Also note that debian/trixie will have a version of nodejs that uses even more external dependencies, with a source tarball excluding the externalized dependencies, which will make the process of doing security uploads easier for everyone.
On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapo...@melix.org> wrote:
> Security uploads take a lot of work to ensure all reverse
> (build-)dependencies of a package build and pass their test suite
> successfully.
> For that last upload, I, in particular, lost track of time.
> To help me, one can redo those verifications, and then, once several
> packages failing to rebuild have been identified,
> they must be fixed, proposed to bookworm, and once they are all accepted,
> that version of nodejs can be proposed to bookworm too.
>
>
> On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta
> <syedashagufta.n...@siemens.com> wrote:
>
>> Package: nodejs
>>
>> Version: 18.19.0+dfsg-6~deb12u2
>>
>> Severity: critical
>>
>> Dear Debian Community,
>>
>> We are currently working with the Debian Bookworm
>> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
>> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>>
>> However, upon reviewing the salsa-debian/bookworm
>> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
>> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available,
>> which includes fixes for multiple CVE issues, such as:
>>
>> - CVE-2024-27983
>> <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2 HIGH*)
>> - CVE-2024-21892
>> <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5 HIGH*)
>> - CVE-2024-22019
>> <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5 HIGH*)
>>
>> These fixes are not included in the current Bookworm release. Given that
>> some of these vulnerabilities are rated High severity, we are eager for
>> these fixes to be available.
>>
>> Could you please help clarify why there is a discrepancy between the
>> version in the Bookworm release and the one on salsa? Is there any
>> specific reason for the delay and, is there any fixed timeline for
>> resolving this?
>>
>> I appreciate your time and guidance on this matter.
>>
>> Best Regards,
>>
>> Syeda Shagufta Naaz
>>
>> Senior Software Developer
>>
>> *SIEMENS* *FT FDS (Foundational Services)*
>
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel