Date: Tue, 10 Jul 2018 00:57:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: issues@cordova.apache.org
Subject: [jira] [Commented] (CB-14145) Resolve npm audit issues

    [ https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16537848#comment-16537848 ]

ASF GitHub Bot commented on CB-14145:
-------------------------------------

brodybits edited a comment on issue #50: CB-14145 resolve npm audit issues in patch fix
URL: https://github.com/apache/cordova-osx/pull/50#issuecomment-403664425

   I would like to make one more update to include xcode@1.0.1 with [dev] audit fixes in apache/cordova-node-xcode#10. Apologies for any possible confusion.

> Resolve npm audit issues
> ------------------------
>
>                 Key: CB-14145
>                 URL: https://issues.apache.org/jira/browse/CB-14145
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android, cordova-app-hello-world, cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-plugman, cordova-windows
>            Reporter: Chris Brody
>            Assignee: Chris Brody
>            Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number of components would report dependencies with security issues. While we could not see any {{npm audit}} issues that may affect applications built using Cordova I think it is extremely important to resolve these issues as soon as possible. Most affect devDependencies used for testing of Cordova itself; a minority seem to affect Cordova scripts that may be run by Cordova application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}}, {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova platform implementations, major plugins, etc. (expected to be fixed in minor release branch; do not want to pollute the master branch with extra reverts, updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)