I don't think cordova should add --allow-git or any of the new allow
commands without the user's consent -- as inconvenient that might be for
us. We shouldn't be disabling security features unless explicitly
requested by the user.
But exposing the ability to allow the user to pass in --allow-git might
be the path of least resistance for us to still allow testing dev builds.
On 2026-07-01 6:05 p.m., Manuel Beck wrote:
Does this mean "cordova plugin add https://github.com/…“ will not work anymore? I
see "--allow-git“ can be set, could Cordova set this, or would this be wrong? Will
NPM 12 automatically be used, when it’s out?
Am 01.07.2026 um 20:55 schrieb Darryl Pogue <[email protected]>:
Bryan also reminded me that npm 12 will disable installing packages
from git by default:
https://github.blog/changelog/2026-06-09-upcoming-breaking-changes-for-npm-v12/
(which possibly has bigger, API-breaking, implications for cordova-fetch)
~Darryl
On Tue, Jun 30, 2026 at 11:44 PM Manuel Beck <[email protected]> wrote:
So nightly builds will be currently not available but still be required for
testing the CLI. Ok just wanted to gather some information about it.
Von: Darryl Pogue <[email protected]>
Datum: Dienstag, 23. Juni 2026 um 18:13
An: [email protected] <[email protected]>
Betreff: Re: [DISCUSSION] Support of @nightly builds on npm
For platforms and plugins, installing from git isn't much of a
problem, but nightly builds are more useful for testing the CLI
tooling, because that relies on other dependencies like cordova-lib,
cordova-fetch, and cordova-common, and you can't (easily) tell the CLI
to use those dependencies from git.
If we get trusted publishing set up with npm, we should be able to
still do nightly builds from GitHub Actions but our process for
triggering them would have to be modified. If we want to turn on the
new staged publishing though, I think that would prevent doing nightly
builds because all of them would need manual approval.
~Darryl
On Tue, Jun 23, 2026 at 3:23 AM Manuel Beck <[email protected]> wrote:
Hi all,
Norman noticed on issue
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Fcordova-android%2Fissues%2F1957%23issuecomment-4772188115&data=05%7C02%7C%7C04fc55b2cad7498b588408ded14259c4%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C639178280054723711%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=NMfj2mlx3afe1nGEpvNkr1KOI1VWIA34BDgsYEbeolg%3D&reserved=0<https://github.com/apache/cordova-android/issues/1957#issuecomment-4772188115>
"that nightly is no longer published since NPM started cracking down on long lived access
tokens.“. I’m not so familiar with npm. What is the benefit of supporting nightly builds? Would the
installing from GitHub directly not be enough, if someone wants to test something?
Regards,
Manuel
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]