CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: cordova-ios 3.9.2 and below
Description: Apache Cordova iOS contains 2 methods to bypass the URL access restrictions provided by the whitelist. An attacker can use any of the 2 methods to load malicious resources in an app that uses a whitelist to only load trusted resources.
Upgrade path: Developers who are concerned about this issue should install version 4.0.0 or higher of the cordova-ios platform.
Credit: This issue was discovered by Muneaki Nishimura (nishimunea) of Recruit Technologies Co.,Ltd.
CVE-2015-5208 - Arbitrary plugin execution issue in Apache Cordova iOS
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: cordova-ios 3.9.2 and below
Description: An arbitrary plugin can be executed when a user clicks on a link.
Upgrade path: Developers who are concerned about this issue should install version 4.0.0 or higher of the cordova-ios platform.
Credit: This issue was discovered by Muneaki Nishimura (nishimunea) of Recruit Technologies Co.,Ltd.
The following plugins were updated today:
This release includes a new plugin named cordova-plugin-compat. cordova-plugin-compat
allows backwards compatibility for plugins that had to upgrade to the new permissions model for cordova-android@5+
. Plugin authors can use and depend on cordova-plugin-compat
to continue to support older versions (<5
) of cordova-android
. Checkout the cordova-plugin-compat repo for more information. Previously, we were packaging copies of PermissionHelper.java
with the plugins that needed the permission updates, but have now decided that it would be better to store PermissionHelper.java
in cordova-plugin-compat
.
Plugin authors can also use the new engines element to specify what versions of cordova-android
your plugin supports. Read more about it in our plugin fetching blog post.
You can update any plugin by removing it, and then re-adding it.
E.g. To update your camera plugin:
cordova plugin rm cordova-plugin-camera --save
cordova plugin add cordova-plugin-camera@latest --save
Changes include:
We are happy to announce that Cordova Windows 4.3.2
has been released!
This release fixes a number of bugs including an issue when some of config-file
changes were not applied to appxmanifest files
and the bug with omitted icons, specified using target
attribute (see icons guide
for target
attribute usage). See below for full list of changes.
Cordova CLI 6.1.1 will automatically start using this version of Cordova-Windows when creating new projects.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update windows@4.3.2
To add it explicitly:
cordova platform add windows@4.3.2
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guide.
New patch update of cordova-cli
and cordova
are now live!
We had to fix a few issues that were discovered with the recent 6.1.0 release.
To update your tools:
If you have cordova
installed:
npm install -g cordova@latest
If you have plugman
installed:
npm install -g plugman@latest
We are happy to announce that Cordova iOS 4.1.1
has been released!
This release addresses issue CB-10773, which was an issue with creating an iOS project on a Windows machine and then building on OSX.
A new version of the cordova-cli
will need to be released to pin this version of cordova-ios as the default version when creating a new project. If you want to start using this version now, make sure to specify the version when doing a cordova platform add/update
.
To upgrade:
npm install -g cordova
cd my_project
cordova platform rm ios
cordova platform add ios@4.1.1
To add it explicitly:
cordova platform add ios@4.1.1
New versions of cordova tools are now live!
Release Highlights include:
To update your tools:
If you have cordova
installed:
npm install -g cordova@latest
If you have plugman
installed:
npm install -g plugman@latest
The Cordova 6.0.0 release introduced the pinning of core plugin versions in cordova-lib.
We are happy to announce that one of the new features in the upcoming Cordova 6.1.0 release is a general API that allows any plugin to guide the CLI in choosing a compatible plugin release to fetch for a given project. This moves the plugin dependency information out of cordova-lib so that it can update independently of the Cordova tools and support third-party plugins outside of core. Our hope is that this feature will improve Cordova's plugin ecosystem and reduce some of the frustration that Cordova developers face when adding a new plugin to a project.
The following plugins were updated today:
You can update any plugin by removing it, and then re-adding it.
E.g. To update your camera plugin:
cordova plugin rm cordova-plugin-camera --save
cordova plugin add cordova-plugin-camera@2.1.1 --save
Changes include:
We are happy to announce that Cordova Browser 4.1.0
has been released. It will be the default Browser version after the next cordova-cli
release.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update browser@4.1.0
To add it explicitly:
cordova platform add browser@4.1.0
We are happy to announce that we have made significant content updates to our documentation.
We are happy to announce that Cordova iOS 4.1.0
has been released!
This release addresses issue CB-10530, which was an issue with your apps periodically freezing directly after starting.
A new version of the cordova-cli
will need to be released to pin this version of cordova-ios as the default version when creating a new project. If you want to start using this version now, make sure to specify the version when doing a cordova platform add/update
.
To upgrade:
npm install -g cordova
cd my_project
cordova platform rm ios
cordova platform add ios@4.1.0
To add it explicitly:
cordova platform add ios@4.1.0
We are happy to announce that Cordova Android 5.1.1
has been released.
Cordova CLI 6.0.0 will automatically start using this version of Cordova-Android when creating new projects.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update android@5.1.1
To add it explicitly:
cordova platform add android@5.1.1
We are happy to announce that Cordova OSX 4.0.0
has been released! This was a much needed updated to get cordova-osx
working with the cordova-cli
. Try it out!
Add it to your projects via:
cordova platform add osx@4.0.0
The following plugins were updated today:
You can update any plugin by removing it, and then re-adding it.
E.g. To update your media plugin:
cordova plugin rm cordova-plugin-media --save
cordova plugin add cordova-plugin-media@2.2.0 --save
Changes include:
An important regression issue was discovered for cordova-plugin-inappbrowser
version 1.2.0
.
