<div dir="ltr"><div><div>I actually did give a use case for this: try installing
polymer as per the instruction given on my initial report. It just
doesn't work, as Jeremy states. NPM is a growing, dynamic repository and
you'll be hard pressed to find any major package that is 3 years old and
100% compatible with the current version of this package in Debian.<br><br></div>So
yes, as I said before, and I stand by it, the fact it is so old and the
NPM repository has continued to advance does, indeed "render [the]
package unusable". Or as Jeremy puts it: "npm install thisorthatmodule`
is failing for a growing list of modules". This is the most basic NPM
operation and it is failing 100% of the time in many cases.<br><br></div>Of course this can be fixed by updating the NPM version to the current
version, as Ben says, but it shouldn't demote the priority to
"wishlist": there's a real problem here with possible security
implication (re Jeremy) and a major loss of usability (yes, to the point
of "renders package unusable"). But anyway, if it was a simple thing to
do, I'm sure someone would have done it at some point after 2014, so my
first suggestion was to consider removal altogether.<div class="gmail-yj6qo gmail-ajU"><div tabindex="0" class="gmail-ajR" id="gmail-:1ao"><img src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif" class="gmail-ajT"></div></div>Jeremy, thank you for following through with this. I know asking for package removal is a big thing in Debian but if NPM is to stay, it needs to be up-to-date, and if it isn't, it better that it be removed. I think that's the best choice for now, thanks again!<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 16 March 2017 at 20:50, Jérémy Lal <span dir="ltr"><<a href="mailto:kapouer@melix.org" target="_blank">kapouer@melix.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">2017-03-17 0:30 GMT+01:00 Ben Finney <<a href="mailto:bignose@debian.org">bignose@debian.org</a>>:<br>
> Control: tags -1 + moreinfo<br>
><br>
> Alex Henry <<a href="mailto:tukkek@gmail.com">tukkek@gmail.com</a>> wrote:<br>
>> Severity: grave<br>
>> Justification: renders package unusable<br>
><br>
> Thank you for considering the severity of bug reports. You claim the<br>
> package is unusable in general, but I don't see anything in your<br>
> description that supports this.<br>
><br>
> The only description of package behaviour you give is:<br>
><br>
>> […] the *extremely outdated* version<br>
>> proved by this package siomply doesn't work anymore.<br>
><br>
> In what specific way does this package not work anymore? What should it<br>
> do at version 1.4.21, what does it do instead on Debian? There must be<br>
> some *specific, actionable* behaviour where the package behaves in a<br>
> buggy way at version 1.4.21.<br>
><br>
> So far this seems to be in fact a request to package a newer version,<br>
> which is a “Severity: wishlist” request.<br>
<br>
</span>I should have done this long before, but npm should not stay in testing:<br>
- `npm install thisorthatmodule` is failing for a growing list of modules<br>
- <a href="http://npmjs.org" rel="noreferrer" target="_blank">npmjs.org</a> might drop support for this old client at anytime now<br>
- it's not supportable (security-wise) and i'd advise against using it<br>
<br>
I'll use block this bug by the handful of packages depending on npm.<br>
<span class="HOEnZb"><font color="#888888"><br>
Jérémy<br>
<br>
</font></span></blockquote></div><br></div>