Date: Fri, 6 Jul 2018 20:16:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@cordova.apache.org
Subject: [jira] [Commented] (CB-14145) Resolve npm audit issues

[ https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16535303#comment-16535303 ]

ASF GitHub Bot commented on CB-14145:
-------------------------------------

brodybits opened a new pull request #281: CB-14145 resolve npm audit issues in patch fix
URL: https://github.com/apache/cordova-windows/pull/281

### Platforms affected

Windows

### What does this PR do?
- Set VERSION to 6.0.1-dev & update JS snapshot to version 6.0.1-dev via coho, using local coho with apache/cordova-coho#176 for patch release support (on Mac due to some issues with updating JavaScript on Windows)
- Update cordova-common to 2.2.5, pinned in this patch fix, to resolve the `npm audit` issues
- Pin other dependencies in package.json in this patch fix
- Completely reinstall node_modules (ignoring `node_modules/.bin`) using the following command on npm@6.1.0: `npm install --only=production`
- Update cordova.js from cordova-js@4.2.4 with the following changes, using local coho with apache/cordova-coho#176 for patch release support (on Mac due to some issues with updating JavaScript on Windows):
  - CB-9366 log error.stack
- Update `bundledDependencies` to support deprecated Node.js 4 in this patch fix
- Add Node.js 8 & 10 to AppVeyor CI & Travis CI in this patch fix
- Add blank lines to `.travis.yml` in this patch fix
- RELEASENOTES.md 6.0.0 fixes
  - remove extra info (now obsolete)
  - note `cordova.js` update from cordova-js@4.2.2
  - other minor fixes

### What testing has been done on this change?

- Able to build and run Cordova Windows app when using deprecated Node.js version 4 without ugly engine error warnings
- Able to build and run Cordova Windows app on Node.js version 8

CI testing todo:

- [ ] verify that `npm test` and other items pass on AppVeyor CI
- [ ] verify that build test items pass on Travis CI

### Checklist

- [x] [Reported an issue](http://cordova.apache.org/contribute/issues.html) in the JIRA database
- [x] Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB-xxxx is the JIRA ID & "android" is the platform affected. (with some exceptions)
- ~~Added automated test coverage as appropriate for this change.~~

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

> Resolve npm audit issues
> ------------------------
>
> Key: CB-14145
> URL: https://issues.apache.org/jira/browse/CB-14145
> Project: Apache Cordova
> Issue Type: Bug
> Components: cordova-android, cordova-app-hello-world, cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-plugman, cordova-windows
> Reporter: Chris Brody
> Assignee: Chris Brody
> Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number of components would report dependencies with security issues. While we could not see any {{npm audit}} issues that may affect applications built using Cordova, I think it is extremely important to resolve these issues as soon as possible. Most affect devDependencies used for testing of Cordova itself; a minority seem to affect Cordova scripts that may be run by Cordova application developers. Better safe than sorry!
>
> I would like to resolve this issue as follows:
>
> * patch release of common library components such as {{cordova-common}}, {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova platform implementations, major plugins, etc. (expected to be fixed in minor release branch; do not want to pollute the master branch with extra reverts, updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org
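The issue description above proposes an `npm audit` step in CI. The script below is an added example of what such a gate can look like; it is not code from the Cordova project or from the pull request. It assumes the two JSON shapes `npm audit --json` produces (npm 6 with `advisories` keyed by advisory id, npm 7+ with `auditReportVersion: 2` and `vulnerabilities` keyed by package name), both carrying severity counts under `metadata.vulnerabilities`. The two embedded reports are constructed samples with placeholder package names and a placeholder advisory URL, not real advisories; `auditGate`, `listFindings`, `SEVERITY_RANK` and the `AUDIT_THRESHOLD` variable are names chosen for this example.

```javascript
// Added example (not Cordova project code): a CI gate over `npm audit --json`.
// Assumed report shapes: npm 6 (`advisories` keyed by advisory id) and
// npm 7+ (`auditReportVersion: 2`, `vulnerabilities` keyed by package name).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise either report format into [{ name, severity, direct, fixAvailable }].
function listFindings(report) {
  if (report.auditReportVersion >= 2 && report.vulnerabilities) {
    return Object.values(report.vulnerabilities).map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // fixAvailable is false, true, or an object describing a semver-major fix
      fixAvailable: v.fixAvailable !== false,
    }));
  }
  if (report.advisories) {
    return Object.values(report.advisories).map((a) => ({
      name: a.module_name,
      severity: a.severity,
      // A dependency path without '>' means the vulnerable module is a direct dependency.
      direct: (a.findings || []).some((f) => (f.paths || []).some((p) => !p.includes('>'))),
      fixAvailable: Boolean(a.patched_versions) && a.patched_versions !== '<0.0.0',
    }));
  }
  return [];
}

// Decide whether the build may proceed. Findings at or above `threshold` block it;
// lower ones are reported but tolerated (to be pinned or upgraded in a later release).
function auditGate(reportJson, threshold = 'high') {
  const minRank = SEVERITY_RANK[threshold];
  if (minRank === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const report = JSON.parse(reportJson);
  const findings = listFindings(report);
  const blocking = findings.filter((f) => (SEVERITY_RANK[f.severity] || 0) >= minRank);
  return {
    pass: blocking.length === 0,
    blocking: blocking.map((f) => f.name).sort(),
    tolerated: findings.filter((f) => !blocking.includes(f)).map((f) => f.name).sort(),
    // Blocking findings with no patched version need a manual decision, not a bump.
    unfixable: blocking.filter((f) => !f.fixAvailable).map((f) => f.name).sort(),
    counts: (report.metadata && report.metadata.vulnerabilities) || {},
  };
}

// Constructed sample in the npm 7+ shape (placeholder names, not real advisories).
const SAMPLE_AUDIT_NPM7 = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: [{ title: 'placeholder advisory', severity: 'high', url: 'https://example.invalid/advisory' }],
      effects: ['example-cli'], range: '<1.2.3', nodes: ['node_modules/example-parser'], fixAvailable: true,
    },
    'example-cli': {
      name: 'example-cli', severity: 'low', isDirect: true,
      via: ['example-parser'], effects: [], range: '*', nodes: ['node_modules/example-cli'], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
});

// Constructed sample in the npm 6 shape (placeholder name, not a real advisory).
const SAMPLE_AUDIT_NPM6 = JSON.stringify({
  actions: [],
  advisories: {
    '1': {
      id: 1, module_name: 'example-minifier', severity: 'moderate', title: 'placeholder advisory',
      findings: [{ version: '0.9.0', paths: ['example-minifier'] }],
      vulnerable_versions: '<1.0.0', patched_versions: '>=1.0.0',
    },
  },
  muted: [],
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 0 } },
});

if (typeof require !== 'undefined' && require.main === module) {
  // Stand-alone use: `npm audit --json > audit.json; node audit-gate.js audit.json`
  // (npm audit itself exits non-zero when it finds anything, hence `;` rather than `&&`).
  const reportText = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_AUDIT_NPM7;
  const verdict = auditGate(reportText, process.env.AUDIT_THRESHOLD || 'high');
  console.log(JSON.stringify(verdict, null, 2));
  if (process.argv[2]) process.exitCode = verdict.pass ? 0 : 1;
}
```

The threshold is the policy knob the reporter's plan implies: a patch release branch can fail only on high and critical findings while the master branch runs with `AUDIT_THRESHOLD=low` so that nothing ships with audit issues lurking. The `unfixable` list separates findings that a version bump can close from those that need a dependency replaced or an advisory reviewed by hand.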