We are releasing version 1.2.1
of cordova-plugin-inappbrowser
to address
CB-10407: InAppBrowser not firing loadstart
event on Android. This release also includes some other improvements for Android, iOS and Windows platforms.
You can update the plugin by removing it, and then re-adding it.
cordova plugin rm cordova-plugin-inappbrowser --save
cordova plugin add cordova-plugin-inappbrowser --save
Changes include:
We are happy to announce that Cordova Windows 4.3.1
has been released!
This is a patch release which fixes a couple of small bugs related to plugins installation, and the significant issue that caused Windows 10 Universal apps to restart instead of resume in some cases.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update windows@4.3.1
To add it explicitly:
cordova platform add windows@4.3.1
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guide.
New versions of cordova tools are now live!
Release Highlights include:
cordova-android@5
, cordova-ios@4
and cordova-windows@4.3
.
cordova-android@5.1
supports Android 6.X.X (Marshmallow) cordova-ios@4.0
adds iOS9 and WKWebView
supportcordova-windows@4.3
updated the platform to use the new Platform API.create
command. E.g. cordova create --template cordova-app-hello-world
. This can fetch templates via npm, git URL or local paths.cordova
. This means that cordova plugin add cordova-plugin-camera
will fetch the pinned version of the plugin instead of the always grabbing the latest
. Users can still install any version of a plugin via cordova plugin add cordova-plugin-camera@VERSION
.To update your tools:
If you have cordova
installed:
npm install -g cordova@latest
If you have plugman
installed:
npm install -g plugman@latest
We are happy to announce that Cordova Android 5.1.0
has been released.
This update introduces a new API for Android plugin authors. Plugins that launch external activities can now better handle method calls on devices that are low on memory. In that scenario, the Android OS will sometimes kill the Cordova Activity when it is pushed into the background by the external Activity. This causes the plugin to lose any callbacks they have pending in the javascript. The new API allows the results of external Activity calls to be delivered via the resume event that is fired in the javascript after the Cordova Activity is destroyed and recreated. Plugin authors wishing to implement the new API should read the updated plugin guide here.
Two core plugins support this new API and have been updated to fix longstanding bugs:
Application authors are encouraged to update both their plugin and cordova-android versions to take advantage of these bug fixes. Please note that the aforementioned fixes require changes to your application as well. More information can be found in the READMEs of each of those plugins and in the new Android lifecycle guide that has been published to the Cordova documentation. This guide provides explanations and guidance on how to handle low memory scenarios on the Android platform as well as integrate the new resume APIs into your application.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update android@5.1.0
To add it explicitly:
cordova platform add android@5.1.0
The following plugins were updated today:
You can update any plugin by removing it, and then re-adding it.
E.g. To update your camera plugin:
cordova plugin rm cordova-plugin-camera --save
cordova plugin add cordova-plugin-camera --save
Changes include:
We are happy to announce that Cordova Windows 4.3.0
has been released!
This release mostly aims to bring support for Platform Api interface and unified message logging for Windows. It will be the default Windows version after the next cordova-cli
release.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update windows@4.3.0
To add it explicitly:
cordova platform add windows@4.3.0
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
We are happy to announce that Cordova Ubuntu 4.3.2
has been released. This is a patch release, with several usability improvements and an update of the default framework to ubuntu-sdk-15.04
.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ubuntu@4.3.2
To add it explicitly:
cordova platform add ubuntu@4.3.2
We are happy to announce that Cordova iOS 4.0.1
has been released. This is a patch release.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ios@4.0.1
To add it explicitly:
cordova platform add ios@4.0.1
The following plugins were updated today:
This release brings cordova-ios@4.0.0
platform compatibility to the cordova-plugin-inappbrowser
plugin, and it is also backwards compatible with cordova-ios@3.
The cordova-plugin-wkwebview-engine
plugin was updated to fix a bug related to loading pages in cordova-plugin-inappbrowser
.
To install:
cordova plugin add cordova-plugin-inappbrowser --save
cordova plugin add cordova-plugin-wkwebview-engine --save
Changes include:
The following plugins were updated today:
This is the initial release of this plugin. This plugin requires cordova-ios@4.0.0
. Please read the iOS 4.0.0 release blog for instructions to update.
To install:
cordova plugin add cordova-plugin-wkwebview-engine --save
If you are thinking of migrating from using the UIWebView on iOS, please read the README and also take note of the limitations of this plugin.
Changes include:
We are happy to announce that Cordova iOS 4.0.0
has been released.
This is a major release, and deprecated APIs have been removed. Some 3rd party plugins might require updates before they are compatible. This release adds first-class support for pluggable webviews - namely we now support WKWebView -- a bundled modern WebView for iOS!
The platform now supports Asset Catalogs for splashscreens and icons -- this is all transparent to you when using the <splash>
and <icon>
tags in config.xml.
ios-sim is bundled with the platform now, you will not need to install this separately anymore. However for ios-deploy you will need to update your version to the latest.
The minimum deployment target has been updated to iOS 8.0. This means that this platform release has only been tested on iOS 8 devices and greater only and will only support those iOS versions.
cordova-ios@4.0.0
will be the default iOS version in the next version of cordova
. If you just can't wait though, you can try it out now:
cd my_project
cordova platform update ios@4.0.0
# To install the WKWebView engine (optional):
cordova plugin add cordova-plugin-wkwebview-engine
We are in the process of releasing the cordova-plugin-wkwebview-engine
plugin to npm. If you decide to update to cordova-ios@4.0.0
before we release this plugin, please install the plugin via git
for now.
cordova plugin add https://github.com/apache/cordova-plugin-wkwebview-engine.git#1.0.0
Note that the cordova-plugin-wkwebview-engine
plugin has some limitations versus the default UIWebView, please consult the README for more details.
In addition to the <access>
tag, there is support for the new <allow-intent>
and <allow-navigation>
tags, documented here. Note that you do not need cordova-plugin-whitelist
installed for cordova-ios-4.0.0
.
cordova
will convert <access>
and <allow-navigation>
tags to the appropriate Application Transport Security (ATS) directives which are new in iOS 9. <access>
and <allow-navigation>
tags also support two new attributes: minimum-tls-version
and requires-forward-secrecy
.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ios@4.0.0
To add it explicitly:
cordova platform add ios@4.0.0
New patch update of cordova-cli
and cordova
are now live!
We had to fix a few issues that were discovered with the recent 5.4.0 release.
To update your tools:
If you have cordova
installed:
npm install -g cordova@latest
The following plugins were updated today:
The following plugins now require cordova-android@5.0.0
. Please read the Android 5.0.0 release blog for instructions to update.
Since cordova-android@5.0.0
isn't yet pinned by default in cordova
, you will have to explicitly install these new versions of these five plugins now. The previous released versions of the above five plugins are still set to latest
on npm instead of these newly released versions. These will be set to latest
once we release cordova@6
which will have cordova-android@5.0.0
pinned.
E.g.
cordova plugin add cordova-plugin-camera@2.0.0 --save
To see what versions exist for a plugin, run npm info PLUGINNAME versions
.
You can update any plugin by removing it, and then re-adding it.
E.g. To update your camera plugin:
cordova plugin rm cordova-plugin-camera --save
cordova plugin add cordova-plugin-camera --save
Changes include:
Updated 02/20/2016
Apache Cordova has re-visited CVE-2015-5256 "Apache Cordova vulnerable to improper application of whitelist restrictions on Android”. Upon further investigation we found that the vulnerability is more limited than was previously understood. We are lowering the severity to Low, and updating the description, affected versions, and upgrade path.
CVE-2015-5257 continues to be a valid vulnerability present in Cordova 3.6.4 and this is fixed in later versions of Cordova, and we want to encourage users to upgrade to 4.1.1 and for users needing to support Marshmallow (API 23+) we recommend to upgrade to Cordova Android 5.1.x.
When using the Cordova CLI, the command to use 4.1.1 or 5.1.0 of Cordova Android is:
cordova platform add android@4.1.0
cordova platform add android@5.1.0
The security issues are CVE-2015-5256 and CVE-2015-5257
For your convenience, the text of the CVEs are included here.
We are happy to announce that Cordova Windows 4.2.0
has been released!
This release adds support for back button handling on Windows 10 and
Windows Phone 8.1 and various other improvements. It will be the default
Windows version after the next cordova-cli
release.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update windows@4.2.0
To add it explicitly:
cordova platform add windows@4.2.0
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
We are happy to announce that Cordova Android 5.0.0
has been released.
With this release, there is now support for Android Marshmallow permission checking in plugins. Due to the nature of the recent Android changes, the major version has been incremented to reflect the new API changes. Only plugins that use certain permissions as defined by Google are affected by this change. The following core plugins needed to be updated:
cordova-plugin-camera
cordova-plugin-geolocation
cordova-plugin-contacts
cordova-plugin-file
cordova-plugin-media
We are in the process of releasing these plugins to npm. If you decide to update to cordova-android@5.0.0
before we release the plugins, please install these updated plugins via git
for now.
cordova plugin add https://github.com/apache/cordova-plugin-camera.git
Information on how to use the new Android Permission APIs can be found in the Cordova documentation, which can be found here.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update android@5.0.0
To add it explicitly:
cordova platform add android@5.0.0
New versions of cordova tools are now live!
Release highlights:
cordova plugin add
. This only happens if the old-style plugin ID exists in the registry-mapper, it will be auto converted to the new ID and fetched from npm instead. CLI
will now know if a newer version is available and will prompt users to update.cordova-lib
have been moved into a new module named cordova-common
. cordova-common
is shared among cordova-lib
and cordova platforms.To update your tools:
If you have cordova
installed:
npm install -g cordova@latest
If you have plugman
installed:
npm install -g plugman@latest
We are happy to announce that Cordova iOS 3.9.2
has been released and will be the default iOS version.
This release addresses multiple iOS 9/9.1 and XCode 7/7.1 issues. It also deprecates a number of APIs, which will be removed in Cordova iOS 4.0.0
. For a full list of API changes see API changes in 4.0.md
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ios@3.9.2
Cordova tools 5.3.3 has been released to properly support Node v4.
If you are currently develop for the iOS platform and plan to use Node v4, we recommend you update to this release:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
A medium security issue was discovered for cordova-plugin-file-transfer plugin. We are releasing version 1.3.0
of cordova-plugin-file-transfer
to address this security issue. We recommend that all applications currently using an older version of this plugin to upgrade as soon as possible.
You can update the plugin by removing it, and then re-adding it.
E.g. To update your file-transfer plugin:
cordova plugin rm cordova-plugin-file-transfer --save
cordova plugin add cordova-plugin-file-transfer --save
The security issue is CVE-2015-5204.
For your convenience, the text of the CVE is included here:
New versions of cordova tools are now live!
To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
Starting today, plugins.cordova.io has become immutable. Plugin authors are encouraged to move their plugins over to npm if they haven't already. Plugin authors should checkout our guide to transition over to npm here.
Users can start searching for cordova plugins which have moved over to npm on our new cordova npm search page.
Cordova CLI version 5.0.0 or higher is required to fetch plugins from npm. If you want to use the latest releases of plugins, please update your version of Cordova. Alternatively, older cli users can add plugins via git urls. Example:
cordova plugin add https://github.com/apache/cordova-plugin-camera.git
Make sure to checkout our previous blog post about moving plugins to npm if you missed it the first time around.
We are happy to announce that Cordova BlackBerry 3.8.0
has been released and will be the
default BlackBerry version after next cordova-cli
release.
This release adds support for adding blackberry10 platform on any workstation OS, adds subdomain whitelisting and includes several bug fixes.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update blackberry10@3.8.0
To add it explicitly:
cordova platform add blackberry10@3.8.0 --save
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
We are happy to announce that Cordova Windows 4.1.0
has been released and will be the
default Windows version after next cordova-cli
release.
This release aligns with the RTM release of Windows 10, and supports the web platform enhancements that it included, such as hosted apps and a new version of WinJS. It also supports the new .NET Native compilation model for Cordova plugins which include a native or .NET component.
There are also a number of bug fixes, including platform dependency problems and the ability to perform a cordova prepare
for Windows while on a Mac.
Finally, user-configurable packaging parameters are now fully baked, so that Windows code signing requirements don't overwrite code signing requirements for other platforms. Use the windows-packageVersion
attribute of <widget>
in config.xml to specify an independent version for Windows Store submission, and to incorporate the name of the application which is assigned by the Windows Store, set the <preference>
named WindowsStoreIdentityName
.
Now there is support to see console.log messages and exceptions from your app in the console. This can be useful for quick diagnostics. In an admin command prompt, you can run:
platforms\windows\cordova\log
To upgrade:
npm install -g cordova
cd my_project
cordova platform update windows@4.1.0
To add it explicitly:
cordova platform add windows@4.1.0 --save
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
New versions of cordova tools are now live!
Release highlights:
Plugman
publish
, unpublish
, addUser
and owner add/rm
commands due to plugins.cordova.io switching to read only. Plugin authors are encouraged to publish to npm instead. Learn more at http://plugins.cordova.io/npm/authors.html.clean
command to cordova-cli
. This cleans the build artifacts for your project. Run cordova clean -h
for more information.config.xml
via --save
flag.plugman platform add
--usegit
flag.--browserify
. EX. cordova run android --browserify
.To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
We are happy to announce that Cordova iOS 3.9.0
has been released and will be the
default iOS version after next cordova-cli release.
UPDATE: To deploy to iOS devices, developers will have to update their ios-deploy
dependency to the version 1.4.0 or greater. Run npm install ios-deploy -g
to download
the latest release.
Apart from a number of bug fixes, there is now support for checking system requirements for iOS platform:
$>cordova requirements ios
Requirements check results for ios:
Apple OS X: installed darwin
Xcode: installed 6.3
ios-deploy: installed 1.7.0
ios-sim: installed 4.1.1
and support for Signing the App for iOS platform:
$>/path/to/my/project/cordova/build --codeSignIdentity="iPhone Distribtion" --provisioningProfile="926c2bd6-8de9-4c2f-8407-1016d2d12954"
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ios@3.9.0
We are happy to announce that Cordova Android 4.1.0
has been released.
With this release, there is now support for checking system requirements for Android platform:
$>cordova requirements android
Requirements check results for android:
Java JDK: installed 1.7.0
Android SDK: installed
Android target: installed android-19,android-21,android-22,Google Inc.:Google APIs:19,Google Inc.:Google APIs (x86 System Image):19,Google Inc.:Google APIs:21
Gradle: installed 1.12
Apart from a number of bug fixes, mininumSdkTarget has also been switched to 14 from 7. The minimum supported Android OS for Cordova is now Ice Cream Sandwich.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update android@4.1.0
To add it explicitly:
cordova platform add android@4.1.0
The following plugins were updated today:
New versions of cordova tools are now live!
Release highlights:
cordova requirements
commandcordova prepare --browserify
now supports 3rd party plugins to build your cordova.js
at run time! Try it out!To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
Cordova tools 4.3.1 has been released to pin version 3.7.2 of the Android platform, which includes an important security update.
If you are currently using Cordova 4.x and develop for the Android platform, we recommend you update to this release:
npm install -g cordova@4.3.1
If you have existing projects that use Cordova Android 3.7.1 or earlier, you can update them to 3.7.2:
cordova platform update android@3.7.2
We are happy to announce that Cordova Windows 4.0.0 has been released!
windows-target-version
preference in config.xml set to 8.0, you will see this warning and you should consider changing it to 8.1.windows8
platform keyword is deprecated. For all plugins, use windows
as the platform keyword.A major Security issue were discovered in the Android platform of Cordova. We are releasing version 4.0.2 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova 4.0.x or higher be upgraded to use version 4.0.2 of Cordova Android. If you are using an older version of Cordova, we have also released 3.7.2 with the same fix, and we recommend that you at upgrade your project to either of these fixed versions. Other Cordova platforms such as iOS are unaffected, and do not have an update.
When using the Cordova CLI, the command to use 4.0.2 of Cordova Android is:
cordova platform add android@4.0.2
and the command to use 3.7.2 is:
cordova platform add android@3.7.2
The security issue is CVE-2015-1835
For your convenience, the text of the CVE is included here.
New versions of cordova tools are now live!
