Posted to dev@cordova.apache.org by Chris Brody <ch...@gmail.com> on 2018/09/14 06:24:42 UTC

Cordova 8.1.0 (minor release) proposal

I would like to propose making 8.1.0 minor release, which would consist of:
* new cordova-lib@8.1.0 minor release
* new cordova-cli@8.1.0 minor release

to accomplish the following:
* resolve npm audit issues that show up in cordova-lib@8.0.0 & cordova-cli@8.0.0
* support cordova-android@~7.1.x and cordova-windows@~6.0.x releases by default
* stable AppVeyor CI & Travis CI builds

I already raised the proposal on cordova-lib in:
https://github.com/apache/cordova-lib/pull/693

For cordova-cli the major items would be to update insight, to resolve
npm audit issues, and use new cordova-lib@8.1.0 minor release.

Feedback would be appreciated whether this minor release is wanted,
patch release is really needed for some reason, or if we should wait
for the next major release.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org


Re: Cordova 8.1.0 (minor release) proposal

Posted by ra...@gmail.com.
The only minor doubt I'd have is about the insight update: as I've
mentioned in the corresponding PR, it will cause _all_ users to be prompted
again about their telemetry preference. I've thought that to be OK for a
major release. Might be a bit strange in a minor though. Just wanted to let
you know.

That being said, I see these releases as nice to have. If someone wants to
do that work, I'm fine with it.

Chris Brody <ch...@gmail.com> wrote on Fri., 14 Sep. 2018, 08:24:

> I would like to propose making 8.1.0 minor release, which would consist of:
> * new cordova-lib@8.1.0 minor release
> * new cordova-cli@8.1.0 minor release
>
> to accomplish the following:
> * resolve npm audit issues that show up in cordova-lib@8.0.0 & cordova-cli@8.0.0
> * support cordova-android@~7.1.x and cordova-windows@~6.0.x releases by default
> * stable AppVeyor CI & Travis CI builds
>
> I already raised the proposal on cordova-lib in:
> https://github.com/apache/cordova-lib/pull/693
>
> For cordova-cli the major items would be to update insight, to resolve
> npm audit issues, and use new cordova-lib@8.1.0 minor release.
>
> Feedback would be appreciated whether this minor release is wanted,
> patch release is really needed for some reason, or if we should wait
> for the next major release.
>
>
>

Re: Cordova 8.1.0 (minor release) proposal

Posted by Jesse <pu...@gmail.com>.
Here's a similar discussion on the relative merits of shrinkwrap from 2014.
https://markmail.org/thread/osbvx53d3l5s6fsj


@purplecabbage
risingj.com




On Fri, Sep 14, 2018 at 2:04 PM Chris Brody <ch...@gmail.com> wrote:

> A quick try of #6 worked for me, you can see the results in my
> cordova-cli WIP PR at: https://github.com/apache/cordova-cli/pull/326
>
> It is probably not the best: I simply edited npm-shrinkwrap.json by
> hand, then npm install would update it further.
>
> Resolves npm audit issues, runs on Node.js 4, does not need possibly
> breaking change from insight@0.10.x.
>
> I will try to do a better job next week, at least we know #6 is possible.
> On Fri, Sep 14, 2018 at 4:52 PM <ra...@gmail.com> wrote:
> >
> > I'd really like to try #6. If that does not work as expected, we can
> still
> > go with #2.
> >
> > Jan Piotrowski <pi...@gmail.com> wrote on Fri., 14 Sep. 2018, 21:47:
> >
> > > #2 sounds absolutely fine to me as this dependency is in cordova-cli
> > > which is only used on developer machines, not included in any deployed
> > > packages.
> > >
> > > Besides: Cordova has been shipping software with `npm audit` like
> > > issues for ages and I don't think there has been a "totally
> > > unacceptable in all cases" vote result on that.
> > >
> > > -J
> > >
> > > 2018-09-14 21:31 GMT+02:00  <ra...@gmail.com>:
> > > > 6. Use manually edited npm-shrinkwrap.json to force a more recent version
> > > > of `inquirer` ourselves. Little work, no audit warnings for the users. I
> > > > could do that when the branch is ready. However, we should test the whole
> > > > thing with an alpha suffix or something like that first.
> > > >
> > > > On Fri., 14 Sep. 2018 at 21:18 Chris Brody <chris.brody@gmail.com> wrote:
> > > >
> > > >> Unfortunately I spotted a catch-22 situation while working on CLI
> > > >> 8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
> > > >> * insight@0.8 (0.8.4) has the audit issue
> > > >> * newer insight starting with 0.9 uses inquirer@5 which does not
> > > >> support Node.js 4.
> > > >>
> > > >> I can think of the following alternatives:
> > > >>
> > > >> 1. skip the proposed 8.1.0 minor release
> > > >> 2. publish 8.1.0 minor release with known audit issue in the CLI
> > > >> 3. drop use of insight in 8.1.0 minor release
> > > >> 4. ask insight to publish 0.8.5 release that resolves the audit issue
> > > >> 5. publish special fork of insight which resolves the audit issue for
> > > >> 8.1.0 minor release
> > > >>
> > > >> Disadvantages of each alternative:
> > > >>
> > > >> 1: Users do not get some needed updates before the next major release.
> > > >> I think the major ones are:
> > > >>     - use of cordova-android@~7.1.x by default
> > > >>     - use of cordova-windows@~6.0.x by default
> > > >>
> > > >> 2: Bad practice, with possible responsibility for unknown security
> > > >> issues. While I would not expect any real security issues in practice,
> > > >> I would say better safe than sorry.
> > > >>
> > > >> 3. I think this kind of behavior should not be dropped in minor
> > > >> release, only to come back in next major release.
> > > >>
> > > >> 4. I highly doubt they would be motivated to do such a thing for us.
> > > >> Support for deprecated Node.js 4 is not desired in other projects
> > > >> unless absolutely necessary.
> > > >>
> > > >> 5. One more package for us to manage and maintain, on a temporary basis
> > > >>
> > > >> To be honest I really wouldn't mind if we would just make the new
> > > >> release to drop Node.js 4 support and abandon support for the existing
> > > >> package releases.
> > > >> On Fri, Sep 14, 2018 at 9:25 AM <ra...@gmail.com> wrote:
> > > >> >
> > > >> > On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:
> > > >> >
> > > >> > > Thanks Raphael for the reminder about insight, which I overlooked. I
> > > >> > > personally do not like the idea of an extra reminder message before the
> > > >> > > next major release. I would like to consider this over the weekend
> > > >> > >
> > > >> >
> > > >> > That could be resolved in a few ways:
> > > >> >
> > > >> >    - rolling back to previous version (can't remember if it had audit
> > > >> >    issues)
> > > >> >    - Using insight's `config` option [1] with a config provider that uses
> > > >> >    the same file as before. The commit that changed the config store was [2]
> > > >> >
> > > >> > Cheers
> > > >> >
> > > >> > [1]: https://github.com/yeoman/insight#config
> > > >> > [2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c
> > > >>
> > > >>
> > > >>
> > > >>
> > >
> > >
> > >
>
>
>

Re: Cordova 8.1.0 (minor release) proposal

Posted by Chris Brody <ch...@gmail.com>.
A quick try of #6 worked for me, you can see the results in my
cordova-cli WIP PR at: https://github.com/apache/cordova-cli/pull/326

It is probably not the best: I simply edited npm-shrinkwrap.json by
hand, then npm install would update it further.

Resolves npm audit issues, runs on Node.js 4, does not need possibly
breaking change from insight@0.10.x.

