I vote +1 I did the following: - Verified pgp signature and sha-hash with `coho verify-archive` - Verified git tag and commit hash by looking into GitHub - Checked version in package.json: Ok, no `-dev` suffix - Ran `npm install` - Ran `npm audit`:
* Dist: No issues (Running on https://dist.apache.org/repos/dist/dev/cordova/lib-13.0.0/cordova-lib-13.0.0.tgz) * GitHub: 1 moderate severity vulnerability: "node-tar has a race condition leading to uninitialized memory exposure“ like already mentioned (Running on https://github.com/apache/cordova-lib/commit/6c2cdd9347b3ca3cd5dea8b1bc64e27c7e102d9b) - Ran `npm test` on checked out code from GitHub: No issues - Checked GitHub actions are green for commit Von: Niklas Merz <[email protected]> Datum: Mittwoch, 29. Oktober 2025 um 16:03 An: [email protected] <[email protected]> Betreff: Re: [VOTE] cordova-lib 13.0.0 Release I vote +1 * signature ok * hash ok * no audit issues * tests pass locally * tag ok * licenses ok * headers ok * checked a few cli commands with lib installed On October 29, 2025, Erisu <[email protected]> wrote: > Please review and vote on this cordova-lib release v13.0.0 > by replying to this email (and keep discussion on the DISCUSS thread) > > The archive has been published to dist/dev: > > https://dist.apache.org/repos/dist/dev/cordova/lib-13.0.0 > > The package was published from its corresponding git tag: > > cordova-lib: 13.0.0 (6c2cdd9347) > > Upon a successful vote I will upload the archive to dist/, publish it > to > npm, and post the blog post. > > Voting guidelines: > https://github.com/apache/cordova-coho/blob/master/docs/release- > voting.md > > Voting will go on for a minimum of 48 hours. > > ===== > > I vote +1: > > * Ran coho audit-license-headers over the relevant repos > * Ran coho check-license to ensure all dependencies and sub- > dependencies > have Apache-compatible licenses > * Ensured the continuous build was green when repo was tagged > * Ran `npm test` > * Ran various `cordova` test w/ sample app: > * `cordova` > * `cordova -v` > * `cordova create` > * `cordova info` > * `cordova requirements` > * `cordova help` > * `cordova config` > * `cordova platform` > * `cordova platform add` > * `cordova platform rm` > * `cordova plugin --help` > * `cordova plugin add` > * `cordova plugin rm` > * `cordova build` > * `cordova prepare` > * `cordova compile` > * `cordova run` > * `cordova serve` (confirmed as removed) > * Tested rebuilding a project from a clean state. > * Ran `npm audit` > * found 0 vulnerabilities > > Note: There are a couple of deprecation warnings for two packages when > running npm install, but they should not be an issue. One of them is a > development dependency and won’t appear when installing the Cordova > CLI. > These warnings are not blockers for this release.
