I actually did give a use case for this: try installing polymer as per the
instruction given on my initial report. It just doesn't work, as Jeremy
states. NPM is a growing, dynamic repository and you'll be hard pressed to
find any major package that is 3 years old and 100% compatible with the
current version of this package in Debian.
So yes, as I said before, and I stand by it, the fact it is so old and the
NPM repository has continued to advance does, indeed "render [the] package
unusable". Or as Jeremy puts it: "npm install thisorthatmodule` is failing
for a growing list of modules". This is the most basic NPM operation and it
is failing 100% of the time in many cases.
Of course this can be fixed by updating the NPM version to the current
version, as Ben says, but it shouldn't demote the priority to "wishlist":
there's a real problem here with possible security implication (re Jeremy)
and a major loss of usability (yes, to the point of "renders package
unusable"). But anyway, if it was a simple thing to do, I'm sure someone
would have done it at some point after 2014, so my first suggestion was to
consider removal altogether.
Jeremy, thank you for following through with this. I know asking for
package removal is a big thing in Debian but if NPM is to stay, it needs to
be up-to-date, and if it isn't, it better that it be removed. I think
that's the best choice for now, thanks again!
On 16 March 2017 at 20:50, Jérémy Lal <kapo...@melix.org> wrote:
> 2017-03-17 0:30 GMT+01:00 Ben Finney <bign...@debian.org>:
> > Control: tags -1 + moreinfo
> > Alex Henry <tuk...@gmail.com> wrote:
> >> Severity: grave
> >> Justification: renders package unusable
> > Thank you for considering the severity of bug reports. You claim the
> > package is unusable in general, but I don't see anything in your
> > description that supports this.
> > The only description of package behaviour you give is:
> >> […] the *extremely outdated* version
> >> proved by this package siomply doesn't work anymore.
> > In what specific way does this package not work anymore? What should it
> > do at version 1.4.21, what does it do instead on Debian? There must be
> > some *specific, actionable* behaviour where the package behaves in a
> > buggy way at version 1.4.21.
> > So far this seems to be in fact a request to package a newer version,
> > which is a “Severity: wishlist” request.
> I should have done this long before, but npm should not stay in testing:
> - `npm install thisorthatmodule` is failing for a growing list of modules
> - npmjs.org might drop support for this old client at anytime now
> - it's not supportable (security-wise) and i'd advise against using it
> I'll use block this bug by the handful of packages depending on npm.