I will try to do a better job next week, at least we know #6 is possible.
On Fri, Sep 14, 2018 at 4:52 PM <ra...@gmail.com> wrote:
>
> I'd really like to try #6. If that does not work as expected, we can still
> go with #2.
>
> Jan Piotrowski <pi...@gmail.com> wrote on Fri., 14 Sep. 2018, 21:47:
>
> > #2 sounds absolutely fine to me as this dependency is in cordova-cli
> > which is only used on developer machines, not included in any deployed
> > packages.
> >
> > Besides: Cordova has been shipping software with `npm audit` like
> > issues for ages and I don't think there has been a "totally
> > unacceptable in all cases" vote result on that.
> >
> > -J
> >
> > 2018-09-14 21:31 GMT+02:00  <ra...@gmail.com>:
> > > 6. Use manually edited npm-shrinkwrap.json to force a more recent version
> > > of `inquirer` ourselves. Little work, no audit warnings for the users. I
> > > could do that when the branch is ready. However, we should test the whole
> > > thing with an alpha suffix or something like that first.
> > >
> > > On Fri., 14 Sep. 2018 at 21:18 Chris Brody <chris.brody@gmail.com> wrote:
> > >
> > >> Unfortunately I spotted a catch-22 situation while working on CLI
> > >> 8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
> > >> * insight@0.8 (0.8.4) has the audit issue
> > >> * newer insight starting with 0.9 uses inquirer@5 which does not
> > >> support Node.js 4.
> > >>
> > >> I can think of the following alternatives:
> > >>
> > >> 1. skip the proposed 8.1.0 minor release
> > >> 2. publish 8.1.0 minor release with known audit issue in the CLI
> > >> 3. drop use of insight in 8.1.0 minor release
> > >> 4. ask insight to publish 0.8.5 release that resolves the audit issue
> > >> 5. publish special fork of insight which resolves the audit issue for
> > >> 8.1.0 minor release
> > >>
> > >> Disadvantages of each alternative:
> > >>
> > >> 1: Users do not get some needed updates before the next major release.
> > >> I think the major ones are:
> > >>     - use of cordova-android@~7.1.x by default
> > >>     - use of cordova-windows@~6.0.x by default
> > >>
> > >> 2: Bad practice, with possible responsibility for unknown security
> > >> issues. While I would not expect any real security issues in practice,
> > >> I would say better safe than sorry.
> > >>
> > >> 3. I think this kind of behavior should not be dropped in minor
> > >> release, only to come back in next major release.
> > >>
> > >> 4. I highly doubt they would be motivated to do such a thing for us.
> > >> Support for deprecated Node.js 4 is not desired in other projects
> > >> unless absolutely necessary.
> > >>
> > >> 5. One more package for us to manage and maintain, on a temporary basis
> > >>
> > >> To be honest I really wouldn't mind if we would just make the new
> > >> release to drop Node.js 4 support and abandon support for the existing
> > >> package releases.
> > >> On Fri, Sep 14, 2018 at 9:25 AM <ra...@gmail.com> wrote:
> > >> >
> > >> > On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:
> > >> >
> > >> > > Thanks Raphael for the reminder about insight, which I overlooked. I
> > >> > > personally do not like the idea of an extra reminder message before the
> > >> > > next major release. I would like to consider this over the weekend
> > >> > >
> > >> >
> > >> > That could be resolved in a few ways:
> > >> >
> > >> >    - rolling back to previous version (can't remember if it had audit
> > >> >    issues)
> > >> >    - Using insight's `config` option [1] with a config provider that uses
> > >> >    the same file as before. The commit that changed the config store was [2]
> > >> >
> > >> > Cheers
> > >> >
> > >> > [1]: https://github.com/yeoman/insight#config
> > >> > [2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c
> > >>
> > >>
> > >>
> >
> >
> >



Re: Cordova 8.1.0 (minor release) proposal

Posted by ra...@gmail.com.
I'd really like to try #6. If that does not work as expected, we can still
go with #2.

Jan Piotrowski <pi...@gmail.com> wrote on Fri., 14 Sep. 2018, 21:47:

