[
https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16520595#comment-16520595
]
ASF GitHub Bot commented on CB-14145:
-------------------------------------
brodybits opened a new pull request #374: [CB-14145 WIP] patch update to
resolve npm audit warnings - WIP PENDING upstream patches
URL: https://github.com/apache/cordova-ios/pull/374
<!--
Please make sure the checklist boxes are all checked before submitting the
PR. The checklist
is intended as a quick reference, for complete details please see our
Contributor Guidelines:
http://cordova.apache.org/contribute/contribute_guidelines.html
Thanks!
-->
### Platforms affected
iOS
### What does this PR do?
_TBD this proposed update is WIP pending patches to multiple dependencies as
proposed by @brodybits._
Proposed changes to `4.5.x` branch for patch update:
- Update version to `4.5.5-dev`
- include recent cordova-js update _- TBD still waiting for final VOTE
result_
- remove devDeps no longer needed
- update dependencies to resolve `npm audit` warnings without causing engine
warning on node 4:
- _`brodybits/cordova-common#plist-2-patch` as proposed in
apache/cordova-common#31_
- _`brodybits/ios-sim#plist-2-patch` as proposed in
ios-control/ios-sim#233_
- `plist@^2.1.0`
__WIP TODO items:__
- [ ] _verify that the recent cordova-js update is approved by the final
VOTE result_
- [ ] _`cordova-common` update with apache/cordova-common#31 fix from npm_
- [ ] _`ios-sim` update with ios-control/ios-sim#233 fix from npm_
### What testing has been done on this change?
- `npm install` on node 4 does not generate any engine warning messages
- `npm run unit-tests` passing (on node 4)
- `npm audit` shows no warnings on `[email protected]`
__TEST TODO items:__
- [ ] _verify that all `npm test` stages pass on Travis CI_
- [ ] _do `cordova platform add brodybits/cordova-ios#cb-14145-patch-update`
on new Cordova project and verify that it runs on iOS_
- [ ] _do `cordova platform add brodybits/cordova-ios#cb-14145-patch-update`
on cordova-sqlite-storage test suite (`cordova-sqlite-spec` project) and verify
that it succeeds on iOS (emulator or device)_
### Checklist
- [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html)
in the JIRA database
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with
resolving file paths", where CB-xxxx is the JIRA ID & "android" is the platform
affected.
- ~~Added automated test coverage as appropriate for this change.~~
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Resolve npm audit issues
> ------------------------
>
> Key: CB-14145
> URL: https://issues.apache.org/jira/browse/CB-14145
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-app-hello-world,
> cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-fetch,
> cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-plugman,
> cordova-windows
> Reporter: Chris Brody
> Assignee: Chris Brody
> Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number
> of components would report dependencies with security issues. While we could
> not see any {{npm audit}} issues that may affect applications built using
> Cordova I think it is extremely important to resolve these issues as soon as
> possible. Most affect devDependencies used for testing of Cordova itself; a
> minority seem to affect Cordova scripts that may be run by Cordova
> application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}},
> {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova
> platform implementations, major plugins, etc. (expected to be fixed in minor
> release branch; do not want to pollute the master branch with extra reverts,
> updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release,
> which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
