I just did a very simple test. Not sure if this helps, but: if you create a blank new npm project with "npm init" and install the tar from dist/dev, there are no audit issues. So npm doesn't install the vulnerable version, right?
On October 31, 2025, norman breau <[email protected]> wrote:
> I don't think this is important enough to block a release.
>
> Because, like you said, there is no shrinkwrap file, so the version is
> not locked to a particular release. The dependency is pinned inside
> package-lock.json, but that only affects developers working on the
> cordova repository, not any end-users.
>
> So we can correct this anytime. We could add a note in our release blog
> stating that they may need to use `npm upgrade -g cordova` (or
> `npm upgrade cordova` if they use local installs) to get the patched
> sub-dependencies.
>
> If they already have cordova, `npm install` may not update the
> sub-dependencies if the installed sub-dependency still satisfies all the
> version pins in the dependency tree.
>
> On Thu, 2025-10-30 at 10:45 -0700, Darryl Pogue wrote:
> > We've just got a warning about a node-tar vulnerability:
> > https://github.com/apache/cordova-lib/security/dependabot/35
> > This causes `npm audit` to fail.
> >
> > However, this is a sub-dependency and the fix is within the semver
> > range and we don't have a shrinkwrap file, so a published version of
> > cordova-lib should automatically pull in the updated dependency.
> >
> > How does this impact the voting?
> >
> > ~Darryl
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
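The point Norman makes above is that a sub-dependency can stay on an old version as long as it still satisfies every range in the tree, and that a nested copy may sit under a different range than the top-level one. One way to check a checkout for that from the command line, as an added example that is not part of this thread or of cordova's own tooling: the script below pulls every copy of a package out of a package-lock.json (lockfileVersion 2 or 3, which keys the "packages" map by "node_modules/..." path) and reports any copy that is below a required version. The lockfile, the package tree and every version number in it are constructed for the example and are not the versions from the Dependabot alert; "tar" is used as the package name only because it is the dependency under discussion.

```shell
#!/bin/sh
# Added example, not from the cordova thread: find every copy of a package in a
# package-lock.json (lockfileVersion 2/3) and flag copies below a required version.
# Uses only awk and shell builtins, so it runs without node, jq or network access.

# Print the version of the top-level node_modules/<pkg> entry.
# Usage: lock_resolved_version <lockfile> <package-name>
lock_resolved_version() {
  lockfile=$1; pkg=$2
  # The key is quoted, so "node_modules/tar" will not match "node_modules/tar-fs"
  # or a nested ".../node_modules/tar" (those are preceded by "/", not by a quote).
  awk -v key="\"node_modules/$pkg\"" '
    index($0, key) { found = 1; next }
    found && /"version"/ { sub(/.*"version": *"/, ""); sub(/".*/, ""); print; exit }
  ' "$lockfile"
}

# Print "<path> <version>" for every copy of <pkg>, nested copies included.
# Usage: lock_all_versions <lockfile> <package-name>
lock_all_versions() {
  lockfile=$1; pkg=$2
  awk -v suffix="node_modules/$pkg\"" '
    index($0, suffix) && /^ *"/ {
      path = $0; sub(/^ *"/, "", path); sub(/".*/, "", path); want = 1; next
    }
    want && /"version"/ {
      v = $0; sub(/.*"version": *"/, "", v); sub(/".*/, "", v); print path, v; want = 0
    }
  ' "$lockfile"
}

# Return 0 if dotted numeric version $1 is >= $2 (pre-release tags such as
# 1.0.0-beta are not handled; compare those by hand).
version_at_least() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "$a" = "$ai" ] && a='' || a=${a#*.}
    [ "$b" = "$bi" ] && b='' || b=${b#*.}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# Return 0 if every copy of <pkg> in the lockfile is at or above <version>;
# otherwise list the stale copies on stderr and return 1.
# Usage: check_patched <lockfile> <package-name> <version>
check_patched() {
  lockfile=$1; pkg=$2; need=$3
  stale=$(lock_all_versions "$lockfile" "$pkg" | while read -r path ver; do
    version_at_least "$ver" "$need" || printf '%s@%s\n' "$path" "$ver"
  done)
  [ -z "$stale" ] || { printf 'copies of %s still below %s:\n%s\n' "$pkg" "$need" "$stale" >&2; return 1; }
}

# Constructed sample lockfile (hypothetical packages and versions, not a real
# cordova tree): the root gets tar 7.4.3, but "some-lib" pins "^6.0.0", so npm
# keeps a nested 6.2.0 under it that a top-level update cannot move.
SAMPLE_LOCK='{
  "name": "demo-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {
      "dependencies": { "some-lib": "^1.0.0", "tar": "^7.0.0" }
    },
    "node_modules/some-lib": {
      "version": "1.2.0",
      "dependencies": { "tar": "^6.0.0" }
    },
    "node_modules/some-lib/node_modules/tar": {
      "version": "6.2.0"
    },
    "node_modules/tar": {
      "version": "7.4.3"
    }
  }
}'
SAMPLE_LOCKFILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOCKFILE"' EXIT
printf '%s\n' "$SAMPLE_LOCK" > "$SAMPLE_LOCKFILE"

# Demo: the top-level copy is fine, the nested copy is reported as stale.
lock_all_versions "$SAMPLE_LOCKFILE" tar
check_patched "$SAMPLE_LOCKFILE" tar 7.4.3 || echo "tree still needs attention"
```

On a real checkout, `npm ls tar` lists the same copies from the installed node_modules, and `npm update tar` (for which `npm upgrade` is an alias) re-resolves each copy to the newest version its parent's range allows. That is why a nested copy whose parent pins an older major can remain after the top-level copy is fixed: the fix has to come from the parent package widening its range. The regenerated package-lock.json is the artefact to diff before and after.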
