cordova-dev mailing list archives

From Simon MacDonald <simon.macdon...@gmail.com>
Subject Re: Request estimate for next release of cordova-plugin-globalization
Date Tue, 27 Mar 2018 14:38:28 GMT
Since this is a security issue that has already been merged I feel like we
should include globalization in the next plugin release.

John, you really should start planning to migrate away from this plugin as
we can't guarantee it will be updated in the future. There is a blog post
detailing an alternative that doesn't even require a plugin and aligns with
current web standard APIs.

http://cordova.apache.org/news/2017/11/20/migrate-from-cordova-globalization-plugin.html


Simon Mac Donald
http://simonmacdonald.com

On Tue, Mar 27, 2018 at 9:27 AM, julio cesar sanchez <jcesarmobile@gmail.com> wrote:

> We will probably do a plugins release after Easter with all plugins updated
> since the last release, so we can include this and some other deprecated
> plugins that also got an update.
>
> 2018-03-27 15:24 GMT+02:00 johnkgerken@gmail.com <johnkgerken@gmail.com>:
>
> >
> >
> > On 2018/03/26 21:23:26, Steven Gill <stevengill97@gmail.com> wrote:
> > > cordova-plugin-globalization was deprecated November 2017. See
> > > > https://github.com/apache/cordova-plugin-globalization#deprecation-notice
> > >
> > > > We aren't planning on doing any more releases as far as I'm aware. We
> > > recommend pointing your package.json & config.xml to the github repo
> > > instead if you want to continue using it. Another option is to fork the
> > > plugin and publish it under a different name with the fix you need.
> > >
> > > Cheers,
> > > -Steve
> > >
> > > On Mon, Mar 26, 2018 at 11:19 AM, johnkgerken@gmail.com <
> > > johnkgerken@gmail.com> wrote:
> > >
> > > > Hi Team,
> > > >
> > > > > Pull request #64 (https://github.com/apache/cordova-plugin-globalization/pull/64)
> > > > > was committed on February 2 to address a ReDoS issue in
> > > > > moment.js, which is shipped in cordova-plugin-globalization.  As this is a
> > > > > security issue, may I ask what the current plans are for releasing a new
> > > > > version of the plugin please?  We've tested the nightly build and confirmed
> > > > > that the issue has been addressed, but would obviously prefer to ship with
> > > > > a released version of the plugin as opposed to a nightly build.
> > > >
> > > > Thanks for your help,
> > > > John Gerken
> > > >
> > > > ------------------------------------------------------------
> ---------
> > > > To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
> > > > For additional commands, e-mail: dev-help@cordova.apache.org
> > > >
> > > >
> > >
> > Hi Steve,
> >
> > Thanks for your reply.  That puts us in a very difficult spot because
> > migrating away from this plugin is a non-trivial task and we've got about
> > 600 enterprise customers to consider.  As this is a security issue, is
> > there any recourse for me to request that the decision to not release this
> > already committed fix be reconsidered?
> >
> > Thanks for your help,
> > John
