[Pkg-javascript-devel] Bug#1103615: Bug#1103615: Bug#1103615: node-dompurify: please update to latest version

Mon, 21 Apr 2025 22:33:09 -0700 

On 4/21/25 11:19, Jérémy Lal wrote:




Le lun. 21 avr. 2025 à 10:12, Paul Gevers <elb...@debian.org 
<mailto:elb...@debian.org>> a écrit :


    Hi Jérémy,

    Thanks for the reply.

    On 20-04-2025 13:21, Jérémy Lal wrote:
     > Good question ! The answer is that it's not needed:
     > nodejs 20.19.0 can "require(esm)" [1] so a CJS module is no longer
     > locked out using ESM modules.
     > The other way around (import a CJS module form an ES module) has
    always
     > been possible.


    As I understand it, liferea is already ESM and my problem is that the
    code apparently assumes that node-dompurify (and handlebars) is ESM
    too.
    So far, I have never needed to fix javascript in a more than trivial
    manner, so I don't know where to start here. My fundamental question is
    what do I have to do to build liferea with the Debain shipped
    node-dompurity (and handlebars) instead of the vendored version?
    liferea
    uses the file during the build and embeds it in the executable, but as
    can be seen from my discussion in the upstream bug tracker [1], using
    the current versions in Debian doesn't work and upstream suggested that
    node-dompurify needs the change. I understand you say it should be
    trivial to fix on the liferea side? (The include happens here [2], for
    handlebars it's here [3]. I tried commenting them out and adding a
    <script> here [4] but that seems to be too simple.)


For handlebars, it should work all right as it is,
for dompurify, first fix the path you copy it from, use:
/usr/share/nodejs/dompurify/dist/purify.es.mjs

Then to fix the version mismatch, you can use this patch:

diff --git a/js/htmlview.js b/js/htmlview.js
index d6f4a9f..d1d4f69 100644
--- a/js/htmlview.js
+++ b/js/htmlview.js
@@ -22,6 +22,8 @@
  import { render, template } from './helpers/render.js';
  import DOMPurify from './vendor/purify.min.js';

+const purify = DOMPurify(window);
+
  window.debugflags = 0;

  function prepare(baseURL, title) {
@@ -227,7 +229,7 @@ function contentCleanup() {

         // Run DOMPurify
         let content = document.getElementById('content').innerHTML;

-       document.getElementById('content').innerHTML = 
DOMPurify.sanitize(content);
+       document.getElementById('content').innerHTML = 
purify.sanitize(content);


         // Fix inline SVG sizes
         const svgMinWidth = 50;

Hi,


looking at 
https://release.debian.org/britney/pseudo-excuses-experimental.html#node-dompurify 
it looks like the update of node-dompurify is possible without breaking 
things. I looked at the debdiff between the last and the current 
version, no big changes.


--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel






















					Reply via email to