[Pkg-javascript-devel] Bug#1072121: Bug#1072121: node-ip: CVE-2024-29415

2024-05-29 Thread Yadd

On 5/29/24 00:40, Moritz Mühlenhoff wrote:

Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2024-29415[0]:
| The ip package through 2.0.1 for Node.js might allow SSRF because
| some IP addresses (such as 127.1, 01200034567, 012.1.2.3,
| 000:0:::01, and ::fFFf:127.0.0.1) are improperly categorized as
| globally routable via isPublic. NOTE: this issue exists because of
| an incomplete fix for CVE-2023-42282.

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/pull/143


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29415
 https://www.cve.org/CVERecord?id=CVE-2024-29415

Please adjust the affected versions in the BTS as needed.


The proposed patch changes node-ip behavior and needs a recent nodejs. I
just pushed it to experimental to have more tests.


--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
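Added here as an example (not node-ip's code): a strict IP-literal parser and classifier that refuses the shorthand forms quoted in the CVE text above instead of interpreting them, and resolves an IPv4-mapped IPv6 literal to the embedded IPv4 address before deciding whether it is globally routable. The range tables and the 'invalid' result are assumptions about what an SSRF guard should do, not node-ip's API.

```javascript
// Strict IP-literal handling for SSRF guards (added example, not node-ip's
// code). Every form listed in CVE-2024-29415 (127.1, 01200034567, 012.1.2.3,
// 000:0:::01, ::fFFf:127.0.0.1) is either rejected outright or resolved to
// its real address before the public/non-public decision is made.

function parseIPv4Strict(s) {
  // Exactly four dotted-decimal octets, no leading zeros: "127.1" (two parts),
  // "01200034567" (bare number) and "012.1.2.3" (octal octet) all return null
  // instead of being expanded the way inet_aton would.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = [];
  for (let i = 1; i <= 4; i++) {
    if (m[i].length > 1 && m[i][0] === '0') return null;
    const v = Number(m[i]);
    if (v > 255) return null;
    octets.push(v);
  }
  return octets;
}

function parseIPv6Strict(s) {
  // Returns eight 16-bit groups or null. At most one "::", hex groups of 1-4
  // digits, and an optional dotted-decimal tail that must itself be strict.
  if (s.includes(':::')) return null;                 // e.g. "000:0:::01"
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const parseGroups = (str) => {
    if (str === '') return [];
    const parts = str.split(':');
    const out = [];
    for (let i = 0; i < parts.length; i++) {
      if (i === parts.length - 1 && parts[i].includes('.')) {
        const v4 = parseIPv4Strict(parts[i]);
        if (!v4) return null;
        out.push((v4[0] << 8) | v4[1], (v4[2] << 8) | v4[3]);
      } else {
        if (!/^[0-9a-fA-F]{1,4}$/.test(parts[i])) return null;
        out.push(parseInt(parts[i], 16));
      }
    }
    return out;
  };
  const head = parseGroups(halves[0]);
  const tail = halves.length === 2 ? parseGroups(halves[1]) : [];
  if (head === null || tail === null) return null;
  if (halves.length === 1) return head.length === 8 ? head : null;
  if (head.length + tail.length > 7) return null;
  return head.concat(new Array(8 - head.length - tail.length).fill(0), tail);
}

// IPv4 ranges that must never be treated as globally routable (assumed list).
const IPV4_NON_PUBLIC = [
  [[0, 0, 0, 0], 8], [[10, 0, 0, 0], 8], [[100, 64, 0, 0], 10],
  [[127, 0, 0, 0], 8], [[169, 254, 0, 0], 16], [[172, 16, 0, 0], 12],
  [[192, 0, 0, 0], 24], [[192, 0, 2, 0], 24], [[192, 168, 0, 0], 16],
  [[198, 18, 0, 0], 15], [[198, 51, 100, 0], 24], [[203, 0, 113, 0], 24],
  [[224, 0, 0, 0], 4], [[240, 0, 0, 0], 4],
];

function ipv4InCidr(octets, net, bits) {
  const toInt = (o) => ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(octets) & mask) >>> 0) === ((toInt(net) & mask) >>> 0);
}

function isPublicIPv4(octets) {
  return !IPV4_NON_PUBLIC.some(([net, bits]) => ipv4InCidr(octets, net, bits));
}

function isPublicIPv6(g) {
  // IPv4-mapped (::ffff:a.b.c.d) and IPv4-compatible (::a.b.c.d, which also
  // covers :: and ::1): decide on the embedded IPv4 address, so that
  // "::fFFf:127.0.0.1" comes out as loopback, not public.
  if (g.slice(0, 5).every((x) => x === 0) && (g[5] === 0xffff || g[5] === 0)) {
    if (g[5] === 0) return false;
    return isPublicIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff]);
  }
  if ((g[0] & 0xfe00) === 0xfc00) return false;        // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return false;        // fe80::/10 link-local
  if ((g[0] & 0xffc0) === 0xfec0) return false;        // fec0::/10 site-local
  if ((g[0] & 0xff00) === 0xff00) return false;        // ff00::/8 multicast
  if (g[0] === 0x2001 && g[1] === 0x0db8) return false; // 2001:db8::/32 docs
  return true;
}

// 'public', 'non-public' or 'invalid'. An SSRF guard treats 'invalid' like
// 'non-public': an ambiguous literal is exactly what a bypass relies on.
function classifyIpLiteral(s) {
  const v4 = parseIPv4Strict(s);
  if (v4) return isPublicIPv4(v4) ? 'public' : 'non-public';
  const v6 = parseIPv6Strict(s);
  if (v6) return isPublicIPv6(v6) ? 'public' : 'non-public';
  return 'invalid';
}
```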


[Pkg-javascript-devel] Bug#1071213: Bug#1071213: pkg-js-tools: nodepath fails with nodejs 20 because it passes non-integer to process.exit

2024-05-16 Thread Yadd

On 5/16/24 13:16, Jérémy Lal wrote:

Package: pkg-js-tools
Version: 0.15.19
Severity: important

Hi,

this makes all automatic autopkgtests fail:

$ nodepath after
node:internal/errors:541
   throw error;
TypeError [ERR_INVALID_ARG_TYPE]: The "code" argument must be of type number. 
Received type boolean (true)

Since this is somewhat urgent, please tell me if I should do the fix.

Jérémy


Hi,

I just pushed your fix

Thanks!



[Pkg-javascript-devel] Bug#1066749: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1

2024-03-20 Thread Yadd

Control: tags -1 + moreinfo

Hi,

I'm unable to reproduce this issue. Probably fixed elsewhere during the
time_t transition




[Pkg-javascript-devel] Bug#1064558: Bug#1064558: node-leveldown: FTBFS on mips64el: not ok 1397 Error: batch(array) element must be an object and not `null`

2024-03-02 Thread Yadd

On 2/24/24 13:10, Sebastian Ramacher wrote:

Source: node-leveldown
Version: 5.6.0+dfsg-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: sramac...@debian.org

https://buildd.debian.org/status/fetch.php?pkg=node-leveldown=mips64el=5.6.0%2Bdfsg-4%2Bb1=1708632735=0

not ok 1397 Error: batch(array) element must be an object and not `null`
   ---
 operator: error
 stack: |-
   Error: batch(array) element must be an object and not `null`
   at AbstractLevelDOWN.batch 
(/usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:163:33)
   at /<>/test/iterator-recursion-test.js:48:8
   at /usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:41:5
   ...

Cheers


Hi Jérémy,

when trying to build on the mips64el porterbox, I got this:

make[1]: Entering directory '/home/yadd/node-leveldown'
node-gyp clean
node: error while loading shared libraries: libnode.so.108: cannot open 
shared object file: No such file or directory

make[1]: *** [debian/rules:18: override_dh_auto_clean] Error 127
make[1]: Leaving directory '/home/yadd/node-leveldown'




[Pkg-javascript-devel] Bug#1059829: Thank you

2024-01-17 Thread Yadd

On 1/16/24 20:36, Georges Khaznadar wrote:

Hello,

Javascript/Npm are not my cup of tea; so please accept many thanks
for the help you provided with my poor packaging efforts.

If node-html5-qrcode happens to be dfsg-free, which should be the right
umbrella to host it on salsa.d.o? https://salsa.debian.org/js-team or
https://salsa.debian.org/georgesk ?


Hi,

Yes, I already pushed it to js-team/node-html5-qrcode. It is fixed there now
and ready to be pushed. Do you want me to push it?



I saw that you managed to let salsa's automaton pass 53 of the upstream
tests, and I would like to learn such magic. Do you have some
useful links about it?


Most JS Team packages use dh-sequence-nodejs. To start with it:
https://wiki.debian.org/Javascript/Tutorial and then pkg-js-tools(7)


However, the changes I made here need a minimum of npm knowledge because
the package doesn't exactly follow the common way (see the dh_auto_install hook)



Best regards,   Georges.


Cheers,
Yadd



[Pkg-javascript-devel] Bug#1027859: Fwd: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED

2024-01-17 Thread Yadd

Control: tags -1 + wontfix

>  Forwarded Message 
> Subject: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED
> Date: Wed, 17 Jan 2024 09:17:48 +
> From: Debian FTP Masters 
> To: Yadd , Debian Javascript Maintainers  javascript-de...@lists.alioth.debian.org>
>
>
> not in stable - belongs to sloppy

Update refused, so bug won't be fixed

Regards,
Yadd



[Pkg-javascript-devel] Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build

2024-01-01 Thread Yadd

On 1/2/24 09:50, Yadd wrote:

Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install", which downloads libraries
from the Internet. This is totally outside the DFSG.


For now, --omit-dev avoids downloading anything until this package
has dependencies, but npm still accesses the Internet for "audit".


Easy to fix: use "pkgjs-run build" instead of npm (and drop the build
dependency on npm)


Second bug: the package is unusable because it is not installed correctly (that's
probably why autopkgtest was disabled...); also third_party/ is missing
from the install


A fixed version of this package is available at
https://salsa.debian.org/js-team/node-html5-qrcode



[Pkg-javascript-devel] Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build

2024-01-01 Thread Yadd
Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install", which downloads libraries
from the Internet. This is totally outside the DFSG.



[Pkg-javascript-devel] Bug#1058596: Bug#1058596: yarnpkg broken on bookworm - yarnpkg --help fails with TypeError: commander.on is not a function

2023-12-13 Thread Yadd

On 12/13/23 19:17, Praveen Arimbrathodiyil wrote:

Control: fixed -1 1.22.19+~cs24.27.18-4

On Wed, 13 Dec 2023 20:39:39 +0530 Pirate Praveen  
wrote:

We should backport the patches in unstable to bookworm as well.


Updating the fixed info.


Hi,

since the severity is grave, please also prepare an update for stable

Cheers,
Yadd



[Pkg-javascript-devel] Bug#1058513: Bug#1058513: node-signal-exit: FTBFS: SyntaxError: Cannot use import statement outside a module

2023-12-13 Thread Yadd

Control: tags -1 + moreinfo

On 12/13/23 00:52, Lucas Nussbaum wrote:

Source: node-signal-exit
Version: 4.1.0-6
Severity: serious
Justification: FTBFS
Tags: trixie sid ftbfs
User: lu...@debian.org
Usertags: ftbfs-20231212 ftbfs-trixie

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.


Relevant part (hopefully):

make[1]: Entering directory '/<>'
tsc -p tsconfig.json
tsc -p tsconfig-esm.json
sh ./scripts/fixup.sh
#cp debian/index.cjs dist/cjs/
make[1]: Leaving directory '/<>'
dh_auto_test --buildsystem=nodejs
ln -s ../. node_modules/signal-exit
/bin/sh -ex debian/tests/pkg-js/test
+ tap -T -R spec test/all-integration-test.ts test/signal-exit-test.ts

/<>/test/all-integration-test.ts:1
import assert from 'assert'
^^



Hi,

I'm unable to reproduce this issue.



[Pkg-javascript-devel] Bug#1058080: node-eslint-plugin-eslint-plugin: Please add this patch for node-ajv >= 8

2023-12-11 Thread Yadd
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-3
Severity: important
Tags: ftbfs patch upstream
X-Debbugs-Cc: y...@debian.org

Hi,

here is a patch that updates the AJV schemas. It is compatible with the current
node-ajv 6 and with node-ajv >= 8

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e799068..317e5a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-4) UNRELEASED; urgency=medium
+
+  * Team upload
+
+ -- Yadd   Tue, 12 Dec 2023 09:38:42 +0400
+
 node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-3) unstable; urgency=medium
 
   * add patch cherry-picked upstream
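Review bot: the new changelog entry says only `* Team upload` and never mentions that `2006_prepare-for-ajv-8.patch` is added or that it addresses this bug; add a line such as `* Add patch to prepare for node-ajv >= 8 (Closes: #1058080)` so the BTS is updated when the package is uploaded.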
diff --git a/debian/patches/2006_prepare-for-ajv-8.patch 
b/debian/patches/2006_prepare-for-ajv-8.patch
new file mode 100644
index 000..669
--- /dev/null
+++ b/debian/patches/2006_prepare-for-ajv-8.patch
@@ -0,0 +1,27 @@
+Description: prepare for ajv 8
+Author: Yadd 
+Forwarded: no
+Last-Update: 2023-12-12
+
+--- a/lib/rules/meta-property-ordering.js
 b/lib/rules/meta-property-ordering.js
+@@ -21,7 +21,7 @@
+ fixable: 'code',
+ schema: [{
+   type: 'array',
+-  elements: { type: 'string' },
++  items: { type: 'string' },
+ }],
+   },
+ 
+--- a/lib/rules/test-case-property-ordering.js
 b/lib/rules/test-case-property-ordering.js
+@@ -22,7 +22,7 @@
+ fixable: 'code',
+ schema: [{
+   type: 'array',
+-  elements: { type: 'string' },
++  items: { type: 'string' },
+ }],
+   },
+ 
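Review bot: `Forwarded: no` undersells this patch: renaming `elements` to `items` corrects a keyword that is not part of JSON Schema (ajv 6 ignores unknown keywords, ajv 8 in strict mode rejects them), so the fix applies to upstream too and should be forwarded or given an upstream URL. Note also the behavioural effect: with `elements` ignored, the old schemas never constrained the array contents, whereas `items: { type: 'string' }` now enforces strings, so any rule options that used non-string entries would start failing validation; worth a sentence in the Description.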
diff --git a/debian/patches/series b/debian/patches/series
index 5eb779a..1de9aa5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 2003_avoid_eslint-config-not-an-aardvark.patch
 2004_avoid_eslint-config-airbnb-base.patch
 2005_no-require-jsdoc.patch
+2006_prepare-for-ajv-8.patch


[Pkg-javascript-devel] Bug#1058078: Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from

2023-12-11 Thread Yadd

Control: tags -1 + patch

On 12/12/23 09:59, Yadd wrote:

Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce the node-eslint-plugin-eslint-plugin build, sbuild
fails. Relevant logs below:

eslint --format tap Xcomposer
TAP version 13
1..2
ok 1 - /<>/Xcomposer/lib/rule-composer.js
ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js

eslint --format tap . --ignore-pattern '!.*'

Oops! Something went wrong! :(

ESLint: 6.4.0.

ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please 
check that the name of the config is correct.

The config "not-an-aardvark/node" was referenced from the config file in 
"/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

If you still have problems, please stop by https://gitter.im/eslint/eslint to 
chat with the team.

make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2


Hi Jonas,

this patch seems to fix the problem:

--- a/debian/rules
+++ b/debian/rules
@@ -35,7 +35,7 @@ override_dh_auto_build: $(DOCS) $(CHANGELOGS)

 override_dh_auto_test:
$(ESLINT) Xcomposer
-   $(ESLINT) . --ignore-pattern '!.*'
+   $(ESLINT) . --ignore-pattern .pc
$(MOCHA) --recursive Xcomposer/tests
$(MOCHA) --recursive tests
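Review bot: the effective fix here is dropping `--ignore-pattern '!.*'`, which un-ignored dot-directories and let ESLint descend into quilt's `.pc/` tree (the failing config in the log is `.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml`); `--ignore-pattern .pc` then only makes that exclusion explicit. Check whether any dotfile that the `'!.*'` pattern was added to lint on purpose (a `.eslintrc.js`, for instance) is now silently skipped.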



[Pkg-javascript-devel] Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from

2023-12-11 Thread Yadd
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce the node-eslint-plugin-eslint-plugin build, sbuild
fails. Relevant logs below:

eslint --format tap Xcomposer
TAP version 13
1..2
ok 1 - /<>/Xcomposer/lib/rule-composer.js
ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js

eslint --format tap . --ignore-pattern '!.*'

Oops! Something went wrong! :(

ESLint: 6.4.0.

ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please 
check that the name of the config is correct.

The config "not-an-aardvark/node" was referenced from the config file in 
"/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

If you still have problems, please stop by https://gitter.im/eslint/eslint to 
chat with the team.

make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2



[Pkg-javascript-devel] Bug#1057707: Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd

On 12/8/23 03:59, Jonas Smedegaard wrote:

Quoting Yadd (2023-12-07 14:37:31)

Control: tags -1 + patch

On 12/7/23 15:52, Jérémy Lal wrote:



On Thu, 7 Dec 2023 at 12:45, Yadd <mailto:y...@debian.org> wrote:

 Package: eslint
 Version: 6.4.0~dfsg+~6.1.9-7
 Severity: important
 Tags: ftbfs upstream

 Hi,

 eslint depends on node-ajv 6 and is incompatible with node-ajv 8
 (available in the experimental branch). All is in lib/shared/ajv.js:

   - eslint requires 'ajv/lib/refs/json-schema-draft-04.json', which is no
     longer available
   - eslint tries to set `ajv._opts.defaultMeta`, which is
     `ajv.opts.defaultMeta` in node-ajv 8.

 Changing "ajv/lib/refs/json-schema-draft-04.json" to
 "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
 patch, which seems to work, but 27 tests fail (not the right error string).
 It uses the default ajv schemas.

 Help needed here ;-)


I suppose you tried
https://github.com/eslint/eslint/pull/13911/commits
<https://github.com/eslint/eslint/pull/13911/commits>
?


Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch.

@Jonas, do you agree if I push this to experimental ?


If it succeeds the testsuite then by all means, go for it.


Hi,

sure, all tests pass now. Only error strings had to be updated

Cheers,
Yadd



[Pkg-javascript-devel] Bug#1057707: Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd

Control: tags -1 + patch

On 12/7/23 15:52, Jérémy Lal wrote:



On Thu, 7 Dec 2023 at 12:45, Yadd <mailto:y...@debian.org> wrote:


Package: eslint
Version: 6.4.0~dfsg+~6.1.9-7
Severity: important
Tags: ftbfs upstream

Hi,

eslint depends on node-ajv 6 and is incompatible with node-ajv 8
(available in the experimental branch). All is in lib/shared/ajv.js:

  - eslint requires 'ajv/lib/refs/json-schema-draft-04.json', which is no
    longer available
  - eslint tries to set `ajv._opts.defaultMeta`, which is
    `ajv.opts.defaultMeta` in node-ajv 8.

Changing "ajv/lib/refs/json-schema-draft-04.json" to
"ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
patch, which seems to work, but 27 tests fail (not the right error string).
It uses the default ajv schemas.

Help needed here ;-)


I suppose you tried
https://github.com/eslint/eslint/pull/13911/commits 
<https://github.com/eslint/eslint/pull/13911/commits>

?


Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch.

@Jonas, do you agree if I push this to experimental ?

Best regards,
Yadd
diff --git a/debian/control b/debian/control
index 10b6f6fc..35786a59 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
  help2man ,
  jq,
  mocha ,
- node-ajv  ,
+ node-ajv (>= 8)  ,
  node-babel-core (>= 7) ,
  node-babel-loader (>= 7) ,
  node-babel-preset-env (>= 7) ,
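Review bot: only Build-Depends is bumped to `node-ajv (>= 8)`, yet the accompanying patch changes runtime code (`lib/shared/ajv.js`, `lib/rule-tester/rule-tester.js`: `instancePath`, `strictSchema`) that exists only in ajv 8. Unless the binary package's Depends (or the `${nodejs:Depends}` substvar feeding it) carries the same `(>= 8)` constraint, eslint can be installed next to node-ajv 6 and break at runtime.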
diff --git a/debian/patches/2012_fix-for-ajv-8.patch b/debian/patches/2012_fix-for-ajv-8.patch
new file mode 100644
index ..f0a2d132
--- /dev/null
+++ b/debian/patches/2012_fix-for-ajv-8.patch
@@ -0,0 +1,351 @@
+Description: fix for node-ajv >= 8
+Author: Evgeny Poberezkin <https://github.com/epoberezkin>
+Origin: upstream, https://github.com/eslint/eslint/pull/13911/files
+Bug: https://github.com/eslint/eslint/issues/13888
+Bug-Debian: https://bugs.debian.org/1057707
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2023-12-07
+
+--- a/conf/config-schema.js
 b/conf/config-schema.js
+@@ -11,8 +11,7 @@
+ globals: { type: "object" },
+ overrides: {
+ type: "array",
+-items: { $ref: "#/definitions/overrideConfig" },
+-additionalItems: false
++items: { $ref: "#/definitions/overrideConfig" }
+ },
+ parser: { type: ["string", "null"] },
+ parserOptions: { type: "object" },
+@@ -33,8 +32,7 @@
+ { type: "string" },
+ {
+ type: "array",
+-items: { type: "string" },
+-additionalItems: false
++items: { type: "string" }
+ }
+ ]
+ },
+@@ -44,7 +42,6 @@
+ {
+ type: "array",
+ items: { type: "string" },
+-additionalItems: false,
+ minItems: 1
+ }
+ ]
+--- a/lib/rule-tester/rule-tester.js
 b/lib/rule-tester/rule-tester.js
+@@ -48,7 +48,7 @@
+ { getRuleOptionsSchema, validate } = require("../shared/config-validator"),
+ { Linter, SourceCodeFixer, interpolate } = require("../linter");
+ 
+-const ajv = require("../shared/ajv")({ strictDefaults: true });
++const ajv = require("../shared/ajv")({ strictSchema: true });
+ 
+ const { SourceCode } = require("../source-code");
+ 
+@@ -398,7 +398,7 @@
+ 
+ if (ajv.errors) {
+ const errors = ajv.errors.map(error => {
+-const field = error.dataPath[0] === "." ? error.dataPath.slice(1) : error.dataPath;
++const field = error.instancePath[0] === "." ? error.instancePath.slice(1) : error.instancePath;
+ 
+ return `\t${field}: ${error.message}`;
+ }).join("\n");
+--- a/lib/rules/array-element-newline.js
 b/lib/rules/array-element-newline.js
+@@ -23,7 +23,6 @@
+ },
+ 
+ fixable: "whitespace",
+-
+ schema: [
+ {
+ oneOf: [
+--- a/lib/rules/eqeqeq.js
 b/lib/rules/eqeqeq.js
+@@ -43,8 +43,7 @@
+ },
+ additionalProperties: false
+ }
+-],
+-additionalItems: false
++]
+ },
+ {
+ type: "array",
+@@ -52,8 +51,7 @@
+ {
+ enum: ["smart", "allow-null"]
+ }
+-],
+-additionalItems: false
++]
+  
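Review bot: in the two `eqeqeq.js` hunks the `]` that precedes the removed `additionalItems: false` closes what is evidently a tuple-form `items: [...]` list, so unlike the `config-schema.js` cases (single-schema `items`, where `additionalItems` has no effect) this loosens validation: an options array with extra trailing entries would now pass. Either keep the constraint in a form ajv 8 accepts (for instance `minItems` plus `maxItems`) or state in the patch header that this deliberately follows upstream PR 13911. The `array-element-newline.js` hunk only removes a blank line and could be dropped to keep the patch minimal. The 351-line hunk is cut off at this point, so the remainder was not reviewed.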

[Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd
Package: eslint
Version: 6.4.0~dfsg+~6.1.9-7
Severity: important
Tags: ftbfs upstream

Hi,

eslint depends on node-ajv 6 and is incompatible with node-ajv 8
(available in the experimental branch). All is in lib/shared/ajv.js:

 - eslint requires 'ajv/lib/refs/json-schema-draft-04.json', which is no
   longer available
 - eslint tries to set `ajv._opts.defaultMeta`, which is
   `ajv.opts.defaultMeta` in node-ajv 8.

Changing "ajv/lib/refs/json-schema-draft-04.json" to
"ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
patch, which seems to work, but 27 tests fail (not the right error string).
It uses the default ajv schemas.

Help needed here ;-)

--- a/lib/shared/ajv.js
+++ b/lib/shared/ajv.js
@@ -8,8 +8,7 @@
 // Requirements
 
//--

-const Ajv = require("ajv"),
-metaSchema = require("ajv/lib/refs/json-schema-draft-04.json");
+const Ajv = require("ajv");

 
//--
 // Public Interface
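Review bot: with the draft-04 meta-schema require gone and nothing added in its place, ajv 8 compiles every rule schema under its default draft-07 rules; schemas still written in draft-04 style (`id` rather than `$id`, boolean `exclusiveMinimum`/`exclusiveMaximum`) then change meaning rather than erroring, which is the first place to look for the 27 failures with the wrong error string mentioned above. Listing which rule schemas still use draft-04 keywords, and converting them, would make the behaviour change explicit instead of implicit.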
@@ -17,6 +16,7 @@

 module.exports = (additionalOptions = {}) => {
 const ajv = new Ajv({
+strict: false,
 meta: false,
 useDefaults: true,
 validateSchema: false,
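Review bot: `strict: false` switches off every ajv 8 strict-mode check (unknown keywords, ignored keywords, tuple checks) for the whole validator, so schema typos that ajv 8 would otherwise flag become silent no-ops; that hides exactly the class of defect this migration is meant to surface. Prefer keeping strict mode on and fixing the schemas, or narrow the relaxation to the single check that actually fails (for example `strictTuples: false`), with a comment saying why.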
@@ -26,9 +26,5 @@
 ...additionalOptions
 });

-ajv.addMetaSchema(metaSchema);
-// eslint-disable-next-line no-underscore-dangle
-ajv._opts.defaultMeta = metaSchema.id;
-
 return ajv;
 };



[Pkg-javascript-devel] Bug#1056705: node-mqtt: Missing dependency to node-lru-cache

2023-11-24 Thread Yadd
Package: node-mqtt
Version: 4.3.7-2
Severity: serious
Tags: patch
Justification: Failure
X-Debbugs-Cc: y...@debian.org

Hi,

node-mqtt autopkgtest shows that this package requires node-lru-cache,
however it is not listed in debian/control, and so it starts to fail when
one of its dependencies no longer depends on node-lru-cache.

Best regards,
Yadd

Ref: 
https://ci.debian.net/data/autopkgtest/testing/amd64/n/node-mqtt/40126282/log.gz



[Pkg-javascript-devel] Bug#1056334: Bug#1056334: node-ast-types: autopkgtest failure

2023-11-21 Thread Yadd

Control: tags -1 + moreinfo

On 11/21/23 12:28, Gianfranco Costamagna wrote:

Source: node-ast-types
Version: 0.16.1-2
Severity: serious


Hello, according to ci, the package autopkgtests look to be failing.
https://ci.debian.net/packages/n/node-ast-types/unstable/amd64/39617621/


  66s autopkgtest [20:34:26]: test pkg-js-autopkgtest: 
[---

  66s # Using ./package.(json|yaml)
  66s # Node module name is ast-types
  66s # Build files found: tsconfig.json
  66s # Test files found:
  66s # Found debian/tests/pkg-js/files, let's use it
  66s # Files/dir to be installed from source: src
  66s test
  66s tsconfig*
  66s ls: cannot access 'test': No such file or directory


This is strange: it seems that the test isn't launched from the source
directory (which has a test subdir)



  66s # Copy debian/tests/pkg-js content
  66s 'debian/tests/pkg-js' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js'
  66s 'debian/tests/pkg-js/test' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/test'
  66s 'debian/tests/pkg-js/files' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/files'

  66s Found debian/tests/test_modules
  66s # let's copy it
  66s Found debian/nodejs/extlinks
  67s @babel/parser linked into node_modules
  67s @babel/types linked into node_modules
  68s tslib linked into node_modules
  68s @types/esprima linked into node_modules
  69s @types/estree linked into node_modules
  69s @types/glob linked into node_modules
  70s @types/mocha linked into node_modules
  70s # Searching module in /usr/lib/nodejs/ast-types
  70s # Searching module in /usr/lib/*/nodejs/ast-types
  70s # Searching module in /usr/share/nodejs/ast-types
  70s # Found /usr/share/nodejs/ast-types
  70s # Searching files to link in /usr/share/nodejs/ast-types
  70s # Launch debian/tests/pkg-js/test with sh -ex
  70s + test /tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp !=
  70s + rm -rf lib
  70s + tsc
  70s Version 4.8.4
  70s tsc: The TypeScript Compiler - Version 4.8.4
  70s
  70s COMMON COMMANDS


The "copy" part of pkg-js-autopkgtest failed, so "tsconfig.json" is
missing, and then tsc displays this.




[Pkg-javascript-devel] Bug#1054853: node-katex: FTBFS: TypeError: Cannot read properties of undefined (reading '.cjs')

2023-11-07 Thread Yadd

Control: reassign -1 node-postcss-loader
Control: affects -1 node-katex
Control: found -1 7.3.3-1

It seems that node-postcss-loader 7.3.3 needs node-cosmiconfig 8 and "jiti".



[Pkg-javascript-devel] Bug#1054432: Not a bug

2023-10-31 Thread Yadd

Control: severity -1 wishlist

Files are readable



[Pkg-javascript-devel] Bug#1054667: Bug#1054667: node-browserify-sign: CVE-2023-46234

2023-10-28 Thread Yadd

On 10/27/23 20:20, Moritz Mühlenhoff wrote:

Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
 https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.


Hi,

please find attached the debdiff for Bookworm

Kind regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 5e3404f..c421503 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high
+
+  * Team upload
+  * Properly check the upper bound for DSA signatures (Closes: #1054667, 
CVE-2023-46234)
+
+ -- Yadd   Sat, 28 Oct 2023 12:03:04 +0400
+
 node-browserify-sign (4.2.1-3) unstable; urgency=medium
 
   * Team upload
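Review bot: the changelog continuation `CVE-2023-46234)` appears without the two-space indent of the `* Properly check …` line above it; if that is how the file reads (rather than mail wrapping of the debdiff), `dpkg-parsechangelog` will reject the entry, so confirm the continuation line is indented in the actual debian/changelog.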
diff --git a/debian/patches/CVE-2023-46234.patch 
b/debian/patches/CVE-2023-46234.patch
new file mode 100644
index 000..152fd72
--- /dev/null
+++ b/debian/patches/CVE-2023-46234.patch
@@ -0,0 +1,68 @@
+Description: properly check the upper bound for DSA signatures
+Author: roadicing 
+Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6
+Bug: 
https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
+Bug-Debian: https://bugs.debian.org/1054667
+Forwarded: not-needed
+Applied-Upstream: 4.2.2, commit: 85994cd6
+Reviewed-By: Yadd 
+Last-Update: 2023-10-28
+
+--- a/browser/verify.js
 b/browser/verify.js
+@@ -78,7 +78,7 @@
+ 
+ function checkValue (b, q) {
+   if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+-  if (b.cmp(q) >= q) throw new Error('invalid sig')
++  if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+ 
+ module.exports = verify
+--- a/test/index.js
 b/test/index.js
+@@ -4,6 +4,8 @@
+ var nCrypto = require('crypto')
+ var bCrypto = require('../browser')
+ var fixtures = require('./fixtures')
++var BN = require('bn.js')
++var parseKeys = require('parse-asn1')
+ 
+ function isNode10 () {
+   return parseInt(process.version.split('.')[1], 10) <= 10
+@@ -100,6 +102,35 @@
+   t.end()
+ })
+   }
++
++  var s = parseKeys(pub).data.q;
++  test(
++f.message + ' against a fake signature',
++{ skip: !s || '(this test only applies to DSA signatures and not EC 
signatures, this is ' + f.scheme + ')' },
++function (t) {
++  var messageBase64 = Buffer.from(f.message, 'base64');
++
++  // forge a fake signature
++  var r = new BN('1');
++
++  try {
++var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der');
++  } catch (e) {
++t.ifError(e);
++t.end();
++return;
++  }
++
++  var bVer = bCrypto.createVerify(f.scheme);
++  t['throws'](
++function () { bVer.update(messageBase64).verify(pub, fakeSig); },
++Error,
++'fake signature is invalid'
++  );
++
++  t.end();
++}
++  );
+ })
+ 
+ fixtures.valid.kvectors.forEach(function (f) {
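Review bot: the added test calls `asn1.signature.encode(...)`, but the new requires only bring in `bn.js` and `parse-asn1`; unless `asn1` is already in scope in test/index.js, the call throws a ReferenceError inside the `try`, which `t.ifError(e)` then reports as a failure rather than a skipped case. The fixed `b.cmp(q) >= 0` guards both `r` and `s`, yet only `s = q` is exercised here; adding `s = q + 1` and `r = q` cases would cover the whole range check. Also, the `Bug:` DEP-3 header is wrapped onto a line with no leading `+`, which breaks the patch file if the wrap is in the file rather than in the mail.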
diff --git a/debian/patches/series b/debian/patches/series
index 8aafdeb..86ff972 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 drop-rmd160-support.patch
+CVE-2023-46234.patch
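As an added example (not browserify-sign's code), the range check from the patch above carried through on toy DSA parameters: the buggy and the fixed `checkValue` side by side in a small textbook verifier, showing what the corrected comparison has to reject. The toy group, the key, the hash value and a gcd-unchecked modular inverse are assumptions made for illustration only.

```javascript
// Model of the CVE-2023-46234 range check (added example, not
// browserify-sign's code). BigInt arithmetic on constructed toy parameters;
// the modular inverse models a library that does not verify the gcd
// (assumption), which is what makes s = q dangerous without the check.

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Extended Euclid without a gcd check: for a ≡ 0 (mod m) it returns 0
// instead of throwing, so a verifier that skips range validation gets w = 0.
function modInverseUnchecked(a, m) {
  let [oldR, r] = [a % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const quot = oldR / r;
    [oldR, r] = [r, oldR - quot * r];
    [oldS, s] = [s, oldS - quot * s];
  }
  return ((oldS % m) + m) % m;
}

// cmp() returns -1n, 0n or 1n like a big-number compare. The buggy version
// compares that sign with q itself, which is false for every q > 1, so no
// value >= q is ever rejected; the fixed version compares the sign with 0.
const cmp = (a, b) => (a < b ? -1n : a > b ? 1n : 0n);

function checkValueBuggy(b, q) {
  if (cmp(b, 0n) <= 0n) throw new Error('invalid sig');
  if (cmp(b, q) >= q) throw new Error('invalid sig');
}

function checkValueFixed(b, q) {
  if (cmp(b, 0n) <= 0n) throw new Error('invalid sig');
  if (cmp(b, q) >= 0n) throw new Error('invalid sig');
}

// Constructed toy DSA group (NOT secure): p = 23, q = 11 divides p - 1,
// g = 2^((p-1)/q) mod p = 4 has order q. Private key x = 7, public y = g^x.
const TOY = { p: 23n, q: 11n, g: 4n };
const PRIV = 7n;
const PUB = modPow(TOY.g, PRIV, TOY.p); // 8n

// Textbook DSA signing with a caller-supplied nonce k (deterministic here so
// the example is reproducible; real code draws k at random).
function dsaSign(h, k, { p, q, g }, x) {
  const r = modPow(g, k, p) % q;
  const s = (modInverseUnchecked(k, q) * (h + x * r)) % q;
  return { r, s };
}

// Textbook DSA verification with the range check injected, so both
// checkValue variants can be compared on the same input.
function dsaVerify(h, { r, s }, { p, q, g }, y, checkValue) {
  checkValue(r, q);
  checkValue(s, q);
  const w = modInverseUnchecked(s, q);
  const u1 = (h * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

function verifyOutcome(h, sig, params, y, checkValue) {
  try {
    return dsaVerify(h, sig, params, y, checkValue) ? 'accepted' : 'bad-signature';
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}

// The regression case from the upstream test: r = 1, s = q. With s ≡ 0 the
// unchecked inverse yields w = 0, hence u1 = u2 = 0 and v = 1 = r for any
// public key; only the range check on s stops it.
const FORGED = { r: 1n, s: TOY.q };
```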


[Pkg-javascript-devel] Bug#1054175: Closing: not a bug

2023-10-28 Thread Yadd

Control: close -1
Control: notfound -1 2.0.0-2

Closing: unable to reproduce



[Pkg-javascript-devel] Bug#1054443: node-graphql: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:21, Bastien Roucariès wrote:

Source:  node-graphql
Version: 16.8.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2

You should repack or package docusaurus and rebuild

Bastien


No unreadable files here



[Pkg-javascript-devel] Bug#1054435: Bug#1054435: node-react-redux: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:08, Bastien Roucariès wrote:

Source:  node-react-redux
Version: 8.1.2+dfsg1+~cs1.2.3-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



[Pkg-javascript-devel] Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:15, Bastien Roucariès wrote:

Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



[Pkg-javascript-devel] Bug#1054439: Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:15, Bastien Roucariès wrote:

Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien


No unreadable files here



[Pkg-javascript-devel] Bug#1054441: node-ts-jest: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:18, Bastien Roucariès wrote:

Source:  node-ts-jest
Version: 29.1.1+~cs0.2.6-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory
https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



[Pkg-javascript-devel] Bug#1054434: Bug#1054434: Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian

2023-10-23 Thread Yadd

On 10/24/23 06:25, Yadd wrote:

Control: tags -1 + moreinfo

On 10/23/23 23:07, Bastien Roucariès wrote:

Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


Hello,

The docs directory contains only .md files, totally readable. What is the
serious bug here?


Also the website/ directory: no unreadable file, no serialized files... Do
we have to consider HTML files as non-source because they were written
with a non-free tool?




[Pkg-javascript-devel] Bug#1054434: Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian

2023-10-23 Thread Yadd

Control: tags -1 + moreinfo

On 10/23/23 23:07, Bastien Roucariès wrote:

Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is built with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


Hello,

The docs directory contains only .md files, totally readable. What is the
serious bug here?




[Pkg-javascript-devel] Bug#1054167: Bug#1054167: ftbfs: AssertionError in tests

2023-10-19 Thread Yadd

Control: severity -1 important

Hi,

Not really a serious bug since it exists only when using a color terminal.
Fixed anyway in version 2.0.0-4.


Cheers,
Yadd



[Pkg-javascript-devel] Bug#1054175: Bug#1054175: node-require-main-filename: failing dh_auto_test

2023-10-19 Thread Yadd

Control: tags -1 + moreinfo

On 10/18/23 20:27, Tianyu Chen wrote:

Source: node-require-main-filename
Version: 2.0.0-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source
X-Debbugs-Cc: sweetyf...@deepin.org

Hi,

During a rebuild of your package in unstable, your package fails to
build from source.

Full log can be accessed at:


https://build.opensuse.org/package/live_build_log/home:utsweetyfish:node-202309/node-require-main-filename/Debian_Unstable/aarch64

Tail of log for your package:

# Subtest: should default to process.cwd() if require.main is 
undefined
not ok 1 - expected '/usr/src/packages/BUILD' to match 
/(?:.*autopkgtest.*|require-main-filename)/
  ---
[...]

1..1
# failed 1 test
# time=95.325ms
not ok 1 - test.js # time=95.325ms
  ---
  env: {}
  file: test.js
  timeout: 3
  command: /usr/bin/node
  args:
- test.js
  stdio:
- 0
- pipe
- 2
  cwd: /usr/src/packages/BUILD
  exitCode: 1
  ...

1..1
# failed 1 test
# time=1113.041ms
--|-|--|-|-|---
File  | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
--|-|--|-|-|---
All files | 100 |  100 | 100 | 100 |
 index.js | 100 |  100 | 100 | 100 |
--|-|--|-|-|---
dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit 
code 1
make: *** [debian/rules:8: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit 
status 2

Thanks!
Tianyu Chen @ deepin


Hi,

I'm not able to reproduce this issue



Re: [Pkg-javascript-devel] Comments regarding node-sixel_0.16.0-1_amd64.changes

2023-10-13 Thread Yadd

On 10/13/23 21:36, Thorsten Alteholz wrote:

Hi,

please also mention Photopea for node-sixel-0.16.0/src/Quantizer.ts as
copyright holder.

Thanks!
  Thorsten


Thanks for the review, copyright updated in version 0.16.0-2!

Best regards,
Yadd



[Pkg-javascript-devel] Bug#1053895: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2

2023-10-13 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici doesn't clear Cookie and Host headers on cross-origin
redirect.

[ Impact ]
Medium security issue

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Drop headers Host/Cookie unless same-origin

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 92c0de8..168ee34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium
+
+  * Delete cookie and host headers on cross-origin redirect
+(Closes: #1053879, CVE-2023-45143)
+
+ -- Yadd   Fri, 13 Oct 2023 22:14:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
 
   * Fix security issues (Closes: #1031418):
diff --git a/debian/patches/CVE-2023-45143.patch 
b/debian/patches/CVE-2023-45143.patch
new file mode 100644
index 000..c196bd2
--- /dev/null
+++ b/debian/patches/CVE-2023-45143.patch
@@ -0,0 +1,24 @@
+Description: delete 'cookie' and 'host' headers on cross-origin redirect
+Author: Khafra 
+Origin: upstream, https://github.com/nodejs/undici/commit/e041de35
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
+ https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
+Bug-Debian: https://bugs.debian.org/1053879
+Forwarded: not-needed
+Applied-Upstream: 5.26.2, commit:e041de35
+Reviewed-By: Yadd 
+Last-Update: 2023-10-13
+
+--- a/lib/fetch/index.js
 b/lib/fetch/index.js
+@@ -1204,6 +1204,10 @@
+   if (!sameOrigin(requestCurrentURL(request), locationURL)) {
+ // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
+ request.headersList.delete('authorization')
++
++// "Cookie" and "Host" are forbidden request-headers, which undici 
doesn't implement.
++request.headersList.delete('cookie')
++request.headersList.delete('host')
+   }
+ 
+   // 14. If request’s body is non-null, then set request’s body to the first 
return
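Review bot: the [ Tests ] section says no new test was added, yet this hunk changes observable redirect behaviour (`request.headersList.delete('cookie')` and `delete('host')` inside the `!sameOrigin(...)` branch); a regression test that follows a cross-origin redirect and asserts that Cookie and Host are absent on the second request would protect this backport, and the same-origin case should be asserted too so that legitimate cookies still travel. The backported hunk matches the upstream commit referenced in the Origin field, so the Forwarded: not-needed entry is consistent.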
diff --git a/debian/patches/series b/debian/patches/series
index ce1440a..297000a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ drop-ssl-tests.patch
 CVE-2023-23936.patch
 CVE-2023-24807.patch
 update-httpbin.org-test-timeout.patch
+CVE-2023-45143.patch
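As an added illustration of the rule in the patch above (not undici's code, and not part of this mail): a small JavaScript routine that decides which request headers follow a redirect. It assumes a plain object of headers and uses the URL origin (scheme, host, port) as the same-origin test; the function names, the list of stripped headers and the sample request are constructed for the example.

```javascript
// Added example (not undici's code): which request headers survive a
// redirect, following the rule in the patch above: strip credentials and
// Host whenever the redirect target is not same-origin with the current URL.

// Same-origin per the Fetch spec: identical scheme, host and port.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Headers that must not leak to a different origin on redirect
// (the three names the patch deletes; constructed list for this example).
const CROSS_ORIGIN_STRIP = ['authorization', 'cookie', 'host'];

// Returns the headers to send to `locationURL`, given the headers that were
// sent to `currentURL`. Names are compared case-insensitively and returned
// lower-cased.
function headersForRedirect(currentURL, locationURL, headers) {
  const cross = !sameOrigin(currentURL, locationURL);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (cross && CROSS_ORIGIN_STRIP.includes(lower)) {
      continue; // dropped: credentials must not follow a cross-origin hop
    }
    out[lower] = value;
  }
  return out;
}

// Constructed sample request: credentials attached to an initial request.
const SAMPLE_HEADERS = {
  Host: 'app.example',
  Cookie: 'session=abc123',
  Authorization: 'Bearer token',
  Accept: 'application/json',
};

// Three redirect cases: same origin, different host, same host but other port.
function redirectDemo() {
  const from = 'https://app.example/login';
  return {
    sameOriginRedirect: headersForRedirect(from, 'https://app.example/home', SAMPLE_HEADERS),
    crossOriginRedirect: headersForRedirect(from, 'https://cdn.example/home', SAMPLE_HEADERS),
    portChange: headersForRedirect(from, 'https://app.example:8443/home', SAMPLE_HEADERS),
  };
}
```

Run with node; `redirectDemo()` returns the three cases. In a real client the Host header is regenerated from the new URL after it is dropped, which is why removing it on a cross-origin hop is harmless; the example only shows the filtering decision, not the request itself.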


[Pkg-javascript-devel] Bug#1052428: node-minimatch: please update to 9.x

2023-09-21 Thread Yadd

On 9/22/23 00:10, Jérémy Lal wrote:

Package: node-minimatch
Version: 5.1.1+~5.1.2-1
Severity: normal

Hi,

nodejs 18.18.0 depends on node-minimatch 9.0.3.

It'd be nice if someone could update that module.

Regards,
Jérémy


Hi,

I'm going to push version 9.0.3 to experimental (breaking changes)

Cheers,
Yadd



Re: [Pkg-javascript-devel] node-jss_10.10.0+ds1+~0.3.1-1_amd64.changes REJECTED

2023-09-10 Thread Yadd

Hi,

thanks for the review. I just fixed it and repushed to NEW queue.

Best regards,
Yadd

On 9/10/23 21:10, Thorsten Alteholz wrote:


Hi Yadd,

as you seem to add examples/plugins to your binary packages, please also add 
the ISC license.

Thanks!
  Thorsten



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.





[Pkg-javascript-devel] Bug#1051550: node-rollup-plugin-terser: Please update (or embed) to @rollup/plugin-terser

2023-09-09 Thread Yadd
Package: node-rollup-plugin-terser
Version: 7.0.2+~5.0.1-8
Severity: wishlist

Hi,

rollup-plugin-terser is going to be replaced by @rollup/plugin-terser.
Could you update this package or embed both during transition?

Cheers,
Yadd



Re: [Pkg-javascript-devel] node-quickjs-emscripten_0.23.0+dfsg-1_amd64.changes REJECTED

2023-08-13 Thread Yadd

Hi,

Jake Teton-Landis is mentioned in the LICENSE file (see
https://salsa.debian.org/js-team/node-quickjs-emscripten/-/blob/master/LICENSE).
"quickjs" is a component, so it is not in the orig.tar.xz file but in the
orig-quickjs.tar.xz file
(https://salsa.debian.org/js-team/node-quickjs-emscripten/-/tree/master/quickjs).


Can I reupload?

Regards,
Yadd

On 8/13/23 15:00, Thorsten Alteholz wrote:


Hi,

Jake Teton-Landis is not mentioned in any file as copyright
holder/maintainer/contributor.
There is no directory quickjs and LICENSE only mentions the other persons from
your debian/copyright.
Probably something went wrong during packaging?

   Thorsten



===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.





[Pkg-javascript-devel] Bug#1041010: Bug#1041010: Bug#1041010: Please include nbconvert-css

2023-07-17 Thread Yadd

On 7/17/23 17:06, Yadd wrote:

On 7/17/23 16:39, Julian Gilbey wrote:

On Sun, Jul 16, 2023 at 03:04:26PM +0100, Julian Gilbey wrote:

For some reason, nbconvert-css is excluded from the package.  Might it
be possible to include it?

Best wishes,


Hi,

I put node-jupyterlab into experimental because it's still WIP. For now I'm
not able to build all @jupyterlab/* components due to missing dependencies.

I'll continue this during autumn.


Hi Yadd,

Thanks for the info!  I'm taking a further look at this now and will
report back when I have more information (hopefully soon).
[...]


Quick update: I managed to build @jupyterlab/nbconvert-css using just
a small patch to the node-jupyterlab repo on salsa.  But I'm not sure
if my code is "correct" (though it produces identical output to
upstream) - I've filed an issue upstream about this.
(https://github.com/webpack/webpack.js.org/issues/6969)

When I'm happy that I've done the "right" thing, I'll file a PR
against jupyterlab to drop the deprecated null-loader dependency.  Are
you then happy for me to push the patch directly to the salsa
node-jupyterlab repo?


Hi,

Sure you can, thanks!


I just pushed a new version with @jupyterlab/nbconvert-css (the problem 
isn't in webpack but in schema-utils transition)




[Pkg-javascript-devel] Bug#1041010: Bug#1041010: Bug#1041010: Please include nbconvert-css

2023-07-17 Thread Yadd

On 7/17/23 16:39, Julian Gilbey wrote:

On Sun, Jul 16, 2023 at 03:04:26PM +0100, Julian Gilbey wrote:

For some reason, nbconvert-css is excluded from the package.  Might it
be possible to include it?

Best wishes,


Hi,

I put node-jupyterlab into experimental because it's still WIP. For now I'm
not able to build all @jupyterlab/* components due to missing dependencies.
I'll continue this during autumn.


Hi Yadd,

Thanks for the info!  I'm taking a further look at this now and will
report back when I have more information (hopefully soon).
[...]


Quick update: I managed to build @jupyterlab/nbconvert-css using just
a small patch to the node-jupyterlab repo on salsa.  But I'm not sure
if my code is "correct" (though it produces identical output to
upstream) - I've filed an issue upstream about this.
(https://github.com/webpack/webpack.js.org/issues/6969)

When I'm happy that I've done the "right" thing, I'll file a PR
against jupyterlab to drop the deprecated null-loader dependency.  Are
you then happy for me to push the patch directly to the salsa
node-jupyterlab repo?


Hi,

Sure you can, thanks!



[Pkg-javascript-devel] Bug#1041010: Bug#1041010: Please include nbconvert-css

2023-07-13 Thread Yadd

On 7/14/23 01:40, Julian Gilbey wrote:

Package: node-jupyterlab
Version: 4.0.0~rc1+ds1+~1.0.2-1
Severity: wishlist

Hi Yadd!

Thanks for building this package!

I'm in the process of trying to upgrade (python3-)nbconvert (it's a
dependency of Spyder), and the new version tries to use
https://unpkg.com/@jupyterlab/nbconvert-css@3.6.1/style/index.css
during the build process.  I obviously need to replace this by a local
file, so the node-jupyterlab is the obvious place to look.

For some reason, nbconvert-css is excluded from the package.  Might it
be possible to include it?

Best wishes,


Hi,

I put node-jupyterlab into experimental because it's still WIP. For now 
I'm not able to build all @jupyterlab/* components due to missing 
dependencies. I'll continue this during autumn.


Regards,
Yadd



[Pkg-javascript-devel] Bug#1040683: bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1

2023-07-09 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 0053d7ee..a07dd9d4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd   Mon, 29 May 2023 07:53:16 +0400
+
 node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch 
b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index ..2f651167
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@
+Description: avoid cross-realm objects
+Author: Jack Works 
+Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb
+Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.1, commit:4b4ca3bb
+Reviewed-By: Yadd 
+Last-Update: 2023-05-29
+
+--- a/lib/dependencies/ImportParserPlugin.js
 b/lib/dependencies/ImportParserPlugin.js
+@@ -137,7 +137,7 @@
+   if (importOptions.webpackInclude !== undefined) 
{
+   if (
+   !importOptions.webpackInclude ||
+-  
importOptions.webpackInclude.constructor.name !== "RegExp"
++  !(importOptions.webpackInclude 
instanceof RegExp)
+   ) {
+   parser.state.module.addWarning(
+   new 
UnsupportedFeatureWarning(
+@@ -146,13 +146,13 @@
+   )
+   );
+   } else {
+-  include = new 
RegExp(importOptions.webpackInclude);
++  include = 
importOptions.webpackInclude;
+   }
+   }
+   if (importOptions.webpackExclude !== undefined) 
{
+   if (
+   !importOptions.webpackExclude ||
+-  
importOptions.webpackExclude.constructor.name !== "RegExp"
++  !(importOptions.webpackExclude 
instanceof RegExp)
+   ) {
+   parser.state.module.addWarning(
+   new 
UnsupportedFeatureWarning(
+@@ -161,7 +161,7 @@
+   )
+   );
+   } else {
+-  exclude = new 
RegExp(importOptions.webpackExclude);
++  exclude = 
importOptions.webpackExclude;
+   }
+   }
+   if (importOptions.webpackExports !== undefined) 
{
+--- a/lib/javascript/JavascriptParser.js
 b/lib/javascript/JavascriptParser.js
+@@ -3635,17 +3635,27 @@
+   return EMPTY_COMMENT_OPTIONS;
+   }
+   let options = {};
++  /** @type {unknown[]} */
+   let errors = [];
+   for (const comment of comments) {
+   const { value } = comment;
+   if (value && webpackCommentRegExp.test(value)) {
+   // try compile only if webpack options comment 
is present
+   try {
+-  const val = 
vm.runInNewContext(`(function(){return {${value}};})()`);
+-  Object.assign(options, val);
++  for (let [key, val] of Object.entries(
++  
vm.runInNewContext(
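Review bot: replacing `constructor.name !== "RegExp"` with `!(... instanceof RegExp)` closes the name-based check, which any object with a suitably named `constructor` property satisfies, but `instanceof` is realm-bound: a genuine RegExp created in another context (for instance through the `vm` module this same file uses) now lands in the `UnsupportedFeatureWarning` branch, and `include = importOptions.webpackInclude` no longer re-wraps the value with `new RegExp(...)`. That behaviour change deserves a line in d/changelog so users whose build emitted such options know why they now see a warning. The JavascriptParser hunk is cut off right after `vm.runInNewContext(`, so the replacement for `Object.assign(options, val)` cannot be reviewed from this mail; please make sure the complete debdiff is attached to the bug.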

[Pkg-javascript-devel] Bug#1040680: bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-openpgp-seek-b...@packages.debian.org
Control: affects -1 + src:node-openpgp-seek-bzip

[ Reason ]
src:node-openpgp-seek-bzip provides:
 * a Node.js module (node-openpgp-seek-bzip)
 * command-line scripts (seek-bzip)

This second package is unusable due to missing files and broken links.

[ Impact ]
/usr/bin/seek-bunzip and /usr/bin/seek-table are unusable

[ Tests ]
No changes

[ Risks ]
No risk, this just fixes the install

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Install missing /usr/share/nodejs/seek-bzip/bin files and fix links in
/usr/bin

Regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index daa35de..20dc0b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-openpgp-seek-bzip (1.0.5-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix seek-bzip install (Closes: #1040584)
+
+ -- Yadd   Sun, 09 Jul 2023 09:29:47 +0400
+
 node-openpgp-seek-bzip (1.0.5-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/nodejs/links b/debian/nodejs/links
index 0ff514c..6c89a6e 100644
--- a/debian/nodejs/links
+++ b/debian/nodejs/links
@@ -1,2 +1,2 @@
-@openpgp/seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip
-@openpgp/seek-bzip/bin/seek-bzip-table /usr/bin/seek-table
+seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip
+seek-bzip/bin/seek-bzip-table /usr/bin/seek-table
diff --git a/debian/seek-bzip.install b/debian/seek-bzip.install
index e772481..8bbbe8d 100644
--- a/debian/seek-bzip.install
+++ b/debian/seek-bzip.install
@@ -1 +1,2 @@
 usr/bin
+usr/share/nodejs/seek-bzip/bin
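Review bot: `usr/share/nodejs/seek-bzip/bin` is now installed into the seek-bzip binary package while the links in debian/nodejs/links point at `seek-bzip/bin/seek-bunzip` and `seek-bzip/bin/seek-bzip-table`; please confirm that node-openpgp-seek-bzip does not also ship that `usr/share/nodejs/seek-bzip/bin` directory, otherwise the two binaries would conflict on the same files. Since the broken path was the command-line scripts, a smoke run of /usr/bin/seek-bunzip after installing the new package would be worth mentioning under [ Tests ] instead of "No changes".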


[Pkg-javascript-devel] Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-dot...@packages.debian.org
Control: affects -1 + src:node-dottie

[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't allow __proto__ modifications.
Patch includes also debian/tests/pkg-js/enable_proto file to allow
__proto__ calls during autopkgtest (forbidden by default) because patch
includes a prototype-pollution test

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9edf53f..5c9d435 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd   Sun, 09 Jul 2023 08:46:31 +0400
+
 node-dottie (2.0.2-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26132.patch 
b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen 
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd 
+Last-Update: 2023-07-09
+
+--- a/README.md
 b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call 
`Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
 b/dottie.js
+@@ -72,6 +72,7 @@
+   // Set nested value
+   Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = 
object, piece, length = pieces.length;
++if (pieces[0] === '__proto__') return;
+ 
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+   if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+ 
+--- a/test/set.test.js
 b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+   });
++
++  it('should not attempt to set __proto__', function () {
++var data = {};
++
++dottie.set(data, '__proto__.pollution', 'polluted');
++
++expect(data.__proto__.pollution).to.be.undefined;
++  });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
 b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+   });
++
++  it("should guard against prototype pollution", function () {
++var values = {
++  'user.name': 'John Doe',
++  '__proto__.pollution': 'pollution'
++};
++
++var transformed = dottie.transform(values);
++expect(transformed.user).not.to.equal(undefined);
++expect(transformed.user.name).to.equal('John Doe');
++expect(transformed.__proto__.pollution).to.be.undefined;
++  });
+ });
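Review bot: the guard `if (pieces[0] === '__proto__') return;` in `Dottie.set` and the matching check in the transform hunk inspect only the first path segment, so a path whose dangerous segment comes later is not covered; checking every element of `pieces` would be more robust, and `constructor`/`prototype` are usually treated the same way. In the transform hunk, if that `if` sits inside the loop over the object's keys (as `current = transformed` suggests), `break` abandons all remaining keys, so any key sorted after the rejected one is silently dropped; `continue` looks like the intended behaviour, and the new test does not notice because `'__proto__.pollution'` is its last key. The DEP-3 Description itself calls the fix "rudimentary", so a short note in d/changelog that the guard is partial would help later triage of this CVE.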
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 000..e69de29
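As an added example that is not part of this upload or of dottie itself: a dotted-path setter and transform written in JavaScript that reject the dangerous segment at any position rather than only at `pieces[0]`, and that skip a rejected key instead of leaving the loop. The function names `safeSet`/`safeTransform`, the `FORBIDDEN_SEGMENTS` list and the sample input are constructed for the example; it generalises the guard in the patch above to every path segment.

```javascript
// Added example (not dottie's code): a dotted-path setter that refuses
// prototype-polluting paths. The patch above checks only pieces[0]; this
// version rejects a dangerous segment at any position.

// Segments that would let a caller walk onto a shared prototype
// (constructed list for this example).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafePath(pieces) {
  return pieces.every((p) => !FORBIDDEN_SEGMENTS.has(p));
}

// Sets `value` at `path` inside `object`, creating intermediate containers.
// Returns true when the write happened, false when the path was rejected.
function safeSet(object, path, value) {
  if (typeof object !== 'object' || object === null) return false;
  const pieces = Array.isArray(path) ? path : path.split('.');
  if (pieces.length === 0 || !isSafePath(pieces)) return false;

  let current = object;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    // Only descend into own, plain-object properties; never walk up the chain.
    const own = Object.prototype.hasOwnProperty.call(current, piece);
    if (!own || typeof current[piece] !== 'object' || current[piece] === null) {
      // Intermediate containers have no prototype, so they cannot be polluted.
      current[piece] = Object.create(null);
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return true;
}

// Turns flat dotted keys into nested objects. A rejected key is skipped and
// reported; the remaining keys are still processed.
function safeTransform(flat) {
  const out = Object.create(null);
  const rejected = [];
  for (const [key, value] of Object.entries(flat)) {
    if (!safeSet(out, key, value)) rejected.push(key);
  }
  return { out, rejected };
}
```

`safeSet` returns a boolean rather than throwing so that `safeTransform` can keep going; callers that want hard failure can check the `rejected` list. Because intermediate containers are created with `Object.create(null)`, even a guard bypass at a later segment would write an own property instead of reaching `Object.prototype`.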


[Pkg-javascript-devel] Bug#1040678: bookworm-pu: package node-dottie/2.0.2-4+deb12u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-dot...@packages.debian.org
Control: affects -1 + src:node-dottie

[ Reason ]
node-dottie is vulnerable to prototype pollution (#1040592,
CVE-2023-26132)

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't allow __proto__ modifications.
Patch includes also debian/tests/pkg-js/enable_proto file to allow
__proto__ calls during autopkgtest (forbidden by default) because patch
includes a prototype-pollution test

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 9edf53f..a6edff9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: #1040592, CVE-2023-26132)
+
+ -- Yadd   Sun, 09 Jul 2023 08:43:00 +0400
+
 node-dottie (2.0.2-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26132.patch 
b/debian/patches/CVE-2023-26132.patch
new file mode 100644
index 000..5186407
--- /dev/null
+++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@
+Description: rudimentary __proto__ guarding
+Author: Mick Hansen 
+Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c
+Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
+Bug-Debian: https://bugs.debian.org/1040592
+Forwarded: not-needed
+Applied-Upstream: 2.0.6, commit:7d3aee1c
+Reviewed-By: Yadd 
+Last-Update: 2023-07-09
+
+--- a/README.md
 b/README.md
+@@ -42,6 +42,8 @@
+ });
+ ```
+ 
++If you accept arbitrary/user-defined paths to `set` you should call 
`Object.preventExtensions(values)` first to guard against potential pollution.
++
+ ### Transform object
+ Transform object from keys with dottie notation to nested objects
+ 
+--- a/dottie.js
 b/dottie.js
+@@ -72,6 +72,7 @@
+   // Set nested value
+   Dottie.set = function(object, path, value, options) {
+ var pieces = Array.isArray(path) ? path : path.split('.'), current = 
object, piece, length = pieces.length;
++if (pieces[0] === '__proto__') return;
+ 
+ if (typeof current !== 'object') {
+ throw new Error('Parent is not an object.');
+@@ -137,6 +138,9 @@
+ 
+   if (key.indexOf(options.delimiter) !== -1) {
+ pieces = key.split(options.delimiter);
++
++if (pieces[0] === '__proto__') break;
++
+ piecesLength = pieces.length;
+ current = transformed;
+ 
+--- a/test/set.test.js
 b/test/set.test.js
+@@ -45,4 +45,12 @@
+ });
+ expect(data.foo.bar.baz).to.equal('someValue');
+   });
++
++  it('should not attempt to set __proto__', function () {
++var data = {};
++
++dottie.set(data, '__proto__.pollution', 'polluted');
++
++expect(data.__proto__.pollution).to.be.undefined;
++  });
+ });
+\ No newline at end of file
+--- a/test/transform.test.js
 b/test/transform.test.js
+@@ -145,4 +145,16 @@
+ expect(transformed.user.location.city).to.equal('Zanzibar City');
+ expect(transformed.project.title).to.equal('dottie');
+   });
++
++  it("should guard against prototype pollution", function () {
++var values = {
++  'user.name': 'John Doe',
++  '__proto__.pollution': 'pollution'
++};
++
++var transformed = dottie.transform(values);
++expect(transformed.user).not.to.equal(undefined);
++expect(transformed.user.name).to.equal('John Doe');
++expect(transformed.__proto__.pollution).to.be.undefined;
++  });
+ });
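Review bot: this is the same upstream patch as the bullseye upload, so the same two observations apply to this hunk: `pieces[0] === '__proto__'` in `Dottie.set` and in the transform loop guards only the first segment of the path, and the `break` in the transform loop leaves the loop over the keys instead of skipping the offending key, which the new test cannot detect because `'__proto__.pollution'` is its last entry. A changelog note that the fix is partial, as the Description's "rudimentary" already admits, would be useful here too.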
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..e86da5e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26132.patch
diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto
new file mode 100644
index 000..e69de29


[Pkg-javascript-devel] Bug#1040677: bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1

2023-07-08 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-tough-coo...@packages.debian.org
Control: affects -1 + src:node-tough-cookie

[ Reason ]
node-tough-cookie is vulnerable to prototype pollution

[ Impact ]
Little security issue

[ Tests ]
Test updated, passed

[ Risks ]
No risk, patch is trivial and tested

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Create new object instead of using default {}

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3652359..84339cf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-tough-cookie (4.0.0-2+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2023-26136)
+
+ -- Yadd   Sun, 09 Jul 2023 08:32:32 +0400
+
 node-tough-cookie (4.0.0-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26136.patch 
b/debian/patches/CVE-2023-26136.patch
new file mode 100644
index 000..05e6372
--- /dev/null
+++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@
+Description: Fix prototype pollution
+ CVE-2023-26136
+Author: Yadd 
+Forwarded: not-needed
+Last-Update: 2023-07-07
+
+--- a/lib/memstore.js
 b/lib/memstore.js
+@@ -39,7 +39,7 @@
+   constructor() {
+ super();
+ this.synchronous = true;
+-this.idx = {};
++this.idx = Object.create(null);
+ if (util.inspect.custom) {
+   this[util.inspect.custom] = this.inspect;
+ }
+@@ -109,10 +109,10 @@
+ 
+   putCookie(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+-  this.idx[cookie.domain] = {};
++  this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+-  this.idx[cookie.domain][cookie.path] = {};
++  this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+@@ -144,7 +144,7 @@
+ return cb(null);
+   }
+   removeAllCookies(cb) {
+-this.idx = {};
++this.idx = Object.create(null);
+ return cb(null);
+   }
+   getAllCookies(cb) {
+--- a/test/cookie_jar_test.js
 b/test/cookie_jar_test.js
+@@ -669,4 +669,29 @@
+   }
+ }
+   })
++  .addBatch({
++"Issue #282 - Prototype pollution": {
++  "when setting a cookie with the domain __proto__": {
++topic: function() {
++  const jar = new tough.CookieJar(undefined, {
++rejectPublicSuffixes: false
++  });
++  // try to pollute the prototype
++  jar.setCookieSync(
++"Slonser=polluted; Domain=__proto__; Path=/notauth",
++"https://__proto__/admin;
++  );
++  jar.setCookieSync(
++"Auth=Lol; Domain=google.com; Path=/notauth",
++"https://google.com/;
++  );
++  this.callback();
++},
++"results in a cookie that is not affected by the attempted prototype 
pollution": function() {
++  const pollutedObject = {};
++  assert(pollutedObject["/notauth"] === undefined);
++}
++  }
++}
++  })
+   .export(module);
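Review bot: the assertion only checks that a fresh `{}` has no `/notauth` property; it does not verify that the `__proto__` cookie was stored under that literal domain, nor that `google.com`'s `Auth` cookie is invisible to an unrelated origin, which is the actual impact of the bug. Add `jar.getCookiesSync('https://google.com/notauth')` and a lookup for an unrelated origin and assert on their lengths. `rejectPublicSuffixes: false` is required for the jar to accept `__proto__` as a domain at all, so keep it.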
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..67af372
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26136.patch


[Pkg-javascript-devel] Bug#1040563: bookworm-pu: package node-tough-cookie/4.0.0-2+deb12u1

2023-07-07 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-tough-coo...@packages.debian.org
Control: affects -1 + src:node-tough-cookie

[ Reason ]
node-tough-cookie is vulnerable to prototype pollution

[ Impact ]
Little security issue

[ Tests ]
Test updated, passed

[ Risks ]
No risk, patch is trivial and tested

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Create new object instead of using default {}

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3652359..a8e8b7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-tough-cookie (4.0.0-2+deb12u1) bookworm; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution (Closes: CVE-2023-26136)
+
+ -- Yadd   Fri, 07 Jul 2023 20:57:36 +0400
+
 node-tough-cookie (4.0.0-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-26136.patch 
b/debian/patches/CVE-2023-26136.patch
new file mode 100644
index 000..05e6372
--- /dev/null
+++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@
+Description: Fix prototype pollution
+ CVE-2023-26136
+Author: Yadd 
+Forwarded: not-needed
+Last-Update: 2023-07-07
+
+--- a/lib/memstore.js
 b/lib/memstore.js
+@@ -39,7 +39,7 @@
+   constructor() {
+ super();
+ this.synchronous = true;
+-this.idx = {};
++this.idx = Object.create(null);
+ if (util.inspect.custom) {
+   this[util.inspect.custom] = this.inspect;
+ }
+@@ -109,10 +109,10 @@
+ 
+   putCookie(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+-  this.idx[cookie.domain] = {};
++  this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+-  this.idx[cookie.domain][cookie.path] = {};
++  this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
+@@ -144,7 +144,7 @@
+ return cb(null);
+   }
+   removeAllCookies(cb) {
+-this.idx = {};
++this.idx = Object.create(null);
+ return cb(null);
+   }
+   getAllCookies(cb) {
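Review bot: this is the same patch file as in the bullseye upload (blob `05e6372`), so the same caveat applies to all three hunks: a null-prototype index has no `hasOwnProperty`, and any such call on `this.idx` or its nested objects elsewhere in memstore.js must become `Object.prototype.hasOwnProperty.call(...)` before this is safe to ship.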
+--- a/test/cookie_jar_test.js
 b/test/cookie_jar_test.js
+@@ -669,4 +669,29 @@
+   }
+ }
+   })
++  .addBatch({
++"Issue #282 - Prototype pollution": {
++  "when setting a cookie with the domain __proto__": {
++topic: function() {
++  const jar = new tough.CookieJar(undefined, {
++rejectPublicSuffixes: false
++  });
++  // try to pollute the prototype
++  jar.setCookieSync(
++"Slonser=polluted; Domain=__proto__; Path=/notauth",
++"https://__proto__/admin;
++  );
++  jar.setCookieSync(
++"Auth=Lol; Domain=google.com; Path=/notauth",
++"https://google.com/;
++  );
++  this.callback();
++},
++"results in a cookie that is not affected by the attempted prototype 
pollution": function() {
++  const pollutedObject = {};
++  assert(pollutedObject["/notauth"] === undefined);
++}
++  }
++}
++  })
+   .export(module);
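Review bot: if the fix ever regresses, `Object.prototype['/notauth']` stays set for the rest of the vows run and can mask or break later batches, so add a `delete Object.prototype['/notauth']` in the topic's cleanup; and since the vulnerability is about one site's cookies surfacing for another, assert on `jar.getCookiesSync(...)` for an unrelated origin as well, not only on a fresh `{}`.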
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..67af372
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-26136.patch


Re: [Pkg-javascript-devel] node-jupyterlab_4.0.0~rc1+ds1+~1.0.2-1_amd64.changes REJECTED

2023-07-05 Thread Yadd

On 7/4/23 22:00, Thorsten Alteholz wrote:


Hi,

please also mention at least
  Guillaume Potier.
  Julien Crouzet
  Florian Schwingenschlögl.
  Brian Vaughn
in your debian/copyright.

While you are at it, the BSD-3 license text in your debian/copyright does not 
match the text in LICENSE.

   Thorsten


Hi,

thanks, I just re-pushed it with these fixes.

Cheers,
Yadd



[Pkg-javascript-devel] Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: jquery-minicol...@packages.debian.org
Control: affects -1 + src:jquery-minicolors

Please unblock package jquery-minicolors

[ Reason ]
jquery-minicolors is vulnerable to cross-site scripting
(CVE-2021-32850)

[ Impact ]
Low security issue

[ Tests ]
No test here

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock jquery-minicolors/2.3.5+dfsg-4
diff --git a/debian/changelog b/debian/changelog
index 1e959f0..dcf5b2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix cross-site scripting issue (Closes: CVE-2021-32850)
+
+ -- Yadd   Wed, 31 May 2023 16:44:37 +0400
+
 jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium
 
   [ Debian Janitor ]
diff --git a/debian/control b/debian/control
index 3dcf29b..66693e1 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Debian JavaScript Maintainers 

 Uploaders: Yadd 
 Build-Depends: debhelper-compat (= 13), uglifyjs
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Homepage: https://github.com/jquery-minicolors
 Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git
 Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors
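Review bot: the Standards-Version bump in this hunk is unrelated to CVE-2021-32850; for an unblock during the freeze the release team expects the diff to be limited to the fix, so either drop it from this upload or justify it explicitly in the request.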
diff --git a/debian/patches/CVE-2021-32850.patch 
b/debian/patches/CVE-2021-32850.patch
new file mode 100644
index 000..5e54e6d
--- /dev/null
+++ b/debian/patches/CVE-2021-32850.patch
@@ -0,0 +1,21 @@
+Description: fix XSS vuln
+Author: Cory LaViska 
+Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824
+Bug: 
https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
+Forwarded: not-needed
+Applied-Upstream: 2.3.6, commit:ef134824
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/jquery.minicolors.js
 b/jquery.minicolors.js
+@@ -226,7 +226,8 @@
+ }
+ swatchString = swatch;
+ swatch = isRgb(swatch) ? parseRgb(swatch, true) : 
hex2rgb(parseHex(swatch, true));
+-$('')
++$('')
++  .attr("title", name)
+   .appendTo(swatches)
+   .data('swatch-color', swatchString)
+   .find('.minicolors-swatch-color')
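Review bot: the markup inside `$('')` has been stripped by the list archive, so the before and after strings cannot be compared here; what is visible is that the `title` now goes through `.attr("title", name)` instead of being concatenated into the element string, which is the right shape for this fix because jQuery then stores the value as an attribute rather than parsing it as HTML. Confirm that `name` is the swatch name variable in scope at this point in 2.3.5, since the hunk does not show its definition.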
diff --git a/debian/patches/series b/debian/patches/series
index 7ba3ddc..b5c3525 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-local-CSS-and-JavaScript-in-examples.patch
+CVE-2021-32850.patch


[Pkg-javascript-devel] Bug#1036978: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici is vulnerable to:
 * CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection
 * CVE-2023-24807: Regex Denial of Service on headers set/append

[ Impact ]
Medium security issues

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patches are trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just new little checks

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a69b63..92c0de8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
+
+  * Fix security issues (Closes: #1031418):
+- Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936)
+- Fix potential ReDoS on Headers.set and Headers.append
+  (Closes: CVE-2023-24807)
+  * Increase httpbin.org test timeout
+
+ -- Yadd   Wed, 31 May 2023 15:52:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium
 
   * Update standards version to 4.6.2, no changes needed.
diff --git a/debian/patches/CVE-2023-23936.patch 
b/debian/patches/CVE-2023-23936.patch
new file mode 100644
index 000..e6fbb0f
--- /dev/null
+++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@
+Description: Protect "Host" HTTP header from CLRF injection
+Author: Yadd 
+Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:a2eff054
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/core/request.js
 b/lib/core/request.js
+@@ -299,6 +299,9 @@
+ key.length === 4 &&
+ key.toLowerCase() === 'host'
+   ) {
++if (headerCharRegex.exec(val) !== null) {
++  throw new InvalidArgumentError(`invalid ${key} header`)
++}
+ // Consumed by Client
+ request.host = val
+   } else if (
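Review bot: `headerCharRegex` and `InvalidArgumentError` are used here but neither defined nor imported by this hunk, so the patch only works if lib/core/request.js in 5.15.0 already has both in scope; verify that on the actual source rather than trusting the cherry-pick to apply cleanly, otherwise the new check throws a `ReferenceError` instead of the intended `UND_ERR_INVALID_ARG`.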
+--- /dev/null
 b/test/headers-crlf.js
+@@ -0,0 +1,37 @@
++'use strict'
++
++const { test } = require('tap')
++const { Client } = require('..')
++const { createServer } = require('http')
++const EE = require('events')
++
++test('CRLF Injection in Nodejs ‘undici’ via host', (t) => {
++  t.plan(1)
++
++  const server = createServer(async (req, res) => {
++res.end()
++  })
++  t.teardown(server.close.bind(server))
++
++  server.listen(0, async () => {
++const client = new Client(`http://localhost:${server.address().port}`)
++t.teardown(client.close.bind(client))
++
++const unsanitizedContentTypeInput =  '12 \r\n\r\naaa:aaa'
++
++try {
++  const { body } = await client.request({
++path: '/',
++method: 'POST',
++headers: {
++  'content-type': 'application/json',
++  'host': unsanitizedContentTypeInput
++},
++body: 'asd'
++  })
++  await body.dump()
++} catch (err) {
++  t.same(err.code, 'UND_ERR_INVALID_ARG')
++}
++  })
++})
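Review bot: `EE` is required but never used, `unsanitizedContentTypeInput` actually holds the host value, and the only assertion sits in the `catch` branch, so a request that unexpectedly goes through fails only via the unmet `t.plan(1)` rather than with a clear message; add an explicit `t.fail('request should have been rejected')` after `await body.dump()` and rename the variable.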
diff --git a/debian/patches/CVE-2023-24807.patch 
b/debian/patches/CVE-2023-24807.patch
new file mode 100644
index 000..986fb16
--- /dev/null
+++ b/debian/patches/CVE-2023-24807.patch
@@ -0,0 +1,46 @@
+Description: fix potential ReDoS on Headers.set and Headers.append
+Author: Rich Trott 
+Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
+Bug-Debian: https://bugs.debian.org/1031418
+Forwarded: not-needed
+Applied-Upstream: 5.19.1, commit:f2324e54
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/fetch/headers.js
 b/lib/fetch/headers.js
+@@ -23,10 +23,12 @@
+   //  To normalize a byte sequence potentialValue, remove
+   //  any leading and trailing HTTP whitespace bytes from
+   //  potentialValue.
+-  return potentialValue.replace(
+-/^[\r\n\t ]+|[\r\n\t ]+$/g,
+-''
+-  )
++
++  // Trimming the end with `.replace()` and a RegExp is typically subject to
++  // ReDoS. This is safer and faster.
++  let i = potentialValue.length
++  while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));
++  return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '')
+ }
+ 
+ function fill (headers, object) {
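Review bot: the new loop handles the edge cases correctly: `charAt(-1)` returns `''`, which does not match, so an empty or all-whitespace value stops with `i === -1` and `slice(0, 0)` yields `''`; and the remaining `/^[\r\n\t ]+/` is start-anchored with no alternation, so unlike the removed `^...|...$` pattern it cannot backtrack across the string. The empty `while` body ending in `;` will trip linters and readers, though; give it a comment or an explicit `{}` body.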
+--- a/test/fetch/headers.js
 b/test/fetch/headers.js
+@@ -665,3 +665,14 @@
+ 
+   t.end()
+ })
++
++tap.test('headers that might cause a ReDoS', (t) => {
++  t.doesNotThrow(() => {
++// This test will time out if the ReDoS attack is successful.
++const headers = new Headers()
++const attack = 'a' + '\t'.repeat(500_

[Pkg-javascript-devel] Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jquer...@packages.debian.org
Control: affects -1 + src:jqueryui

[ Reason ]
jqueryui is potentially vulnerable to cross-site scripting
(CVE-2022-31160)

[ Impact ]
Low security issue

[ Tests ]
Sadly, tests are minimal in this package. Anyway, they passed.

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't accept label outside of the root element

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 3a6a587..9b1e9cc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
CVE-2022-31160)
+
+ -- Yadd   Wed, 31 May 2023 15:08:55 +0400
+
 jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-31160.patch 
b/debian/patches/CVE-2022-31160.patch
new file mode 100644
index 000..11d7baa
--- /dev/null
+++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,156 @@
+Description: Checkboxradio: Don't re-evaluate text labels as HTML
+Author: Michał Gołębiowski-Owczarek 
+Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1
+Bug: 
https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+Forwarded: not-needed
+Applied-Upstream: 1.13.2, commit:8cc5bae1
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/tests/unit/checkboxradio/checkboxradio.html
 b/tests/unit/checkboxradio/checkboxradio.html
+@@ -64,6 +64,18 @@
+ 
+   
+ 
++
++  
++  Hi, I'm a label
++
++
++  
++  Hi, I'm a label
++
++
++  
++  emHi, I'm a label/em
++
+ 
+ 
+ 
+--- a/tests/unit/checkboxradio/core.js
 b/tests/unit/checkboxradio/core.js
+@@ -135,4 +135,41 @@
+   );
+ } );
+ 
++QUnit.test( "Inheriting label from initial HTML", function( assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++  labelWithoutInput.html().trim(),
++  expectedLabel.trim(),
++  "Label correct [" + id + "]"
++  );
++  } );
++} );
++
+ } );
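Review bot: the expected strings in this test hunk have lost their markup in the archive copy (`expectedLabel: "emHi, I'm a label/em"` has no angle brackets, and the `-with-html` case is wrapped across two lines), so the html-like-text case, which is the one that exercises the fix, cannot be reviewed from this debdiff; compare the patch against upstream commit 8cc5bae1 before upload.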
+--- a/tests/unit/checkboxradio/methods.js
 b/tests/unit/checkboxradio/methods.js
+@@ -94,4 +94,42 @@
+   assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input 
preserved" );
+ } );
+ 
++QUnit.test( "Initial text label not turned to HTML on refresh", function( 
assert ) {
++  var tests = [
++  {
++  id: "label-with-no-for-with-html",
++  expectedLabel: "Hi, I'm a 
label"
++  },
++  {
++  id: "label-with-no-for-with-text",
++  expectedLabel: "Hi, I'm a label"
++  },
++  {
++  id: "label-with-no-for-with-html-like-text",
++  expectedLabel: "emHi, I'm a label/em"
++  }
++  ];
++
++  assert.expect( tests.length );
++
++  tests.forEach( function( testData ) {
++  var id = testData.id;
++  var expectedLabel = testData.expectedLabel;
++  var inputElem = $( "#" + id );
++  var labelElem = inputElem.parent();
++
++  inputElem.checkboxradio( { icon: false } );
++  inputElem.checkboxradio( "refresh" );
++
++  var labelWithoutInput = labelElem.clone();
++  labelWithoutInput.find( "input" ).remove();
++
++  assert.strictEqual(
++

[Pkg-javascript-devel] Bug#1036976: bullseye-pu: package grunt/1.3.0-1+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: gr...@packages.debian.org
Control: affects -1 + src:grunt

[ Reason ]
file.copy operations in GruntJS are vulnerable to a TOCTOU race condition
leading to arbitrary file write in GitHub repository gruntjs/grunt prior to
1.5.3. This vulnerability is capable of arbitrary file writes which can lead
to local privilege escalation to the GruntJS user if a lower-privileged user
has write access to both source and destination directories as the
lower-privileged user can create a symlink to the GruntJS user's .bashrc
file or replace /etc/shadow file if the GruntJS user is root.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk: patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Refuse to copy a file if destination is a symlink

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 23c3145..dcebea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grunt (1.3.0-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Patch up race condition in symlink copying (Closes: CVE-2022-1537)
+
+ -- Yadd   Wed, 31 May 2023 14:59:30 +0400
+
 grunt (1.3.0-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-1537.patch 
b/debian/patches/CVE-2022-1537.patch
new file mode 100644
index 000..19c750b
--- /dev/null
+++ b/debian/patches/CVE-2022-1537.patch
@@ -0,0 +1,39 @@
+Description: Patch up race condition in symlink copying
+Author: Vlad Filippov 
+Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa
+Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
+Forwarded: not-needed
+Applied-Upstream: 1.5.3, commit:58016ffa
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/lib/grunt/file.js
 b/lib/grunt/file.js
+@@ -333,8 +333,8 @@
+ }
+   }
+   // Abort copy if the process function returns false.
+-  if (contents === false) {
+-grunt.verbose.writeln('Write aborted.');
++  if (contents === false || file.isLink(destpath)) {
++grunt.verbose.writeln('Write aborted. Either the process function 
returned false or the destination is a symlink');
+   } else {
+ file.write(destpath, contents, readWriteOptions);
+   }
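Review bot: `file.isLink(destpath)` followed by `file.write(destpath, ...)` is still a check-then-act pair, so this narrows the race rather than closing it: a symlink planted between the lstat and the write is followed exactly as before. To close it, open the destination with O_NOFOLLOW, or write to a temporary file in the same directory and rename it over the destination, so the kernel performs the check and the open as one operation. A symlinked parent directory is also not covered by this check.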
+--- a/test/grunt/file_test.js
 b/test/grunt/file_test.js
+@@ -916,5 +916,13 @@
+   test.ok(fs.lstatSync(path.join(destdir.path, 
path.basename(fixtures))).isSymbolicLink());
+   test.done();
+ },
+-  }
++  },
++  'symbolicLinkDestError': function(test) {
++test.expect(1);
++var tmpfile = new Tempdir();
++fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'), 'file');
++grunt.file.copy(path.resolve('test/fixtures/octocat.png'), 
path.join(tmpfile.path, 'octocat.png'));
++test.ok(fs.lstatSync(path.join(tmpfile.path, 
'octocat.png')).isSymbolicLink());
++test.done();
++  },
+ };
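Review bot: the symlink in `symbolicLinkDestError` points at the very file being copied (`test/fixtures/octocat.png`), so even if the write followed the link the target's content would be unchanged, and the test only proves the link itself survived. Point the link at a separate temporary file with known content and assert that content is intact after `grunt.file.copy`, which is what the vulnerability is about.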
diff --git a/debian/patches/series b/debian/patches/series
index 24fd9f9..6231471 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ add-root-variable.patch
 fix-for-coffescript.diff
 adapt-gruntfile.patch
 CVE-2022-0436.patch
+CVE-2022-1537.patch


[Pkg-javascript-devel] Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2

2023-05-31 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-url-pa...@packages.debian.org
Control: affects -1 + src:node-url-parse

[ Reason ]
node-url-parse is vulnerable to authorization bypass through
user-controlled key prior to version 1.5.6

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, the non-test part of the patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Update URL split to fix user and password values if any

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 842b4ff..c261d0e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-url-parse (1.5.3-1+deb11u2) bullseye; urgency=medium
+
+  * Team upload
+  * Correctly handle userinfo containing the at sign (Closes: CVE-2022-0512)
+
+ -- Yadd   Wed, 31 May 2023 14:43:23 +0400
+
 node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-0512.patch 
b/debian/patches/CVE-2022-0512.patch
new file mode 100644
index 000..9b3caed
--- /dev/null
+++ b/debian/patches/CVE-2022-0512.patch
@@ -0,0 +1,135 @@
+Description: Correctly handle userinfo containing the at sign
+Author: Luigi Pinca 
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/9be7ee88
+Bug: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
+Forwarded: not-needed
+Applied-Upstream: 1.5.6, commit:9be7ee88
+Reviewed-By: Yadd 
+Last-Update: 2023-05-31
+
+--- a/index.js
 b/index.js
+@@ -306,7 +306,11 @@
+ if (parse !== parse) {
+   url[key] = address;
+ } else if ('string' === typeof parse) {
+-  if (~(index = address.indexOf(parse))) {
++  index = parse === '@'
++? address.lastIndexOf(parse)
++: address.indexOf(parse);
++
++  if (~index) {
+ if ('number' === typeof instruction[2]) {
+   url[key] = address.slice(0, index);
+   address = address.slice(index + instruction[2]);
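Review bot: switching the `@` rule to `lastIndexOf` is correct only if `address` at this point is just the authority; `@` may legitimately appear in a path, query or fragment, so confirm that the earlier rules in this instruction table have already split those off before this rule runs, otherwise the last `@` in a query string would be taken as the userinfo boundary.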
+@@ -373,9 +377,19 @@
+   //
+   url.username = url.password = '';
+   if (url.auth) {
+-instruction = url.auth.split(':');
+-url.username = instruction[0] || '';
+-url.password = instruction[1] || '';
++index = url.auth.indexOf(':');
++
++if (~index) {
++  url.username = url.auth.slice(0, index);
++  url.username = encodeURIComponent(decodeURIComponent(url.username));
++
++  url.password = url.auth.slice(index + 1);
++  url.password = encodeURIComponent(decodeURIComponent(url.password))
++} else {
++  url.username = encodeURIComponent(decodeURIComponent(url.auth));
++}
++
++url.auth = url.password ? url.username +':'+ url.password : url.username;
+   }
+ 
+   url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host
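Review bot: `encodeURIComponent(decodeURIComponent(...))` throws a `URIError` on a malformed percent sequence (for example `%E0%A4%A` or a lone `%`), so a crafted userinfo now makes `parse()` throw where the old `split(':')` code returned a result; either wrap the re-encoding in a try/catch that falls back to the raw string, or document the new exception for callers that feed it untrusted URLs.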
+--- a/test/test.js
 b/test/test.js
+@@ -712,6 +712,54 @@
+ });
+   });
+ 
++  it('handles @ in username', function () {
++  var url = 'http://user@@www.example.com/'
++, parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  assume(parsed.href).equals('http://user...@www.example.com/');
++
++  url = 'http://user...@www.example.com/';
++  parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  assume(parsed.href).equals('http://user...@www.example.com/');
++});
++
++it('handles @ in password', function () {
++  var url = 'http://user@:pas:s@@www.example.com/'
++, parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40:pas%3As%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('pas%3As%40');
++  assume(parsed.hostname).equals('www.example.com');
++  assume(parsed.pathname).equals('/');
++  
assume(parsed.href).equals('http://user%40:pas%3as...@www.example.com/');
++
++  url = 'http://user%40:pas%3as...@www.example.com/'
++  parsed = parse(url);
++
++  assume(parsed.protocol).equals('http:');
++  assume(parsed.auth).equals('user%40:pas%3As%40');
++  assume(parsed.username).equals('user%40');
++  assume(parsed.password).equals('pas%3As%40');
++  assume(parsed.hostname).equals('www.example.com')

[Pkg-javascript-devel] Bug#1036944: unblock: node-babel7/7.20.15+ds1+~cs214.269.168-3

2023-05-30 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-bab...@packages.debian.org
Control: affects -1 + src:node-babel7

Please unblock package node-babel7

[ Reason ]
Upgrades from Buster to Bookworm via Bullseye are broken due to a
missing Breaks/Replaces

[ Impact ]
Upgrades may fail

[ Tests ]
No changes

[ Risks ]
No risk, node-babel-code-frame < 7 has been removed before Bullseye

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-babel7/7.20.15+ds1+~cs214.269.168-3
diff --git a/debian/changelog b/debian/changelog
index d445ccc55..f0ff6d95f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-babel7 (7.20.15+ds1+~cs214.269.168-3) unstable; urgency=medium
+
+  * Team upload
+  * Add Breaks+Replaces against node-babel-code-frame << 7
+(Closes: #1036942)
+
+ -- Yadd   Tue, 30 May 2023 12:24:08 +0400
+
 node-babel7 (7.20.15+ds1+~cs214.269.168-2) unstable; urgency=medium
 
   * Update minimum version of node-regexpu-core to 5.2.1~.
diff --git a/debian/control b/debian/control
index ff31d4894..e5dba9547 100644
--- a/debian/control
+++ b/debian/control
@@ -120,6 +120,8 @@ Depends: ${misc:Depends}
 Suggests: node-babel-plugin-polyfill-es-shims
  , node-babel7-debug
 Breaks: node-babel-core (<< 6.26.0+repack-3~)
+ , node-babel-code-frame (<< 7)
+Replaces: node-babel-code-frame (<< 7)
 Provides: ${nodeBabel7:Provides}
  , babeljs (= ${binary:Version})
 X-Javascript-Built-Using: ${nodejs:BuiltUsing}


[Pkg-javascript-devel] Bug#1036259: Bug#1036259: moment-timezone.js: FTBFS in testing: make[1]: *** [debian/rules:28: execute_before_dh_auto_configure] Error 1

2023-05-28 Thread Yadd

On 5/28/23 19:56, gregor herrmann wrote:

On Thu, 18 May 2023 09:00:03 +0200, Lucas Nussbaum wrote:


During a rebuild of all packages in testing (bookworm), your package failed
to build on amd64.


Relevant part (hopefully):

  debian/rules binary
dh binary
dh_update_autotools_config
dh_autoreconf
debian/rules execute_before_dh_auto_configure
make[1]: Entering directory '/<>'
# Fail the build if the tzdata package does not match TZVER.
grep -q '^# version 2022g$' /usr/share/zoneinfo/tzdata.zi
make[1]: *** [debian/rules:28: execute_before_dh_auto_configure] Error 1


This looked reasonably easy to fix (cf. attached patch), but the
tests fail as follows:


Hi,

I fixed it in salsa (needs an update to import 2023 data). I'm waiting
for a review from Martina, who maintains it.


Cheers,
Yadd


#v+
Running "nodeunit:countries" (nodeunit) task
Testing countries.jsFF

countries - zone_countries
Error: [] deepEqual [ 'CA' ]
at Object.deepEqual (/usr/share/nodejs/nodeunit/lib/types.js:83:39)
at Object.zone_countries (tests/countries/countries.js:230:8)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at /usr/share/nodejs/nodeunit/lib/core.js:236:16
at Object.exports.runTest (/usr/share/nodejs/nodeunit/lib/core.js:70:9)
at /usr/share/nodejs/nodeunit/lib/core.js:118:25
at /usr/share/javascript/async/async.js:665:13
at iterate (/usr/share/javascript/async/async.js:149:13)
at async.eachSeries (/usr/share/javascript/async/async.js:165:9)



countries - zone_countries
Error: [ 'US' ] deepEqual [ 'UM', 'US' ]
at Object.deepEqual (/usr/share/nodejs/nodeunit/lib/types.js:83:39)
at Object.zone_countries (tests/countries/countries.js:552:8)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at /usr/share/nodejs/nodeunit/lib/core.js:236:16
at Object.exports.runTest (/usr/share/nodejs/nodeunit/lib/core.js:70:9)
at /usr/share/nodejs/nodeunit/lib/core.js:118:25
at /usr/share/javascript/async/async.js:665:13
at iterate (/usr/share/javascript/async/async.js:149:13)
at async.eachSeries (/usr/share/javascript/async/async.js:165:9)



countries - country_zones
Actual:
   [
 'America/Atikokan',  'America/Blanc-Sablon',
 'America/Cambridge_Bay', 'America/Creston',
 'America/Dawson','America/Dawson_Creek',
 'America/Edmonton',  'America/Fort_Nelson',
 'America/Glace_Bay', 'America/Goose_Bay',
 'America/Halifax',   'America/Inuvik',
 'America/Iqaluit',   'America/Moncton',
 'America/Panama','America/Phoenix',
 'America/Puerto_Rico',   'America/Rankin_Inlet',
 'America/Regina','America/Resolute',
 'America/St_Johns',  'America/Swift_Current',
 'America/Toronto',   'America/Vancouver',
 'America/Whitehorse','America/Winnipeg'
   ]
Operator:
   deepEqual
Expected:
   [
 'America/Atikokan',  'America/Blanc-Sablon',
 'America/Cambridge_Bay', 'America/Creston',
 'America/Dawson','America/Dawson_Creek',
 'America/Edmonton',  'America/Fort_Nelson',
 'America/Glace_Bay', 'America/Goose_Bay',
 'America/Halifax',   'America/Inuvik',
 'America/Iqaluit',   'America/Moncton',
 'America/Panama','America/Phoenix',
 'America/Puerto_Rico',   'America/Rankin_Inlet',
 'America/Regina','America/Resolute',
 'America/St_Johns',  'America/Swift_Current',
 'America/Toronto',   'America/Vancouver',
 'America/Whitehorse','America/Winnipeg',
 'America/Yellowknife'
   ]
at Object.deepEqual (/usr/share/nodejs/nodeunit/lib/types.js:83:39)
at Object.country_zones (tests/countries/countries.js:646:8)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at /usr/share/nodejs/nodeunit/lib/core.js:236:16
at Object.exports.runTest (/usr/share/nodejs/nodeunit/lib/core.js:70:9)
at /usr/share/nodejs/nodeunit/lib/core.js:118:25
at /usr/share/javascript/async/async.js:665:13
at iterate (/usr/share/javascript/async/async.js:149:13)
at /usr/share/javascript/async/async.js:160:25



countries - country_zones
Actual:
   [
 'Pacific/Midway',
 'Pacific/Pago_Pago',
 'Pacific/Tarawa',
 'Pacific/Wake'
   ]
Operator:
   deepEqual
Expected:
   [
 'Pacific/Honolulu',
 'Pacific/Midway',
 'Pacific/Pago_Pago',
 'Pacific/Tarawa',
 'Pacific/Wake'
   ]
at Object.deepEqual (/usr/share/nodejs/nodeunit/lib/types.js:83:39)
at Object.country_zones (tests/countries/countries.js:839:8)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at Object. (/usr/share/nodejs/nodeunit/lib/core.js:236:16)
at /usr/share/nodejs/nodeunit/lib/core.js:236:16
at Object.exports.runTest (/usr/share/nodejs/nodeunit/lib/core.js:70:9)
at /usr/share/nodejs/nodeunit/lib/core.js:118:25
at /usr/share/javascript/async/async.js:665:13
at iterate (/usr/

[Pkg-javascript-devel] Bug#1036660: unblock: node-socket.io-parser/4.2.1+~3.1.0-2

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-socket.io-par...@packages.debian.org
Control: affects -1 + src:node-socket.io-parser

Please unblock package node-socket.io-parser

[ Reason ]
node-socket.io-parser is vulnerable to CVE-2023-32695: a malformed
packet can trigger an uncaught exception on the Socket.IO server,
thus killing the Node.js process.

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
No risk:
 * patch is trivial
 * the patch is a revert, version 4.0.2 (Bullseye) isn't vulnerable even
   if included in the report
   (see https://github.com/socketio/socket.io/discussions/4721)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-socket.io-parser/4.2.1+~3.1.0-2



[Pkg-javascript-devel] Bug#1036615: unblock: node-isomorphic-fetch/3.0.0-3

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-isomorphic-fe...@packages.debian.org
Control: affects -1 + src:node-isomorphic-fetch

Please unblock package node-isomorphic-fetch

[ Reason ]
The useless link for browser module pointed to a libjs-fetch file
instead of new node-whatwg-fetch dependency

[ Impact ]
Only developers that require the "browser" file of this library had to
install libjs-fetch.

[ Tests ]
No changes

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-isomorphic-fetch/3.0.0-3



[Pkg-javascript-devel] Bug#1036613: unblock: node-jschardet/3.0.0+dfsg+~1.4.0-2

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-jschar...@packages.debian.org
Control: affects -1 + src:node-jschardet

Please unblock package node-jschardet

[ Reason ]
node-js-chardet had a useless link to node-buffer

[ Impact ]
Just a dangling link

[ Tests ]
No change

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-jschardet/3.0.0+dfsg+~1.4.0-2
diff --git a/debian/changelog b/debian/changelog
index 6cc65b3..e38faf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-jschardet (3.0.0+dfsg+~1.4.0-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Drop useless symlink to buffer (Closes: #1036609)
+
+ -- Yadd   Tue, 23 May 2023 13:03:58 +0400
+
 node-jschardet (3.0.0+dfsg+~1.4.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 8e3fed7..a778394 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13)
  , node-typescript
  , terser
  , webpack (>= 5.0~)
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-jschardet
 Vcs-Git: https://salsa.debian.org/js-team/node-jschardet.git
 Homepage: https://github.com/aadsm/jschardet#readme
diff --git a/debian/rules b/debian/rules
index 8ad0ced..e58679b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,7 +15,6 @@ override_dh_auto_build:
cp chardet/package.json debian/
perl -i -pe 's/0.0.0-development/$(CHARDET_VERSION)/' 
chardet/package.json
dh_auto_build --buildsystem=nodejs
-   ln -s /usr/share/nodejs/buffer .
webpack --config debian/webpack.config.js --output-library=jschardet \
--entry index.js --output-path ./dist --output-filename jschardet.js
terser dist/jschardet.js -o dist/jschardet.min.js
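Review bot: with `ln -s /usr/share/nodejs/buffer .` dropped, the webpack invocation that follows still has to resolve the `buffer` module the symlink used to expose in the build tree; since the changelog calls the link useless, please confirm that debian/webpack.config.js resolves it through /usr/share/nodejs (or a resolve alias) and that the produced dist/jschardet.js is byte-identical before and after the change, otherwise the minified bundle may silently lose the Buffer shim.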


[Pkg-javascript-devel] Bug#1036605: unblock: node-is-docker/3.0.0-5

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-is-doc...@packages.debian.org
Control: affects -1 + src:node-is-docker

Please unblock package node-is-docker

[ Reason ]
The /usr/bin/is-docker link was broken

[ Impact ]
Library unusable in command-line

[ Tests ]
No changes

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-is-docker/3.0.0-5
diff --git a/debian/changelog b/debian/changelog
index 5270a2c..4d93442 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-is-docker (3.0.0-5) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.6.2
+  * Fix /usr/bin/is-docker link (Closes: #1036579)
+
+ -- Yadd   Tue, 23 May 2023 12:15:54 +0400
+
 node-is-docker (3.0.0-4) unstable; urgency=medium
 
   * team upload
diff --git a/debian/control b/debian/control
index e6a687b..7c4821f 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends:
  debhelper-compat (= 13)
  , dh-sequence-nodejs (>= 0.14.12~)
  , rollup
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Homepage: https://github.com/sindresorhus/is-docker#readme
 Vcs-Git: https://salsa.debian.org/js-team/node-is-docker.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-is-docker
diff --git a/debian/links b/debian/links
deleted file mode 100644
index b9973ef..000
--- a/debian/links
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib/nodejs/is-docker/cli.js usr/bin/is-docker
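Review bot: the removed link's source, usr/lib/nodejs/is-docker/cli.js, points at a prefix this package does not install to, which is why /usr/bin/is-docker dangled; the replacement in debian/nodejs/links uses the package-relative form is-docker/cli.js that dh-sequence-nodejs resolves under /usr/share/nodejs, matching the path the rules hunk chmods. A line in the changelog entry saying the link moved from debian/links to debian/nodejs/links would tell the next uploader which file to edit.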
diff --git a/debian/nodejs/links b/debian/nodejs/links
new file mode 100644
index 000..6016422
--- /dev/null
+++ b/debian/nodejs/links
@@ -0,0 +1 @@
+is-docker/cli.js /usr/bin/is-docker
diff --git a/debian/rules b/debian/rules
index b6e6027..ee9210e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,3 +10,7 @@
 override_dh_auto_build:
mjs2cjs index.js
perl -i -pe 's/node://' index.cjs
+
+override_dh_fixperms:
+   dh_fixperms
+   chmod +x debian/node-is-docker/usr/share/nodejs/is-docker/cli.js
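Review bot: re-running dh_fixperms inside the override and then chmod'ing the installed file works, but with debhelper-compat (= 13) in debian/control the idiomatic form is an `execute_after_dh_fixperms:` target holding only the chmod; it avoids restating the dh_fixperms call and keeps the hard-coded debian/node-is-docker/usr/share/nodejs/is-docker/cli.js path in one obvious place. Either way, please check that the shipped cli.js still starts with a shebang, since the +x bit only helps if it does.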


[Pkg-javascript-devel] Bug#1036604: unblock: node-shelljs/0.8.5+~cs0.8.10-2

2023-05-23 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-shel...@packages.debian.org
Control: affects -1 + src:node-shelljs

Please unblock package node-shelljs

[ Reason ]
The /usr/bin/shjs link was broken

[ Impact ]
Library unusable in command line

[ Tests ]
No changes

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-shelljs/0.8.5+~cs0.8.10-2
diff --git a/debian/changelog b/debian/changelog
index 1a94a3e..c688687 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-shelljs (0.8.5+~cs0.8.10-2) unstable; urgency=medium
+
+  * Team upload
+  * Fix /usr/bin/shjs link (Closes: #1036582)
+
+ -- Yadd   Tue, 23 May 2023 06:39:48 +0400
+
 node-shelljs (0.8.5+~cs0.8.10-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/links b/debian/links
deleted file mode 100644
index ba4d0f7..000
--- a/debian/links
+++ /dev/null
@@ -1 +0,0 @@
-usr/lib/nodejs/shelljs/bin/shjs usr/bin/shjs
diff --git a/debian/nodejs/links b/debian/nodejs/links
new file mode 100644
index 000..971d6b0
--- /dev/null
+++ b/debian/nodejs/links
@@ -0,0 +1 @@
+shelljs/bin/shjs /usr/bin/shjs
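Review bot: unlike the node-is-docker fix, this debdiff adds no override_dh_fixperms chmod, so /usr/bin/shjs only works if shelljs/bin/shjs already carries its executable bit in the upstream tarball and keeps it through dh_fixperms; please confirm with `dpkg -c` on the built .deb, or simply by running `shjs --help` from the installed package, before the unblock is granted.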


Re: [Pkg-javascript-devel] node-vscode-lsp_1.0.0~git20230424.1320922-1_amd64.changes REJECTED

2023-05-11 Thread Yadd

Hi,

thanks. I just repushed a new version.

Best regards,
Yadd

On 5/11/23 22:10, Thorsten Alteholz wrote:


Hi,

please also mention TypeFox in your debian/copyright.

Thanks!
  Thorsten




[Pkg-javascript-devel] Bug#1035916: unblock: node-source-map/0.7.0++dfsg2+really.0.6.1-14

2023-05-11 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-source-...@packages.debian.org
Control: affects -1 + src:node-source-map

Please unblock package node-source-map

[ Reason ]
There was an error in maintscript, then updates from Bullseye dropped
the copyright.

[ Impact ]
Missing copyright

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-source-map/0.7.0++dfsg2+really.0.6.1-14
diff --git a/debian/changelog b/debian/changelog
index 524ef9d..0de8d6b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-source-map (0.7.0++dfsg2+really.0.6.1-14) unstable; urgency=medium
+
+  * Team upload
+  * Fix maintscript (Closes: #1035805). Thanks to Andreas Beckmann.
+
+ -- Yadd   Thu, 11 May 2023 06:30:12 +0400
+
 node-source-map (0.7.0++dfsg2+really.0.6.1-13) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/node-source-map.maintscript 
b/debian/node-source-map.maintscript
index 45938e9..dcfb513 100644
--- a/debian/node-source-map.maintscript
+++ b/debian/node-source-map.maintscript
@@ -1 +1 @@
-dir_to_symlink /usr/share/doc/node-source-map ../libjs-source-map 
0.7.0++dfsg2+really.0.6.1-9~
+dir_to_symlink /usr/share/doc/node-source-map libjs-source-map 
0.7.0++dfsg2+really.0.6.1-9~
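Review bot: the fix is right because dpkg-maintscript-helper's dir_to_symlink takes the literal symlink target, which the kernel resolves relative to the symlink's own directory (/usr/share/doc); `../libjs-source-map` therefore pointed at the non-existent /usr/share/libjs-source-map, while `libjs-source-map` lands on /usr/share/doc/libjs-source-map. The prior-version argument is left at 0.7.0++dfsg2+really.0.6.1-9~, so bullseye upgrades still trigger the conversion; systems that already picked up the bad symlink from -13 are covered by the package shipping the correct link, as the #1035805 discussion notes.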
diff --git a/debian/rules b/debian/rules
index 55b4534..540fff9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -15,6 +15,3 @@ override_dh_auto_build:
 
 override_dh_auto_clean:
rm -rf dist node_modules/.cache
-
-override_dh_installdocs:
-   dh_installdocs --link-doc=libjs-source-map
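Review bot: dropping `override_dh_installdocs: dh_installdocs --link-doc=libjs-source-map` is not mentioned in the changelog entry above, which only says "Fix maintscript"; please add a line for it. It also changes what gets shipped: without --link-doc, dh_installdocs creates a real /usr/share/doc/node-source-map directory unless the dh-sequence-nodejs addon recreates the symlink, and the dir_to_symlink maintscript only makes sense if the new package ships a symlink. Please confirm with `dpkg -c` that the built package still has /usr/share/doc/node-source-map as a symlink to libjs-source-map.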


[Pkg-javascript-devel] Bug#1035915: unblock: node-asn1.js/5.4.1-4

2023-05-11 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-asn1...@packages.debian.org
Control: affects -1 + src:node-asn1.js

Please unblock package node-asn1.js

[ Reason ]
node-asn1.js included broken symlinks, no longer needed (#1035859).

[ Impact ]
No impact, just a dangling link

[ Risks ]
No impact, just a dangling link

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock node-asn1.js/5.4.1-4
diff --git a/debian/changelog b/debian/changelog
index ca7bb42..b083e72 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-asn1.js (5.4.1-4) unstable; urgency=medium
+
+  * Team upload
+  * Drop useless links (Closes: #1035859)
+
+ -- Yadd   Wed, 10 May 2023 19:59:21 +0400
+
 node-asn1.js (5.4.1-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/nodejs/links b/debian/nodejs/links
deleted file mode 100644
index a084e8e..000
--- a/debian/nodejs/links
+++ /dev/null
@@ -1,2 +0,0 @@
-asn1.js/rfc/2560 asn1.js-rfc2560
-asn1.js/rfc/5280 asn1.js-rfc5280
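Review bot: these two entries were what let `asn1.js-rfc2560` and `asn1.js-rfc5280` resolve as module names from /usr/share/nodejs; the changelog calls them useless, so please confirm no reverse dependency in bookworm still does `require('asn1.js-rfc5280')` (a `grep -r asn1.js-rfc /usr/share/nodejs` on a system with the reverse dependencies installed settles it) before the links go, otherwise the fix for a dangling link turns into a MODULE_NOT_FOUND at runtime elsewhere.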


[Pkg-javascript-devel] Bug#1035805: node-source-map: copyright file missing after upgrade (policy 12.5)

2023-05-10 Thread Yadd

On 5/10/23 20:25, Andreas Beckmann wrote:

Control: tag -1 - moreinfo

On 10/05/2023 17.54, Yadd wrote:
node-source-map depends on libjs-source-map, so the link isn't broken 
in normal installation.


After a fresh installation in bookworm, the link is
   /usr/share/doc/node-source-map -> libjs-source-map
and everything is fine, but after an upgrade from bullseye the link is
   /usr/share/doc/node-source-map -> ../libjs-source-map
which does not work.

node-source-map.maintscript has the corresponding error:

dir_to_symlink /usr/share/doc/node-source-map ../libjs-source-map 
0.7.0++dfsg2+really.0.6.1-9~


Simply reinstalling the package fixes the link (the package
already ships the correct link and dpkg-maintscript-helper does
not touch it again in this case.
So there is no need for a manual cleanup of this mess.

All that needs to be done is an upload with the fixed path
(removing '../') in node-source-map.maintscript.


Done, thanks!



[Pkg-javascript-devel] Bug#1035805: node-source-map: copyright file missing after upgrade (policy 12.5)

2023-05-10 Thread Yadd

Control: tags -1 + moreinfo

On 5/9/23 16:13, Andreas Beckmann wrote:

Package: node-source-map
Version: 0.7.0++dfsg2+really.0.6.1-13
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

a test with piuparts revealed that your package misses the copyright
file after an upgrade, which is a violation of Policy 12.5:
https://www.debian.org/doc/debian-policy/ch-docs.html#copyright-information

After the upgrade /usr/share/doc/$PACKAGE/ is just an empty directory.

This was observed on the following upgrade paths:

   bullseye -> bookworm

 From the attached log (scroll to the bottom...):

0m39.3s ERROR: WARN: Inadequate results from running adequate!
   node-source-map: broken-symlink /usr/share/doc/node-source-map -> 
../libjs-source-map
   node-source-map: missing-copyright-file 
/usr/share/doc/node-source-map/copyright


Hi,

node-source-map depends on libjs-source-map, so the link isn't broken in 
normal installation.


Regards,
Yadd


   MISSING COPYRIGHT FILE: /usr/share/doc/node-source-map/copyright
   # ls -lad /usr/share/doc/node-source-map
   lrwxrwxrwx 1 root root 19 May  3 22:16 /usr/share/doc/node-source-map -> 
../libjs-source-map
   # ls -la /usr/share/doc/node-source-map/
   ls: cannot access '/usr/share/doc/node-source-map/': No such file or 
directory


Additional info may be available here:
https://wiki.debian.org/MissingCopyrightFile

Note that dpkg intentionally does not replace directories with symlinks
and vice versa, you need the maintainer scripts to do this.
See in particular the end of point 4 in
https://www.debian.org/doc/debian-policy/ch-maintainerscripts.html#details-of-unpack-phase-of-installation-or-upgrade

It is recommended to use the dpkg-maintscript-helper commands
'dir_to_symlink' and 'symlink_to_dir' (available since dpkg 1.17.14)
to perform the conversion, ideally using d/$PACKAGE.maintscript.
See dpkg-maintscript-helper(1) and dh_installdeb(1) for details.


cheers,

Andreas




Re: [Pkg-javascript-devel] Comments regarding node-blueprintjs_4.17.8~git20230417213433.6dab069+ds1-1_amd64.changes

2023-05-06 Thread Yadd

On 5/6/23 21:58, Thorsten Alteholz wrote:

Hi,

I assume that all icons from ./package/lib/*/generated-icons/* can be generated 
from resources/icons/*.
It would be nice to confirm this in a comment within debian/copyright ...

Thanks!
  Thorsten


Hi,

thanks a lot, I just added a comment in debian/copyright

Cheers,
Yadd



[Pkg-javascript-devel] Bug#1035625: unblock: node-yaml/2.1.3-2

2023-05-06 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-y...@packages.debian.org
Control: affects -1 + src:node-yaml

Please unblock package node-yaml

[ Reason ]
node-yaml is vulnerable to Denial-of-Service (#1035580, CVE-2023-2251)

[ Impact ]
Medium security issue

[ Tests ]
New tests added:
 - by upstream in the CVE-2023-2251.patch file
 - by myself in autopkgtest using code provided to prove the issue

You can verify using
https://salsa.debian.org/js-team/node-yaml/-/pipelines that the CVE is
fixed by this patch.

[ Risks ]
Low risk, patch is trivial (just fix line characters count)

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Others ]
This debdiff includes also:
 * little things from lintian-brush
 * a little test paths fix because test failed on platforms where the
   "debian" word was in the build root path (especially salsa)

Cheers,
Yadd

unblock node-yaml/2.1.3-2
diff --git a/debian/changelog b/debian/changelog
index 3265e73..5d44f16 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-yaml (2.1.3-2) unstable; urgency=medium
+
+  * Team upload
+  * Update lintian override info format in
+d/source/lintian-overrides on line 2-7
+  * Update standards version to 4.6.2, no changes needed
+  * Fix corner case failure in error pretty-printer
+(Closes: #1035580, CVE-2023-2251)
+
+ -- Yadd   Sun, 07 May 2023 00:10:19 +0400
+
 node-yaml (2.1.3-1) unstable; urgency=medium
 
   * Team upload
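Review bot: the new autopkgtest (debian/tests/CVE-2023-2251, the last file in this debdiff) and the test-path fix mentioned under [ Others ] are not listed in this changelog entry; please add a line for each so d/changelog matches what the debdiff actually changes.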
diff --git a/debian/control b/debian/control
index 0a7fe7e..e221de8 100644
--- a/debian/control
+++ b/debian/control
@@ -15,7 +15,7 @@ Build-Depends:
  , node-tslib 
  , node-typescript 
  , rollup
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Homepage: https://eemeli.org/yaml/
 Vcs-Git: https://salsa.debian.org/js-team/node-yaml.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-yaml
diff --git a/debian/patches/CVE-2023-2251.patch 
b/debian/patches/CVE-2023-2251.patch
new file mode 100644
index 000..0d8b1d4
--- /dev/null
+++ b/debian/patches/CVE-2023-2251.patch
@@ -0,0 +1,36 @@
+Description: fix: Corner case failure in error pretty-printer
+Author: Eemeli Aro 
+Origin: upstream, https://github.com/eemeli/yaml/commit/984f5781
+Bug: https://github.com/advisories/GHSA-f9xv-q969-pqx4
+Bug-Debian: https://bugs.debian.org/1035580
+Forwarded: not-needed
+Applied-Upstream: 2.2.2, commit:984f5781
+Reviewed-By: Yadd 
+Last-Update: 2023-05-06
+
+--- a/src/errors.ts
 b/src/errors.ts
+@@ -91,7 +91,7 @@
+   let count = 1
+   const end = error.linePos[1]
+   if (end && end.line === line && end.col > col) {
+-count = Math.min(end.col - col, 80 - ci)
++count = Math.max(1, Math.min(end.col - col, 80 - ci))
+   }
+   const pointer = ' '.repeat(ci) + '^'.repeat(count)
+   error.message += `:\n\n${lineStr}\n${pointer}\n`
+--- a/tests/doc/errors.js
 b/tests/doc/errors.js
+@@ -341,6 +341,12 @@
+ const doc = YAML.parseDocument(src, { prettyErrors: true })
+ expect(doc.warnings).toMatchObject([{ name: 'YAMLWarning' }])
+   })
++
++  test('repeated CR', () => {
++const src = '[' + '\r'.repeat(80)
++const doc = YAML.parseDocument(src, { prettyErrors: true })
++expect(doc.errors[0]).not.toHaveProperty('source')
++  })
+ })
+ 
+ describe('tags on invalid nodes', () => {
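Review bot: the one-token fix is sound: `count = Math.min(end.col - col, 80 - ci)` goes negative as soon as the caret column `ci` exceeds 80, and `'^'.repeat(count)` then throws RangeError because String.prototype.repeat rejects negative counts, which is an uncaught exception in a code path reached for every parse error; `Math.max(1, ...)` keeps at least one caret. The hunk does not show how `ci` is derived, but the regression test's input ('[' followed by 80 bare carriage returns) is exactly a document whose reported column outruns an 80-column display line, so the test does exercise the guarded branch. Minor: the quoted patch has lost its `++++ b/src/errors.ts` and `++++ b/tests/doc/errors.js` file-header lines, harmless in the mail but worth a glance at the real debian/patches/CVE-2023-2251.patch.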
diff --git a/debian/patches/series b/debian/patches/series
index 053c2da..e2d7781 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 fix-test.patch
 fix-for-rollup-3.patch
+CVE-2023-2251.patch
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 7c118d4..b78412d 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,10 +1,10 @@
 # False positive: test data
-source-is-missing *tests/doc/YAML-1.2.spec.js*
-source-is-missing *tests/doc/foldFlowLines.js*
-source-contains-prebuilt-javascript-object *tests/doc/YAML-1.2.spec.js*
-source-contains-prebuilt-javascript-object *tests/doc/foldFlowLines.js*
-source-is-missing *debian/tests/test_modules/*
-source-contains-prebuilt-javascript-object *debian/tests/test_modules/*
+source-is-missing [*tests/doc/YAML-1.2.spec.js*]
+source-is-missing [*tests/doc/foldFlowLines.js*]
+source-contains-prebuilt-javascript-object [*tests/doc/YAML-1.2.spec.js*]
+source-contains-prebuilt-javascript-object [*tests/doc/foldFlowLines.js*]
+source-is-missing [*debian/tests/test_modules/*]
+source-contains-prebuilt-javascript-object [*debian/tests/test_modules/*]
 very-long-line-length-in-source-file *tests/doc/YAML-1.2.spec.js*
 very-long-line-length-in-source-file *tests/doc/foldFlowLines.js*
 very-long-line-length-in-source-file *debian/tests/test_modules/*
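Review bot: the six converted entries switch to the bracketed `tag [pattern]` override syntax, but the three very-long-line-length-in-source-file lines keep the old bare-glob form; if lintian-brush left them alone because they still match, fine, otherwise they will be reported as unused overrides on the next run. A `lintian -i` on the built source package settles it.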
diff --git a/debian/tests/CVE-2023-2251 b/debian/tests/CVE-2023-2251
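The crash that the CVE-2023-2251 hunk above guards against, as an added stand-alone example that is not node-yaml's code: it reimplements the caret arithmetic visible in the hunk (`count = Math.min(end.col - col, 80 - ci)`) in a small pretty-printer so the failure can be reproduced and the `Math.max(1, ...)` fix checked. The line counter, the offset-based error span, the function names and the input documents are this example's own assumptions; in particular the error span [81, 82) for the unclosed `[` is constructed, not taken from yaml's parser.

```javascript
'use strict';
// Added example, not node-yaml's code. Mirrors the caret arithmetic from the
// CVE-2023-2251 hunk in a stand-alone error pretty-printer. The line counter,
// the [start, end) error spans and the sample documents are assumptions made
// for this example.

const WIDTH = 80; // same 80-column cap as in the upstream hunk

// 1-based line/column for a character offset. Assumption: only '\n' starts a
// new line, so a bare '\r' is counted as an ordinary column.
function linePos(src, offset) {
  let line = 1;
  let lineStart = 0;
  for (let i = 0; i < offset && i < src.length; i++) {
    if (src[i] === '\n') { line += 1; lineStart = i + 1; }
  }
  return { line, col: offset - lineStart + 1 };
}

// Text of `line` with trailing CR/LF removed for display. That stripping is
// what lets the caret column `ci` outrun the visible line.
function lineText(src, line) {
  const parts = src.split('\n');
  return (parts[line - 1] || '').replace(/[\n\r]+$/, '');
}

// Build "<line>\n<pointer>\n" for an error spanning offsets [start, end).
// `guard` selects the unpatched (false) or patched (true) count formula.
function prettyPointer(src, start, end, guard) {
  const { line, col } = linePos(src, start);
  const ci = col - 1;
  const lineStr = lineText(src, line);
  let count = 1;
  const endPos = linePos(src, end);
  if (endPos.line === line && endPos.col > col) {
    const raw = Math.min(endPos.col - col, WIDTH - ci);
    // Unpatched: raw is negative once ci > WIDTH, and
    // String.prototype.repeat throws RangeError for a negative count.
    count = guard ? Math.max(1, raw) : raw;
  }
  const pointer = ' '.repeat(ci) + '^'.repeat(count);
  return `${lineStr}\n${pointer}\n`;
}

// Run the printer the way a parser would, for every recorded error, and
// report whether the process would have died with an uncaught exception.
function renderAll(src, errors, guard) {
  try {
    const text = errors.map(([s, e]) => prettyPointer(src, s, e, guard)).join('');
    return { ok: true, text };
  } catch (err) {
    return { ok: false, text: `${err.name}: ${err.message}` };
  }
}

// Constructed malformed document, after the upstream regression test: an
// opening '[' followed by 80 carriage returns and never closed. The error
// span [81, 82) at end of input is an assumption for the unclosed sequence.
const CR_DOC = '[' + '\r'.repeat(80);
const CR_ERRORS = [[81, 82]];

// A benign error on the same code path: a short span inside a normal line.
const NORMAL_DOC = 'key: [a, b\nnext: 1\n';
const NORMAL_ERRORS = [[5, 10]];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unpatched:', renderAll(CR_DOC, CR_ERRORS, false));
  console.log('patched:  ', renderAll(CR_DOC, CR_ERRORS, true));
}
```

With the unpatched formula the carriage-return document yields `RangeError: Invalid count value: -1` from inside the pretty-printer, which in a server that parses untrusted YAML with prettyErrors enabled is an unhandled exception; with the guard it prints a single caret past the end of the displayed line and the benign case is unchanged.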

[Pkg-javascript-devel] Bug#1035443: unblock: node-source-map/0.7.0++dfsg2+really.0.6.1-13

2023-05-03 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-source-...@packages.debian.org
Control: affects -1 + src:node-source-map

Please unblock package node-source-map

[ Reason ]
node-source-map had a dangling link (#1035437)

[ Impact ]
Just a dangling link that makes piuparts cry

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-source-map/0.7.0++dfsg2+really.0.6.1-13
diff --git a/debian/changelog b/debian/changelog
index fe8a39e..524ef9d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-source-map (0.7.0++dfsg2+really.0.6.1-13) unstable; urgency=medium
+
+  * Team upload
+  * Drop dandling link (Closes: #1035437)
+
+ -- Yadd   Wed, 03 May 2023 17:32:45 +0400
+
 node-source-map (0.7.0++dfsg2+really.0.6.1-12) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/node-source-map.links b/debian/node-source-map.links
index 7045f84..0260904 100644
--- a/debian/node-source-map.links
+++ b/debian/node-source-map.links
@@ -1,4 +1,3 @@
 /usr/share/javascript/source-map/source-map.debug.js 
/usr/share/nodejs/source-map/dist/source-map.debug.js
 /usr/share/javascript/source-map/source-map.js 
/usr/share/nodejs/source-map/dist/source-map.js
 /usr/share/javascript/source-map/source-map.min.js 
/usr/share/nodejs/source-map/dist/source-map.debug.min.js
-/usr/share/javascript/source-map/source-map.min.js.map 
/usr/share/nodejs/source-map/dist/source-map.min.js.map


[Pkg-javascript-devel] Bug#1034969: Fwd: Bug#1034969: terser: missing Breaks+Replaces for uglifyjs.terser when upgrading from bullseye

2023-05-02 Thread Yadd

On 5/2/23 08:25, Jonas Smedegaard wrote:

Quoting Yadd (2023-05-02 04:58:47)

a previous "unblock" was missing here: unstable version is 5.16.5-1
while testing version is 5.16.4-1. What do you want to do, fix only this
bug with a 5.16.5-really-5.16.4-1 or a full update ?


It is a bugfix release, and as such I would consider it relevant for
stable, but I get exhausted just thinking about the need for "defending"
changes against the release team: If you do it, you can desice if you
want to try get all of it in or only a (arguably too) minimal patch.

Thanks!

  - Jonas


For the record, unblock issue is #1035368



[Pkg-javascript-devel] Bug#1035368: unblock: node-terser/5.16.5-2

2023-05-02 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-ter...@packages.debian.org
Control: affects -1 + src:node-terser

Please unblock package node-terser

[ Reason ]
node-terser has several bugs in its version 5.16.4:
 * #1034969: missing "Replaces" fields
 * Mutating options.format is unsafe when config is re-used
(https://github.com/terser/terser/issues/1341)
 * Transform functions shouldn't mutate AST arrays

[ Impact ]
 * RC bug: upgrade is broken
 * Transformation issues

[ Tests ]
New tests added, passed.

[ Risks ]
Low risk, the main changes have been in unstable for 2 months and didn't
generate any regressions.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-terser/5.16.5-2



[Pkg-javascript-devel] Bug#1034969: Fwd: Bug#1034969: terser: missing Breaks+Replaces for uglifyjs.terser when upgrading from bullseye

2023-05-01 Thread Yadd

Hi,

a previous "unblock" was missing here: unstable version is 5.16.5-1 
while testing version is 5.16.4-1. What do you want to do, fix only this 
bug with a 5.16.5-really-5.16.4-1 or a full update ?


On 5/1/23 08:37, Jonas Smedegaard wrote:

Thanks for the patch, Yadd - and for the bugreport, Helmut.

I am quite busy elsewhere currently - if you have the time then I would
appreciate if you would handle this issue.

Otherwise I'll try make time for it the upcoming weekend.

  - Jonas

Quoting Yadd (2023-04-28 05:38:56)

Hi Jonas,

it seems that "Breaks" fields need to be duplicated in "Replaces":

diff --git a/debian/control b/debian/control
index 6772ac76..3d8f1174 100644
--- a/debian/control
+++ b/debian/control
@@ -34,6 +34,9 @@ Depends:
   Breaks:
uglifyjs.terser (<< 4.8.0-1~),
node-rollup-plugin-terser (<< 7.0.2+~5.0.1-3~)
+Replaces:
+ uglifyjs.terser (<< 4.8.0-1~),
+ node-rollup-plugin-terser (<< 7.0.2+~5.0.1-3~)
   Suggests:
terser,
   Multi-Arch: foreign
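Review bot: Replaces now mirrors both Breaks entries, but Helmut's report quoted below only shows a file conflict with uglifyjs.terser (/usr/share/nodejs/terser/bin/uglifyjs); adding node-rollup-plugin-terser to Replaces is only right if that package also shipped files now owned by terser. If its Breaks was there for an API incompatibility rather than a file overlap, leave it out of Replaces, since Replaces lets terser silently overwrite any file the named package ships.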
@@ -87,6 +90,8 @@ Recommends:
node-source-map-support,
   Breaks:
uglifyjs.terser (<< 4.8.0-1~),
+Replaces:
+ uglifyjs.terser (<< 4.8.0-1~),
   Suggests:
node-acorn,
   Multi-Arch: foreign

Cheers,
Yadd

 Forwarded Message 
Subject: [Pkg-javascript-devel] Bug#1034969: terser: missing
Breaks+Replaces for uglifyjs.terser when upgrading from bullseye
Resent-Date: Thu, 27 Apr 2023 13:11:12 +
Resent-From: Helmut Grohne 
Resent-To: debian-bugs-d...@lists.debian.org
Resent-CC: Debian Javascript Maintainers

Date: Thu, 27 Apr 2023 14:59:55 +0200
From: Helmut Grohne 
Reply-To: Helmut Grohne , 1034...@bugs.debian.org
To: sub...@bugs.debian.org

Package: terser
Version: 5.16.4-1
Severity: serious
Justification: dpkg unpack error

Attempting to unpack terser/5.16.4-1 from Debian bookworm
on a minimal Debian bullseye with uglifyjs.terser/4.1.2-8
installed, causes an unpack error from dpkg due to
/usr/share/nodejs/terser/bin/uglifyjs being contained in both packages.

| Selecting previously unselected package terser.
| dpkg: considering deconfiguration of uglifyjs.terser, which would be
broken by installation of terser ...
| dpkg: yes, will deconfigure uglifyjs.terser (broken by terser)
| (Reading database ... 4922 files and directories currently installed.)
| Preparing to unpack ./terser_5.16.4-1_all.deb ...
| De-configuring uglifyjs.terser (4.1.2-8) ...
| Unpacking terser (5.16.4-1) ...
| dpkg: error processing archive ./terser_5.16.4-1_all.deb (--unpack):
|  trying to overwrite '/usr/share/nodejs/terser/bin/uglifyjs', which is
also in package uglifyjs.terser 4.1.2-8
| Errors were encountered while processing:
|  ./terser_5.16.4-1_all.deb


Please ensure that terser has sufficient Breaks and Replaces declarations.

Helmut







[Pkg-javascript-devel] Debian 12 release

2023-04-29 Thread Yadd

Hi all,

last BTS to fix for us before release:
 * terser: 1034969, missing Breaks+Replaces for uglifyjs.terser when
   upgrading from bullseye (note: "Breaks" isn't enough in this case, a
   "Replaces" field should be added)
 * nodejs:
   - 1030284: [arm64] RangeError: Maximum call stack size exceeded
   - 1031834: CVE-2023-23918 CVE-2023-23919 CVE-2023-23920

Cheers,
Yadd



Re: [Pkg-javascript-devel] Comments regarding node-juggle-resize-observer_3.4.0+ds1-1_amd64.changes

2023-04-28 Thread Yadd

On 4/28/23 22:16, Thorsten Alteholz wrote:

Hi,

I marked the package for ACCEPT.
But your Comment: for "Files: *" might be seen different.
There is a line in LICENSE which states:
  Copyright 2019 JUGGLE LTD
Admittedly not quite the correct place, but given it is the Apache license, 
good enough.

   Thorsten


Hi,

thanks, I fixed this in version 3.4.0+ds1-2

Cheers,
Yadd



[Pkg-javascript-devel] Bug#1035040: unblock: node-jest/29.3.1~ds1+~cs70.48.25-2

2023-04-27 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-j...@packages.debian.org
Control: affects -1 + src:node-jest

Please unblock package node-jest

[ Reason ]
"Breaks" field isn't enough for apt, it needs a "Replaces" to manage 
file conflicts. This update just adds this.

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-jest/29.3.1~ds1+~cs70.48.25-2
diff --git a/debian/changelog b/debian/changelog
index 920d0a8..e577799 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-jest (29.3.1~ds1+~cs70.48.25-2) unstable; urgency=medium
+
+  * Duplicate Breaks field with Replaces (Closes: #1035008)
+
+ -- Yadd   Fri, 28 Apr 2023 06:42:41 +0400
+
 node-jest (29.3.1~ds1+~cs70.48.25-1) unstable; urgency=medium
 
   * New upstream version 29.3.1~ds1+~cs70.48.25 (updates @types/jest)
diff --git a/debian/control b/debian/control
index 90aeb56..cd2f3cb 100644
--- a/debian/control
+++ b/debian/control
@@ -203,6 +203,7 @@ Depends: ${misc:Depends}
  , node-types-node
 Breaks: node-rollup-plugin-terser (<< 7.0.2-6~)
  , jest (<< 29.1.2~ds1+~cs70.47.21-1~)
+Replaces: jest (<< 29.1.2~ds1+~cs70.47.21-1~)
 Provides: ${nodeJestWorker:Provides}
 Multi-Arch: foreign
 Description: Nodejs module for executing heavy tasks under forked processes in 
parallel
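
Review bot: Replaces for jest now carries the same version bound as its Breaks, which is the right pairing for a file takeover. The hunk still leaves node-rollup-plugin-terser (<< 7.0.2-6~) as Breaks-only; if that relationship also exists because of overlapping files it needs a matching Replaces, and if it is purely behavioural a short changelog remark saying so would spare the next reader the same question.
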


[Pkg-javascript-devel] Bug#1035039: unblock: node-core-js/3.26.1-2

2023-04-27 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-core...@packages.debian.org
Control: affects -1 + src:node-core-js

Please unblock package node-core-js

[ Reason ]
"Breaks" field isn't enough for apt, it needs a "Replaces" to manage 
file conflicts. This update just adds this.

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-core-js/3.26.1-2
diff --git a/debian/changelog b/debian/changelog
index f85b17e..0c46ebf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-core-js (3.26.1-2) unstable; urgency=medium
+
+  * Team upload
+  * Duplicate Breaks fields with Replaces
+(Closes: #1034980, #1034989, 1035000, #1034947)
+
+ -- Yadd   Fri, 28 Apr 2023 06:52:43 +0400
+
 node-core-js (3.26.1-1) unstable; urgency=medium
 
   * Team upload
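
Review bot: in "(Closes: #1034980, #1034989, 1035000, #1034947)" the third bug is written without the leading "#". Write it as #1035000 like the other three so the reference is unambiguous regardless of how tolerant dpkg-parsechangelog is of a bare number.
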
diff --git a/debian/control b/debian/control
index cce0fb8..955a902 100644
--- a/debian/control
+++ b/debian/control
@@ -41,6 +41,7 @@ Depends: ${misc:Depends}
  , node-semver
  , webpack
 Breaks: node-core-js (<< 3.21.1~)
+Replaces: node-core-js (<< 3.21.1~)
 Description: Node.js module to build a custom core-js
  For some cases could be useful to exclude some `core-js` features or
  generate a polyfill for target engines. This API helps conditionally include
@@ -52,6 +53,7 @@ Architecture: all
 Depends: ${misc:Depends}
 Multi-Arch: foreign
 Breaks: node-core-js (<< 3.21.1~)
+Replaces: node-core-js (<< 3.21.1~)
 Description: Modular version of core-js to load only required features
  core-js is a modular standard library for JavaScript. Includes polyfills for
  ECMAScript up to 2021: promises, symbols, collections, iterators, typed
@@ -65,6 +67,7 @@ Depends: ${misc:Depends}
  , node-semver
 Multi-Arch: foreign
 Breaks: node-core-js (<< 3.21.1~)
+Replaces: node-core-js (<< 3.21.1~)
 Description: data about the necessity of core-js
  core-js-compat contains data about the necessity of core-js modules and API
  for getting a list of required core-js modules by browserslist query.
@@ -74,6 +77,7 @@ Architecture: all
 Depends: ${misc:Depends}
 Multi-Arch: foreign
 Breaks: node-core-js (<< 3.21.1~)
+Replaces: node-core-js (<< 3.21.1~)
 Description: Modular standard library for JavaScript without global namespace 
pollution
  Includes polyfills for ECMAScript up to 2021: promises, symbols,
  collections, iterators, typed arrays, ECMAScript 7+ proposals, setImmediate,


[Pkg-javascript-devel] Bug#1035037: unblock: node-parse5/7.1.2+dfsg-2

2023-04-27 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-par...@packages.debian.org
Control: affects -1 + src:node-parse5

Please unblock package node-parse5

[ Reason ]
Missing Breaks+Replaces against node-cheerio (#1034984)

[ Risks ]
No risk

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-parse5/7.1.2+dfsg-2
diff --git a/debian/changelog b/debian/changelog
index 94e7e84..3719f73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-parse5 (7.1.2+dfsg-2) unstable; urgency=medium
+
+  * Team upload
+  * Add missing Breaks+Replaces against node-cheerio (Closes: #1034984)
+
+ -- Yadd   Fri, 28 Apr 2023 06:58:41 +0400
+
 node-parse5 (7.1.2+dfsg-1) unstable; urgency=medium
 
   * Apply multi-arch hints (foreign)
diff --git a/debian/control b/debian/control
index 85e9fc2..c821db8 100644
--- a/debian/control
+++ b/debian/control
@@ -40,7 +40,9 @@ Depends: ${misc:Depends}
  , node-domhandler
  , node-parse5
 Breaks: node-jsdom (<< 20.0.0+repack1~)
+ , node-cheerio (<< 1.0.0~rc~10+repack-1~)
 Replaces: node-jsdom (<< 20.0.0+repack1~)
+ , node-cheerio (<< 1.0.0~rc~10+repack-1~)
 Description: node-htmlparser2 tree adapter
  Parse5 provides nearly everything needed when dealing with HTML. It's the
  fastest spec-compliant HTML parser for Node.js to date. It parses HTML the


[Pkg-javascript-devel] Bug#1035038: unblock: node-strip-eof/3.0.0-5

2023-04-27 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-strip-...@packages.debian.org
Control: affects -1 + src:node-strip-eof

Please unblock package node-strip-eof

[ Reason ]
"Breaks" field isn't enough for apt, it needs a "Replaces" to manage 
file conflicts. This update just adds this.

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-strip-eof/3.0.0-5
diff --git a/debian/changelog b/debian/changelog
index 0f08d46..fbe8ec8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-strip-eof (3.0.0-5) unstable; urgency=medium
+
+  * Team upload
+  * Duplicate Breaks field with Replaces (Closes: #1034924)
+
+ -- Yadd   Fri, 28 Apr 2023 06:54:14 +0400
+
 node-strip-eof (3.0.0-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 9b911b4..45de062 100644
--- a/debian/control
+++ b/debian/control
@@ -19,6 +19,7 @@ Architecture: all
 Depends: ${misc:Depends}
 Provides: ${nodejs:Provides}
 Breaks: node-execa (<< 5.1.1+dfsg+~cs19.3.6~)
+Replaces: node-execa (<< 5.1.1+dfsg+~cs19.3.6~)
 Multi-Arch: foreign
 Description: strip CR and LF characters from a string/buffer
  Strips CR and LF characters (i.e., it strips them away, if the string ends


[Pkg-javascript-devel] Bug#1035036: unblock: node-npm-run-path/5.1.0+~4.0.0-8

2023-04-27 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-npm-run-p...@packages.debian.org
Control: affects -1 + src:node-npm-run-path

[ Reason ]
"Breaks" field isn't enough for apt, it needs a "Replaces" to manage 
file conflicts. This update just adds this.

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-npm-run-path/5.1.0+~4.0.0-8
diff --git a/debian/changelog b/debian/changelog
index 2c842dd..e2ff48a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-npm-run-path (5.1.0+~4.0.0-8) unstable; urgency=medium
+
+  * Team upload
+  * Duplicate Breaks field with Replaces (Closes: #1034945)
+
+ -- Yadd   Fri, 28 Apr 2023 07:08:33 +0400
+
 node-npm-run-path (5.1.0+~4.0.0-7) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 56b3abf..dcd115f 100644
--- a/debian/control
+++ b/debian/control
@@ -20,5 +20,6 @@ Architecture: all
 Depends: ${misc:Depends}
 Provides: ${nodejs:Provides}
 Breaks: node-execa (<< 6.1.0+dfsg1~)
+Replaces: node-execa (<< 6.1.0+dfsg1~)
 Description: Get your PATH prepended with locally installed binaries
  Node.js is an event-based server-side JavaScript engine.


[Pkg-javascript-devel] Bug#1035035: unblock: node-whatwg-fetch/3.6.2-7

2023-04-27 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-whatwg-fe...@packages.debian.org
Control: affects -1 + src:node-whatwg-fetch

[ Reason ]
"Breaks" field isn't enough for apt, it needs a "Replaces" to manage
file conflicts. This update just adds this.

[ Risks ]
No risk here

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-whatwg-fetch/3.6.2-7
diff --git a/debian/changelog b/debian/changelog
index 125ed5c..6838dbe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-whatwg-fetch (3.6.2-7) unstable; urgency=medium
+
+  * Team upload
+  * Duplicate Breaks field with Replaces (Closes: #1034933)
+
+ -- Yadd   Fri, 28 Apr 2023 07:13:09 +0400
+
 node-whatwg-fetch (3.6.2-6) unstable; urgency=medium
 
   * Add fix for rollup 3 (Closes: #1022653)
diff --git a/debian/control b/debian/control
index a61d511..371adc4 100644
--- a/debian/control
+++ b/debian/control
@@ -18,6 +18,7 @@ Architecture: all
 Depends: ${misc:Depends}
 Provides: libjs-whatwg-fetch (= ${binary:Version})
 Breaks: libjs-fetch (<< 3.5.0-2~)
+Replaces: libjs-fetch (<< 3.5.0-2~)
 Multi-Arch: foreign
 Description: window.fetch JavaScript polyfill
  The fetch() function is a Promise-based mechanism for programmatically making


[Pkg-javascript-devel] Bug#1035008: Bug#1035008: node-jest-worker: missing Breaks+Replaces for jest when upgrading from bullseye

2023-04-27 Thread Yadd

On 4/27/23 16:59, Helmut Grohne wrote:

Package: node-jest-worker
Version: 29.3.1~ds1+~cs70.48.25-1
Severity: serious
Justification: dpkg unpack error

Attempting to unpack node-jest-worker/29.3.1~ds1+~cs70.48.25-1 from Debian 
bookworm on a minimal Debian bullseye with jest/26.6.3+repack+~cs64.44.39-3
installed causes an unpack error from dpkg due to
/usr/share/nodejs/@jest/types/build/Circus.d.ts being contained in both 
packages.

| dpkg: considering deconfiguration of jest, which would be broken by 
installation of node-jest-worker ...
| dpkg: yes, will deconfigure jest (broken by node-jest-worker)
| (Reading database ... 21294 files and directories currently installed.)
| Preparing to unpack .../node-jest-worker_29.3.1~ds1+~cs70.48.25-1_all.deb ...
| De-configuring jest (26.6.3+repack+~cs64.44.39-3) ...
| Unpacking node-jest-worker (29.3.1~ds1+~cs70.48.25-1) over 
(26.6.3+repack+~cs64.44.39-3) ...
| dpkg: error processing archive 
./node-jest-worker_29.3.1~ds1+~cs70.48.25-1_all.deb (--unpack):
|  trying to overwrite '/usr/share/nodejs/@jest/types/build/Circus.d.ts', which 
is also in package jest 26.6.3+repack+~cs64.44.39-3
| Errors were encountered while processing:
|  ./node-jest-worker_29.3.1~ds1+~cs70.48.25-1_all.deb


Please ensure that node-jest-worker has sufficient Breaks and Replaces 
declarations.

Helmut


Hi,

node-jest-worker has already

  Breaks: jest (<< 29.1.2~ds1+~cs70.47.21-1~)

How is it possible to have this issue?



[Pkg-javascript-devel] Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1

2023-04-21 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-xml...@packages.debian.org
Control: affects -1 + src:node-xml2js

[ Reason ]
node-xml2js version 0.4.23 allows an external attacker to edit or add new
properties to an object (#1034148, CVE-2023-0842)

[ Impact ]
Medium security issue

[ Tests ]
Sadly tests are not enabled in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Replace {} by Object.create(null)

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 628f69a..106d13b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd   Fri, 21 Apr 2023 11:33:31 +0400
+
 node-xml2js (0.2.8-1) unstable; urgency=low
 
   * Upstream update
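
Review bot: "Closes: #1034148, CVE-2023-0842" puts a CVE id inside the Closes list, where only BTS bug numbers belong. Keep the CVE id in the changelog text (that is where the security tracker looks for it) but move it out of the Closes parentheses, e.g. "* Add patch to prevent prototype pollution (CVE-2023-0842) (Closes: #1034148)".
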
diff --git a/debian/patches/CVE-2023-0842.patch 
b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 000..cd03e08
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,46 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby 
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd 
+Last-Update: 2023-04-21
+
+--- a/src/xml2js.coffee
 b/src/xml2js.coffee
+@@ -105,12 +105,12 @@
+ charkey = @options.charkey
+ 
+ @saxParser.onopentag = (node) =>
+-  obj = {}
++  obj = Object.create(null)
+   obj[charkey] = ""
+   unless @options.ignoreAttrs
+ for own key of node.attributes
+   if attrkey not of obj and not @options.mergeAttrs
+-obj[attrkey] = {}
++obj[attrkey] = Object.create(null)
+   if @options.mergeAttrs
+ obj[key] = node.attributes[key]
+   else
+@@ -158,7 +158,7 @@
+ 
+   # put children into  property and unfold chars if necessary
+   if @options.explicitChildren and not @options.mergeAttrs and typeof obj 
is 'object'
+-node = {}
++node = Object.create(null)
+ # separate attributes
+ if @options.attrkey of obj
+   node[@options.attrkey] = obj[@options.attrkey]
+@@ -193,7 +193,7 @@
+ if @options.explicitRoot
+   # avoid circular references
+   old = obj
+-  obj = {}
++  obj = Object.create(null)
+   obj[nodeName] = old
+ 
+ @resultObject = obj
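
Review bot: the DEP-3 header says "Origin: upstream, commit:581b19a6", but the hunks here target src/xml2js.coffee at @@ -105 while the same fix in unstable lands in src/parser.coffee at @@ -103, so this is a hand backport and should be labelled "Origin: backport, commit:581b19a6". The Description should also state the compatibility cost: objects created with Object.create(null) have no Object.prototype, so any consumer that calls result.hasOwnProperty(...) on parsed output throws after this change, and the bullseye package carries no test update that would catch that (tests are disabled there, as the request notes).
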
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..6b5589b
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-0842.patch


[Pkg-javascript-devel] Bug#1034664: unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5

2023-04-21 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-xml...@packages.debian.org
Control: affects -1 + src:node-xml2js

Please unblock package node-xml2js

[ Reason ]
node-xml2js version 0.4.23 allows an external attacker to edit or add new
properties to an object (#1034148, CVE-2023-0842)

[ Impact ]
Medium security issue

[ Tests ]
Test updates, passed

[ Risks ]
Low risk, patch is trivial and tested

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5
diff --git a/debian/changelog b/debian/changelog
index 98492d7..9d9dac7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium
+
+  * Team upload
+  * Update standards version to 4.6.2, no changes needed.
+  * Update nodejs dependency to nodejs:any
+  * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842)
+
+ -- Yadd   Fri, 21 Apr 2023 11:11:13 +0400
+
 node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index dc4d6d0..406a88d 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
  , node-sax 
  , dh-sequence-nodejs
  , node-diff
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js
 Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git
 Homepage: https://github.com/Leonidas-from-XIV/node-xml2js
@@ -21,8 +21,8 @@ Architecture: all
 Depends:
  ${misc:Depends}
  , node-sax
- , nodejs
  , node-diff
+ , nodejs:any
 Provides: ${nodejs:Provides}
 Description: simple XML to JavaScript object converter - Node.js module
  xml2js parses XML using node-sax and converts it to a plain JavaScript
diff --git a/debian/patches/CVE-2023-0842.patch 
b/debian/patches/CVE-2023-0842.patch
new file mode 100644
index 000..3d80ed9
--- /dev/null
+++ b/debian/patches/CVE-2023-0842.patch
@@ -0,0 +1,103 @@
+Description: use Object.create(null) to create all parsed objects
+ (prevent prototype replacement)
+Author: James Crosby 
+Origin: upstream, commit:581b19a6
+Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc
+Bug-Debian: https://bugs.debian.org/1034148
+Forwarded: not-needed
+Applied-Upstream: 0.5.0, commit:581b19a6
+Reviewed-By: Yadd 
+Last-Update: 2023-04-21
+
+--- a/src/parser.coffee
 b/src/parser.coffee
+@@ -103,12 +103,12 @@
+ charkey = @options.charkey
+ 
+ @saxParser.onopentag = (node) =>
+-  obj = {}
++  obj = Object.create(null)
+   obj[charkey] = ""
+   unless @options.ignoreAttrs
+ for own key of node.attributes
+   if attrkey not of obj and not @options.mergeAttrs
+-obj[attrkey] = {}
++obj[attrkey] = Object.create(null)
+   newValue = if @options.attrValueProcessors then 
processItem(@options.attrValueProcessors, node.attributes[key], key) else 
node.attributes[key]
+   processedKey = if @options.attrNameProcessors then 
processItem(@options.attrNameProcessors, key) else key
+   if @options.mergeAttrs
+@@ -161,7 +161,7 @@
+   # put children into  property and unfold chars if necessary
+   if @options.explicitChildren and not @options.mergeAttrs and typeof obj 
is 'object'
+ if not @options.preserveChildrenOrder
+-  node = {}
++  node = Object.create(null)
+   # separate attributes
+   if @options.attrkey of obj
+ node[@options.attrkey] = obj[@options.attrkey]
+@@ -179,7 +179,7 @@
+   # append current node onto parent's  array
+   s[@options.childkey] = s[@options.childkey] or []
+   # push a clone so that the node in the children array can receive 
the #name property while the original obj can do without it
+-  objClone = {}
++  objClone = Object.create(null)
+   for own key of obj
+ objClone[key] = obj[key]
+   s[@options.childkey].push objClone
+@@ -196,7 +196,7 @@
+ if @options.explicitRoot
+   # avoid circular references
+   old = obj
+-  obj = {}
++  obj = Object.create(null)
+   obj[nodeName] = old
+ 
+ @resultObject = obj
+--- a/test/parser.test.coffee
 b/test/parser.test.coffee
+@@ -531,13 +531,13 @@
+ 
+   'test single attrNameProcessors': skeleton(attrNameProcessors: 
[nameToUpperCase], (r)->
+ console.log 'Result object: ' + util.inspect r, false, 10
+-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), 
true
+-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), 
true)
++equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 
'CAMELCASEATTR'), true
++equ {}.hasOwnProperty.call(r.sample.attrN
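
Review bot: the test change from r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR') to {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR') is the visible consequence of the fix: attribute maps ($) and nodes are now null-prototype objects and no longer inherit hasOwnProperty, toString or valueOf. Before unblocking, reverse dependencies that call those methods on xml2js output need the same rewrite; a codesearch for ".hasOwnProperty(" in packages depending on node-xml2js would settle whether any are affected, and the changelog entry should flag the behaviour change for them.
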

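The two node-xml2js requests above describe the fix as replacing `{}` with `Object.create(null)`. What follows is an added example, not code from node-xml2js or from either debdiff: a simplified SAX-style tree builder that stores each child under its element name, run over a constructed event stream, once with plain objects and once with null-prototype objects. It shows why the null-prototype object stops an element name from rewriting the parent's prototype, and what consumers lose in exchange, namely the inherited `hasOwnProperty` method that the unstable test update replaces with `{}.hasOwnProperty.call`. The event list and the names `buildTree`, `analyse`, `plainObject` and `nullProtoObject` are this example's own assumptions.

```javascript
// Added example (not node-xml2js code): the step the CVE-2023-0842 patch
// changes, with a plain {} beside Object.create(null), plus the consumer-side
// caveat that the upstream test update works around.

// Constructed stand-in for the SAX open/close events xml2js receives. The
// element named "__proto__" is the input the fix is about.
const SAX_EVENTS = [
  { type: 'open', name: 'doc', attrs: {} },
  { type: 'open', name: '__proto__', attrs: { polluted: 'yes' } },
  { type: 'close' },
  { type: 'open', name: 'item', attrs: { id: '1' } },
  { type: 'close' },
  { type: 'close' },
];

// Simplified tree builder: every element becomes an object (created by
// newObject) stored on its parent under the element name, the way the
// onopentag handler in the patch does. newObject is the single choice the
// patch changes.
function buildTree(events, newObject) {
  const root = newObject();
  const stack = [root];
  for (const ev of events) {
    if (ev.type === 'close') {
      stack.pop();
      continue;
    }
    const node = newObject();
    for (const [k, v] of Object.entries(ev.attrs)) node[k] = v;
    const parent = stack[stack.length - 1];
    // With a plain {} parent this line does not add a key when ev.name is
    // "__proto__": it replaces the parent's prototype with node instead.
    parent[ev.name] = node;
    stack.push(node);
  }
  return root;
}

const plainObject = () => ({});
const nullProtoObject = () => Object.create(null);

// Own-property test that also works on null-prototype objects; this is the
// form the upstream test switched to.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Inspect the <doc> node produced with a given object factory.
function analyse(newObject) {
  const doc = buildTree(SAX_EVENTS, newObject).doc;
  return {
    // did "__proto__" land as an ordinary own key?
    protoIsOwnKey: hasOwn(doc, '__proto__'),
    // does doc now inherit the attribute that came in under "__proto__"?
    inheritsPolluted: !hasOwn(doc, 'polluted') && doc.polluted === 'yes',
    // can callers still do doc.hasOwnProperty(...) on the result?
    hasOwnPropertyMethod: typeof doc.hasOwnProperty === 'function',
    // the legitimate child is stored either way
    hasItem: hasOwn(doc, 'item') && doc.item.id === '1',
  };
}

console.log('plain {}            ', analyse(plainObject));
console.log('Object.create(null) ', analyse(nullProtoObject));
```

With plain objects `analyse` reports `inheritsPolluted: true` and `protoIsOwnKey: false`; with null-prototype objects it reports the reverse, but `hasOwnPropertyMethod` becomes `false`, which is exactly why the upstream test had to switch to `{}.hasOwnProperty.call(...)`.
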
[Pkg-javascript-devel] Bug#1034105: unblock: node-ua-parser-js/0.8.1+ds+~0.7.36-3

2023-04-08 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-ua-parser...@packages.debian.org
Control: affects -1 + src:node-ua-parser-js

Please unblock package node-ua-parser-js

[ Reason ]
node-ua-parser-js is vulnerable to a Regex DoS (CVE-2022-25927)

[ Impact ]
Low security issue

[ Tests ]
No new test, current still pass

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-ua-parser-js/0.8.1+ds+~0.7.36-3
diff --git a/debian/changelog b/debian/changelog
index 97dc70f..fe75bc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ua-parser-js (0.8.1+ds+~0.7.36-3) unstable; urgency=medium
+
+  * Team upload
+  * Update standards version to 4.6.2, no changes needed.
+  * Remove unsafe and ueless regex (Closes: CVE-2022-25927)
+
+ -- Yadd   Sun, 09 Apr 2023 07:47:39 +0400
+
 node-ua-parser-js (0.8.1+ds+~0.7.36-2) unstable; urgency=medium
 
   [ Debian Janitor ]
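
Review bot: "ueless" in "Remove unsafe and ueless regex" should read "useless". "(Closes: CVE-2022-25927)" also closes nothing in the BTS, since Closes only takes bug numbers; keep the CVE id in the entry text for the security tracker, e.g. "Remove unsafe and useless regex (CVE-2022-25927)", and add a Closes only if a Debian bug exists for it.
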
diff --git a/debian/control b/debian/control
index a65ee3c..5156727 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends: debhelper-compat (= 13)
  , node-requirejs 
  , node-safe-regex 
  , terser
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-ua-parser-js
 Vcs-Git: https://salsa.debian.org/js-team/node-ua-parser-js.git
 Homepage: https://github.com/faisalman/ua-parser-js
diff --git a/debian/patches/CVE-2022-25927.patch 
b/debian/patches/CVE-2022-25927.patch
new file mode 100644
index 000..23e19bd
--- /dev/null
+++ b/debian/patches/CVE-2022-25927.patch
@@ -0,0 +1,22 @@
+Description: Remove unsafe regex in trim() function
+ `trim()` function contains a regular expression that is vulnerable to
+ ReDoS but was uncaught by `safe-regex` module
+Author: Faisal Salman 
+Origin: upstream, https://github.com/faisalman/ua-parser-js/commit/a6140a17
+Bug: https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450
+Forwarded: not-needed
+Applied-Upstream: 1.0.33, commit:a6140a17
+Reviewed-By: Yadd 
+Last-Update: 2023-04-09
+
+--- a/src/ua-parser.js
 b/src/ua-parser.js
+@@ -92,7 +92,7 @@
+ },
+ trim = function (str, len) {
+ if (typeof(str) === STR_TYPE) {
+-str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY);
++str = str.replace(/^\s\s*/, EMPTY);
+ return typeof(len) === UNDEF_TYPE ? str : str.substring(0, 
UA_MAX_LENGTH);
+ }
+ };
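
Review bot: dropping .replace(/\s\s*$/, EMPTY) changes trim() from stripping both ends to stripping leading whitespace only, so callers now receive trailing whitespace in the user-agent string; the DEP-3 Description says the regex is unsafe and should also record that behavioural change. Independently of the regex, the length cap str.substring(0, UA_MAX_LENGTH) runs after the replace, so the regex still sees the full untrimmed input; capping the length first would bound the cost of any trimming regex. Note also that the len argument is ignored in favour of UA_MAX_LENGTH, which looks pre-existing but is worth reporting upstream.
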
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..8115996
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-25927.patch


[Pkg-javascript-devel] Bug#1033929: unblock: node-interpret/2.2.0-3

2023-04-04 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-interp...@packages.debian.org
Control: affects -1 + src:node-interpret

Please unblock package node-interpret

[ Reason ]
node-interpret uses the network for its autopkgtest. Due to upstream changes
in some old transpilers, autopkgtest started to fail. The proposed patch
only changes things in node-interpret's tests.

BTS: #1033816

[ Impact ]
No change in installed files, patch changes only node-interpret test.

[ Tests ]
Broken tests on deprecated transpilers are now disabled.

[ Risks ]
No risk: even if the patch is a little big, there is no change in installed
files.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Changes ]
 * don't test babel/register and buble/register (Debian uses
   @babel/register, no more babel/register)
 * test modules: drop embedded "expect" and add patch to use
   Debian's node-expect (provided by jest)
 * lintian-brush:
   * update lintian tags
   * update metadata
 * update debian/watch

Cheers,
Yadd

unblock node-interpret/2.2.0-3
diff --git a/debian/changelog b/debian/changelog
index b38fa5c..b5bca67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+node-interpret (2.2.0-3) unstable; urgency=medium
+
+  * Team upload
+
+  [ lintian-brush ]
+  * Update lintian override info format in d/source/lintian-overrides
+on line 2-4
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
+  * Update standards version to 4.6.2, no changes needed
+
+  [ Yadd ]
+  * Fix filenamemangle
+  * Add fix for expect 28 and drop embedded "expect"
+  * Set upstream metadata fields: Repository.
+  * Drop test on deprecated transpilers (Closes: #1033816)
+
+ -- Yadd   Mon, 03 Apr 2023 08:10:46 +0400
+
 node-interpret (2.2.0-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 2b09242..510057d 100644
--- a/debian/control
+++ b/debian/control
@@ -20,7 +20,7 @@ Build-Depends: debhelper-compat (= 13)
  , node-parse-node-version 
  , node-which-boxed-primitive 
  , node-which-collection 
-Standards-Version: 4.6.0
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-interpret
 Vcs-Git: https://salsa.debian.org/js-team/node-interpret.git
 Homepage: https://github.com/tkellen/node-interpret
diff --git a/debian/copyright b/debian/copyright
index e9d0fe5..b5809a0 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -16,10 +16,6 @@ Files: debian/tests/test_modules/*
 Copyright: 1014-2020 Jordan Harband
 License: Expat
 
-Files: debian/tests/test_modules/expect/*
-Copyright: 2015 Michael Jackson
-License: Expat
-
 Files: debian/tests/test_modules/*/node_modules/isarray/*
 Copyright: 2013 Julian Gruber 
 License: Expat
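
Review bot: the context line "Copyright: 1014-2020 Jordan Harband" has a typo in the start year (1014); since debian/copyright is being touched in this upload anyway, fix it in the same hunk.
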
diff --git a/debian/patches/drop-test-on-deprecated-transpilers.patch 
b/debian/patches/drop-test-on-deprecated-transpilers.patch
new file mode 100644
index 000..d9a7cea
--- /dev/null
+++ b/debian/patches/drop-test-on-deprecated-transpilers.patch
@@ -0,0 +1,24 @@
+Description: drop test on deprecated transpilers
+Author: Yadd 
+Bug-Debian: https://bugs.debian.org/1033816
+Forwarded: not-needed
+Last-Update: 2023-04-03
+
+--- a/test/index.js
 b/test/index.js
+@@ -126,6 +126,7 @@
+ var fixtureDir = path.dirname(fixture);
+ var idx = attempt.index;
+ 
++if( name !== 'babel/register' && name !== 'buble/register' ) {
+ it('can require ' + extension + ' using ' + name + ' (' + idx + ')', 
function(done) {
+   var minVersion = minVersions[module];
+ 
+@@ -232,6 +233,7 @@
+   }
+   done();
+ });
++}
+   });
+ 
+   it('does not error with the .mjs extension', function(done) {
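
Review bot: the guard if( name !== 'babel/register' && name !== 'buble/register' ) { opens here and is only closed by the "}" added in the second nested hunk at @@ -232, with the body left un-indented, so the test file becomes hard to read and the two skipped cases vanish from the test output altogether. Filtering the two names out of the list being iterated, or wrapping those cases in it.skip(...), would keep the diff just as small and leave a visible record that they are intentionally not run. Minor: "if(" should be "if (" to match the surrounding style.
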
diff --git a/debian/patches/fix-for-expect-28.patch 
b/debian/patches/fix-for-expect-28.patch
new file mode 100644
index 000..af3bf26
--- /dev/null
+++ b/debian/patches/fix-for-expect-28.patch
@@ -0,0 +1,15 @@
+Description: add fix for expect 28 (jest)
+Author: Yadd 
+Forwarded: not-needed
+Last-Update: 2022-12-01
+
+--- a/test/index.js
 b/test/index.js
+@@ -1,6 +1,6 @@
+ 'use strict';
+ 
+-var expect = require('expect');
++var {expect} = require('expect');
+ 
+ var path = require('path');
+ var Module = require('module');
diff --git a/debian/patches/series b/debian/patches/series
index 0312c9a..7e124d8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 fix-test.diff
+fix-for-expect-28.patch
+drop-test-on-deprecated-transpilers.patch
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 5c71dbd..792e152 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,4 +1,4 @@
 # Test files used only during autopkgtest
-source-is-missing debian/tests/test_modules/expect/lib/Expectation.js
-source-contains-prebuilt-jav

[Pkg-javascript-devel] Bug#1033927: unblock: node-sinon/14.0.2+ds+~cs74.13.25-2

2023-04-04 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-si...@packages.debian.org
Control: affects -1 + src:node-sinon

Please unblock package node-sinon

[ Reason ]
node-sinon is a package used during JS tests. In the Debian JS Team we
chose to launch autopkgtest with `--disable-proto=throw` to ensure
that JS packages don't use this old way to access the prototype, for
security reasons.
This change started in September 2022 (pkg-js-autopkgtest 0.15.x).

node-sinon currently parses all object properties without avoiding
__proto__. This breaks (at least) node-nock's autopkgtest.

[ Impact ]
No change, the patch just avoids parsing __proto__

[ Tests ]
No change in tests, they still pass (autopkgtest + build). This also fixed
the node-nock test.

[ Risks ]
No risk here, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
This debdiff also adds some tips from lintian-brush (lintian tags and
metadata update)

Cheers,
Yadd

unblock node-sinon/14.0.2+ds+~cs74.13.25-2
diff --git a/debian/changelog b/debian/changelog
index aaace48..111c526 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-sinon (14.0.2+ds+~cs74.13.25-2) unstable; urgency=medium
+
+  * Team upload
+  * Update lintian override info format in d/source/lintian-overrides
+on line 2-3
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
+  * Update standards version to 4.6.2, no changes needed
+  * Drop calls to __proto__ (Closes: #1033818)
+
+ -- Yadd   Mon, 03 Apr 2023 07:26:51 +0400
+
 node-sinon (14.0.2+ds+~cs74.13.25-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 1a73a29..c60cd62 100644
--- a/debian/control
+++ b/debian/control
@@ -27,7 +27,7 @@ Build-Depends:
  , node-supports-color
  , node-type-detect
  , node-util 
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-sinon
 Vcs-Git: https://salsa.debian.org/js-team/node-sinon.git
 Homepage: https://sinonjs.org/
diff --git a/debian/patches/dont-try-to-access-to-__proto__.patch 
b/debian/patches/dont-try-to-access-to-__proto__.patch
new file mode 100644
index 000..5973750
--- /dev/null
+++ b/debian/patches/dont-try-to-access-to-__proto__.patch
@@ -0,0 +1,16 @@
+Description: don't try to access to __proto__
+Author: Yadd 
+Forwarded: no
+Last-Update: 2023-04-03
+
+--- a/lib/sinon/util/core/walk.js
 b/lib/sinon/util/core/walk.js
+@@ -17,7 +17,7 @@
+ }
+ 
+ forEach(Object.getOwnPropertyNames(obj), function (k) {
+-if (seen[k] !== true) {
++if (k !== '__proto__' && seen[k] !== true) {
+ seen[k] = true;
+ var target =
+ typeof Object.getOwnPropertyDescriptor(obj, k).get ===
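
Review bot: "Forwarded: no" undersells the patch. The problem is not Debian-specific: any project running its tests under node --disable-proto=throw (which this request says the JS team does for every autopkgtest) hits the same walk over "__proto__", so the one-line guard is worth sending upstream and the header should either record that or say why it was not forwarded.
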
diff --git a/debian/patches/series b/debian/patches/series
index ffb3e1f..b2b7689 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-sinonjsreferee-sinon-test.diff
 reproducible.patch
 fix-for-path-to-regexp-6.patch
 drop-unstable-test.patch
+dont-try-to-access-to-__proto__.patch
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 3f4d9d6..05b110e 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,6 +1,6 @@
 # False positive: data
-source-is-missing *sinonjstext-encoding/lib/encoding-indexes.js*
-source-contains-prebuilt-javascript-object 
*sinonjstext-encoding/lib/encoding-indexes.js*
+source-is-missing [*sinonjstext-encoding/lib/encoding-indexes.js*]
+source-contains-prebuilt-javascript-object 
[*sinonjstext-encoding/lib/encoding-indexes.js*]
 very-long-line-length-in-source-file *sinonjsfake-timers/LICENSE*
 very-long-line-length-in-source-file 
*sinonjstext-encoding/lib/encoding-indexes.js*
 very-long-line-length-in-source-file *.md*
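
Review bot: only the two overrides on lines 2-3 get the bracketed pointer form; the three very-long-line-length-in-source-file entries below keep the bare glob. If lintian's override syntax now expects brackets for the pointer part, those need the same update; otherwise a comment explaining the mixed forms would stop a later lintian-brush run from touching the file again.
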
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
index 6d85d64..c5adee0 100644
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -1,6 +1,6 @@
 ---
 Archive: GitHub
-Bug-Database: https://github.com/cjohansen/Sinon.JS/issues
-Bug-Submit: https://github.com/cjohansen/Sinon.JS/issues/new
+Bug-Database: https://github.com/sinonjs/sinon/issues
+Bug-Submit: https://github.com/sinonjs/sinon/issues/new
 Repository: https://github.com/cjohansen/Sinon.JS.git
-Repository-Browse: https://github.com/cjohansen/Sinon.JS
+Repository-Browse: https://github.com/sinonjs/sinon
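Review bot: `Repository:` still points at https://github.com/cjohansen/Sinon.JS.git while `Bug-Database`, `Bug-Submit` and `Repository-Browse` move to https://github.com/sinonjs/sinon, so the four fields now name two different GitHub projects; update `Repository:` to the matching sinonjs/sinon clone URL in the same change.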
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1033820: node-snapdragon: autopkgtest regression: Cannot find module 'snapdragon-node'

2023-04-04 Thread Yadd

On 4/4/23 07:08, Yadd wrote:

On 4/3/23 21:55, Paul Gevers wrote:

Hi yadd,

On 03-04-2023 05:42, Yadd wrote:
I'm unable to reproduce this issue: there is a link that provides 
snapdragon-node inside snapdragon-capture-set:


I could by running the following on my laptop:
paul@mulciber ~ $ autopkgtest --no-built-binaries node-snapdragon -- 
lxc --sudo autopkgtest-unstable-amd64


What did you try?


$ debc|grep '> '
lrwxrwxrwx root/root 0 2022-12-01 17:20 
./usr/share/nodejs/snapdragon-capture-set/node_modules -> 
../snapdragon/node_modules


and snapdragon has snapdragon/node_modules/snapdragon-node


To avoid confusion, I assume you mean node-snapdragon.

https://packages.debian.org/sid/all/node-snapdragon/filelist
confirms
/usr/share/nodejs/snapdragon/node_modules/snapdragon-node/

In a failing testbed:
root@autopkgtest-lxc-xulhyp:/ # ls -al 
/usr/share/nodejs/snapdragon-capture-set

total 20
drwxr-xr-x  2 root root 4096 Apr  3 19:50 .
drwxr-xr-x 52 root root 4096 Apr  3 19:50 ..
-rw-r--r--  1 root root 4283 Nov 28 20:25 index.js
-rw-r--r--  1 root root 1460 Nov 28 20:25 package.json

Am I missing something?

Paul


Hi,

then the bug is in the build, not in the test itself. Found: the fix was 
rejected (maybe an md5 mismatch?). Let's repush it.


For the record, the submodule snapdragon-capture-set was broken for a 
long time, except when node-snapdragon-node was installed. The test 
started to fail when pkg-js-autopkgtest started to test all submodules 
(version 0.14.11, 2022-02-25). I fixed node-snapdragon in December but 
didn't see that the upload was rejected. Fixed now.


Cheers,
Yadd



[Pkg-javascript-devel] Bug#1033820: Bug#1033820: Bug#1033820: node-snapdragon: autopkgtest regression: Cannot find module 'snapdragon-node'

2023-04-03 Thread Yadd

On 4/3/23 21:55, Paul Gevers wrote:

Hi yadd,

On 03-04-2023 05:42, Yadd wrote:
I'm unable to reproduce this issue: there is a link that provides 
snapdragon-node inside snapdragon-capture-set:


I could by running the following on my laptop:
paul@mulciber ~ $ autopkgtest --no-built-binaries node-snapdragon -- lxc 
--sudo autopkgtest-unstable-amd64


What did you try?


$ debc|grep '> '
lrwxrwxrwx root/root 0 2022-12-01 17:20 
./usr/share/nodejs/snapdragon-capture-set/node_modules -> 
../snapdragon/node_modules


and snapdragon has snapdragon/node_modules/snapdragon-node


To avoid confusion, I assume you mean node-snapdragon.

https://packages.debian.org/sid/all/node-snapdragon/filelist
confirms
/usr/share/nodejs/snapdragon/node_modules/snapdragon-node/

In a failing testbed:
root@autopkgtest-lxc-xulhyp:/ # ls -al 
/usr/share/nodejs/snapdragon-capture-set

total 20
drwxr-xr-x  2 root root 4096 Apr  3 19:50 .
drwxr-xr-x 52 root root 4096 Apr  3 19:50 ..
-rw-r--r--  1 root root 4283 Nov 28 20:25 index.js
-rw-r--r--  1 root root 1460 Nov 28 20:25 package.json

Am I missing something?

Paul


Hi,

then the bug is in the build, not in the test itself. Found: the fix was 
rejected (maybe an md5 mismatch?). Let's repush it.




[Pkg-javascript-devel] Bug#1033866: unblock: node-sockjs-client/1.6.1+dfsg1-2

2023-04-03 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-sockjs-cli...@packages.debian.org
Control: affects -1 + src:node-sockjs-client

Please unblock package node-sockjs-client

[ Reason ]
autopkgtest is broken due to a __proto__ access which is now forbidden
during autopkgtest (pkg-js-autopkgtest).

[ Impact ]
No impact, no code change

[ Tests ]
Test passed (both build & autopkgtest)

[ Risks ]
No risk, no code change

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
This change includes a lintian-brush fix (little things in lintian +
policy 4.6.2)

Regards,
Yadd

unblock node-sockjs-client/1.6.1+dfsg1-2
diff --git a/debian/changelog b/debian/changelog
index d68db9b..77c59b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+node-sockjs-client (1.6.1+dfsg1-2) unstable; urgency=medium
+
+  * Team upload
+
+  [ lintian-brush ]
+  * Update lintian override info format in d/source/lintian-overrides
+on line 2-8, 11-27
+  * Use secure URI in Homepage field
+  * Update standards version to 4.6.2, no changes needed
+
+  [ Yadd ]
+  * Drop __proto__ calls in tests (Closes: #1033821)
+
+ -- Yadd   Mon, 03 Apr 2023 10:13:25 +0400
+
 node-sockjs-client (1.6.1+dfsg1-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 811e9fc..809ccdc 100644
--- a/debian/control
+++ b/debian/control
@@ -22,10 +22,10 @@ Build-Depends:
  , node-proxyquire 
  , node-serve-static 
  , node-uuid 
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-sockjs-client
 Vcs-Git: https://salsa.debian.org/js-team/node-sockjs-client.git
-Homepage: http://sockjs.org
+Homepage: https://sockjs.org
 Rules-Requires-Root: no
 
 Package: node-sockjs-client
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 2f1b0b2..a846c89 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,27 +1,27 @@
 # false positive
-node-sockjs-client source: source-is-missing lib/utils/escape.js
-node-sockjs-client source: source-is-missing tests/lib/echo-tests.js
-source-contains-prebuilt-javascript-object lib/utils/escape.js
-source-contains-prebuilt-javascript-object tests/lib/echo-tests.js
-very-long-line-length-in-source-file lib/utils/escape.js line *
-very-long-line-length-in-source-file tests/lib/echo-tests.js line *
-very-long-line-length-in-source-file *.md line *
+node-sockjs-client source: source-is-missing [lib/utils/escape.js]
+node-sockjs-client source: source-is-missing [tests/lib/echo-tests.js]
+source-contains-prebuilt-javascript-object [lib/utils/escape.js]
+source-contains-prebuilt-javascript-object [tests/lib/echo-tests.js]
+very-long-line-length-in-source-file * [lib/utils/escape.js:*]
+very-long-line-length-in-source-file * [tests/lib/echo-tests.js:*]
+very-long-line-length-in-source-file * [*.md:*]
 
 # False positive in test module
-source-is-missing debian/tests/test_modules/sockjs/lib/iframe.js
-source-is-missing debian/tests/test_modules/sockjs/lib/sockjs.js
-source-is-missing debian/tests/test_modules/sockjs/lib/trans-eventsource.js
-source-is-missing debian/tests/test_modules/sockjs/lib/trans-htmlfile.js
-source-is-missing debian/tests/test_modules/sockjs/lib/trans-jsonp.js
-source-is-missing debian/tests/test_modules/sockjs/lib/trans-websocket.js
-source-is-missing debian/tests/test_modules/sockjs/lib/trans-xhr.js
-source-is-missing debian/tests/test_modules/sockjs/lib/transport.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/iframe.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/sockjs.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/trans-eventsource.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/trans-htmlfile.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/trans-jsonp.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/trans-websocket.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/trans-xhr.js
-source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/transport.js
-very-long-line-length-in-source-file 
debian/tests/test_modules/sockjs/lib/sockjs.js line 122 is 675 characters long 
(>512)
+source-is-missing [debian/tests/test_modules/sockjs/lib/iframe.js]
+source-is-missing [debian/tests/test_modules/sockjs/lib/sockjs.js]
+source-is-missing [debian/tests/test_modules/sockjs/lib/trans-eventsource.js]
+source-is-missing [debian/tests/test_modules/sockjs/lib/trans-htmlfile.js]
+source-is-missing [debian/tests/test_modules/sockjs/lib/trans-jsonp.js]
+source-is-missing [debia
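
The `__proto__` problem behind this request and the sinon walk.js patch at the top of this page, as an added JavaScript example (not code from sinon, sockjs-client or the Debian packaging). It assumes a walk of the same shape as sinon's, own property names collected through a `seen` table, and shows why a plain-object table cannot record the name "__proto__" (an own key that `JSON.parse` happily produces), and how a null-prototype table plus the same skip as the patch handles it. Node's `--disable-proto=throw` option turns every `__proto__` access into an ERR_PROTO_ACCESS exception, which is a quick way to surface such accesses in a test run:

```javascript
// Added example: property walking that never treats "__proto__" as an
// ordinary key (not sinon or sockjs-client code).

// A plain object as the "seen" table: reading "__proto__" returns the
// inherited Object.prototype (never === true), and assigning true to it is
// a silent no-op, so this key can never be recorded. Under
// `node --disable-proto=throw` both accesses throw ERR_PROTO_ACCESS instead.
function plainSeenTableRecords(key) {
  const seen = {};
  seen[key] = true;
  return seen[key] === true;
}

// Walk obj and its prototype chain (stopping before Object.prototype) and
// return each own property name once. The table is created with
// Object.create(null), so it has no inherited __proto__ accessor and any
// string is a safe key; the explicit skip mirrors the guard added to
// sinon's walk.js and keeps "__proto__" from being visited at all.
function walkOwnKeys(obj) {
  const seen = Object.create(null);
  const visited = [];
  let current = obj;
  while (current !== null && current !== Object.prototype) {
    for (const k of Object.getOwnPropertyNames(current)) {
      if (k === '__proto__' || seen[k] === true) continue;
      seen[k] = true;
      visited.push(k);
    }
    current = Object.getPrototypeOf(current);
  }
  return visited;
}

// Constructed input: JSON.parse creates an *own* property literally named
// "__proto__" (it does not change the prototype), which is exactly the
// case the plain-object table gets wrong.
const parsedWithProtoKey = JSON.parse('{"__proto__": {"polluted": 1}, "a": 2, "b": 3}');

// Constructed class so the walk has a prototype level to traverse.
class Fixture {
  constructor() { this.own = 1; }
  method() {}
}

function demo() {
  return {
    plainA: plainSeenTableRecords('a'),                  // true
    plainProto: plainSeenTableRecords('__proto__'),      // false
    parsedHasOwnProtoKey: Object.prototype.hasOwnProperty.call(parsedWithProtoKey, '__proto__'), // true
    protoUnchanged: Object.getPrototypeOf(parsedWithProtoKey) === Object.prototype,             // true
    parsedKeys: walkOwnKeys(parsedWithProtoKey),         // ['a', 'b']
    fixtureKeys: walkOwnKeys(new Fixture()),             // ['own', 'constructor', 'method']
  };
}

console.log(demo());
```

With a null-prototype table the skip is belt and braces rather than a necessity; what it buys is that the walk never calls `getOwnPropertyDescriptor(obj, '__proto__')` either, which is the access a `--disable-proto=throw` run would otherwise flag.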

[Pkg-javascript-devel] Bug#1033820: Bug#1033820: node-snapdragon: autopkgtest regression: Cannot find module 'snapdragon-node'

2023-04-02 Thread Yadd

Control: tags -1 + moreinfo

On 4/2/23 12:05, Paul Gevers wrote:

Source: node-snapdragon
Version: 0.12.1+~cs1.2.1-2
Control: found -1 0.12.1+~cs1.2.1-1
Severity: serious
Control: tags -1 bookworm-ignore
User: debian...@lists.debian.org
Usertags: regression

Dear maintainer(s),

Your package has an autopkgtest, great. However, it started to fail at 
the beginning of 2022. Can you please investigate the situation and fix 
it? I copied some of the output at the bottom of this report.


The release team has announced [1] that failing autopkgtest on amd64 and 
arm64 are considered RC in testing. [Release Team member hat on] Because 
we're currently in the hard freeze for bookworm, I have marked this bug 
as bookworm-ignore. Targeted fixes are still welcome.


More information about this bug and the reason for filing it can be 
found on 
https://wiki.debian.org/ContinuousIntegration/RegressionEmailInformation


Paul


Hi,

I'm unable to reproduce this issue: there is a link that provides 
snapdragon-node inside snapdragon-capture-set:


$ debc|grep '> '
lrwxrwxrwx root/root 0 2022-12-01 17:20 
./usr/share/nodejs/snapdragon-capture-set/node_modules -> 
../snapdragon/node_modules


and snapdragon has snapdragon/node_modules/snapdragon-node

Cheers,
Yadd



[Pkg-javascript-devel] Bug#1033350: Bug#1033350: node-should: please provide type declarations

2023-03-23 Thread Yadd

On 3/23/23 12:03, Andrius Merkys wrote:

Package: node-should
Version: 13.2.3~dfsg-6
Severity: wishlist

Hello,

I am working to update node-wikibase-sdk to 9.0.5 (newest release ATM). 
The new release has tests depending on @types/should which does not seem 
to be packaged.


Andrius


Hi,

should.js already provides its TypeScript definitions; @types/should is 
an empty package. Maybe the issue is just to rename the "typings" field to 
"types".


Cheers,
Yadd



[Pkg-javascript-devel] Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1

2023-03-15 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

Please unblock package node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, autopkgtest passed on all reverse dependencies

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
The attached debdiff doesn't show the doc and test snapshot updates,
otherwise the debdiff would be really big and not relevant.

Cheers,
Yadd

unblock node-webpack/5.76.1+dfsg1+~cs17.16.16-1
diff --git a/README.md b/README.md
index c712d27f..a6549c1c 100644
--- a/README.md
+++ b/README.md
@@ -158,11 +158,11 @@ or are automatically applied via regex from your webpack 
configuration.
 
  Transpiling
 
-|
Name
|Status |  Install Size  | Description  
 |
-| 
::
 | :---: | :: | 
:
 |
-| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> 
| ![babel-npm]  | ![babel-size]  | Loads ES2015+ code and transpiles to ES5 
using https://github.com/babel/babel;>Babel |
-|  https://github.com/TypeStrong/ts-loader;>https://cdn.rawgit.com/Microsoft/TypeScript/master/doc/logo.svg;>  |  
![type-npm]  |  ![type-size]  | Loads TypeScript like JavaScript
  |
-|https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>| 
![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript 
   |
+|  
   Name 

|Status |  Install Size  | Description  
 |
+| 
:--:
 | :---: | :: | 
:
 |
+|  https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;>  
| ![babel-npm]  | ![babel-size] 
 | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel |
+| https://github.com/TypeStrong/ts-loader;>https://raw.githubusercontent.com/microsoft/TypeScript-Website/f407e1ae19e5e990d9901ac8064a32a8cc60edf0/packages/typescriptlang-org/static/branding/ts-logo-128.svg;>
 |  ![type-npm]  |  ![type-size]  | Loads TypeScript like JavaScript
  |
+| https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>   
  | ![coffee-npm] | ![coffee-size] 
| Loads CoffeeScript like JavaScript
|
 
 [babel-npm]: https://img.shields.io/npm/v/babel-loader.svg
 [babel-size]: https://packagephobia.com/badge?p=babel-loader
@@ -175,7 +175,7 @@ or are automatically applied via regex from your webpack 
configuration.
 
 |  
 Name   
 | Status  |   Install Size   | Description 
|
 | 
:---:
 | :-: | :--: | 
:---

[Pkg-javascript-devel] Bug#1032976: unblock: node-sqlite3/5.1.5+ds1-1

2023-03-14 Thread Yadd
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-sqli...@packages.debian.org
Control: affects -1 + src:node-sqlite3

Please unblock package node-sqlite3

[ Reason ]
A code execution vulnerability was discovered in node-sqlite3 due to the
underlying implementation of .toString(). It is then possible to execute
arbitrary JavaScript or to achieve a denial-of-service if a binding
parameter is a crafted object.
(CVE-2022-43441)

[ Impact ]
Major security issue

[ Tests ]
New test added, passed

[ Risks ]
No risk, patch is trivial. The main change is this:

@@ -208,7 +208,7 @@ template  Values::Field*
 return new Values::Float(pos, source.ToNumber().DoubleValue());
 }
 else if (source.IsObject()) {
-Napi::String napiVal = source.ToString();
+Napi::String napiVal = Napi::String::New(source.Env(), "[object 
Object]");
 // Check whether toString returned a value that is not undefined.
 if(napiVal.Type() == 0) {
 return NULL;
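Review bot: once `napiVal` is built from the constant "[object Object]", the `if(napiVal.Type() == 0)` check two lines below (meant to catch a `toString` that returned undefined) can never be true, so it is dead code; drop it or comment why it is kept. Also consider whether silently binding the literal string "[object Object]" for every non-primitive parameter is the contract you want: a caller that passes an object by mistake now runs a query against that string with no error, whereas raising a type error here would make such bugs visible while still never invoking the object's own toString.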


[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
DSA pushed also for bullseye (5.0.0+ds1-1+deb11u2)

unblock node-sqlite3/5.1.5+ds1-1
diff --git a/README.md b/README.md
index 4a214a6..571df9e 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Asynchronous, non-blocking [SQLite3](https://sqlite.org/) 
bindings for [Node.js]
  - [Extension 
support](https://github.com/TryGhost/node-sqlite3/wiki/API#databaseloadextensionpath-callback),
 including bundled support for the [json1 
extension](https://www.sqlite.org/json1.html)
  - Big test suite
  - Written in modern C++ and tested for memory leaks
- - Bundles SQLite v3.39.4, or you can build using a local SQLite
+ - Bundles SQLite v3.41.1, or you can build using a local SQLite
 
 # Installing
 
diff --git a/binding.gyp b/binding.gyp
index f1336f6..20d418b 100644
--- a/binding.gyp
+++ b/binding.gyp
@@ -25,8 +25,10 @@
 "libraries": [
"-l<(sqlite_libname)"
 ],
-"conditions": [ [ "OS=='linux'", 
{"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ] ],
-"conditions": [ [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} 
] ],
+"conditions": [
+  [ "OS=='linux'", {"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ],
+  [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} ]
+],
 'msvs_settings': {
   'VCLinkerTool': {
 'AdditionalLibraryDirectories': [
diff --git a/debian/changelog b/debian/changelog
index a1b24b6..5eb4c18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-sqlite3 (5.1.5+ds1-1) unstable; urgency=medium
+
+  * Team upload
+  * Update lintian override info format in d/source/lintian-overrides
+on line 2-3
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
+  * Update standards version to 4.6.2, no changes needed.
+  * New upstream version (Closes: CVE-2022-43441)
+
+ -- Yadd   Tue, 14 Mar 2023 07:04:46 +0400
+
 node-sqlite3 (5.1.2+ds1-1) unstable; urgency=medium
 
   * Team upload
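Review bot: `(Closes: CVE-2022-43441)` in the new changelog entry does not close anything, as the `Closes:` field is parsed for bug numbers only; keep the CVE id in the entry text and, if a Debian bug was filed for it, add `Closes: #NNNNNN` (placeholder) with that number.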
diff --git a/debian/control b/debian/control
index e775fb8..cd29f0e 100644
--- a/debian/control
+++ b/debian/control
@@ -16,7 +16,7 @@ Build-Depends:
  , mocha
  , libsqlite3-dev
  , dh-sequence-nodejs
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Homepage: https://github.com/mapbox/node-sqlite3/wiki
 Vcs-Git: https://salsa.debian.org/js-team/node-sqlite3.git
 Vcs-Browser: https://salsa.debian.org/js-team/node-sqlite3
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 6694acf..30e1e92 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,5 +1,5 @@
 # only long lines, source is readable
-source-is-missing *test/null_error.test.js*
-source-contains-prebuilt-javascript-object *test/null_error.test.js*
+source-is-missing [*test/null_error.test.js*]
+source-contains-prebuilt-javascript-object [*test/null_error.test.js*]
 very-long-line-length-in-source-file *.md*
 very-long-line-length-in-source-file *test/null_error.test.js*
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
index 4b6a0f1..b794be2 100644
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -1,6 +1,6 @@
 ---
 Archive: GitHub
-Bug-Database: https://github.com/mapbox/node-sqlite3/issues
-Bug-Submit: https://github.com/mapbox/node-sqlite3/issues/new
+Bug-Database: https://github.com/TryGhost/node-sqlite3/issues
+Bug-Submit: https://github.com/TryGhost/node-sqlite3/issues/new
 Repository: https://github.com/mapbox/node
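
What the quoted change protects against, as an added JavaScript example (not node-sqlite3 code): a binding layer that stringifies parameter objects runs whatever `toString` the caller's object carries, while one that substitutes a constant never calls into the object. `coerceBindParam` mirrors the shape of the fix; `coerceBindParamStrict` is an assumed stricter variant that rejects objects outright. The observable parameter is constructed for the demo and only flips a flag:

```javascript
// Added example (not node-sqlite3 code): coercing a binding parameter
// without letting the value run its own toString().

// The shape of the old behaviour: String(value) invokes value.toString(),
// so a parameter object carries code that executes inside the binding
// layer. Kept only to show the contrast.
function coerceByStringifying(value) {
  return String(value);
}

// The shape of the fixed behaviour: primitives are bound as themselves,
// Buffers as blobs, null/undefined as NULL, and any other object becomes
// the constant "[object Object]" without any of its methods being called.
function coerceBindParam(value) {
  if (value === null || value === undefined) return null;
  switch (typeof value) {
    case 'string':
    case 'number':
    case 'boolean':
    case 'bigint':
      return value;
    case 'object':
      return Buffer.isBuffer(value) ? value : '[object Object]';
    default: // function, symbol
      throw new TypeError(`cannot bind a ${typeof value} as a SQL parameter`);
  }
}

// Assumed stricter variant: refuse non-primitive parameters outright so a
// mistaken object binding fails loudly instead of querying for the
// literal string "[object Object]".
function coerceBindParamStrict(value) {
  if (value !== null && typeof value === 'object' && !Buffer.isBuffer(value)) {
    throw new TypeError('SQL parameters must be primitives, Buffers or null');
  }
  return coerceBindParam(value);
}

// Constructed parameter object whose toString() has a side effect we can
// observe. In the real issue that side effect was arbitrary JavaScript;
// here it only sets a flag.
function makeObservableParam() {
  const state = { toStringCalled: false };
  const param = { toString() { state.toStringCalled = true; return 'x'; } };
  return { state, param };
}

function demo() {
  const a = makeObservableParam();
  const naive = coerceByStringifying(a.param);
  const b = makeObservableParam();
  const fixed = coerceBindParam(b.param);
  let strictThrew = false;
  try { coerceBindParamStrict(b.param); } catch (e) { strictThrew = e instanceof TypeError; }
  return {
    naive,                                        // 'x'
    naiveRanToString: a.state.toStringCalled,     // true: the object's code ran
    fixed,                                        // '[object Object]'
    fixedRanToString: b.state.toStringCalled,     // false: never called into the object
    strictThrew,                                  // true
    number: coerceBindParam(42),                  // 42
    nul: coerceBindParam(undefined),              // null
    blobIsBuffer: Buffer.isBuffer(coerceBindParam(Buffer.from('ab'))), // true
  };
}

console.log(demo());
```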

[Pkg-javascript-devel] Bug#1032921: bullseye-pu: package node-webpack/4.43.0-6+deb11u1

2023-03-13 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access
(#1032904, CVE-2023-28154)

[ Impact ]
Medium security issue

[ Tests ]
Sadly webpack has no test in Bullseye

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Better isolation in a distinct Node.js vm for each object to parse, before
setting keys in the vulnerable object

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 4bbdc0d3..dcd60ee0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-webpack (4.43.0-6+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Avoid cross-realm object access (Closes: #1032904, CVE-2023-28154)
+
+ -- Yadd   Tue, 14 Mar 2023 07:43:57 +0400
+
 node-webpack (4.43.0-6) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-28154.patch 
b/debian/patches/CVE-2023-28154.patch
new file mode 100644
index ..c239d37b
--- /dev/null
+++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,72 @@
+Description: avoid cross-realm object access
+Author: Jack Works 
+Bug: https://security-tracker.debian.org/tracker/CVE-2023-28154
+Bug-Debian: https://bugs.debian.org/1032904
+Forwarded: not-needed
+Applied-Upstream: 5.76.0, commit:4b4ca3bb
+Reviewed-By: Yadd 
+Last-Update: 2023-03-14
+
+--- a/lib/Parser.js
 b/lib/Parser.js
+@@ -2335,11 +2335,20 @@
+   if (value && webpackCommentRegExp.test(value)) {
+   // try compile only if webpack options comment 
is present
+   try {
+-  const val = 
vm.runInNewContext(`(function(){return {${value}};})()`);
+-  Object.assign(options, val);
++  for (let [key, val] of Object.entries(
++  
vm.runInNewContext(`(function(){return {${value}};})()`)
++  )) {
++  if (typeof val === "object" && 
val !== null) {
++  if 
(val.constructor.name === "RegExp") val = new RegExp(val);
++  else val = 
JSON.parse(JSON.stringify(val));
++  }
++  options[key] = val;
++  }
+   } catch (e) {
+-  e.comment = comment;
+-  errors.push(e);
++  const newErr = new 
Error(String(e.message));
++  newErr.stack = String(e.stack);
++  Object.assign(newErr, { comment });
++  errors.push(newErr);
+   }
+   }
+   }
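Review bot: the copy loop only normalises values with `typeof val === "object"`; a function or symbol returned from the `vm.runInNewContext` realm is assigned to `options[key]` untouched, so foreign callables still cross the boundary and every consumer has to cope with them. Magic comments carry data, so rejecting (or dropping with a warning) anything that is not a primitive, a RegExp or a JSON-serialisable object would close that gap. Also, `val.constructor.name === "RegExp"` trusts a name that the evaluated comment itself defines, so `new RegExp(val)` may be handed an object that is no RegExp; the `instanceof RegExp` check added in ImportParserPlugin.js below backstops webpackInclude, but `util.types.isRegExp(val)` here (it checks the internal slot and works across realms) would make the conversion itself reliable.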
+--- a/lib/dependencies/ImportParserPlugin.js
 b/lib/dependencies/ImportParserPlugin.js
+@@ -127,7 +127,7 @@
+   if (importOptions.webpackInclude !== undefined) 
{
+   if (
+   !importOptions.webpackInclude ||
+-  
importOptions.webpackInclude.constructor.name !== "RegExp"
++  !(importOptions.webpackInclude 
instanceof RegExp)
+   ) {
+   
parser.state.module.warnings.push(
+   new 
UnsupportedFeatureWarning(
+@@ -137,13 +137,13 @@
+   )
+   );
+   } else {
+-  include = new 
RegExp(importOptions.webpackInclude);
++  include = 
importOptions.webpackInclude;
+   }
+   }
+   if (importOptions.webpackExclude !== undefined) 
{
+   if (
+   !importOptions.webpackExclude ||
+-  
importOptions.webpackExclude.constructor.name !== "RegExp"
++   

Re: [Pkg-javascript-devel] RFS - node-openpgp

2023-03-12 Thread Yadd

On 3/13/23 02:15, Sandra Uwah wrote:

Hello,

I’ve made the necessary changes. Thanks


Hi,

no, your change is wrong: doc/prettify doesn't belong to the OpenPGP authors! It 
was imported into the sources from another project, and this file is 
serialized. Please drop the whole doc/scripts _from import_ with a 
+dfsg1 suffix. Same for node-openpgp-web-stream-tools and 
node-openpgp-web-stream-tools




Re: [Pkg-javascript-devel] [Pkg-JavaScript-devel] RFS - node-openpgp-web-stream-tools

2023-03-10 Thread Yadd

On 3/11/23 02:19, Sandra Uwah wrote:

Please what exactly is wrong in copyright?


See docs/scripts/prettify/Apache-License-2.0.txt


*From: *Yadd <mailto:y...@debian.org>
*Sent: *Friday, March 10, 2023 3:32 AM
*To: *Sandra Uwah <mailto:sandrauwa...@gmail.com>
*Cc: *pkg-javascript-devel@alioth-lists.debian.net 
<mailto:pkg-javascript-devel@alioth-lists.debian.net>
*Subject: *Re: [Pkg-javascript-devel] [Pkg-JavaScript-devel] RFS - 
node-openpgp-web-stream-tools


On 3/10/23 01:41, Sandra Uwah wrote:

 > Hello,
 >
 > I have made the change in copyright. Here’s the repository :
 > https://salsa.debian.org/sandra_uwah/node-openpgp-web-stream-tools
 > <https://salsa.debian.org/sandra_uwah/node-openpgp-web-stream-tools>
 >
 > I have also made some changes that were necessary for the build of
 > OpenPGP.js
 >
 > Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for 
Windows
 >
 > *From: *Yadd <mailto:y...@debian.org>
 > *Sent: *Sunday, January 29, 2023 4:34 AM
 > *To: *pkg-javascript-devel@alioth-lists.debian.net
 > <mailto:pkg-javascript-devel@alioth-lists.debian.net>
 > *Subject: *Re: [Pkg-javascript-devel] [Pkg-JavaScript-devel] RFS -
 > node-openpgp-web-stream-tools

Hi,

debian/copyright is still wrong. Drop docs/scripts/prettify from import
if you can





Re: [Pkg-javascript-devel] RFS - node-openpgp-asmcrypto.js

2023-03-09 Thread Yadd

On 3/10/23 02:05, Sandra Uwah wrote:

Hello,

Requesting sponsorship for the package node-openpgp-asmcrypto.js

Package details;

Package version: 2.3.3~0

Package repo: https://salsa.debian.org/sandra_uwah/node-openpgp-asmcrypto.js

I have made the package lintian clean and have built in a clean 
environment using sbuild.


Hi,

* debian/watch seems wrong (uscan found nothing)
* package.json proposes a CommonJS file (asmcrypto.all.js) which is not
  built with your patch, why did you drop it?
* please adjust package.json#files or .npmignore: only dist/ and
  ./asmcrypto*.js are needed

Cheers,
Yadd



Re: [Pkg-javascript-devel] RFS - node-openpgp

2023-03-09 Thread Yadd

On 3/10/23 01:57, Sandra Uwah wrote:

Hello,

Requesting sponsorship for the package node-openpgp.

Package details;

Package version: 5.7.0

Package repo: https://salsa.debian.org/sandra_uwah/node-openpgp 



I have made the package lintian clean and have built in a clean 
environment using sbuild.


Kindly also upload node-openpgp-asmcrypto 
(https://salsa.debian.org/sandra_uwah/node-openpgp-asmcrypto.js), and 
node-openpgp-web-stream-tools 
(https://salsa.debian.org/sandra_uwah/node-openpgp-web-stream-tools), 
which are required for building this package.


Other packages required ( but not yet installable with apt ) can be 
found in their corresponding js-team repos. They include:


node-benchmark,

node-http-server,

node-email-addresses


Hi,

same problem with debian/copyright: a copy of prettify (Apache-2.0). 
Drop this repo from import if possible




Re: [Pkg-javascript-devel] [Pkg-JavaScript-devel] RFS - node-openpgp-web-stream-tools

2023-03-09 Thread Yadd

On 3/10/23 01:41, Sandra Uwah wrote:

Hello,

I have made the change in copyright. Here’s the repository : 
https://salsa.debian.org/sandra_uwah/node-openpgp-web-stream-tools 
<https://salsa.debian.org/sandra_uwah/node-openpgp-web-stream-tools>


I have also made some changes that were necessary for the build of 
OpenPGP.js


Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows

*From: *Yadd <mailto:y...@debian.org>
*Sent: *Sunday, January 29, 2023 4:34 AM
*To: *pkg-javascript-devel@alioth-lists.debian.net 
<mailto:pkg-javascript-devel@alioth-lists.debian.net>
*Subject: *Re: [Pkg-javascript-devel] [Pkg-JavaScript-devel] RFS - 
node-openpgp-web-stream-tools


Hi,

debian/copyright is still wrong. Drop docs/scripts/prettify from import 
if you can




[Pkg-javascript-devel] Bug#1032188: Bug#1032188: debdiff

2023-03-01 Thread Yadd

On 3/1/23 18:40, Bastien Roucariès wrote:

Dear security team,

For bullseye will you find the debdiff attached.

Waiting for your instruction


Hi,

for minor bugs like this one, go through a bullseye-pu.

Cheers



[Pkg-javascript-devel] Bug#1032134: bullseye-pu: package node-cookiejar/2.1.2-1+deb11u1

2023-02-28 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-cookie...@packages.debian.org
Control: affects -1 + src:node-cookiejar

[ Reason ]
node-cookiejar is vulnerable to ReDoS (CVE-2022-25901).

[ Impact ]
Medium security issue.

[ Tests ]
Test passed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Check if cookie is not too big

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index d31a10d..2ecbcad 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-cookiejar (2.1.2-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Add a guard against maliciously-sized cookies (Closes: CVE-2022-25901)
+
+ -- Yadd   Tue, 28 Feb 2023 17:55:16 +0400
+
 node-cookiejar (2.1.2-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2022-25901.patch 
b/debian/patches/CVE-2022-25901.patch
new file mode 100644
index 000..8933f32
--- /dev/null
+++ b/debian/patches/CVE-2022-25901.patch
@@ -0,0 +1,22 @@
+Description: add a guard against maliciously-sized cookies
+Author: Andy Burke 
+Bug: https://github.com/TheKingTermux/alice/issues/240
+Forwarded: not-needed
+Applied-Upstream: 2.1.4, https://github.com/bmeck/node-cookiejar/pull/39
+Reviewed-By: Yadd 
+Last-Update: 2023-02-28
+
+--- a/cookiejar.js
 b/cookiejar.js
+@@ -65,6 +65,11 @@
+ var cookie_str_splitter = /[:](?=\s*[a-zA-Z0-9_\-]+\s*[=])/g;
+ Cookie.prototype.parse = function parse(str, request_domain, 
request_path) {
+ if (this instanceof Cookie) {
++if ( str.length > 32768 ) {
++console.warn("Cookie too long for parsing (>32768 
characters)");
++return;
++}
++
+ var parts = str.split(";").filter(function (value) {
+ return !!value;
+ });
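Review bot: the guard exits with a bare `return;`, so `Cookie.prototype.parse` yields `undefined` for an oversized string while its normal path (outside this hunk) presumably returns a cookie; callers that chain on the result will fail with a TypeError rather than see the `console.warn` text. Return `null` explicitly or throw a descriptive error so the new failure mode is part of the API, and prefer not to log from library code that callers cannot silence. Also the `Bug:` header points at https://github.com/TheKingTermux/alice/issues/240 rather than a node-cookiejar issue, while `Applied-Upstream` cites bmeck/node-cookiejar pull 39; check that the first URL is the intended upstream report.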
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..239e3ed
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2022-25901.patch
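
The guard from the patch as part of a small parser, as an added JavaScript example (not node-cookiejar code): the length check runs before the string is split or matched, so a huge Set-Cookie value is rejected at constant cost instead of reaching any regular expression. The parser itself is assumed (it uses indexOf rather than the original splitter regex) and stores attribute names in a null-prototype object, so a header that names an attribute "__proto__" cannot touch Object.prototype:

```javascript
// Added example (not node-cookiejar code): a Set-Cookie parser that bounds
// its input before any splitting or matching happens.
const MAX_COOKIE_LENGTH = 32768; // same bound as the patch above

// Returns { name, value, attributes } or null. The length check comes first,
// so an oversized header costs one integer comparison and never reaches the
// split/trim work below. Attribute names come from the header, so they are
// kept in a null-prototype object where "__proto__" is just a string key.
function parseSetCookie(header) {
  if (typeof header !== 'string' || header.length > MAX_COOKIE_LENGTH) return null;
  const parts = header.split(';').map((p) => p.trim()).filter((p) => p.length > 0);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // a cookie needs a non-empty name
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: Object.create(null),
  };
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const attrName = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attributes[attrName] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Constructed inputs: a normal header, one over the bound, one exactly at
// the bound, and a header whose attribute name tries to be "__proto__".
const NORMAL = 'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';
const OVERSIZED = 'sid=' + 'x'.repeat(MAX_COOKIE_LENGTH);          // length = bound + 4
const AT_BOUND = 'k=' + 'v'.repeat(MAX_COOKIE_LENGTH - 2);        // length = bound
const PROTO_ATTR = 'a=b; __proto__=polluted';

function demo() {
  const c = parseSetCookie(NORMAL);
  const p = parseSetCookie(PROTO_ATTR);
  return {
    name: c.name,                                         // 'sid'
    value: c.value,                                       // 'abc123'
    path: c.attributes.path,                              // '/'
    secure: c.attributes.secure,                          // true
    samesite: c.attributes.samesite,                      // 'Lax'
    oversizedRejected: parseSetCookie(OVERSIZED) === null, // true
    atBoundAccepted: parseSetCookie(AT_BOUND) !== null,    // true
    protoAttrIsPlainKey: p.attributes['__proto__'] === 'polluted', // true: stored as data
    protoUntouched: !('polluted' in {}),                  // true: Object.prototype unchanged
    emptyRejected: parseSetCookie('') === null,           // true
  };
}

console.log(demo());
```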


Re: [Pkg-javascript-devel] Request to be a contributor in the JavaScript team

2023-02-18 Thread Yadd

On 2/18/23 13:43, Komolehin Israel wrote:

Hi,

My name is Komolehin Israel, a software developer from Debian Nigeria.

I recently subscribed to your mailing list. I’m sending this email to let you 
know that I would like to be part of the Debian community JavaScript team as a 
contributor.

Thank you.

I look forward to hearing from you.

Regards,
Israel.


Hi Israel,

thanks for your help! Any help is welcome. To join us, you just have to 
create a salsa.debian.org account and propose your changes by MR (all JS 
packages are in salsa.debian.org/js-team/).

Note:
* you should read https://wiki.debian.org/Javascript/Tutorial and other
  doc given in https://wiki.debian.org/Javascript
* the Debian 12 freeze has started, so only targeted fixes are allowed
  until the Debian 12 release

Cheers,
Yadd


