On Wed, Sep 28, 2016 at 02:26:07AM +0000, Potter, Tim (HPE Linux Support) wrote:
> * Package name    : node-is-extglob
>   Version         : 2.0.0
>   Upstream Author : Jon Schlinkert (https://github.com/jonschlinkert)
> * URL             : https://github.com/jonschlinkert/is-extglob

After reading this ITP, I investigated the package on github.  If the intent is
to implement a predicate about bash-like extglobs, the package is wrong (and if
it is to implement some other standard, for instance a kind of pattern-matching
string where "[" is not a special character, the documentation is woefully
inadequate since nowhere is "extglob" specified).

The package author declined to fix the issue I filed, and also declined to
incorporate a pull-request which showed the bug I feel exists:  "it's extremely
clear that you're trying to come up with patterns that no one has actually

By contrast, I feel it's important to correctly handle even malicious or
malformed inputs, since in the node ecosystem it's possible that someone
several layers up the dependency tree in a piece of enduser software may use
the underlying code in a security-sensitive environment. (I don't know what
is-extglob is a prospective reverse dependency of, to say whether this is
relevant to Debian at this moment)


After two tries with the author, I wash my hands of it.  But I thought that you
might like to know.

(My interactions on github were weeks ago;  I wasn't even planning to write or
send this message, but in light of the recent discussion of the shortcomings of
node-os-homedir in another thread on debian-devel, I felt I should mention it)
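As an added illustration of the distinction the message draws (this is example code, not the is-extglob package's implementation and not part of the original mail): a predicate for bash-style extglob operators, ?( ), *( ), +( ), @( ) and !( ), that follows bash's own rules on escaping and bracket expressions. The assumptions built in are that a backslash makes the next character literal, that nothing is special inside a bracket expression such as [+(], and that an operator only counts when its closing parenthesis exists, so malformed or hostile strings fall through to false instead of being misclassified.

```javascript
// Added example: a bash-style extglob predicate (not the is-extglob code).
// Assumed bash rules:
//   - "\" escapes the next character, so "\+(" is literal text
//   - inside a bracket expression [...] no character is special,
//     so "[+(]" is a bracket expression, not an extglob
//   - an operator such as "+(" is an extglob only if its ")" exists

// s[i] === '['. Returns the index just past the closing ']' or -1 if the
// bracket expression is unterminated (then '[' is treated as a literal).
function skipBracket(s, i) {
  let j = i + 1;
  if (s[j] === '!' || s[j] === '^') j++; // negation marker
  if (s[j] === ']') j++;                 // a leading ']' is literal
  while (j < s.length && s[j] !== ']') j++;
  return j < s.length ? j + 1 : -1;
}

// Scans left to right; reports true on the first well-formed extglob.
function isExtglob(str) {
  if (typeof str !== 'string') return false;
  let i = 0;
  while (i < str.length) {
    const c = str[i];
    if (c === '\\') { i += 2; continue; }          // escaped char: skip it
    if (c === '[') {
      const end = skipBracket(str, i);
      if (end === -1) { i++; continue; }           // unterminated '[' is literal
      i = end;
      continue;
    }
    if ('?*+@!'.includes(c) && str[i + 1] === '(') {
      // Look for the matching ')' honouring escapes and nesting.
      let depth = 0;
      for (let j = i + 1; j < str.length; j++) {
        if (str[j] === '\\') { j++; continue; }
        if (str[j] === '(') depth++;
        else if (str[j] === ')' && --depth === 0) return true;
      }
      // No matching ')': this operator is not an extglob; keep scanning.
    }
    i++;
  }
  return false;
}

module.exports = { isExtglob, skipBracket };
```

The inputs that trip a naive regex are exactly the ones the predicate must get right: `[+(]` is a bracket expression, `\+(a)` is escaped, and `+(a` has no closing parenthesis, so all three return false, while `[abc]+(d)` returns true because the extglob sits outside the bracket expression.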