> #2 sounds absolutely fine to me as this dependency is in cordova-cli
> which is only used on developer machines, not included in any deployed
> packages.
>
> Besides: Cordova has been shipping software with `npm audit` like
> issues for ages and I don't think there has been a "totally
> unacceptable in all cases" vote result on that.
>
> -J
>
> 2018-09-14 21:31 GMT+02:00  <ra...@gmail.com>:
> > 6. Use manually edited npm-shrinkwrap.json to force a more recent version
> > of `inquirer` ourselves. Little work, no audit warnings for the users. I
> > could do that when the branch is ready. However, we should test the whole
> > thing with an alpha suffix or something like that first.
> >
> > On Fri., 14 Sep. 2018 at 21:18 Chris Brody <chris.brody@gmail.com> wrote:
> >
> >> Unfortunately I spotted a catch-22 situation while working on CLI
> >> 8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
> >> * insight@0.8 (0.8.4) has the audit issue
> >> * newer insight starting with 0.9 uses inquirer@5 which does not
> >> support Node.js 4.
> >>
> >> I can think of the following alternatives:
> >>
> >> 1. skip the proposed 8.1.0 minor release
> >> 2. publish 8.1.0 minor release with known audit issue in the CLI
> >> 3. drop use of insight in 8.1.0 minor release
> >> 4. ask insight to publish 0.8.5 release that resolves the audit issue
> >> 5. publish special fork of insight which resolves the audit issue for
> >> 8.1.0 minor release
> >>
> >> Disadvantages of each alternative:
> >>
> >> 1: Users do not get some needed updates before the next major release.
> >> I think the major ones are:
> >>     - use of cordova-android@~7.1.x by default
> >>     - use of cordova-windows@~6.0.x by default
> >>
> >> 2: Bad practice, with possible responsibility for unknown security
> >> issues. While I would not expect any real security issues in practice,
> >> I would say better safe than sorry.
> >>
> >> 3. I think this kind of behavior should not be dropped in minor
> >> release, only to come back in next major release.
> >>
> >> 4. I highly doubt they would be motivated to do such a thing for us.
> >> Support for deprecated Node.js 4 is not desired in other projects
> >> unless absolutely necessary.
> >>
> >> 5. One more package for us to manage and maintain, on a temporary basis
> >>
> >> To be honest I really wouldn't mind if we would just make the new
> >> release to drop Node.js 4 support and abandon support for the existing
> >> package releases.
> >> On Fri, Sep 14, 2018 at 9:25 AM <ra...@gmail.com> wrote:
> >> >
> >> > On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:
> >> >
> >> > > Thanks Raphael for the reminder about insight, which I overlooked. I
> >> > > personally do not like the idea of an extra reminder message before the
> >> > > next major release. I would like to consider this over the weekend
> >> > >
> >> >
> >> > That could be resolved in a few ways:
> >> >
> >> >    - rolling back to previous version (can't remember if it had audit
> >> >    issues)
> >> >    - Using insight's `config` option [1] with a config provider that uses
> >> >    the same file as before. The commit that changed the config store was [2]
> >> >
> >> > Cheers
> >> >
> >> > [1]: https://github.com/yeoman/insight#config
> >> > [2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c
> >>
> >>
> >>
>
>
>

Re: Cordova 8.1.0 (minor release) proposal

Posted by Jan Piotrowski <pi...@gmail.com>.
#2 sounds absolutely fine to me as this dependency is in cordova-cli
which is only used on developer machines, not included in any deployed
packages.

Besides: Cordova has been shipping software with `npm audit` like
issues for ages and I don't think there has been a "totally
unacceptable in all cases" vote result on that.

-J

2018-09-14 21:31 GMT+02:00  <ra...@gmail.com>:
> 6. Use manually edited npm-shrinkwrap.json to force a more recent version
> of `inquirer` ourselves. Little work, no audit warnings for the users. I
> could do that when the branch is ready. However, we should test the whole
> thing with an alpha suffix or something like that first.
>
> On Fri., 14 Sep. 2018 at 21:18 Chris Brody <chris.brody@gmail.com> wrote:
>
>> Unfortunately I spotted a catch-22 situation while working on CLI
>> 8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
>> * insight@0.8 (0.8.4) has the audit issue
>> * newer insight starting with 0.9 uses inquirer@5 which does not
>> support Node.js 4.
>>
>> I can think of the following alternatives:
>>
>> 1. skip the proposed 8.1.0 minor release
>> 2. publish 8.1.0 minor release with known audit issue in the CLI
>> 3. drop use of insight in 8.1.0 minor release
>> 4. ask insight to publish 0.8.5 release that resolves the audit issue
>> 5. publish special fork of insight which resolves the audit issue for
>> 8.1.0 minor release
>>
>> Disadvantages of each alternative:
>>
>> 1: Users do not get some needed updates before the next major release.
>> I think the major ones are:
>>     - use of cordova-android@~7.1.x by default
>>     - use of cordova-windows@~6.0.x by default
>>
>> 2: Bad practice, with possible responsibility for unknown security
>> issues. While I would not expect any real security issues in practice,
>> I would say better safe than sorry.
>>
>> 3. I think this kind of behavior should not be dropped in minor
>> release, only to come back in next major release.
>>
>> 4. I highly doubt they would be motivated to do such a thing for us.
>> Support for deprecated Node.js 4 is not desired in other projects
>> unless absolutely necessary.
>>
>> 5. One more package for us to manage and maintain, on a temporary basis
>>
>> To be honest I really wouldn't mind if we would just make the new
>> release to drop Node.js 4 support and abandon support for the existing
>> package releases.
>> On Fri, Sep 14, 2018 at 9:25 AM <ra...@gmail.com> wrote:
>> >
>> > On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:
>> >
>> > > Thanks Raphael for the reminder about insight, which I overlooked. I
>> > > personally do not like the idea of an extra reminder message before the
>> > > next major release. I would like to consider this over the weekend
>> > >
>> >
>> > That could be resolved in a few ways:
>> >
>> >    - rolling back to previous version (can't remember if it had audit
>> >    issues)
>> >    - Using insight's `config` option [1] with a config provider that uses
>> >    the same file as before. The commit that changed the config store was [2]
>> >
>> > Cheers
>> >
>> > [1]: https://github.com/yeoman/insight#config
>> > [2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c
>>
>>
>>



