KBEMobisys commented on issue #116: URL: https://github.com/apache/cordova-browser/issues/116#issuecomment-1531377228
Maybe I don't get it, but this is my problem:

cordova-browser v6.0.0 defines the following in its package.json: `"shelljs": "^0.5.3"`

To my knowledge, this means that any version up to 0.5.x is allowed. Any version like 0.6.x or 0.8.x is not allowed. You can test this here: https://semver.npmjs.com/

Our open source security tool 'Mend' tells us there is a security vulnerability, [CVE-2022-0144](https://www.mend.io/vulnerability-database/CVE-2022-0144), in shelljs v0.5.3, which is closed in v0.8.5. So we would like to update shelljs to v0.8.5, which is not possible because cordova-browser v6.0.0 restricts it to v0.5.x. So `npm upgrade` will not work here.

But since the shelljs dependency is updated to v0.8.5 on the cordova-browser master branch, we could fix the security issue if there were a new version of cordova-browser. We could include a dependency on the master branch on our side, but this is an ugly solution.

Would it be possible to release a security update for cordova-browser? Or are there any plans for a new release anyway?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
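The caret-range behaviour the comment relies on, as an added example that is not part of the original comment or of cordova-browser's code. It implements npm's caret rule for plain `x.y.z` versions only (no prerelease tags or partial versions, which is an assumption of this sketch); the function names are hypothetical.

```javascript
// Added example: npm caret-range semantics for plain x.y.z versions
// (prerelease tags and partial versions are out of scope here).

function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret allows changes that do not modify the left-most non-zero component,
// so for 0.y.z the minor version is pinned and only the patch may float.
function caretBounds(range) {
  if (!range.startsWith("^")) throw new Error("only caret ranges handled");
  const low = parse(range.slice(1));
  const [major, minor, patch] = low;
  let high;
  if (major > 0) high = [major + 1, 0, 0];
  else if (minor > 0) high = [0, minor + 1, 0];
  else high = [0, 0, patch + 1];
  return { low, high }; // low is inclusive, high is exclusive
}

function satisfiesCaret(version, range) {
  const { low, high } = caretBounds(range);
  const v = parse(version);
  return compare(v, low) >= 0 && compare(v, high) < 0;
}

// Constructed candidate list; 0.5.3 and 0.8.5 are the versions from the comment.
const candidates = ["0.5.3", "0.5.9", "0.6.0", "0.8.5"];
for (const v of candidates) {
  console.log(`${v} in ^0.5.3: ${satisfiesCaret(v, "^0.5.3")}`);
}
// Contrast with a 1.x range, where the minor version may float.
console.log(`1.9.0 in ^1.2.3: ${satisfiesCaret("1.9.0", "^1.2.3")}`);
```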
