On 08/09/2017 08:06 AM, Stephen Gallagher wrote:
>
> On Fri, Aug 4, 2017 at 10:43 AM Troy Dawson <[email protected]
> <mailto:[email protected]>> wrote:
>
>> Although this looks tempting, it's only looking at half the problem.
>>
>> Versions
>> Nodejs modules get updated all the time, at different rates for
>> different packages.
>> If you had just one package for many modules, it would be getting
>> updated at an alarming rate.
>
> Point taken.
>
> I think the better approach is carefully-controlled bundling in
> Fedora. As of a couple years ago, it is now permissible to bundle
> software together in Fedora if it meets certain conditions:
>
> 1) If the dependency is already packaged in Fedora and this software
>    is compatible with that version, then this software must link against
>    the unbundled version.
> 2) If the dependency is not yet packaged in Fedora but is likely to be
>    useful to large amounts of Fedora software, it is strongly encouraged
>    that it be packaged separately.
> 3) Other dependencies MAY be carried internally by the package that
>    needs them, but that package MUST include
>    `Provides: bundled(npm(modulename)) = version`
>
> Rule 3) is so that if there is a security vulnerability in
> npm(modulename), we can find any and all software that is required to
> be updated.
>
> I haven't had any time to work on it, but I'd very much like to
> develop an automatic RPM dependency generator that will recurse down
> the node_modules directories, read their package.json files and
> automatically create those Provides. If anyone else wants to take a
> crack at doing that, it would be an immense help.

That sounds workable. Thanks!

There are 502 npm dependencies of scuttlebot, 196 of which are already in Fedora. I shudder to think of the Requires: list and the Provides: list!!
_______________________________________________
nodejs mailing list -- [email protected]
To unsubscribe send an email to [email protected]
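The generator Stephen describes in the quoted mail (recurse through node_modules, read each package.json, emit a `Provides: bundled(npm(name)) = version` line) is small enough to sketch. The script below is an added example written for this thread; it is not Stephen's, Troy's or the Fedora nodejs-packaging project's code. It walks every `node_modules` directory, treats direct children (and `@scope/name` children) as bundled packages, skips `.bin` and package.json files buried deeper inside a module, and de-duplicates identical lines. Two assumptions are labelled in the code: the fixture tree and its package names are constructed, and npm pre-release versions such as `2.0.0-rc.1` are mapped to RPM's `~` separator because `-` is not legal inside an RPM version. The last function shows the payoff of Rule 3: given a module name, list every bundled copy a maintainer would need to rebuild after an advisory.

```python
"""Generate RPM `Provides: bundled(npm(<name>)) = <version>` lines from a
node_modules tree. Added example for the nodejs list thread; not the
generator described there, and all package names below are hypothetical."""
import json
import os
import re
import tempfile

# Constructed fixture (not real packages): a scoped module, a second copy of
# "padder" nested at a different version, a .bin directory, and a package.json
# inside a test fixture directory that must NOT be reported as bundled.
SAMPLE_TREE = {
    "node_modules/padder/package.json": {"name": "padder", "version": "1.1.3"},
    "node_modules/padder/test/fixtures/package.json": {"name": "not-a-dep", "version": "9.9.9"},
    "node_modules/@acme/util/package.json": {"name": "@acme/util", "version": "2.0.0-rc.1"},
    "node_modules/topmod/package.json": {"name": "topmod", "version": "3.1.0"},
    "node_modules/topmod/node_modules/padder/package.json": {"name": "padder", "version": "1.0.0"},
}


def make_sample_tree():
    """Write the constructed fixture to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="npm-provides-")
    for rel, manifest in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            json.dump(manifest, fh)
    os.makedirs(os.path.join(root, "node_modules", ".bin"), exist_ok=True)
    return root


def rpm_version(npm_version):
    """npm pre-release tags use '-', which RPM reserves as the version/release
    separator. Assumption chosen here: map it to '~', which RPM sorts lower
    than the release it precedes (so 2.0.0~rc.1 < 2.0.0)."""
    return npm_version.replace("-", "~")


def iter_bundled_packages(root):
    """Yield (name, version) for every package that sits directly under any
    node_modules directory, including scoped @org/name packages and
    node_modules trees nested inside other packages."""
    for dirpath, _dirnames, _filenames in os.walk(root):
        if os.path.basename(dirpath) != "node_modules":
            continue
        for entry in sorted(os.listdir(dirpath)):
            pkg_dir = os.path.join(dirpath, entry)
            if not os.path.isdir(pkg_dir) or entry.startswith("."):
                continue  # skips .bin, .cache and similar
            if entry.startswith("@"):
                candidates = [os.path.join(pkg_dir, e) for e in sorted(os.listdir(pkg_dir))]
            else:
                candidates = [pkg_dir]
            for cand in candidates:
                manifest = os.path.join(cand, "package.json")
                if not os.path.isfile(manifest):
                    continue
                with open(manifest) as fh:
                    data = json.load(fh)
                name, version = data.get("name"), data.get("version")
                if isinstance(name, str) and isinstance(version, str):
                    yield name, version


def rpm_provides(root):
    """Return the sorted, de-duplicated Provides lines for a spec file."""
    lines = {
        f"Provides: bundled(npm({name})) = {rpm_version(version)}"
        for name, version in iter_bundled_packages(root)
    }
    return sorted(lines)


PROVIDES_RE = re.compile(r"^Provides: bundled\(npm\((.+)\)\) = (\S+)$")


def bundled_versions(provides_lines, module):
    """Rule 3 in practice: list every bundled version of `module`, i.e. the
    copies that must be checked and rebuilt when that module gets an advisory."""
    found = []
    for line in provides_lines:
        m = PROVIDES_RE.match(line)
        if m and m.group(1) == module:
            found.append(m.group(2))
    return sorted(found)


if __name__ == "__main__":
    root = make_sample_tree()
    lines = rpm_provides(root)
    print("\n".join(lines))
    print("padder is bundled as:", bundled_versions(lines, "padder"))
```

Pointing `rpm_provides()` at a real checkout gives the Provides block for a spec; in a build system this would sit behind an rpm file-attribute generator rather than be pasted by hand, but the walking and naming logic is the same. Note that the nested `padder` copy produces a second line at a different version on purpose: that is exactly the case where a fix to the top-level copy alone would leave a vulnerable duplicate in place.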
