Bug#972570: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
Hello, The package on Salsa should be ready for upload and backport. It wasn't uploaded at the time due to the release freeze, and it's been waiting for review since then. I'd have uploaded it myself after the freeze ended, but I haven't been able to get my GPG key signed due to the pandemic so I don't have maintainer access. Sincerely, Daniel Ring On 10/3/2021 12:32 PM, Joe Nahmias wrote: Hello, Now that bullseye has been released, would it be possible to upload a fix for this to unstable? That would allow node-lightgallery and rainloop to migrate to testing (bookworm) and then be backported to bullseye. If you are not able to do this at the moment, due to time constraints, I'm happy to prepare the upload based on what's in Salsa, as long as it's okay with the JS team. Thanks, --Joe On Sat, Apr 24, 2021 at 04:12:06PM -0700, Daniel Ring wrote: It looks like this RC bug also caused the next version of Rainloop to be removed from bullseye before the freeze. That version contains an relatively important security fix (bug #962629), so both Rainloop and node-lightgallery will need to be uploaded to bullseye-backports (when available) as well as unstable. Sincerely, Daniel Ring On 4/23/2021 9:35 PM, Daniel Ring wrote: The warnings are already overridden in the current version on Salsa, since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is used to display a video from that source (e.g. by passing it a Youtube link). Sincerely, Daniel Ring On 4/23/2021 12:31 PM, Yadd wrote: Le 23/04/2021 à 19:03, Jonas Smedegaard a écrit : Quoting Yadd (2021-04-23 17:47:23) Control: tags -1 + pending Le 23/04/2021 à 09:44, Daniel Ring a écrit : Hello Xavier, It looks like the build process was minifying the source files to the destination *.js files and copying the pre-minified files to *.min.js. I corrected it to copy the unminified files directly and minify them to *.min.js. I also updated the package on Salsa to exclude the minified modules/*.min.js files via Files-Excluded in d/copyright, so they're no longer in the source package at all. Sincerely, Daniel Ring Hi, looks good to me, thanks! Could you also ignore these warnings in a debain/lintian-overrides? It looks like false positive Cheers, Yadd W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ [...] Those warnings look real to me. What makes you consider them false positives, Xavier? Hi Jonas, yes but the relevant lines are in if/then/else blocks: if (isVideo.youtube) { ... video = '
Bug#972570: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
Hello, Now that bullseye has been released, would it be possible to upload a fix for this to unstable? That would allow node-lightgallery and rainloop to migrate to testing (bookworm) and then be backported to bullseye. If you are not able to do this at the moment, due to time constraints, I'm happy to prepare the upload based on what's in Salsa, as long as it's okay with the JS team. Thanks, --Joe On Sat, Apr 24, 2021 at 04:12:06PM -0700, Daniel Ring wrote: > It looks like this RC bug also caused the next version of Rainloop to be > removed from bullseye before the freeze. That version contains an relatively > important security fix (bug #962629), so both Rainloop and node-lightgallery > will need to be uploaded to bullseye-backports (when available) as well as > unstable. > > Sincerely, > Daniel Ring > > On 4/23/2021 9:35 PM, Daniel Ring wrote: > > The warnings are already overridden in the current version on Salsa, > > since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is > > used to display a video from that source (e.g. by passing it a Youtube > > link). > > > > Sincerely, > > Daniel Ring > > > > On 4/23/2021 12:31 PM, Yadd wrote: > > > Le 23/04/2021 à 19:03, Jonas Smedegaard a écrit : > > > > Quoting Yadd (2021-04-23 17:47:23) > > > > > Control: tags -1 + pending > > > > > > > > > > Le 23/04/2021 à 09:44, Daniel Ring a écrit : > > > > > > Hello Xavier, > > > > > > > > > > > > It looks like the build process was minifying the source files to > > > > > > the > > > > > > destination *.js files and copying the pre-minified > > > > > > files to *.min.js. I > > > > > > corrected it to copy the unminified files directly and minify them > > > > > > to > > > > > > *.min.js. > > > > > > > > > > > > I also updated the package on Salsa to exclude the minified > > > > > > modules/*.min.js files via Files-Excluded in > > > > > > d/copyright, so they're no > > > > > > longer in the source package at all. > > > > > > > > > > > > Sincerely, > > > > > > Daniel Ring > > > > > > > > > > Hi, > > > > > > > > > > looks good to me, thanks! Could you also ignore these warnings in a > > > > > debain/lintian-overrides? It looks like false positive > > > > > > > > > > Cheers, > > > > > Yadd > > > > > > > > > > W: node-lightgallery: privacy-breach-generic > > > > > usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ > > > > class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560" > > > > > height="315" > > > > [...] > > > > Those warnings look real to me. > > > > > > > > What makes you consider them false positives, Xavier? > > > > > > Hi Jonas, > > > > > > yes but the relevant lines are in if/then/else blocks: > > > > > > if (isVideo.youtube) { > > > ... video = '