Release highlights:
<feature>
tags have been renamed to <plugin>
tags in your projects config.xml
. Adding a <plugin>
tag to your config.xml
will fetch and install it on cordova prepare
if it isn't already installed.config.xml
. When adding plugins or platforms, use the --save
flag to add them to config.xml
. Ex: cordova platform add android --save
. Existing projects can use cordova plugin save
and cordova platform save
commands to save all previously installed plugins and platforms into your project's config.xml
. Platforms and plugins will be autorestored when cordova prepare
is run. This allows developers to easily manage and share their dependenceis among different development enviroments and with their coworkers. To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
The Apache Cordova team is happy to announce a new plugins release that coincides with us moving our core plugins to npm!
With the move over to npm, we have decided to rename our core plugins for improved readability and to better fit within the npm ecosystem.
org.apache.cordova.*
to cordova-plugin-*
.cordova plugin add cordova-plugin-device
.
Using the new ID will fetch the plugin directly from npm.Our current Cordova plugins registry (CPR) will continue to be operational for at least 6 months (October 15th, 2015
) as we help plugin developers transition over to npm.
This will also allow current Cordova developers to upgrade their CLI
to version 5.0.0 or higher.
July 15th, 2015
.To find plugins on npm, search for ecosystem:cordova.
We are working with npm to improve discoverability and will have more to announce later this year.
We encourage all third party plugin developers to add ecosystem:cordova
as a keyword in their plugin's package.json
.
We are happy to announce that Cordova Android 4.0.0
has been released!
This release adds significant functionality, and also introduces a number of breaking changes. Mostly though, it adds first-class support for Crosswalk -- a bundled modern WebView!
cordova-android@4.0.0
will be the default android version in the next
version of cordova
. If you just can't wait though, you can try it out now:
cd my_project
cordova platform update android@4.0.0
cordova plugin add https://github.com/apache/cordova-plugin-whitelist.git#r1.0.0
# To install Crosswalk (optional):
cordova plugin add https://github.com/MobileChromeApps/cordova-plugin-crosswalk-webview.git#1.0.0
New versions of cordova tools are now live!
To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
Release highlights:
iOS-deploy
dependency to launch on iOS devices. Please run npm install -g ios-deploy
to install the latest version 1.4.0
.--save
command when adding platforms and plugins to your project.
Saved platforms and plugins are automagically restored during prepare.
Ex. cordova platform add android --save
.
This should make it easier developing cordova projects among a team.plugman createpackagejson <plugin_path>
to add a package.json
file to their plugins.We are happy to announce that Cordova Windows 3.8.0
has been released!
This release adds support for new Visual Studio 2015 Tools and has various other improvements. It will be the default Windows version when the cordova-cli 4.3.0 is released.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update windows
To add it explicitly:
cordova platform add windows@3.8.0
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
UPDATE: To deploy to iOS devices, developers will have to update their ios-deploy
dependency to the latest release. Run npm install ios-deploy -g
to download the latest release of version 1.4.0
.
We are happy to announce that Cordova iOS 3.8.0
has been released!
This release has various bug fixes, and will be the default iOS version when the cordova-cli 4.3.0 is released. This release also requires Xcode 6.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ios
To add it explicitly:
cordova platform add ios@3.8.0
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
The following plugins were updated today:
The plugins have been updated on our registry at plugins.cordova.io.
You can update any plugin by removing it, and then re-adding it.
E.g. To update your camera plugin:
cordova plugin rm org.apache.cordova.camera
cordova plugin add org.apache.cordova.camera
Changes include:
We are happy to announce that Cordova Android 3.7.1
has been released!
This release has numerous bug fixes, and sets the target-sdk to android-21 (which yields a pretty good graphics speed-up on Lollipop devices!). It will be the default Android version when the cordova-cli 4.1.0 is released.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update android@3.7.1
To add it explicitly:
cordova platform add android@3.7.1
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
New versions of cordova tools are now live!
To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
The following plugins were updated today:
The plugins have been updated on our registry at plugins.cordova.io.
You can update any plugin by removing it, and then readding it. E.g. To update your camera plugin:
cordova plugin rm org.apache.cordova.camera
cordova plugin add org.apache.cordova.camera
Changes include:
Apple has recently announced that new and updated apps submitted to the Apple App Store must include 64-bit support for them to be approved. This change will be implemented by the Apple App Store starting February 1, 2015.
This means that starting at that time, Cordova-based apps should be built using a version of Cordova that has 64-bit iOS support.
The first version of Cordova to include 64-bit for iOS is 3.4.1. Therefore, to meet these requirements of the Apple App Store, you should be using at least version 3.4.1 of Cordova before this February deadline.
While developing mobile apps with Cordova, performance is a common concern many developers have. Though recent WebView improvements have made smooth experiences easy to achieve, it is always important to watch out for code in our apps that may make the app janky.
The latest versions of Android and iOS WebViews can connect to and leverage developer tools in browsers for profiling rendering performance of apps. Developer tools provide insights into details like frames rates, repaints, layouts, etc.
Articles (like my performance audit workflow and the runtime performance checklist) articulate the typical workflow for auditing performance of webpages. Similar principles can be applied to apps too.
New versions of cordova tools are now live!
To update your tools:
If you have cordova
installed:
npm install -g cordova
If you have plugman
installed:
npm install -g plugman
A certificate in the Windows platform template has expired on 11/11/2014 and as a result, building Windows using the Cordova CLI currently fails. This affects all existing projects and any new projects created using the command line prior to Cordova versions <= 4.0.0
.
Note that this does not affect the WP8 platform.
When building Cordova for Windows, you may seen an error message that looks something like this
cordova run windows
C:\Program Files (x86)\MSBuild\Microsoft\VisualStudio\v12.0\AppxPackage\Microsoft.AppXPackage.Targets(1772,9): error APPX0108: The certificate specified has expired.
For more information about renewing certificates, see http://go.microsoft.com/fwlink/?LinkID=241478.