Re: Cordova 8.1.0 (minor release) proposal

Posted by ra...@gmail.com.
6. Use manually edited npm-shrinkwrap.json to force a more recent version
of `inquirer` ourselves. Little work, no audit warnings for the users. I
could do that when the branch is ready. However, we should test the whole
thing with an alpha suffix or something like that first.

On Fri., 14 Sep. 2018 at 21:18 Chris Brody <chris.brody@gmail.com> wrote:

> Unfortunately I spotted a catch-22 situation while working on CLI
> 8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
> * insight@0.8 (0.8.4) has the audit issue
> * newer insight starting with 0.9 uses inquirer@5 which does not
> support Node.js 4.
>
> I can think of the following alternatives:
>
> 1. skip the proposed 8.1.0 minor release
> 2. publish 8.1.0 minor release with known audit issue in the CLI
> 3. drop use of insight in 8.1.0 minor release
> 4. ask insight to publish 0.8.5 release that resolves the audit issue
> 5. publish special fork of insight which resolves the audit issue for
> 8.1.0 minor release
>
> Disadvantages of each alternative:
>
> 1: Users do not get some needed updates before the next major release.
> I think the major ones are:
>     - use of cordova-android@~7.1.x by default
>     - use of cordova-windows@~6.0.x by default
>
> 2: Bad practice, with possible responsibility for unknown security
> issues. While I would not expect any real security issues in practice,
> I would say better safe than sorry.
>
> 3. I think this kind of behavior should not be dropped in minor
> release, only to come back in next major release.
>
> 4. I highly doubt they would be motivated to do such a thing for us.
> Support for deprecated Node.js 4 is not desired in other projects
> unless absolutely necessary.
>
> 5. One more package for us to manage and maintain, on a temporary basis
>
> To be honest I really wouldn't mind if we would just make the new
> release to drop Node.js 4 support and abandon support for the existing
> package releases.
> On Fri, Sep 14, 2018 at 9:25 AM <ra...@gmail.com> wrote:
> >
> > On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:
> >
> > > Thanks Raphael for the reminder about insight, which I overlooked. I
> > > personally do not like the idea of an extra reminder message before the
> > > next major release. I would like to consider this over the weekend
> > >
> >
> > That could be resolved in a few ways:
> >
> >    - rolling back to previous version (can't remember if it had audit
> >    issues)
> >    - Using insight's `config` option [1] with a config provider that uses
> >    the same file as before. The commit that changed the config store was [2]
> >
> > Cheers
> >
> > [1]: https://github.com/yeoman/insight#config
> > [2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c
>
>
>

Re: Cordova 8.1.0 (minor release) proposal

Posted by Chris Brody <ch...@gmail.com>.
Unfortunately I spotted a catch-22 situation while working on CLI
8.1.x WIP in https://github.com/apache/cordova-cli/pull/326:
* insight@0.8 (0.8.4) has the audit issue
* newer insight starting with 0.9 uses inquirer@5 which does not
support Node.js 4.

I can think of the following alternatives:

1. skip the proposed 8.1.0 minor release
2. publish 8.1.0 minor release with known audit issue in the CLI
3. drop use of insight in 8.1.0 minor release
4. ask insight to publish 0.8.5 release that resolves the audit issue
5. publish special fork of insight which resolves the audit issue for
8.1.0 minor release

Disadvantages of each alternative:

1: Users do not get some needed updates before the next major release.
I think the major ones are:
    - use of cordova-android@~7.1.x by default
    - use of cordova-windows@~6.0.x by default

2: Bad practice, with possible responsibility for unknown security
issues. While I would not expect any real security issues in practice,
I would say better safe than sorry.

