[Pkg-javascript-devel] Plan for legacy rollup plugins in bullseye (was Re: node-rollup-plugin-inject 4.0.2+~3.0.2-1 MIGRATED to testing)

[Xavier]

Le 25/10/2020 à 09:06, Pirate Praveen a écrit :
> 
> On 2020, ഒക്‌ടോബർ 25 10:09:13 AM IST, Debian testing watch <noreply at release.debian.org> wrote:
>> FYI: The status of the node-rollup-plugin-inject source package
>> in Debian's testing distribution has changed.
>>
>>  Previous version: (not in testing)
>>  Current version:  4.0.2+~3.0.2-1
> 
> Are we going to maintain legacy versions of these plugins in bullseye? I agree adding them makes the transition easier, but removing the legacy copies should also be part of the plan to avoid maintaining multiple versions of these plugins.

Hi,

you're right, however there are a lot of outdated modules in JS Team
packages, and these rollup plugins have no known vulnerabilities.

We can also facilitate transition using this way (using experimental of
course):
 * remove legacy module from any node-rollup-plugin-*
 * insert our own legacy modules in them including just:
   * /usr/share/nodejs/rollup-plugin-foo/package.json

     { "name":"rollup-plugin-foo",
       "main":"index.js",
       "dependencies":{
         "@rollup/plugin-foo": "*"
       }
     }

   * /usr/share/nodejs/rollup-plugin-foo/index.js

     module.export = require("@rollup/plugin-foo");

Note that transition of node-rollup-plugin-commonjs won't be easy
(remember 10.0.1+really.9.2.0). Same for node-rollup-plugin-node-resolve

Cheers,
Xavier