This issue will be fixed in the next release of the Cordova CLI
However, to ensure that you can continue building your existing Cordova projects for Windows till then, please replace the expired certificate located at yourCordovaProject\platforms\windows\CordovaApp_TemporaryKey.pfx
with a new one from here. Ensure that the downloaded file is renamed to CordovaApp_TemporaryKey.pfx
We are happy to announce that Cordova Windows & WP8 3.7.0
has been released!
This release has various bug fixes.
It will be available in the next cordova-cli release (Cordova CLI 4.1.0), which is expected in a few days.
To upgrade (once CLI update is released):
npm install -g cordova
cd my_project
cordova platform update windows
To add it explicitly (available now):
cordova platform add windows@3.7.0
cordova platform add wp8@3.7.0
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
We are happy to announce that Cordova iOS 3.7.0
has been released!
This release has various bug fixes, and will be the default iOS version when the cordova-cli 4.1.0 is released. This release also requires Xcode 6.
To upgrade:
npm install -g cordova
cd my_project
cordova platform update ios
To add it explicitly:
cordova platform add ios@3.7.0
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
The following plugins were updated today:
Notable changes include:
iPhone 6/6+
support for cordova-splashscreen
pluginMobile
to Cellular
for cordova-network-information
plugin.cordova-media-capture
plugin getPreferredLanguage()
and getLocaleName()
for cordova-globalization
plugin.ms-appdata URIs
for cordova-file-transfer
plugin The plugins have been updated on our registry at plugins.cordova.io.
You can update any plugin by removing it, and then readding it. E.g. To update your camera plugin:
cordova plugin rm org.apache.cordova.camera
cordova plugin add org.apache.cordova.camera
Other changes include:
We are happy to announce that Apache Cordova CLI 4.0
has been released!
We have also released Cordova-Browser 3.6.0
, Cordova-Android 3.6.4
, Cordova-Windows 3.6.4
, and Cordova-WP8 3.6.4
.
Most notable changes include:
4.0.0
to reflect our changes in release policy.--target
flagTo upgrade: (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
We have recently decided to update our release process to include independent releases for platforms. This means that our platform maintainers can release updates when they need to and not have to wait for other platforms to be ready to release.
The following plugins were updated today:
Notable changes include:
The plugins have been updated on our registry at plugins.cordova.io.
We are happy to announce that Apache Cordova 3.6
has been released!
Most notable changes include:
To upgrade: (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
While preparing the 3.6.0 release, the release candidates were published to a write-once repository. When it was discovered that the release candidates needed to be updated, we were unable to modify the write-once repository, so we were forced to bump the version number. This is why all the 3.6 cadence release items are labelled as "3.6.3". So 3.6.3 is the first release of the 3.6.x version. Apologies for the confusion.
An updated version of cordova
and cordova-lib
are available starting today.
To update your tools:
npm install -g cordova
These contain only one minor function change, which is related to the recent release of Cordova Android 3.5.1. Before today's update, when adding the Android platform to a project, by default it would use version 3.5.0 of Cordova Android. In order to get the latest 3.5.1 of Cordova Android, you would need to manually specify the 3.5.1 version number on the platform add
command. Today's update changes the default version of Cordova Android used when adding the Android platform to a project, so that you no longer need to manually specify the 3.5.1 version number to get the 3.5.1 version. You'll now get 3.5.1 by default.
The following plugins were updated today:
Notable changes include:
The plugins have been updated on our registry at plugins.cordova.io.
You can update any plugin by removing it, and then readding it. E.g. To update your file plugin:
cordova plugin rm org.apache.cordova.file
cordova plugin add org.apache.cordova.file
Other changes include:
On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards, talking with the original researchers, we realized that the text of the security announcement that went out wasn't quite right, so we've amended it.
You can read the amended blog post here.
The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs that they couldn't load to the Android intent system for handling. This lets developers construct URLs that open email applications, maps, or send SMS messages, or even open web pages in the system browser, but it also allowed malicious URLs that could potentially open other applications on the device. This meant that if someone could execute their own JavaScript in your application, that they could use other applications on the device to "phone home" with the user's data. This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.
Updated: 2014-08-06 (The text of CVE-2014-3502 was changed after this post was released, to better explain the cope of the issue and the ways to mitigate the problem)
Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.
When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:
cordova platform add android@3.5.1 --usenpm
The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.
For your convenience, the text of these CVEs is included here.
New versions of plugman
, cordova
and cordova-lib
are now live!
To update your tools:
npm install -g cordova
npm install -g plugman
Most notable changes are:
cordova save plugins --experimental
cordova restore plugins --experimental
browserify
to package our cordova.js
build artifact. This is an internal change to our tooling, and is currently still off-by-default. We would appreciate feedback since we hope to switch to on-by-default in a future release. Try it using plugman as:
plugman (un)install --browserify --project [PROJECT] --plugin [PLUGIN] --platform [ios|android]
Other changes include:
The following plugins were updated today:
Notable changes include:
navigator.contacts.pickContact
API has been added for Android, iOS, Windows Phone 8 and Windows 8 platformsnavigator.contacts.find
API on Android, iOS and Windows Phone 8 now supports desiredFields
which specifies contact fields to be returnedThe plugins have been updated on our registry at plugins.cordova.io.
You can update any plugin by removing it, and then re-adding it. E.g. To update your contacts plugin:
cordova plugin rm org.apache.cordova.contacts
cordova plugin add org.apache.cordova.contacts
Other changes include:
The following plugins were updated today:
Notable changes include:
cordova.file.*
(iOS & Android, refer to docs)CONTRIBUTING.md
)The plugins have been updated on our registry at plugins.cordova.io.
