Closed almercier closed 2 years ago
Shelljs was removed from cordova-ios approximately 2 years and was included in cordova-ios@6.0.0 release via https://github.com/apache/cordova-ios/pull/851
Use npm ls shelljs
to determine what packages are depending on ShellJS. You may also want to try nuking your package-lock.json
file and node_modules
folder and install from a clean slate.
Closing because this isn't a bug with modern versions of cordova-ios. If you need further assistance, feel free to ask our Slack Community.
Did some digging and shellJS is being installed from cordova-ios 6.0.0 as a nested dependency. shellJS has since fixed the patch, but simctl which is depended by ios-sim which is depended by cordova-ios hasn't updated to it yet.
It's frustrating that a clean install of cordova-ios generates npm audit warnings, and it's frustrating that the bug report was immediately dismissed as an invalid local issue when it is immediately replicable on latest albeit not exactly immediately solvable.
I submitted an issue to simctl, but it doesn't seem like an actively maintained project https://github.com/ios-control/simctl/issues/27
@breautek
simctl has been updated and the issues should be gone.
Bug Report
Problem
What is expected to happen?
Running
npm audit
should report no vulnerable dependencies used by the latest version of cordova-iosWhat does actually happen?
I get an
Improper Privilege Management in shelljs
warning from cordova-ios dependenciesInformation
Interestingly, the audit fix seems to think installing v4.1.0 will fix this issue, which is two major version behind where I am at currently on 6.2.0
Command or Code
npm i cordova-ios@latest
npm audit
Environment, Platform, Device
Macbook Pro, 15-inch, 2016
Version information
MacOS 12.1 npm 8.1.2 cordova-ios 6.2.0
Checklist