[
https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16518900#comment-16518900
]
ASF GitHub Bot commented on CB-14145:
-------------------------------------
brodybits commented on issue #451: CB-14145: update to [email protected] to
resolve npm audit & other issues in patch release
URL: https://github.com/apache/cordova-android/pull/451#issuecomment-398971798
@raphinesse you convinced me about the first 2 commits you added:
- f05e61d - CB-13923 (android) fix -1 length for compressed files
- 5cd19a3 - CB-14127: (android) Move google maven repo ahead of jcenter
I am still not so convinced about the 3 commits:
- 056fe36 - change from #446 (CB-14101 Fix Java version check for Java >= 9)
more drastic than I would like to include in a security audit patch
- 7c278e3 - change from #452 (emit log event) looks straightforward enough,
would have liked a JIRA issue number before sticking it into this patch release.
552e4be - fix unsafe property access (ported from
1a8154c90e5defb6a67b8947e4940666521355bb) is even more ugly since it appears to
be a side effect of a PR to add more unit test coverage (#445).
I think it would be ideal to move the last 3 commits to a followup patch,
not sure if it is worth the effort to split them out or not.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Resolve npm audit issues
> ------------------------
>
> Key: CB-14145
> URL: https://issues.apache.org/jira/browse/CB-14145
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-app-hello-world,
> cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-fetch,
> cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-windows
> Reporter: Chris Brody
> Assignee: Chris Brody
> Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number
> of components would report dependencies with security issues. While we could
> not see any {{npm audit}} issues that may affect applications built using
> Cordova I think it is extremely important to resolve these issues as soon as
> possible. Most affect devDependencies used for testing of Cordova itself; a
> minority seem to affect Cordova scripts that may be run by Cordova
> application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}},
> {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova
> platform implementations, major plugins, etc. (expected to be fixed in minor
> release branch; do not want to pollute the master branch with extra reverts,
> updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release,
> which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
