On Tue, Apr 26, 2016 at 11:32:54PM +0200, Jérémy Lal wrote:
> Update:
> https://nodejs.org/en/blog/announcements/v6-release
> """
> In October 2016, Node.js v6 will become the LTS release and the LTS release
> line (version 4) will go under maintenance mode in April 2017, meaning only
> critical bugs, critical security fixes and documentation updates will be
> permitted. Users should begin transitioning from v4 to v6 in October when
> v6 goes into LTS.
> """
> I guess it will be too late for next debian release - still, it's good to
> know.

With the delayed freeze for jessie that would be doable again, right?
The nodejs LTS is more volatile than a traditional LTS (also including
bugfixes etc), but that seems ok (and is in line with e.g. security
support for Firefox ESR).

If we include nodejs 6 with security support in jessie we would limit
it to the lifetime of that LTS branch. Is it already known how long
that will be?

I'm also slightly concerned about you being the single maintainer of
nodejs. Your updates in unstable have been really quick, but you'll
be on vacation/sick/busy, so it'd be really great to have a fallback
(not a blocker, though). Maybe an RFH on debian-devel would help?

While I'm fine with nodejs in stretch, I have strong concerns about the
various node-* packages in the archive. It appears to me that the node
modules ecosystem is very volatile and I have doubts that the various
module upstreams will be able/willing to support the LTS branch of
nodejs (or security backports in general). As of today we have
already ten modules with unfixed security issues in unstable :-/

I think we can provide nodejs as a solid for server applications,
but herding lots of poorly maintained node modules in a stable release
is stretching our resources too thin. Also, I suppose everyone is
used to npm anyway.


Pkg-javascript-devel mailing list
