Bug#1030952: npm depends on webpack and 200+ other packages
I'm unfamiliar with the Debian JS packaging process, but based on a quick search on npm, it would seem to me that this could be quite simple to resolve: Turn node-postcss-selector-parser into a concrete package, which would then contain only node-postcss-selector-parser, and depend on node-util-deprecate and node-cssesc (the latter being a virtual package provided by node-css-selector-tokenizer). I'm sure I'm not the only one with node-css-loader pinned at 5.0.1 to avoid installing webpack just for npm, so would enjoy seeing this fixed.
Bug#1030952: [Pkg-javascript-devel] Bug#1030952: npm depends on webpack and 200+ other packages
Control: reassign -1 node-css-loader On 2/10/23 07:09, Yadd wrote: Control: reassign -1 node-postcss-selector-parser On 2/10/23 01:35, Christopher Hagar wrote: Package: npm Version: 9.2.0~ds1-1 Severity: normal X-Debbugs-Cc: cmha...@gmail.com After recent changes in npm and node-css-loader (node-postcss-selector-parser), installing npm installs webpack and 200+ other node-related packages. Given that npm is a package manager, it should not require so many dependencies. Morever, npm is for installing packages outside of the Debian package manager! It should not bring in tons of Debian packages that will never be used. Debian Policy says that Depends declares an "absolute dependency". Recommends declares a "strong, but not absolute, dependency". Suggests declares that a packages "may be more useful with one or more others". And it is possible there should be no dependency relationship of any kind for npm depending on webpack. Hi, if you install upstream npm, you'll have hundreds packages in npm/node_modules (around 200 MB). The way chosen in Debian is to reuse modules that already exist in Debian (and then drop them from npm). So yes, there are a lot of dependencies but /usr/share/nodejs/npm (and related dirs like @npmcli/) contains only 3 MB including /usr/share/nodejs/npm/node_modules/. Anyway npm doesn't need webpack. Link between npm and webpack: - npm requires node-postcss-selector-parser (for @npmcli/query) - node-postcss-selector-parser requires node-css-loader because it requires node-indexes-of which is a virtual package provided by node-postcss-selector-parser - node-css-loader requires webpack So the bug is in node-postcss-selector-parser, it may embed indexes-of which is a 5-lines modules instead of depending of node-css-loader. I'm wrong here, node-postcss-selector-parser is a virtual package provided by node-css-loader.
Bug#1030952: npm depends on webpack and 200+ other packages
Control: reassign -1 node-postcss-selector-parser On 2/10/23 01:35, Christopher Hagar wrote: Package: npm Version: 9.2.0~ds1-1 Severity: normal X-Debbugs-Cc: cmha...@gmail.com After recent changes in npm and node-css-loader (node-postcss-selector-parser), installing npm installs webpack and 200+ other node-related packages. Given that npm is a package manager, it should not require so many dependencies. Morever, npm is for installing packages outside of the Debian package manager! It should not bring in tons of Debian packages that will never be used. Debian Policy says that Depends declares an "absolute dependency". Recommends declares a "strong, but not absolute, dependency". Suggests declares that a packages "may be more useful with one or more others". And it is possible there should be no dependency relationship of any kind for npm depending on webpack. Hi, if you install upstream npm, you'll have hundreds packages in npm/node_modules (around 200 MB). The way chosen in Debian is to reuse modules that already exist in Debian (and then drop them from npm). So yes, there are a lot of dependencies but /usr/share/nodejs/npm (and related dirs like @npmcli/) contains only 3 MB including /usr/share/nodejs/npm/node_modules/. Anyway npm doesn't need webpack. Link between npm and webpack: - npm requires node-postcss-selector-parser (for @npmcli/query) - node-postcss-selector-parser requires node-css-loader because it requires node-indexes-of which is a virtual package provided by node-postcss-selector-parser - node-css-loader requires webpack So the bug is in node-postcss-selector-parser, it may embed indexes-of which is a 5-lines modules instead of depending of node-css-loader.
Bug#1030952: npm depends on webpack and 200+ other packages
Package: npm Version: 9.2.0~ds1-1 Severity: normal X-Debbugs-Cc: cmha...@gmail.com After recent changes in npm and node-css-loader (node-postcss-selector-parser), installing npm installs webpack and 200+ other node-related packages. Given that npm is a package manager, it should not require so many dependencies. Morever, npm is for installing packages outside of the Debian package manager! It should not bring in tons of Debian packages that will never be used. Debian Policy says that Depends declares an "absolute dependency". Recommends declares a "strong, but not absolute, dependency". Suggests declares that a packages "may be more useful with one or more others". And it is possible there should be no dependency relationship of any kind for npm depending on webpack. -- System Information: Debian Release: bookworm/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-3-amd64 (SMP w/12 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages npm depends on: ii ca-certificates 20211016 ii node-abbrev 1.1.1+~1.1.2-1 ii node-agent-base 6.0.2+~cs5.4.2-2 ii node-aproba 2.0.0-3 ii node-archy1.0.0-6 ii node-base64-js1.5.1+dfsg+~1.3.0-2 ii node-binary-extensions2.2.0-2 ii node-cacache 17.0.3+~cs10.3.7-1 ii node-chalk5.2.0-1 ii node-chownr 2.0.0-2 ii node-ci-info 3.6.1+~cs1.1.0-1 ii node-cli-table [node-cli-table3] 0.3.11+~cs0.13.4-3 ii node-colors 1.4.0-4 ii node-columnify1.6.0+~1.5.1-1 ii node-css-loader [node-postcss-selector-parser]5.0.1+~cs14.0.5-1 ii node-css-selector-tokenizer [node-cssesc] 0.8.0+~cs4.8.3-1 ii node-debug4.3.4+~cs4.1.7-1 ii node-depd 2.0.0-2 ii node-diff 5.0.0~dfsg+~5.0.1-4 ii node-encoding 0.1.13-2 ii node-events 3.3.0+~3.0.0-3 ii node-glob 8.0.3+~cs8.4.15-1 ii node-got 11.8.5+~cs58.13.36-3 ii node-graceful-fs 4.2.10-1 ii node-gyp 9.3.0-2 ii node-hosted-git-info 6.1.1-2 ii node-https-proxy-agent [node-http-proxy-agent]5.0.1+~cs8.0.0-3 ii node-ieee754 1.2.1-3 ii node-ini 3.0.1-2 ii node-ip 2.0.0+~1.1.0-1 ii node-ip-regex 4.3.0+~4.1.1-1 ii node-json-parse-better-errors 1.0.2+~cs3.3.1-2 ii node-jsonparse1.3.1-10 ii node-lru-cache7.14.1-1 ii node-minimatch5.1.1+~5.1.2-1 ii node-minipass 3.3.6+~cs9.4.19-1 ii node-mkdirp 1.0.4+~1.0.2-4 ii node-ms 2.1.3+~cs0.7.31-3 ii node-negotiator 0.6.3+~0.6.1-1 ii node-nopt 5.0.0-4 ii node-normalize-package-data 4.0.1+~2.4.1-1 ii node-npm-bundled 2.0.1-2 ii node-npm-package-arg 10.0.0+~3.0.0-2 ii node-npmlog 7.0.1+~4.1.4-1 ii node-once 1.4.0-7 ii node-p-map4.0.0+~3.1.0+~3.0.1-1 ii node-promise-retry2.0.1-4 ii node-promzard 0.3.0-2 ii node-read 1.0.7-5 ii node-read-package-json [node-npm-normalize-package-b 5.0.2+~2.0.0-1 in] ii node-rimraf 3.0.2-2 ii node-semver 7.3.5+~7.3.9-2 ii