[Pkg-javascript-devel] Bug#794890: Bug#794890: npm: new upstream version

Michael Prokop mika at debian.org
Wed Nov 23 14:20:02 UTC 2016


* Jérémy Lal [Wed Nov 23, 2016 at 02:42:23PM +0100]:
> 2016-11-23 14:18 GMT+01:00 Michael Prokop <mika at debian.org>:

[...]
> > Looking at e.g. the current state of the node-request
> > dependency (~2.78.0):

> > % rmadison node-request
> > node-request | 2.26.1-1      | stable          | source, all
> > node-request | 2.26.1-1      | stable-kfreebsd | source, all
> > node-request | 2.26.1-1      | testing         | source, all
> > node-request | 2.26.1-1      | unstable        | source, all

> I know it's just an example, but I started working on updating
> node-request last week.

Hej :)

[...]
> > I might be wrong (please correct me), but my impression is that
> > people are uploading node-* packages mainly to satisfy a
> > (build-)dependency they have in a package and then don't really care
> > about those packages any longer. I also count 196 node-* packages
> > without *any* rdepends on them (http://paste.grml.org/2868/ is the
> > full list), aren't people working on those things interested in an
> > up2date npm package?

> I believe as well it is true for most of them.
> Bundling dependencies (only when upstream actually takes care of
> updating them when doing a release) would solve the issue in many ways.

ACK

> > Back to the npm situation: I was reporting
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794890#34 because
> > Debian's npm can't be really used reliably nowadays (the
> > "@module/names" not supported at all). Looking through the
> > bugreports of the npm package I'd call it unmaintained, there's even
> > an open CVE (https://security-tracker.debian.org/tracker/CVE-2016-3956).
> > The last upload was in 2014 and no one felt to call for help with
> > its packaging since then (especially now with stretch freeze on our
> > horizon), orphan the package etc. or am I missing something here?

> > Overall, I'm not sure we are providing our users something good with
> > the current situation. Though what realistic options do we have to get
> > forward here? Any thoughts?

> Most, if not all, npm dependencies are shipped by upstream "bundled",
> meaning they actually take care of updating the dependencies when
> doing a release of npm.
> That means it would be maintainable (and certainly much easier to do so)
> by simply distributing all the bundled submodules as part of the npm
> debian package - and by considering the release tarball to be the one
> distributed on upstream website, and not the one tagged from the git repository.

> If ftp masters are all right with this, I'm willing to do the work.

Ok, should we Cc ftpmasters@ (and possibly security@)?

> A question is left open: should the npm package "Provides" all those submodules
> and install them to be used by everyone? Or should it keep them for its own
> internal use?
> If bundled submodules are listed in "Provides", it would allow sharing common
> code and avoid multiple software to use different copies - I suppose it would be
> a good thing, though a bit out of policy.

Good question, I don't really have an opinion on that.

Thanks for fast response, looks like we're sharing much of the same view. :)

regards,
-mika-
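The thread's argument rests on a concrete check: npm's own metadata asks for node-request `~2.78.0`, while `rmadison` shows every Debian suite still at `2.26.1-1`, so the packaged module cannot satisfy the dependency (and, as the open CVE shows, a suite that lags this far also lags security fixes). The script below is an added example, not code from the thread or from Debian's tooling: it parses rmadison's pipe-separated output (the constructed sample reproduces the layout quoted above), strips the Debian epoch and revision to recover the upstream version, and evaluates npm's tilde (`~`) and caret (`^`) range semantics against it. The `check_suites` and `lagging_suites` helper names are my own; prerelease and build suffixes are ignored for ordering, which is a simplification.

```python
import re

# Constructed sample input: rmadison output in the same layout as the
# quote in the thread above (package | version | suite | architectures).
RMADISON_OUTPUT = """\
node-request | 2.26.1-1      | stable          | source, all
node-request | 2.26.1-1      | stable-kfreebsd | source, all
node-request | 2.26.1-1      | testing         | source, all
node-request | 2.26.1-1      | unstable        | source, all
"""

SEMVER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-+~].*)?")


def parse_rmadison(text):
    """Parse rmadison's pipe-separated table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError("unexpected rmadison line: %r" % line)
        package, version, suite, arches = parts
        rows.append({"package": package, "version": version,
                     "suite": suite, "arches": arches.split(", ")})
    return rows


def upstream_version(debian_version):
    """Strip the epoch ('1:') and the Debian revision ('-1') from a
    Debian version string, leaving the upstream version."""
    v = debian_version.split(":", 1)[-1]
    if "-" in v:
        v = v.rsplit("-", 1)[0]
    return v


def parse_semver(version):
    """Return (major, minor, patch); prerelease/build suffixes are ignored."""
    m = SEMVER_RE.fullmatch(version)
    if not m:
        raise ValueError("not a MAJOR.MINOR.PATCH version: %r" % version)
    return tuple(int(x) for x in m.groups())


def satisfies(version, spec):
    """Check a version against an npm tilde ('~X.Y.Z'), caret ('^X.Y.Z')
    or exact range.  ~X.Y.Z allows patch updates only: >=X.Y.Z <X.(Y+1).0.
    ^X.Y.Z allows any update that keeps the leftmost non-zero component."""
    v = parse_semver(version)
    if spec.startswith("~"):
        base = parse_semver(spec[1:])
        upper = (base[0], base[1] + 1, 0)
    elif spec.startswith("^"):
        base = parse_semver(spec[1:])
        if base[0] > 0:
            upper = (base[0] + 1, 0, 0)
        elif base[1] > 0:
            upper = (0, base[1] + 1, 0)
        else:
            upper = (0, 0, base[2] + 1)
    else:
        return v == parse_semver(spec)
    return base <= v < upper


def check_suites(rmadison_text, spec):
    """Map each suite in the rmadison output to whether the packaged
    upstream version satisfies the range the depending package needs."""
    return {row["suite"]: satisfies(upstream_version(row["version"]), spec)
            for row in parse_rmadison(rmadison_text)}


def lagging_suites(rmadison_text, spec):
    """Sorted names of suites whose package does not satisfy the range."""
    return sorted(s for s, ok in check_suites(rmadison_text, spec).items()
                  if not ok)


if __name__ == "__main__":
    # With the thread's numbers every suite falls outside ~2.78.0.
    for suite, ok in check_suites(RMADISON_OUTPUT, "~2.78.0").items():
        print("%-16s %s" % (suite, "ok" if ok else "does not satisfy ~2.78.0"))
```

Run it against real `rmadison` output piped through `parse_rmadison` to get, per suite, the list of node-* packages that would have to be updated before the npm package could use them instead of its bundled copies; the same list is a useful starting point when triaging which lagging packages carry unfixed advisories.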