From private discussions I discovered that running npm audit on a number of components would report dependencies with security issues. While we could not see any npm audit issues that may affect applications built using Cordova I think it is extremely important to resolve these issues as soon as possible. Most affect devDependencies used for testing of Cordova itself; a minority seem to affect Cordova scripts that may be run by Cordova application developers. Better safe than sorry!
I would like to resolve this issue as follows:
- patch release of common library components such as cordova-common,
cordova-lib, etc.(fixed in minor release branch) - solution for other components to be tracked on GitHub, moved out of the scope of this issue
- patch or minor release of
other affected components such as CLI,Cordova platform implementations, major plugins, etc.(expected to be fixed in minor release branch; do not want to pollute the master branch with extra reverts, updated node_modules committed, etc.) - solution for other components to be tracked on GitHub, moved out of the scope of this issue npm audit issues resolved in master branch for next major release, which should NOT be shipped with any npm audit issues lurking- to be tracked on GitHub, as part of general update of dependencies, moved out of the scope of this issue npm audit step added to CI for both patch release and next major release(not wanted)