[
https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16538695#comment-16538695
]
ASF GitHub Bot commented on CB-14145:
-------------------------------------
brodybits commented on issue #451: CB-14145: cordova-common update to resolve
npm audit & other updates in patch release
URL: https://github.com/apache/cordova-android/pull/451#issuecomment-403845471
> I don't see why we need separate commits for removing an adding
node_modules contents.
As I explained in
<https://github.com/apache/cordova-windows/pull/281#issuecomment-403521072>: a
combination of updated dependencies and npm from non-deprecated version of
Node.js results in such a massive change to node_modules that it seems cleanest
to remove old node_modules before making the update.
> It seems you listed each transitive dependency in bundledDependencies.
According to this npm test we should not need to do that. Was there something
that made this necessary?
Yes, also explained in
<https://github.com/apache/cordova-windows/pull/281#issuecomment-403521072>:
With node_modules installed by newer version of npm (comes with non-deprecated
version of Node.js), additional libraries need to be listed to work on Node.js
4. We know that Node.js 4 is deprecated but should not be dropped in a patch
release:-(
Thanks for checking, will probably merge this really soon.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Resolve npm audit issues
> ------------------------
>
> Key: CB-14145
> URL: https://issues.apache.org/jira/browse/CB-14145
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-app-hello-world,
> cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-ios,
> cordova-js, cordova-lib, cordova-osx, cordova-plugman, cordova-windows
> Reporter: Chris Brody
> Assignee: Chris Brody
> Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number
> of components would report dependencies with security issues. While we could
> not see any {{npm audit}} issues that may affect applications built using
> Cordova I think it is extremely important to resolve these issues as soon as
> possible. Most affect devDependencies used for testing of Cordova itself; a
> minority seem to affect Cordova scripts that may be run by Cordova
> application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}},
> {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova
> platform implementations, major plugins, etc. (expected to be fixed in minor
> release branch; do not want to pollute the master branch with extra reverts,
> updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release,
> which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@cordova.apache.org
For additional commands, e-mail: issues-h...@cordova.apache.org
