apache / cordova-browser

Apache Cordova
Apache License 2.0

Any timeline for a cordova-browser release 6.0.1 with security fixes? #116

Closed KBEMobisys closed 1 year ago

KBEMobisys commented 1 year ago

Sorry for still asking here, but on StackOverflow I did not get an answer yet :(. Also the Slack Community Chat Sign-up at https://slack.cordova.io/ is dead.

My simple question is: The current version of cordova-browser is 6.0.0 at npmjs.com.

The master branch already contains some security fixes (e.g. using shelljs v0.8.5 instead of v0.5.3), which would be nice to get as a new version 6.0.1 or so.

Are there any plans for at least a security release?


breautek commented 1 year ago

> The master branch already contains some security fixes (e.g. using shelljs v0.8.5 instead of v0.5.3), which would be nice to get as a new version 6.0.1 or so.

This particular fix was just a minor version bump. I don't think the other code change is relevant (otherwise it should have been a major change on shelljs' part). So you should be able to use npm upgrade to update all of your subdependencies, which should include shelljs from cordova-browser.

KBEMobisys commented 1 year ago

Maybe I don't get it, but this is my problem: cordova-browser v6.0.0 defines the following in its package.json: "shelljs": "^0.5.3"

To my knowledge this means that any version up to 0.5.X is allowed. Any version like 0.6.x or 0.8.x is not allowed. You can test this here: https://semver.npmjs.com/

Our open source security tool 'Mend' tells us there is a security vulnerability, CVE-2022-0144, in shelljs v0.5.3 which is closed in v0.8.5. So we would like to update shelljs to v0.8.5, which is not possible because cordova-browser v6.0.0 restricts it to v0.5.x. So npm upgrade will not work here.

But since the shelljs dependency is updated to v0.8.5 on the cordova-browser master branch, we could fix the security issue if there were a new version of cordova-browser.

We could include a dependency on the master branch on our side, but this is an ugly solution.

Would it be possible to release a security update for cordova-browser? Or are there any plans for a new release anyway?

breautek commented 1 year ago

Looks like I stand corrected. I didn't realise the ^ caret operated differently if the major version is 0. Normally ^ allows any greater minor or patch version; however, for ^0.x.y it will only accept the next ~minor~ patch version.

I'll try to allocate time after my work day to start preparing a release. If you like, you can watch for the discussion/vote thread via our Dev Mailing List.

> Also the Slack Community Chat Sign-up at https://slack.cordova.io/ is dead.

FYI, we have shifted to GitHub Discussions. I know we still have some links lingering in some places.

Edit: Looks like the current master is in a 7.0.0-dev state, so the next version will be a 7.0.0 release.
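The caret rule described above, as an added example that is not part of the thread or the cordova-browser project: a dependency-free implementation of npm's `^` range semantics (plain x.y.z versions only, no prerelease tags or x-ranges), showing why a "^0.5.3" pin can never resolve to shelljs 0.8.5 while "^0.8.5" can. The `shelljsResolution` helper and its inputs are constructed for this illustration.

```javascript
// Added example (not from the cordova-browser project): a minimal
// implementation of npm's caret (^) range rule, to show why the
// "shelljs": "^0.5.3" pin in cordova-browser 6.0.0 cannot resolve to 0.8.5.
// Rule: ^ allows changes that do not modify the left-most non-zero component.
//   ^1.2.3 -> >=1.2.3 <2.0.0
//   ^0.5.3 -> >=0.5.3 <0.6.0   (major is 0, so minor is the left-most non-zero)
//   ^0.0.3 -> >=0.0.3 <0.0.4   (major and minor are 0, only that exact patch)

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, per the rule above.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `candidate` satisfy the range "^" + base?
function caretSatisfies(base, candidate) {
  const lo = parseVersion(base);
  const hi = caretUpperBound(lo);
  const c = parseVersion(candidate);
  return compare(c, lo) >= 0 && compare(c, hi) < 0;
}

// Constructed check mirroring the thread: what the "^0.5.3" pin lets
// `npm update` pick, and why only a pin bump (or an override) reaches 0.8.5.
function shelljsResolution() {
  return {
    pinnedRangeAllows085: caretSatisfies("0.5.3", "0.8.5"), // false
    pinnedRangeAllows059: caretSatisfies("0.5.3", "0.5.9"), // true
    bumpedRangeAllows085: caretSatisfies("0.8.5", "0.8.5"), // true
  };
}

console.log(shelljsResolution());
```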

breautek commented 1 year ago

An alternative workaround for the time being is to use the overrides feature available in npm 8 and later.

It can be used inside your package.json like so:

{
  ...
  "overrides": {
    "cordova-browser": {
      "shelljs": "^0.8.5"
    }
  }
}

See the npm docs for more info on using overrides.

KBEMobisys commented 1 year ago

Thanks for the hint. I did not know that npm feature. Will try it out. :) Thanks for your time 👍🏻

KBEMobisys commented 1 year ago

Just for information: using the above npm override will not work, because "shelljs": "0.8.5" seems to have a breaking change which prevents our build.

See additional changes in commit: https://github.com/apache/cordova-browser/commit/4fe7e97e6b381120bb30990d7692cd7852ae39ec

breautek commented 1 year ago

I'm working on preparing a release. I just want https://github.com/apache/cordova-browser/pull/119 merged in and to confirm that all the tests run properly with the upcoming new Node LTS. If all is good, then I'll start the release process.

I'm doing this in my own free time and I don't personally use this platform, so I don't know the ins and outs of it. So it would be helpful for me if you could give the current master a test:

cordova platform remove browser
cordova platform add https://github.com/apache/cordova-browser.git

It's a major version bump, but I believe the only user-facing breaking changes are the supported Node version drops.

cordova-browser@7.x will support NodeJS 16+. ~I'm dropping testing for NodeJS 14 but I didn't update pin and I plan to keep it that way for this release unless if someone rejects.~ NodeJS 14 is being dropped completely and the engines will reflect that.