[Pkg-javascript-devel] automatically pulling vulnerabilities from snyk.io

2019-07-19 Thread Paolo Greppi
After filing https://bugs.debian.org/932500 I realized it would be great to have some automation in place to automatically pull vulnerabilities from https://snyk.io and turn them into CVE bugs in BTS.

Thoughts?

Paolo

[Pkg-javascript-devel] Processed: tagging 932500, retitle 932500 to vulnerability: CVE-2019-10746: prototype pollution

2019-07-19 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 932500 + security
Bug #932500 [node-mixin-deep] vulnerability: prototype pollution
Added tag(s) security.
> retitle 932500 vulnerability: CVE-2019-10746: prototype pollution
Bug #932500 [node-mixin-deep] vulnerability: prototype pollution

[Pkg-javascript-devel] Bug#932500: vulnerability: prototype pollution

2019-07-19 Thread Paolo Greppi
Package: node-mixin-deep
Version: 1.1.3-3
Severity: important

Dear Maintainer,

node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerability:

https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
https://github.com/jonschlinkert/mixin-deep/issues/6

Please upgrade to either 1.3.2 or 2.0.1.

Re: [Pkg-javascript-devel] Merging node-jquery and libjs-jquery source packages

2019-07-19 Thread Xavier
Hi all,

I agree to merge them. Following our policy, source package should be named jquery.js. For now we have:

* node-jquery => src:node-jquery
* libjs-jquery => src:jquery

Then if we don't want to upload a new package, I prefer to keep src:jquery as source name.

Cheers,
Xavier

Le 19

[Pkg-javascript-devel] Merging node-jquery and libjs-jquery source packages

2019-07-19 Thread Pirate Praveen
Hi,

Historically we did not have the build tools for jquery in the archive, so a custom build system was created to build libjs-jquery. If there is any change in upstream build system, it will be hard to update this build system and since the same build tools used by upstream are now available