3. I think this kind of behavior should not be dropped in minor
release, only to come back in next major release.

4. I highly doubt they would be motivated to do such a thing for us.
Support for deprecated Node.js 4 is not desired in other projects
unless absolutely necessary.

5. One more package for us to manage and maintain, on a temporary basis

To be honest I really wouldn't mind if we would just make the new
release to drop Node.js 4 support and abandon support for the existing
package releases.
On Fri, Sep 14, 2018 at 9:25 AM <ra...@gmail.com> wrote:
>
> On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:
>
> > Thanks Raphael for the reminder about insight, which I overlooked. I
> > personally do not like the idea of an extra reminder message before the
> > next major release. I would like to consider this over the weekend
> >
>
> That could be resolved in a few ways:
>
>    - rolling back to previous version (can't remember if it had audit
>    issues)
>    - Using insight's `config` option [1] with a config provider that uses
>    the same file as before. The commit that changed the config store was [2]
>
> Cheers
>
> [1]: https://github.com/yeoman/insight#config
> [2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c



Re: Cordova 8.1.0 (minor release) proposal

Posted by ra...@gmail.com.
On Fri., 14 Sep. 2018 at 14:15 Chris Brody <chris.brody@gmail.com> wrote:

> Thanks Raphael for the reminder about insight, which I overlooked. I
> personally do not like the idea of an extra reminder message before the
> next major release. I would like to consider this over the weekend
>

That could be resolved in a few ways:

   - rolling back to previous version (can't remember if it had audit
   issues)
   - Using insight's `config` option [1] with a config provider that uses
   the same file as before. The commit that changed the config store was [2]

Cheers

[1]: https://github.com/yeoman/insight#config
[2]: https://github.com/yeoman/insight/commit/dae6dd4b73b9cebe3c1ad877f467b7b1c58c1d4c

Re: Cordova 8.1.0 (minor release) proposal

Posted by Chris Brody <ch...@gmail.com>.
Thanks Raphael for reviewing the PR 4 hours ago. Sorry I missed it.

On Fri, Sep 14, 2018, 8:19 AM Jan Piotrowski <pi...@gmail.com> wrote:

> What PR needs another review? Raphael reviewed the only one you linked
> in this thread 4 hours ago.
>
> 2018-09-14 14:15 GMT+02:00 Chris Brody <ch...@gmail.com>:
> > Thanks guys for the feedback. I would also appreciate a review of the PR on
> > GitHub (from a PMC member).
> >
> > Thanks Raphael for the reminder about insight, which I overlooked. I
> > personally do not like the idea of an extra reminder message before the
> > next major release. I would like to consider this over the weekend.
> >
> > I will work on the minor release next week if I can get the PMC review.
> >
> > On Fri, Sep 14, 2018, 7:49 AM Oliver Salzburg <oliver.salzburg@gmail.com> wrote:
> >
> >> I feel like this would help move things forward. So I'm in favor.
> >>
> >>
> >> On 2018-09-14 08:24, Chris Brody wrote:
> >> > I would like to propose making 8.1.0 minor release, which would consist of:
> >> > * new cordova-lib@8.1.0 minor release
> >> > * new cordova-cli@8.1.0 minor release
> >> >
> >> > to accomplish the following:
> >> > * resolve npm audit issues that show up in cordova-lib@8.0.0 & cordova-cli@8.0.0
> >> > * support cordova-android@~7.1.x and cordova-windows@~6.0.x releases by default
> >> > * stable AppVeyor CI & Travis CI builds
> >> >
> >> > I already raised the proposal on cordova-lib in:
> >> > https://github.com/apache/cordova-lib/pull/693
> >> >
> >> > For cordova-cli the major items would be to update insight, to resolve
> >> > npm audit issues, and use new cordova-lib@8.1.0 minor release.
> >> >
> >> > Feedback would be appreciated whether this minor release is wanted,
> >> > patch release is really needed for some reason, or if we should wait
> >> > for the next major release.
> >> >
> >> >
> >>
> >>
> >>
> >>
>
>
>

Re: Cordova 8.1.0 (minor release) proposal

Posted by Jan Piotrowski <pi...@gmail.com>.
What PR needs another review? Raphael reviewed the only one you linked
in this thread 4 hours ago.

