almercier opened a new issue #1219: URL: https://github.com/apache/cordova-ios/issues/1219
# Bug Report

## Problem

### What is expected to happen?

Running `npm audit` should report no vulnerable dependencies used by the latest version of cordova-ios.

### What does actually happen?

I get an `Improper Privilege Management in shelljs` warning from cordova-ios dependencies.

## Information

```
shelljs <0.8.5
Severity: moderate
Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-64g7-mvw6-v9qj
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/shelljs
  simctl >=0.0.2
  Depends on vulnerable versions of shelljs
  node_modules/simctl
    ios-sim >=4.1.0
    Depends on vulnerable versions of simctl
    node_modules/ios-sim
      cordova-ios >=4.1.0
      Depends on vulnerable versions of ios-sim
      node_modules/cordova-ios
```

Interestingly, the audit fix seems to think installing v4.1.0 will fix this issue, which is two major versions behind where I am currently, on 6.2.0.

### Command or Code

`npm i cordova-ios@latest`

`npm audit`

### Environment, Platform, Device

MacBook Pro, 15-inch, 2016

### Version information

- macOS 12.1
- npm 8.1.2
- cordova-ios 6.2.0

## Checklist

- [x] I searched for existing GitHub issues
- [x] I updated all Cordova tooling to most recent version
- [x] I included all the necessary information above

--
This is an automated message from the Apache Git Service.
