cordova-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CB-14145) Resolve npm audit issues
Date Fri, 06 Jul 2018 23:16:00 GMT

    [ https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16535469#comment-16535469
] 

ASF GitHub Bot commented on CB-14145:
-------------------------------------

brodybits opened a new pull request #50: CB-14145 resolve npm audit issues in patch fix
URL: https://github.com/apache/cordova-osx/pull/50
 
 
   <!--
   Please make sure the checklist boxes are all checked before submitting the PR. The checklist
   is intended as a quick reference, for complete details please see our Contributor Guidelines:
   
   http://cordova.apache.org/contribute/contribute_guidelines.html
   
   Thanks!
   -->
   
   ### Platforms affected
   
   mac OS ("osx")
   
   ### What does this PR do?
   
   - Set VERSION to 4.0.2-dev & update JS snapshot to version 4.0.2-dev via coho, using
local coho with apache/cordova-coho#176 for patch release support (another workaround fix
pushed to apache/cordova-coho#176 was needed to get the JS snapshot to work with old version
of cordova-js). Note that the indentation of package.json was changed by the recent version
of coho.
   - Update the following dependencies, pinned in this patch fix, to resolve the npm audit
issues:
     - cordova-common@2.2.5
     - xcode@1.0.0
   - explicit plist@2.1.0 dependency in this patch fix(wanted since plist is explicitly used
by code in bin)
   - pin other external dependencies in this patch fix
   - use jasmine-node@^1.5.0 in devDependencies to resolve npm audit warning in this patch
fix
   - completely reinstall node_modules in this patch fix (ignoring `node_modules/.bin`) using
the following command on npm@6.1.0: `npm install --only=production`:
   - Update `CordovaLib/cordova.js` from cordova-js@4.2.4 (4.2.0 .. 4.2.4)
   - update `bundledDependencies` to support deprecated Node.js 4 in this patch fix
   - remove extra `devDependencies`: coffee-script, nodeunit, uncrustify
   - fixes ported from master:
     - CB-12762: package.json reference repo on github
     - migrate jshint -> eslint, with some more eslint rules turned off in this patch fix
   - add line spacing to .eslintrc.yml
   - enable eslint in tests/spec (with some eslint rules turned off in tests/spec for now)
   
   ### What testing has been done on this change?
   
   - `npm audit` with npm@6.1.0 (latest release) shows 0 vulnerabilities
   - `cordova platform add brodybits/cordova-osx#cb-14145-patch` to new Cordova project and
then `cordova run osx` works on deprecated Node.js 4 and Node.js 8
   - `cordova platform add brodybits/cordova-osx#cb-14145-patch` to new Cordova project and
then run from Xcode works on deprecated Node.js 4
   - [ ] TODO: check that Travis CI which includes `npm test` task passes
   
   ### Checklist
   
   - [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html) in the JIRA
database
   - [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file
paths", where CB-xxxx is the JIRA ID & "android" is the platform affected. (with some
exceptions)
   - ~~Added automated test coverage as appropriate for this change.~~

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Resolve npm audit issues
> ------------------------
>
>                 Key: CB-14145
>                 URL: https://issues.apache.org/jira/browse/CB-14145
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android, cordova-app-hello-world, cordova-browser, cordova-cli,
cordova-coho, cordova-common, cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-plugman,
cordova-windows
>            Reporter: Chris Brody
>            Assignee: Chris Brody
>            Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number of components
would report dependencies with security issues. While we could not see any {{npm audit}} issues
that may affect applications built using Cordova I think it is extremely important to resolve
these issues as soon as possible. Most affect devDependencies used for testing of Cordova
itself; a minority seem to affect Cordova scripts that may be run by Cordova application developers.
Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}}, {{cordova-lib}},
etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova platform implementations,
major plugins, etc. (expected to be fixed in minor release branch; do not want to pollute
the master branch with extra reverts, updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, which should
NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org


Mime
View raw message