Bug#972570: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
It looks like this RC bug also caused the next version of Rainloop to be removed from bullseye before the freeze. That version contains an relatively important security fix (bug #962629), so both Rainloop and node-lightgallery will need to be uploaded to bullseye-backports (when available) as well as unstable. Sincerely, Daniel Ring On 4/23/2021 9:35 PM, Daniel Ring wrote: The warnings are already overridden in the current version on Salsa, since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is used to display a video from that source (e.g. by passing it a Youtube link). Sincerely, Daniel Ring On 4/23/2021 12:31 PM, Yadd wrote: Le 23/04/2021 à 19:03, Jonas Smedegaard a écrit : Quoting Yadd (2021-04-23 17:47:23) Control: tags -1 + pending Le 23/04/2021 à 09:44, Daniel Ring a écrit : Hello Xavier, It looks like the build process was minifying the source files to the destination *.js files and copying the pre-minified files to *.min.js. I corrected it to copy the unminified files directly and minify them to *.min.js. I also updated the package on Salsa to exclude the minified modules/*.min.js files via Files-Excluded in d/copyright, so they're no longer in the source package at all. Sincerely, Daniel Ring Hi, looks good to me, thanks! Could you also ignore these warnings in a debain/lintian-overrides? It looks like false positive Cheers, Yadd W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ [...] Those warnings look real to me. What makes you consider them false positives, Xavier? Hi Jonas, yes but the relevant lines are in if/then/else blocks: if (isVideo.youtube) { ... video = '
Bug#972570: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
The warnings are already overridden in the current version on Salsa, since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is used to display a video from that source (e.g. by passing it a Youtube link). Sincerely, Daniel Ring On 4/23/2021 12:31 PM, Yadd wrote: Le 23/04/2021 à 19:03, Jonas Smedegaard a écrit : Quoting Yadd (2021-04-23 17:47:23) Control: tags -1 + pending Le 23/04/2021 à 09:44, Daniel Ring a écrit : Hello Xavier, It looks like the build process was minifying the source files to the destination *.js files and copying the pre-minified files to *.min.js. I corrected it to copy the unminified files directly and minify them to *.min.js. I also updated the package on Salsa to exclude the minified modules/*.min.js files via Files-Excluded in d/copyright, so they're no longer in the source package at all. Sincerely, Daniel Ring Hi, looks good to me, thanks! Could you also ignore these warnings in a debain/lintian-overrides? It looks like false positive Cheers, Yadd W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ [...] Those warnings look real to me. What makes you consider them false positives, Xavier? Hi Jonas, yes but the relevant lines are in if/then/else blocks: if (isVideo.youtube) { ... video = '
Bug#972570: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
Le 23/04/2021 à 19:03, Jonas Smedegaard a écrit : > Quoting Yadd (2021-04-23 17:47:23) >> Control: tags -1 + pending >> >> Le 23/04/2021 à 09:44, Daniel Ring a écrit : >>> Hello Xavier, >>> >>> It looks like the build process was minifying the source files to the >>> destination *.js files and copying the pre-minified files to *.min.js. I >>> corrected it to copy the unminified files directly and minify them to >>> *.min.js. >>> >>> I also updated the package on Salsa to exclude the minified >>> modules/*.min.js files via Files-Excluded in d/copyright, so they're no >>> longer in the source package at all. >>> >>> Sincerely, >>> Daniel Ring >> >> Hi, >> >> looks good to me, thanks! Could you also ignore these warnings in a >> debain/lintian-overrides? It looks like false positive >> >> Cheers, >> Yadd >> >> W: node-lightgallery: privacy-breach-generic >> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560" >> height="315" > [...] > Those warnings look real to me. > > What makes you consider them false positives, Xavier? Hi Jonas, yes but the relevant lines are in if/then/else blocks: if (isVideo.youtube) { ... video = '
Bug#972570: [Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