You can update any plugin by removing it, and then readding it. E.g. To update your file plugin:
cordova plugin rm org.apache.cordova.file
cordova plugin add org.apache.cordova.file
Other changes include:
We are happy to announce that Apache Cordova 3.5
has been released!
Most notable changes include:
cordova-cli
& cordova-plugman
has been moved into its own repo named cordova-lib
. package.json
file and has been uploaded to npm
. Future updates to the cordova-cli
will make use of npm
instead of git
for loading platforms.arm64
. New projects are built as a universal binary (64 and 32-bit), and require a minimum deployment target of iOS 6.0.To upgrade: (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
Other changes include:
The following plugins were updated today:
Many of these are minor, or only relevant to a couple of platforms. However, some notable changes include:
statusbar
is now a core Cordova plugin, and now includes support for Windows Phonesplashscreen
now includes support for Tizenfile
now produces webview-compatible URLs (file:///) URLs by default when calling .toURL
file
includes much of the functionality of the file-system-roots
plugin, and allows access to all files on the device (except those blocked by the OS)clearcache
and clearsessioncache
like Androidmedia-capture
which prevented it from being used with the file
pluginThe plugins have been updated on our registry at plugins.cordova.io.
E.g. To update your file plugin:
cordova plugin rm org.apache.cordova.file
cordova plugin add org.apache.cordova.file
Other changes include:
New versions of plugman
, cordova
and cordova-ios
are now live!
To update your tools:
npm update -g cordova
npm update -g plugman
Cordova iOS 3.4.1 is included with the latest update of cordova
.
Most notable changes include:
.pbxproj
files according to Xcode 5.1 recommendationsarm64
by defaultplugin add
for FirefoxOS.cordova info
command fixed for Windows platformOther changes include:
New versions of plugman
and cordova
are now live!
To update your tools:
npm update -g cordova
npm update -g plugman
Most notable changes include:
plugman create
for generating a plugin template (CB-4886)cordova prepare
after installing a plugin (CB-5647)cordova
now shows output of builds and hook scriptsOther changes include:
The following plugins were updated today:
Notable changes include:
file
pluginfile-transfer
trustAllHosts on iOS (was true, is now false)inappbrowser
on iOS being able to run code within the host UIWebViewThe plugins have been updated on our registry at plugins.cordova.io.
E.g. To update your file plugin:
cordova plugin rm org.apache.cordova.file
cordova plugin add org.apache.cordova.file
Other changes include:
We are happy to announce that Cordova 3.4
has been released!
This release has various bug fixes for all of our supported platforms.
Our friends at Mozilla have put together a blog post about getting started with Cordova Firefox OS. Check it out at https://hacks.mozilla.org/2014/02/building-cordova-apps-for-firefox-os/.
To upgrade: (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
The following plugins were updated today:
The most noticeable changes in this release are to the File plugin. It has been revamped to use a new URL scheme cdvfile://localhost/<filesystemType>/<path to file>
. These URLs are generated by all file operations, and are passed over the bridge to native code. (This is in contrast to the previous version, which passed around absolute paths on the device filesystem).
Most of these changes are to bring us more in line with the HTML Filesystem standard, although they will also allow us to extend the filesystem abstraction to cover new kinds of storage, both internal and external to devices.
Other changes include:
It's been a long time since our last tools release, but it's certainly no sign of stagnation. Today's release is action packed!
To update your tools:
npm update -g cordova
npm update -g plugman
This release brings with it a plethora of bug fixes as well as some new features! Notably:
config.xml
now lives at the project root by default (instead of within www/
)hooks
now lives at the project root by default (instead of within .cordova
)www/
to use when creating a new project with --link-to
or --copy-from
cordova
and plugman
to search for plugins locally using --searchpath
Full list of release notes:
The following plugins were updated today:
With this release, documentation for plugins have moved from
http://cordova.apache.org/docs to the doc/
directory
within plugins themselves. Eventually, docs will be available online through
plugins.cordova.io. Until then, they will be viewable online
via github.
Aside from documentation, changes include:
On Friday, Cordova 3.3
went live on npm. Woohoo!
This release brings with it initial support for Ubuntu Touch as well as Amazon Fire OS!
To upgrade: (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
The Apache Cordova team has just released the first release candidate for Cordova 3.3.0! We will be aiming to release the final version near the end of next week! Just in time for some holiday hacking!
Now we ask you, our community, to please download and help us test!
Installing cordova for the first time:
npm install -g cordova@3.3.0-rc.1
Updating your current version of cordova:
npm update -g cordova@3.3.0-rc.1
Example of updating your current cordova android project to the latest version:
cd cordovaApp
cordova platform update android
Issues can be reported at https://issues.apache.org/jira/browse/CB
We will release a changelog with the offical 3.3.0 release when it ships!
Today we are doing a plugins release in preparation for Cordova 3.3.0. Most plugins now have support for our upcoming platform additions, Amazon Fire OS & Ubuntu! Most notable changes include:
The plugins have been updated on our registry at plugins.cordova.io.
The new & improved file plugin did not get released with todays release. It requires more work & testing. We hope to have it out before 3.3.0 lands next week.
The Apache Cordova team has just released Cordova 3.2.0. Woo Hoo! This release has various bug fixes and enhancements for all of the platforms.
To upgrade to a 3.2 project (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
We are in the process of fixing Android 4.4 (KitKat) related bugs. If you want to develop for KitKat, please read our KitKat blog post.
Two known issues can be found at CB-5398 and CB-5294.
Please report any bugs on our issue tracker.
