not blockers for this release. >
