Open Likhi1111 opened 1 year ago
A fresh install shows different results (npm install -g cordova may not be a fresh install if you had an older version previously installed)
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 489 packages, and audited 490 packages in 1m
52 packages are looking for funding
run `npm fund` for details
5 moderate severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
You can use npm -g upgrade cordova
to upgrade global packages. The difference between upgrade
and install
and install
will update the main package, but may not recursively update it's dependencies or child dependencies, if the version is already satisfactory, where as upgrade
will upgrade all of the package's dependencies and child dependencies recursively to the latest version available that satisfies their declared semver version.
This will resolve the deprecation warnings for receive for uuid
and stringify-package
Nonetheless, there are still 2 active deprecations used, which are: har-validor
and request
npm ls har-validator
cdvtest@1.0.0 /home/norman/test/cdvtest
└─┬ cordova@11.0.0
└─┬ insight@0.11.1
└─┬ request@2.88.2
└── har-validator@5.1.5
As you can see, har-validot
is used by request
, soo...
npm ls request
cdvtest@1.0.0 /home/norman/test/cdvtest
└─┬ cordova@11.0.0
├─┬ cordova-create@4.0.0
│ └─┬ cordova-fetch@3.0.1
│ └─┬ pacote@11.3.5
│ └─┬ @npmcli/run-script@1.8.6
│ └─┬ node-gyp@7.1.2
│ └── request@2.88.2 deduped
└─┬ insight@0.11.1
└── request@2.88.2
There are 2 sub-dependencies that Cordova depends on that is including this dependency, pacote
which is part of NPM's codebase and insight. Pacote may need to wait for NodeJS's package node-gyp to update first. There isn't anything Cordova can do directly to resolve these deprecation warnings. While these packages are deprecated they should work as is for the foreseeable future. Therefore I think it's fine to wait for updates of the underlying packages for the time being.
As for the reported vulnerabilities, they are from the update-notifier
package. There are ways to forcefully force cordova to use a different version, such as version 6.x
of update-notifier
which resolves the moderate vulnerabilities, however 6.x includes breaking changes that a simple test causes Cordova not to work properly. You can use npm audit
to find more information on vulnerability to determine the severity for you.
Issue Type
Description
showing some warning while installing Cordava
Information
npm WARN deprecated har-validator@5.1.5: this library is no longer supported npm WARN deprecated stringify-package@1.0.1: This module is not used anymore, and has been replaced by @npmcli/package-json npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 489 packages, and audited 490 packages in 36s
52 packages are looking for funding run
npm fund
for details4 moderate severity vulnerabilities
To address all issues (including breaking changes), run: npm audit fix --force
Run
npm audit
for details.Command or Code
npm install -g cordava
Environment, Platform, Device
cmd
Version information
Checklist