Update:

Done: node-rollup_3.15.0-1
Done: node-redis_4.5.1+~1.1.2-1
Not a regression of nodejs, but is a pkg-javascript problem so it's Done: node-minipass_3.3.6+~cs9.4.19-1
Not a regression of nodejs, not my problem at all: dask.distributed_2022.12.1+ds.1-3
Not part of bookworm - just ignore: jquery_3.3.1~dfsg-3
Done: node-csstype_3.1.1-1

"Done" means there is a FTBFS bug for that package, and I opened a release.debian.org bug containing a diff that fixes the FTBFS bug for that package.

On Mon, 17 Feb 2025 at 12:04, Jérémy Lal <kapo...@melix.org> wrote:

> Thank you for this helpful work.
> Yes, since the latest nodejs update to bookworm has been somewhat
> catastrophic, it is our duty to ensure the next one goes very smoothly
> for it to be accepted.
>
> To sum up, we have this:
>
> Those packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and
> nodejs_18.20.4+dfsg-1~deb12u1
> node-rollup_3.15.0-1
> node-redis_4.5.1+~1.1.2-1
> node-minipass_3.3.6+~cs9.4.19-1
> dask.distributed_2022.12.1+ds.1-3
> jquery_3.3.1~dfsg-3
> node-csstype_3.1.1-1
> node-recast_0.21.1-1
> node-js-sdsl_4.1.4-2
> node-wikibase-cli_15.15.4-4
> node-regexpp_3.2.0-4
> science.js_1.9.3+dfsg-3
> moment-timezone.js_0.5.40+dfsg-1+2023c
> node-resolve_1.22.1+~cs5.31.10-1
> node-jest_29.3.1~ds1+~cs70.48.25-2
> node-jschardet_3.0.0+dfsg+~1.4.0-2
> node-lib0_0.2.58-1
>
> 1 package builds with nodejs_18.20.4+dfsg-1~deb12u1
> PASSED: firefox-esr_128.5.0esr-1~deb12u1
>
> 5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
> node-node-rsa_1.1.1-4
> node-rollup-plugin-sass_1.12.16-1
> macaulay2_1.21+ds-3
> node-public-encrypt_4.0.3-1
> node-mutate-fs_2.1.1-2
>
> The goal is to fix them (ensure they build, and their autopkgtest pass for
> node 18.20.4), then do a reportbug release.debian.org
> to bookworm-pu for each of them, finishing with a bookworm-pu for nodejs
> 18.20.4.
> Attention: some of them might already have bookworm-pu bugs opened.
>
> On Mon, 17 Feb 2025 at 11:36, Naaz, Syeda Shagufta
> <syedashagufta.n...@siemens.com> wrote:
>
>> Hi Jeremy Lal,
>>
>> Thank you for your earlier email.
>>
>> As per your suggestion, I have attached the RATT test results for Node.js
>> versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with
>> the build logs for the failed packages.
>>
>> Upon reviewing the results, I noticed the following:
>>
>> - Version 18.19.0 has failures in *18* packages.
>>   1. firefox-esr_128.5.0esr-1~deb12u1: this package failed in
>>      version 18.19.0 but passed in version 18.20.4.
>> - Version 18.20.4 has failures in *22* packages, of which 5 are
>>   additional compared to v18.19.0:
>>   1. node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
>>   2. node-node-rsa_1.1.1-4 (failure in dh_auto_test)
>>   3. node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
>>   4. macaulay2_1.21+ds-3 (failure in dh_auto_build)
>>   5. node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
>>
>> I also noticed that the first two packages are failing due to the OpenSSL
>> CVE fix for CVE-2023-46809
>> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.
>>
>> Could the additional failures in version 18.20.4 be the reason the update
>> has not yet been implemented?
>>
>> I would appreciate your insights on this matter. Please let me know your
>> thoughts.
>>
>> Best Regards,
>>
>> Syeda Shagufta Naaz
>>
>> Senior Software Developer
>>
>> *SIEMENS* *FT FDS (Foundational Services)*
>>
>> *From:* Jérémy Lal <kapo...@melix.org>
>> *Sent:* 07 February 2025 16:31
>> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.n...@siemens.com>
>> *Cc:* pkg-javascript-devel@alioth-lists.debian.net; Hombourger, Cedric
>> (FT FDS CES LX) <cedric.hombour...@siemens.com>; Kumar, Ritesh (FT FDS
>> CES LX PBU RSOL) <ritesh-ku...@siemens.com>; Koturappa, Hemanth (FT FDS
>> CES LX PBU 2) <hemanth.kotura...@siemens.com>; Prusty, Badrikesh (FT FDS
>> CES LX PBU 2) <badrikesh.pru...@siemens.com>
>> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs.
>> Salsa Debian repository
>>
>> Also note that debian/trixie will have a version of nodejs that uses even
>> more external dependencies,
>> with a source tarball excluding the externalized dependencies, which will
>> make the process of doing security uploads easier for everyone.
>>
>> On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapo...@melix.org> wrote:
>>
>> Security uploads take a lot of work to ensure all reverse
>> (build-)dependencies of a package build and pass their test suite
>> successfully.
>>
>> For that last upload, I, in particular, lost track of time.
>>
>> To help me, one can redo those verifications, and then, once several
>> packages failing to rebuild have been identified,
>> they must be fixed, proposed to bookworm, and once they are all accepted,
>> that version of nodejs can be proposed to bookworm too.
>>
>> On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta
>> <syedashagufta.n...@siemens.com> wrote:
>>
>> Package: nodejs
>>
>> Version: 18.19.0+dfsg-6~deb12u2
>>
>> Severity: critical
>>
>> Dear Debian Community,
>>
>> We are currently working with the Debian Bookworm
>> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
>> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>>
>> However, upon reviewing the salsa-debian/bookworm
>> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
>> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available,
>> which includes fixes for multiple CVE issues, such as,
>>
>> - CVE-2024-27983
>>   <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2 HIGH*)
>> - CVE-2024-21892
>>   <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5 HIGH*)
>> - CVE-2024-22019
>>   <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5 HIGH*)
>>
>> These fixes are not included in the current Bookworm release. Having the
>> severity of some of these vulnerabilities as High, we are eager for these
>> fixes to be available.
>>
>> Could you please help clarify why there is a discrepancy between the
>> version in the Bookworm release and the one on salsa? Is there any
>> specific reason for the delay, and is there any fixed timeline for
>> resolving this?
>>
>> I appreciate your time and guidance on this matter.
>>
>> Best Regards,
>>
>> Syeda Shagufta Naaz
>>
>> Senior Software Developer
>>
>> *SIEMENS* *FT FDS (Foundational Services)*
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel