Uploaded image for project: 'Apache Cordova'
  1. Apache Cordova
  2. CB-14145

Resolve npm audit issues in platforms - patch updates

    Details

      Description

      From private discussions I discovered that running npm audit on a number of components would report dependencies with security issues. While we could not see any npm audit issues that may affect applications built using Cordova I think it is extremely important to resolve these issues as soon as possible. Most affect devDependencies used for testing of Cordova itself; a minority seem to affect Cordova scripts that may be run by Cordova application developers. Better safe than sorry!

      I would like to resolve this issue as follows:

      • patch release of common library components such as cordova-common, cordova-lib, etc. (fixed in minor release branch) - solution for other components to be tracked on GitHub, moved out of the scope of this issue
      • patch or minor release of other affected components such as CLI, Cordova platform implementations, major plugins, etc. (expected to be fixed in minor release branch; do not want to pollute the master branch with extra reverts, updated node_modules committed, etc.) - solution for other components to be tracked on GitHub, moved out of the scope of this issue
      • npm audit issues resolved in master branch for next major release, which should NOT be shipped with any npm audit issues lurking - to be tracked on GitHub, as part of general update of dependencies, moved out of the scope of this issue
      • npm audit step added to CI for both patch release and next major release (not wanted)

        Attachments

          Activity

            People

            • Assignee:
              brodybits Chris Brody
              Reporter:
              brodybits Chris Brody
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: