Date: Fri, 6 Jul 2018 15:33:05 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@cordova.apache.org
Subject: [jira] [Commented] (CB-14145) Resolve npm audit issues

[ https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16535001#comment-16535001 ]

ASF GitHub Bot commented on CB-14145:
-------------------------------------

brodybits commented on issue #374: [CB-14145 WIP] patch update to resolve npm audit warnings - WIP PENDING upstream patches
URL: https://github.com/apache/cordova-ios/pull/374#issuecomment-403068587

   Closing in favor of #379

> Resolve npm audit issues
> ------------------------
>
> Key: CB-14145
> URL: https://issues.apache.org/jira/browse/CB-14145
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-app-hello-world, cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-plugman, cordova-windows
> Reporter: Chris Brody
> Assignee: Chris Brody
> Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number of components would report dependencies with security issues. While we could not see any {{npm audit}} issues that may affect applications built using Cordova I think it is extremely important to resolve these issues as soon as possible. Most affect devDependencies used for testing of Cordova itself; a minority seem to affect Cordova scripts that may be run by Cordova application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}}, {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova platform implementations, major plugins, etc. (expected to be fixed in minor release branch; do not want to pollute the master branch with extra reverts, updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release