ASF subversion and git services commented on CB-14145:

Commit 64abf16a7bd7aa73e585eb64b19a6696b0f3753f in cordova-windows's branch 
refs/heads/6.0.x from Christopher J. Brody
[ https://gitbox.apache.org/repos/asf?p=cordova-windows.git;h=64abf16 ]

Merge pull request #281 from brodybits/cb-14145-patch

CB-14145 resolve npm audit issues in 6.0.x patch fix

> Resolve npm audit issues
> ------------------------
>                 Key: CB-14145
>                 URL: https://issues.apache.org/jira/browse/CB-14145
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android, cordova-app-hello-world, 
> cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-ios, 
> cordova-js, cordova-lib, cordova-osx, cordova-plugman, cordova-windows
>            Reporter: Chris Brody
>            Assignee: Chris Brody
>            Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number 
> of components would report dependencies with security issues. While we could 
> not see any {{npm audit}} issues that may affect applications built using 
> Cordova, I think it is extremely important to resolve these issues as soon as 
> possible. Most affect devDependencies used for testing of Cordova itself; a 
> minority seem to affect Cordova scripts that may be run by Cordova 
> application developers. Better safe than sorry!
>
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}}, 
> {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova 
> platform implementations, major plugins, etc. (expected to be fixed in minor 
> release branch; do not want to pollute the master branch with extra reverts, 
> updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, 
> which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release