2018-09-14 14:15 GMT+02:00 Chris Brody <ch...@gmail.com>:
> Thanks guys for the feedback. I would also appreciate a review of the PR on
> GitHub (from a PMC member).
>
> Thanks Raphael for the reminder about insight, which I overlooked. I
> personally do not like the idea of an extra reminder message before the
> next major release. I would like to consider this over the weekend.
>
> I will work on the minor release next week if I can get the PMC review.
>
> On Fri, Sep 14, 2018, 7:49 AM Oliver Salzburg <ol...@gmail.com>
> wrote:
>
>> I feel like this would help move things forward. So I'm in favor.
>>
>>
>> On 2018-09-14 08:24, Chris Brody wrote:
>> > I would like to propose making 8.1.0 minor release, which would consist of:
>> > * new cordova-lib@8.1.0 minor release
>> > * new cordova-cli@8.1.0 minor release
>> >
>> > to accomplish the following:
>> > * resolve npm audit issues that show up in cordova-lib@8.0.0 & cordova-cli@8.0.0
>> > * support cordova-android@~7.1.x and cordova-windows@~6.0.x releases by default
>> > * stable AppVeyor CI & Travis CI builds
>> >
>> > I already raised the proposal on cordova-lib in:
>> > https://github.com/apache/cordova-lib/pull/693
>> >
>> > For cordova-cli the major items would be to update insight, to resolve
>> > npm audit issues, and use new cordova-lib@8.1.0 minor release.
>> >
>> > Feedback would be appreciated whether this minor release is wanted,
>> > patch release is really needed for some reason, or if we should wait
>> > for the next major release.
>> >
>> >
>>
>>
>>
>>



Re: Cordova 8.1.0 (minor release) proposal

Posted by Chris Brody <ch...@gmail.com>.
Thanks guys for the feedback. I would also appreciate a review of the PR on
GitHub (from a PMC member).

Thanks Raphael for the reminder about insight, which I overlooked. I
personally do not like the idea of an extra reminder message before the
next major release. I would like to consider this over the weekend.

I will work on the minor release next week if I can get the PMC review.

On Fri, Sep 14, 2018, 7:49 AM Oliver Salzburg <ol...@gmail.com> wrote:

> I feel like this would help move things forward. So I'm in favor.
>
>
> On 2018-09-14 08:24, Chris Brody wrote:
> > I would like to propose making 8.1.0 minor release, which would consist of:
> > * new cordova-lib@8.1.0 minor release
> > * new cordova-cli@8.1.0 minor release
> >
> > to accomplish the following:
> > * resolve npm audit issues that show up in cordova-lib@8.0.0 & cordova-cli@8.0.0
> > * support cordova-android@~7.1.x and cordova-windows@~6.0.x releases by default
> > * stable AppVeyor CI & Travis CI builds
> >
> > I already raised the proposal on cordova-lib in:
> > https://github.com/apache/cordova-lib/pull/693
> >
> > For cordova-cli the major items would be to update insight, to resolve
> > npm audit issues, and use new cordova-lib@8.1.0 minor release.
> >
> > Feedback would be appreciated whether this minor release is wanted,
> > patch release is really needed for some reason, or if we should wait
> > for the next major release.
> >
> >
>
>
>
>

Re: Cordova 8.1.0 (minor release) proposal

Posted by Oliver Salzburg <ol...@gmail.com>.
I feel like this would help move things forward. So I'm in favor.


On 2018-09-14 08:24, Chris Brody wrote:
> I would like to propose making 8.1.0 minor release, which would consist of:
> * new cordova-lib@8.1.0 minor release
> * new cordova-cli@8.1.0 minor release
>
> to accomplish the following:
> * resolve npm audit issues that show up in cordova-lib@8.0.0 & cordova-cli@8.0.0
> * support cordova-android@~7.1.x and cordova-windows@~6.0.x releases by default
> * stable AppVeyor CI & Travis CI builds
>
> I already raised the proposal on cordova-lib in:
> https://github.com/apache/cordova-lib/pull/693
>
> For cordova-cli the major items would be to update insight, to resolve
> npm audit issues, and use new cordova-lib@8.1.0 minor release.
>
> Feedback would be appreciated whether this minor release is wanted,
> patch release is really needed for some reason, or if we should wait
> for the next major release.
>
>

