[Pkg-javascript-devel] Bug#794890: Bug#794890: Bug#794890: npm: new upstream version

Michael Prokop mika at debian.org
Wed Nov 23 14:31:47 UTC 2016


* Jonas Smedegaard [Wed Nov 23, 2016 at 02:57:35PM +0100]:
> Quoting Michael Prokop (2016-11-23 14:18:49)

> > ... I'm afraid the situation of node-* packages in Debian is worse 
> > than I expected. node-request's upstream release of version 2.26.1 
> > dates back to August 2013 and nowadays upstream is at version 2.79. 
> > There's #844072 against node-request (where someone is asking for a 
> > newer version of node-request in Debian), but it was filed just this 
> > month (November 2016) and between 2013 and 2016 there was not a single 
> > package upload for node-request in Debian.

> Seems you imply that node-request is badly maintained.  Another 
> interpretation of above facts is that node-request was very well written 
> and its dependencies in Debian until recently were satisfied fine by the 
> older version.

Or that not many people are using the node-request version from
Debian as-is.

> > Asking around what other Debian contributors and users usually do when 
> > they've to deal with npm + nodejs: either "npm install -g npm"(sic!) 
> > and then use npm to install the actual node packages or directly head 
> > towards upstream (like https://deb.nodesource.com/setup_4.x).

> Npm is an *alternative* to using Debian packaged nodejs code.

> Users of Debian cannot tell anything about how same or similar tasks 
> could be solved using Debian, because they evidently stopped trying.

I'm not sure I understand you correctly, but if you're implying that
users of Debian don't use the Debian packages as provided then
that's the trend I'm afraid of if we still ship those packages
(though don't really care about them).

> > Now one reason why we have node-* packages in Debian is that they
> > are dependencies of further packages. To have some numbers: I see
> > 601 packages named "node-*" in sid/amd64 as of today, and when
> > looking at their reverse dependencies I see only those 24 binary
> > packages with node-* packages in their depends/recommends/suggests:
> []
> > [JFTR: I didn't consider and look into build-depends for my numbers
> > and didn't verify my list with UDD or similar yet. If my numbers are
> > wrong please correct me.]

> Seems you counted only _binary_ packages - missing e.g. libjs-jquery 
> which is a dependency of quite a few packages.

Yes, and I also looked just at the node-* namespace to have a
starting point. Thanks for mentioning that though.

> > I might be wrong (please correct me), but my impression is that people 
> > are uploading node-* packages mainly to satisfy a (build-)dependency 
> > they have in a package and then don't really care about those packages 
> > any longer.

> That may be true for some packages, but please fix your counting method 
> before further discussion, to avoid discouraging people doing good work 
> here,

I don't want to discourage anyone (actually I'm interested in the
exact opposite, that's why I put quite some time into looking into
this *and* talk about it, most other Debian folks I talked to just
don't care enough to even look into this).

My numbers for the node-* packages should be OK-ish though, I just
didn't include the libjs-* namespace. :)

> > Back to the npm situation: I was reporting 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794890#34 because 
> > Debian's npm can't be really used reliably nowadays (the 
> > "@module/names" not supported at all). Looking through the bugreports 
> > of the npm package I'd call it unmaintained,

> I suspect you are right that npm specifically is in bad shape in Debian 
> - but my (unsubstantiated) impression is that the cause is not that 
> Nodejs packages in general are badly maintained, but instead because of 
> the very aim of npm being not to fit Debian but to bypass it.

This might very well be true.

Now with nodejs 4.6.1~dfsg-1 in testing many Debian users might be
able to skip the https://deb.nodesource.com/setup_4.x approach if we
provide a recent enough npm package? Would be nice to get this
working (and I'd be willing to help, though I'd like to see this as
a team effort).

Thanks for your fast reply and input.

regards,
-mika-