[ https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16537080#comment-16537080 ]

ASF GitHub Bot commented on CB-14145:
-------------------------------------

brodybits commented on issue #281: CB-14145 resolve npm audit issues in patch fix
URL: https://github.com/apache/cordova-windows/pull/281#issuecomment-403521072
 
 
   > > pin other dependencies in package.json in this patch fix
   > 
   > Why?
   
   Keep npm install behavior as predictable as possible.
   
   > > update bundledDependencies to support deprecated Node.js 4 in this patch fix
   > 
   > Why are so many additional libraries now listed there?
   
   With node_modules installed by a newer version of npm (which comes with a non-deprecated version of Node.js), additional libraries need to be listed to work on Node.js 4. We know that Node.js 4 is deprecated, but it should not be dropped in a patch release :-(
   
   > > Commit: .gitignore ignore package-lock.json in 6.0.x
   > 
   > Was it decided somewhere how Cordova should handle package-lock.json?
   
   I think this was discussed in a document on the dev list for the next major release (not sure). But I think we do not want to introduce this file in a patch release, which is why I added it to .gitignore.
   
   > > Commit: CB-14145 remove node_modules before patch fix
   > 
   > Why?
   
   A combination of updated dependencies and npm from a non-deprecated version of Node.js results in such a massive change to node_modules that it seems cleanest to remove the old node_modules before making the update.
   
   > > Several commits: "... in 6.0.x"
   > 
   > What does this mean? Won't these commits get merged to master as well?
   
   The changes proposed here are tailored specifically to the patch release in the 6.0.x branch. A number of changes are needed in node_modules since we should not drop Node.js 4 in a patch release. But I think we do not want all of these changes in the master branch.
   
   I think we want to take a cleaner approach in the master branch: drop Node.js 4 support, remove committed node_modules, and target the next major release.
   
   I would be happy to add a note to some of the commits with the reason why we do not want them in the master branch.
   
   > Is it correct that RELEASENOTES don't have a 6.0.1 entry here?
   
   Yes, I did not do that part yet. (I think it should be in another JIRA task according to <https://github.com/apache/cordova-coho/blob/master/docs/platforms-release-process.md>.)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.


> Resolve npm audit issues
> ------------------------
>
>                 Key: CB-14145
>                 URL: https://issues.apache.org/jira/browse/CB-14145
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android, cordova-app-hello-world, 
> cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-ios, 
> cordova-js, cordova-lib, cordova-osx, cordova-plugman, cordova-windows
>            Reporter: Chris Brody
>            Assignee: Chris Brody
>            Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number 
> of components would report dependencies with security issues. While we could 
> not see any {{npm audit}} issues that may affect applications built using 
> Cordova I think it is extremely important to resolve these issues as soon as 
> possible. Most affect devDependencies used for testing of Cordova itself; a 
> minority seem to affect Cordova scripts that may be run by Cordova 
> application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}}, 
> {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova 
> platform implementations, major plugins, etc. (expected to be fixed in minor 
> release branch; do not want to pollute the master branch with extra reverts, 
> updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, 
> which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release
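The comment above argues for pinning every dependency in package.json so that npm install stays predictable, and the issue description asks for an npm audit step in CI. The script below is an added example, not code from cordova-windows, the PR, or Apache Cordova; it is the kind of pre-install gate a release branch could run alongside npm audit. It flags dependency specs that are not exact versions (caret and tilde ranges, wildcards, dist-tags such as "latest", and git or URL specs that the registry cannot audit) and bundledDependencies entries that are not declared in any dependency field. The package.json object, the package names and the versions in it are constructed for illustration; the function names are this example's own.

```javascript
// Added example, not code from cordova-windows or the PR under discussion.
// Checks (1) that every dependency spec is pinned to an exact version and
// (2) that every bundledDependencies entry is actually declared somewhere.
// The sample manifest at the bottom is constructed, not a real package.json.
'use strict';

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Specs that point outside the registry (git, http(s), file, github shorthand).
const URL_SPEC = /^(?:git(?:\+\w+)?:|https?:|file:|github:)/i;
// A dist-tag such as "latest" or "next"; a bare "x" is a wildcard range instead.
const DIST_TAG = /^(?!x$)[a-z][a-z0-9-]*$/i;

// Classify one version spec as "exact", "url", "tag" or "range".
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT_VERSION.test(s)) return 'exact';
  if (URL_SPEC.test(s)) return 'url';
  if (DIST_TAG.test(s)) return 'tag';
  return 'range'; // ^, ~, >=, 1.x, *, "||" unions, hyphen ranges, empty string
}

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Return a list of findings for a parsed package.json; empty means it passes.
function auditPinning(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ field, name, spec, kind });
    }
  }
  // npm honours both spellings of the bundled list.
  const bundled = pkg.bundledDependencies || pkg.bundleDependencies || [];
  const declared = new Set(DEP_FIELDS.flatMap((f) => Object.keys(pkg[f] || {})));
  for (const name of bundled) {
    if (!declared.has(name)) {
      findings.push({ field: 'bundledDependencies', name, spec: null, kind: 'undeclared' });
    }
  }
  return findings;
}

// Render findings one per line, suitable for a CI log.
function formatFindings(findings) {
  return findings.map((f) =>
    f.kind === 'undeclared'
      ? `${f.field}: "${f.name}" is bundled but not declared in any dependency field`
      : `${f.field}: "${f.name}" spec ${JSON.stringify(f.spec)} is not pinned (${f.kind})`
  );
}

// Constructed sample manifest; names and versions are illustrative only.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-platform',
  version: '6.0.1',
  dependencies: {
    'lib-pinned': '2.2.5',                          // exact: passes
    'lib-caret': '^4.0.1',                          // floats across minor releases
    'lib-tilde': '~0.7.8',                          // floats across patch releases
    'lib-tag': 'latest',                            // resolves to whatever is tagged today
    'lib-git': 'git+https://example.invalid/r.git', // not auditable via the registry
  },
  devDependencies: { 'test-runner': '2.x', 'linter': '4.19.1' },
  bundledDependencies: ['lib-pinned', 'lib-caret', 'missing-lib'],
};

// Print the findings and return true when the manifest is clean; a CI
// wrapper would exit non-zero when this returns false.
function main(pkg) {
  const lines = formatFindings(auditPinning(pkg));
  lines.forEach((line) => console.log(line));
  return lines.length === 0;
}

main(SAMPLE_PACKAGE_JSON);
```

On the constructed manifest this reports six findings: four in dependencies, one in devDependencies, and the undeclared bundled entry. Reading the real file is a matter of replacing SAMPLE_PACKAGE_JSON with JSON.parse of package.json; exact pins found this way still need npm audit on top, since a pinned version can itself be the vulnerable one.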



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
