[
https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris Brody updated CB-14145:
-----------------------------
Description:
>From private discussions I discovered that running {{npm audit}} on a number
>of components would report dependencies with security issues. While we could
>not see any {{npm audit}} issues that may affect applications built using
>Cordova I think it is extremely important to resolve these issues as soon as
>possible. Most affect devDependencies used for testing of Cordova itself; a
>minority seem to affect Cordova scripts that may be run by Cordova application
>developers. Better safe than sorry!
I would like to resolve this issue as follows:
* patch release of common library components such as {{cordova-common}},
-{{cordova-lib}}, etc.- (fixed in minor release branch) _- solution for other
components to be tracked on GitHub, moved out of the scope of this issue_
* patch or minor release of -other affected components such as CLI,- Cordova
platform implementations, -major plugins, etc.- (expected to be fixed in minor
release branch; do not want to pollute the master branch with extra reverts,
updated node_modules committed, etc.) _- solution for other components to be
tracked on GitHub, moved out of the scope of this issue_
* -{{npm audit}} issues resolved in master branch for next major release, which
should NOT be shipped with any {{npm audit}} issues lurking- _- to be tracked
on GitHub, as part of general update of dependencies, moved out of the scope of
this issue_
* -{{npm audit}} step added to CI for both patch release and next major
release- _(not wanted)_
was:
>From private discussions I discovered that running {{npm audit}} on a number
>of components would report dependencies with security issues. While we could
>not see any {{npm audit}} issues that may affect applications built using
>Cordova I think it is extremely important to resolve these issues as soon as
>possible. Most affect devDependencies used for testing of Cordova itself; a
>minority seem to affect Cordova scripts that may be run by Cordova application
>developers. Better safe than sorry!
I would like to resolve this issue as follows:
* patch release of common library components such as {{cordova-common}},
{{cordova-lib}}, etc. (fixed in minor release branch)
* patch or minor release of other affected components such as CLI, Cordova
platform implementations, major plugins, etc. (expected to be fixed in minor
release branch; do not want to pollute the master branch with extra reverts,
updated node_modules committed, etc.)
* {{npm audit}} issues resolved in master branch for next major release, which
should NOT be shipped with any {{npm audit}} issues lurking
* {{npm audit}} step added to CI for both patch release and next major release
> Resolve npm audit issues in platforms - patch updates
> -----------------------------------------------------
>
> Key: CB-14145
> URL: https://issues.apache.org/jira/browse/CB-14145
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-browser, cordova-coho,
> cordova-common, cordova-ios, cordova-js, cordova-osx, cordova-windows
> Reporter: Chris Brody
> Assignee: Chris Brody
> Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number
> of components would report dependencies with security issues. While we could
> not see any {{npm audit}} issues that may affect applications built using
> Cordova I think it is extremely important to resolve these issues as soon as
> possible. Most affect devDependencies used for testing of Cordova itself; a
> minority seem to affect Cordova scripts that may be run by Cordova
> application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}},
> -{{cordova-lib}}, etc.- (fixed in minor release branch) _- solution for other
> components to be tracked on GitHub, moved out of the scope of this issue_
> * patch or minor release of -other affected components such as CLI,- Cordova
> platform implementations, -major plugins, etc.- (expected to be fixed in
> minor release branch; do not want to pollute the master branch with extra
> reverts, updated node_modules committed, etc.) _- solution for other
> components to be tracked on GitHub, moved out of the scope of this issue_
> * -{{npm audit}} issues resolved in master branch for next major release,
> which should NOT be shipped with any {{npm audit}} issues lurking- _- to be
> tracked on GitHub, as part of general update of dependencies, moved out of
> the scope of this issue_
> * -{{npm audit}} step added to CI for both patch release and next major
> release- _(not wanted)_
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