Android KitKat brings a massive update to the system WebView. This is terrific news for Cordova developers, as initial reviews give it a big thumbs up.
Update: The following is not actually true. It was an issue with a release candidate, but does not manifest in the final version of the WebView.
However, the update introduced a bug in Cordova applications
that were built with Cordova versions prior to 3.1.0
, or 2.9.1
which can cause native bridge callbacks to not be received until another one is made
(e.g. by switching in & out of the app). We strongly encourage all apps to
update their Cordova version,
or to directly apply the fix to
cordova-android and
cordova-js.
The Apache Cordova team has just released the first release candidate for Cordova 3.2.0! Barring no hiccups, we will be aiming to release the final version later this week. Now we ask you, our community, to please download and help us test! We want this to be the most solid release yet!
Installing cordova for the first time:
npm install -g cordova@3.2.0-rc.1
Updating your current version of cordova:
npm update -g cordova@3.2.0-rc.1
Example of updating your current cordova android project to the latest version:
cd cordovaApp
cordova platform update android
Issues can be reported at https://issues.apache.org/jira/browse/CB
We will release a changelog with the offical 3.2.0 release when it ships!
The Apache Cordova team has just released Cordova 2.9.1. Wait what?! You read right! We have backported some bug fixes to the Cordova 2 series for all of you that haven't upgraded to the Cordova 3 series yet. Hurray! Among other fixes, this release backports iOS 7 support.
Users can download the source zip from https://www.apache.org/dist/cordova/cordova-2.9.1-src.zip
We will continue to backport fixes for a few more months, but we highly suggest upgrading to the Cordova 3 series.
Today we are doing a plugins and tooling release in preparation for Cordova 3.2.0. Most notable changes include:
The plugins have been updated on our registry at plugins.cordova.io.
Cordova 3.0 saw a major shift towards plugins. As part of this shift, we're focusing on making plugins easy to use and, equally importantly, easy to discover. App developers want to know what plugins are available to them, and plugin developers want their plugins to be visible to the community.
Our solution, which has been alluded to in previous posts, is the Cordova plugin registry. Using the Cordova CLI, app developers can add plugins to their projects with a single command.
Today we are doing a release for the plugins that have been updated since our last release. We are also excited to announce three new plugins that have recently been added to our registry.
The new plugins include:
The following plugins have been updated for this release:
These plugins have been updated on our registry at plugins.cordova.io.
The Apache Cordova team has just released Cordova 3.1.0. Hurray! Most notable changes include:
To upgrade a 3.0 project (replace android
with the platform you want to update):
npm install -g cordova
cd my_project
cordova platform update android
For non-CLI projects or for pre-3.0 projects, refer to the upgrade guides.
Today we are doing a plugin release in preparation for Apache Cordova 3.1.0, which is scheduled to be released later this week.
The main change for this release is removing 'core' from the plugin ID fields. This was done to make installing plugins simpler in 3.1.0. We are switching over to using plugin IDs and our plugin registry for plugin installation instead of directly installing from the plugin git urls.
These plugins are compatible with Cordova 3.0.0. Feel free to upgrade your current plugins if you can't wait for 3.1.0 next week. Keep in mind that after you install these updated plugins, if you decide to remove these plugins from your project, you will have to reference the new IDs instead of the old ones that our docs show.
E.g. To update your camera plugin:
cordova plugin rm org.apache.cordova.core.camera
cordova plugin add org.apache.cordova.camera
Last week Cordova saw 83 commits come in from 24 different authors. No releases were made, but attention was spent on adding Firefox OS support, translating docs, and fixing bugs.
Last week Cordova saw 39 commits come in, plugman
reached version 0.11.0
, and CLI
reached 3.0.9
.
plugman
now has initial support for Windows Phone, plugin URLs can now
specify a git hash and subdirectory,
and <engine>
tags are now enforced.
There was also good progress made towards launching our Plugin Registry.
Apache Cordova is going global! Apache Cordova is already being used by developers all over the world and now, we are proud to announce, the Apache Cordova documentation will be translated into a number of languages. But we need your help! With the support of Crowdin, a translation and localization management platform, translators can login to the easy-to-use tooling and provide as much or as little translation assistance as they would like. If you know another language please support Cordova and contribute.
http://crowdin.net/project/cordova
Email ldeluca@apache.org for more information.
It went live on Friday! Snapshot available on our download page but before downloading please read on to find out whats new including for more ways to work with Cordova!
Cordova 3 introduces a new unified project structure and ships with a very limited API surface. Developers can now compose a version of Cordova with only the APIs they need. In the past, Cordova shipped with the entire kitchen sink of APIs that most applications only needed a small subset of. This lead to messy, and often not even necessary, upgrading for our community. With the release of Cordova 3 you start with a very light weight core and only add the API surface your application requires. Obviously, this means a performance improvement but the real win here is maintenance and upgrading. We'll continue to maintain "core" APIs which are the same device APIs you've come to know and love.
We're very excited to share two new command line tools: Cordova and Plugman. Both are implemented using NodeJS
and thusly distributed via npm
. The cordova
command line tool has been a long time coming. It unifies all platforms into a single project structure, making it easy to maintain a single codebase for multiple platforms. The cordova
tool builds off of our other new tool: plugman
, which provides automated discovery, installation, and removal of both core and custom plugins.
We've been testing for months but keep in mind both tools are new. Bugs happen, so you if you find one or even just have an idea for a new feature please visit our issue tracker.
Cordova now has a Blog! Look here to stay up-to-date with what's happening with the project. There is a major release 3.0 just around the corner (July 19, 2013), and we are really excited about it!
Be sure to subscribe using RSS