Quoting Yadd (2021-04-23 17:47:23) > Control: tags -1 + pending > > Le 23/04/2021 à 09:44, Daniel Ring a écrit : > > Hello Xavier, > > > > It looks like the build process was minifying the source files to the > > destination *.js files and copying the pre-minified files to *.min.js. I > > corrected it to copy the unminified files directly and minify them to > > *.min.js. > > > > I also updated the package on Salsa to exclude the minified > > modules/*.min.js files via Files-Excluded in d/copyright, so they're no > > longer in the source package at all. > > > > Sincerely, > > Daniel Ring > > Hi, > > looks good to me, thanks! Could you also ignore these warnings in a > debain/lintian-overrides? It looks like false positive > > Cheers, > Yadd > > W: node-lightgallery: privacy-breach-generic > usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560" > height="315" > src="//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+'" > frameborder="0" allowfullscreen>] > (//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+') > W: node-lightgallery: privacy-breach-generic > usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ class="lg-video-object lg-vimeo '+o+'" '+l+' width="560" height="315" > src="//player.vimeo.com/video/'+t.vimeo[1]+d+'" frameborder="0" > webkitallowfullscreen mozallowfullscreen allowfullscreen>] > (//player.vimeo.com/video/'+t.vimeo[1]+d+') > W: node-lightgallery: privacy-breach-generic > usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ class="lg-video-object lg-vk '+o+'" '+l+' width="560" height="315" > src="//vk.com/video_ext.php?'+t.vk[1]+d+'" frameborder="0" > allowfullscreen>] (//vk.com/video_ext.php?'+t.vk[1]+d+') > W: node-lightgallery: privacy-breach-generic > usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [ class="lg-video-object lg-youtube '+o+'" '+l+' width="560" height="315" > src="//www.youtube.com/embed/'+t.youtube[1]+d+'" frameborder="0" > allowfullscreen>] (//www.youtube.com/embed/'+t.youtube[1]+d+') Those warnings look real to me. What makes you consider them false positives, Xavier? - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private signature.asc Description: signature
Bug#972570: node-lightgallery is built using minified files
Control: tags -1 + pending Le 23/04/2021 à 09:44, Daniel Ring a écrit : > Hello Xavier, > > It looks like the build process was minifying the source files to the > destination *.js files and copying the pre-minified files to *.min.js. I > corrected it to copy the unminified files directly and minify them to > *.min.js. > > I also updated the package on Salsa to exclude the minified > modules/*.min.js files via Files-Excluded in d/copyright, so they're no > longer in the source package at all. > > Sincerely, > Daniel Ring Hi, looks good to me, thanks! Could you also ignore these warnings in a debain/lintian-overrides? It looks like false positive Cheers, Yadd W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [] (//www.dailymotion.com/embed/video/'+t.dailymotion[1]+d+') W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [] (//player.vimeo.com/video/'+t.vimeo[1]+d+') W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [] (//vk.com/video_ext.php?'+t.vk[1]+d+') W: node-lightgallery: privacy-breach-generic usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [] (//www.youtube.com/embed/'+t.youtube[1]+d+')
Bug#972570: node-lightgallery is built using minified files
Hello Xavier, It looks like the build process was minifying the source files to the destination *.js files and copying the pre-minified files to *.min.js. I corrected it to copy the unminified files directly and minify them to *.min.js. I also updated the package on Salsa to exclude the minified modules/*.min.js files via Files-Excluded in d/copyright, so they're no longer in the source package at all. Sincerely, Daniel Ring On 10/20/2020 6:41 AM, Xavier Guimard wrote: Package: node-lightgallery Version: 1.6.11+dfsg-1 Severity: serious Justification: 4 Hi, debian/source/lintian-overrides overwrites some real problems: the "concat" part of Gulpfile uses modules/* files which are all obfuscated using minification (downloaded from distinct sources). A possible solution could be to ignore modules/* files during import and add related components using uscan components (with a build).
Bug#972570: node-lightgallery is built using minified files
Package: node-lightgallery Version: 1.6.11+dfsg-1 Severity: serious Justification: 4 Hi, debian/source/lintian-overrides overwrites some real problems: the "concat" part of Gulpfile uses modules/* files which are all obfuscated using minification (downloaded from distinct sources). A possible solution could be to ignore modules/* files during import and add related components using uscan components (with a build).