I don't think this is important enough to block a release. Because, like you said, there is no shrinkwrap file, the version is not locked to a particular release. The dependency is pinned inside package-lock.json, but that only affects developers working on the cordova repository, not any end-users.
So we can correct this anytime. We could add a note in our release blog stating that they may need to use `npm upgrade -g cordova` (or `npm upgrade cordova` if they use local installs) to get the patched sub-dependencies. If they already have cordova, `npm install` may not update the sub-dependencies if the installed sub-dependency still satisfies all the version pins in the dependency tree.

On Thu, 2025-10-30 at 10:45 -0700, Darryl Pogue wrote:
> We've just got a warning about a node-tar vulnerability:
> https://github.com/apache/cordova-lib/security/dependabot/35
> This causes `npm audit` to fail.
>
> However, this is a sub-dependency and the fix is within the semver
> range and we don't have a shrinkwrap file, so a published version of
> cordova-lib should automatically pull in the updated dependency.
>
> How does this impact the voting?
>
> ~Darryl
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
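As an added illustration (not code from the Cordova project or from either message in this thread), the resolution rule discussed above modelled in JavaScript: a sub-dependency whose already-installed version still satisfies its declared semver range is left in place by `npm install`, while a fresh install (or an upgrade of the parent package) picks the newest version inside that range, which is how a patched sub-dependency arrives without any change to cordova-lib's own package.json. The package ranges, versions and the `satisfies`/`resolve`/`needsUpgrade` helper names are constructed for this example, not node-tar's real version history.

```javascript
// Added example: a minimal model of how npm decides whether an installed
// sub-dependency needs replacing. Not npm's or Cordova's own code; supports
// only exact versions, "^x.y.z" (caret) and "~x.y.z" (tilde) ranges.

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Numeric compare of two "x.y.z" strings (negative, zero or positive).
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Does `version` fall inside `range` under npm's caret/tilde rules?
function satisfies(version, range) {
  const op = (range[0] === '^' || range[0] === '~') ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (compare(version, base) < 0) return false; // below the floor of the range
  const v = parseVersion(version), b = parseVersion(base);
  if (op === '') return compare(version, base) === 0; // exact pin
  if (op === '~') return v.major === b.major && v.minor === b.minor; // patch bumps only
  // caret: same major; for 0.x majors the minor must match as well
  if (b.major === 0) return v.major === 0 && v.minor === b.minor;
  return v.major === b.major;
}

// For one dependency, what a fresh install gets versus what an existing
// install keeps. `available` stands in for the registry's published versions.
function resolve({ range, installed, available }) {
  const inRange = available.filter(v => satisfies(v, range)).sort(compare);
  const freshInstall = inRange[inRange.length - 1]; // newest version in range
  // npm leaves an installed package alone while it still satisfies the range
  const existingInstall =
    installed && satisfies(installed, range) ? installed : freshInstall;
  return { freshInstall, existingInstall };
}

// True when the existing tree is still below the patched version even though
// a fresh install would already receive the patch (the situation the thread
// describes, where users must upgrade the parent package to get the fix).
function needsUpgrade({ range, installed, available, patched }) {
  const { freshInstall, existingInstall } = resolve({ range, installed, available });
  return compare(existingInstall, patched) < 0 && compare(freshInstall, patched) >= 0;
}

// Constructed scenario: parent pins "^1.2.0", user has 1.2.3 installed,
// registry now offers 1.2.4 (the patched release) and an out-of-range 2.0.0.
const scenario = {
  range: '^1.2.0',
  installed: '1.2.3',
  available: ['1.2.3', '1.2.4', '2.0.0'],
  patched: '1.2.4',
};
console.log(resolve(scenario));       // { freshInstall: '1.2.4', existingInstall: '1.2.3' }
console.log(needsUpgrade(scenario));  // true
```

The `needsUpgrade` check is the condition under which a release note telling users to run `npm upgrade -g cordova` matters: `npm audit` on a fresh checkout passes, yet an existing install keeps the older sub-dependency until something forces re-resolution.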
