[Pkg-javascript-devel] Bug#981474: node-rollup-plugin-terser: test randomly fails due to timeout problems

2021-01-31 Thread Xavier Guimard
Package: node-rollup-plugin-terser
Version: 7.0.2-4
Severity: serious
Tags: ftbfs
Justification: Policy 2.1

https://ci.debian.net/packages/n/node-rollup-plugin-terser/testing/amd64/
shows that node-rollup-plugin-terser test randomly fails

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel

[Pkg-javascript-devel] Bug#981279: lintian: False positive: pkg-js-autopkgtest-file-does-not-exist packages/*/test

2021-01-28 Thread Xavier Guimard
Package: lintian
Version: 2.104.0
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

lintian looks unable to understand `packages/*/test` expression when
trying to verify that files declared in debian/tests/pkg-js/files exist.


[Pkg-javascript-devel] Bug#980032: RM: node-request/2.88.1-5

2021-01-13 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-request is deprecated (#956423) and won't be part of Bullseye. I'd
like to see it removed from testing after node-jsdom migration.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#980012: FTBFS: TypeError: Cannot read property 'register' of undefined

2021-01-12 Thread Xavier Guimard
Package: coffeescript
Version: 1.12.8~dfsg-4
Severity: serious

coffeescript build seems broken. Logs:

 dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building coffeescript using existing 
./coffeescript_1.12.8~dfsg.orig.tar.gz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: building coffeescript in 
coffeescript_1.12.8~dfsg-5.debian.tar.xz
dpkg-source: info: building coffeescript in coffeescript_1.12.8~dfsg-5.dsc
 debian/rules binary
CDBS WARNING:  copyright-check disabled - licensecheck is missing.
test -x debian/rules
dh_testroot
dh_prep
dh_installdirs -A
mkdir -p "."

Scanning upstream source for new/changed copyright notices...

set -e; LC_ALL=C.UTF-8 /usr/bin/licensecheck --check '.*' --recursive 
--copyright --deb-fmt --ignore 
'^(debian/(changelog|copyright(|_hints|_newhints)))$' --lines 0 -- * | 
/usr/lib/cdbs/licensecheck2dep5 > debian/copyright_newhints
/bin/sh: 1: /usr/bin/licensecheck: not found
0 combinations of copyright and licensing found.
No new copyright notices found - assuming no news is good news...
touch debian/stamp-copyright-check
mkdir -p "debian/upstream-cruft"
cp -a "lib" "debian/upstream-cruft/lib";
touch debian/stamp-upstream-cruft
mkdir -p docs/v1/browser-compiler
chmod +x bin/cake
bin/cake build
bin/cake build
bin/cake build:browser
bin/cake test
(node:2439631) [DEP0005] DeprecationWarning: Buffer() is deprecated due to 
security and usability issues. Please use the Buffer.alloc(), 
Buffer.allocUnsafe(), or Buffer.from() methods instead.
(node:2439631) [DEP0124] DeprecationWarning: REPLServer.rli is deprecated
passed 856 tests in 1.66 seconds
bin/cake test:browser
/<>/Cakefile:450
CoffeeScript.register();
 ^

TypeError: Cannot read property 'register' of undefined
at runTests (/<>/Cakefile:450:18)
at Object.action (/<>/Cakefile:562:19)
at invoke (/<>/lib/coffee-script/cake.js:44:26)
at Object.exports.run (/<>/lib/coffee-script/cake.js:70:20)
at Object. (/<>/bin/cake:15:42)
at Module._compile (internal/modules/cjs/loader.js:999:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Function.executeUserEntryPoint [as runMain] 
(internal/modules/run_main.js:60:12)
at internal/main/run_main_module.js:17:47


[Pkg-javascript-devel] Bug#979874: node-cross-spawn-async: Keep out of testing

2021-01-12 Thread Xavier Guimard
Package: node-cross-spawn-async
Version: 2.2.5-4
Severity: serious

As node-cross-spawn, node-cross-spawn-async should be kept out of
Bullseye


[Pkg-javascript-devel] Bug#979587: ITP: ts-jest -- Node.js preprocessor with source maps support to help use TypeScript with Jest

2021-01-08 Thread Xavier Guimard
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: ts-jest
  Version : 26.4.4
  Upstream Author : Kulshekhar Kabra <https://github.com/kulshekhar>
* URL : https://github.com/kulshekhar/ts-jest
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js preprocessor with source maps support to help use 
TypeScript with Jest

Jest is a popular test framework for JavaScript projects. ts-jest
extends jest to test projects written in Typescript.

For now, some Debian packages remain untested due to the lack of this
package (for example, all node-dom* packages). It was not possible to
build ts-jest until now, due to lack of Jest typescript definitions
(fixed now).

ts-jest will be maintained under JS Team umbrella.


[Pkg-javascript-devel] Bug#979553: node-vinyl-fs: Please ship typescript definitions

2021-01-08 Thread Xavier Guimard
Package: node-vinyl-fs
Version: 3.0.3-5
Severity: normal

Please embed typescript definitions


[Pkg-javascript-devel] Bug#979475: node-gyp-build: Keep out of testing

2021-01-06 Thread Xavier Guimard
Package: node-gyp-build
Severity: serious
Justification: Policy 2.1

node-gyp-rebuild replaces `node-gyp rebuild` using pre-compiled
binaries. This is useless in Debian.

I made an error when packaging it, this package should be removed from
Debian archive, shouldn't it?


[Pkg-javascript-devel] Bug#979457: RM: node-babel-preset-env -- ROM; Useless and replaced by node-babel7

2021-01-06 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

all reverse dependencies to node-babel-preset-env have been updated to
use node-babel7 (or virtual "node-babel-preset-env ≥ 7"), so this
package can now be safely removed from Debian archive.

Cheers,
Xavier

[Pkg-javascript-devel] Bug#979174: node-express-generator: Incompatible with current node-commander and node-mkdirp

2021-01-03 Thread Xavier Guimard
Package: node-express-generator
Version: 4.0.0-2
Severity: grave
Tags: sid, ftbfs
Justification: renders package unusable

node-express-generator isn't compatible with current node-commander,
nor with node-mkdirp. As it has no reverse dependency, I suggest to
remove it from Debian


[Pkg-javascript-devel] Bug#978051: node-consolidate depends on babel-core 6

2020-12-25 Thread Xavier Guimard
Package: node-consolidate
Version: 0.15.1+repack-1
Severity: serious

Enabling test proves that node-consolidate depends on node-babel-core 6:

```
function requireReact(module, filename) {
  var babel = requires.babel || (requires.babel = require('babel-core'));

  var compiled = babel.transformFileSync(filename, { presets: [ 'react' ] }).code;

  return module._compile(compiled, filename);
}

exports.requireReact = requireReact;

/**
 *  Converting a string into a node module.
 */
function requireReactString(src, filename) {
  var babel = requires.babel || (requires.babel = require('babel-core'));

  if (!filename) filename = '';
  var m = new module.constructor();
  filename = filename || '';

  // Compile Using React
  var compiled = babel.transform(src, { presets: [ 'react' ] }).code;
```


[Pkg-javascript-devel] Bug#977963: node-terser: Please fix test to be compatible with node-commander ≥ 6

2020-12-23 Thread Xavier Guimard
Package: node-terser
Version: 4.1.2-7
Severity: important
Tags: patch

With commander 6, uglifyjs.terser displays:

  Usage: uglifyjs [options]...

instead of:

  Usage: uglifyjs.terser [options]...

The simple attached patch fixes test check with a more tolerant regex.
Please apply this patch if you think it is useful, this will unblock
node-commander upgrade (available in experimental).

Cheers,
Xavier
diff --git a/debian/tests/uglifyjs.terser.t b/debian/tests/uglifyjs.terser.t
index 7333e22..2412e1c 100644
--- a/debian/tests/uglifyjs.terser.t
+++ b/debian/tests/uglifyjs.terser.t
@@ -16,7 +16,7 @@ like stdout, qr/^terser [\d.]+$/, 'version, stdout';
 cmp_ok stderr, 'eq', '', 'version, stderr';
 
 run_ok $CMD, qw(--help);
-like stdout, qr/^\s*Usage: $CMD \[options\] \[files\.\.\.\]\n/, 'help, stdout';
+like stdout, qr/^\s*Usage: uglifyjs\S* \[options\] \[files\.\.\.\]\n/, 'help, 
stdout';
 cmp_ok stderr, 'eq', '', 'help, stderr';
 
 done_testing;
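
Review bot: in the `--help` check, `uglifyjs\S*` accepts any non-space suffix after `uglifyjs`, which is looser than the two usage lines the report describes (`uglifyjs` and `uglifyjs.terser`). Consider `uglifyjs(?:\.terser)?` so the test still fails if the help text names some other command, and add a short comment in the test explaining that the name is hardcoded because commander 6 prints the usage line without the `.terser` suffix.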

[Pkg-javascript-devel] Bug#977886: RM: node-samsam -- ROM; Obsolete, replaced by node-sinonjs-samsam

2020-12-22 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-samsam is deprecated. It is now @sinonjs/samsam
(node-sinonjs-samsam) which is part of node-sinon.
node-samsam has no reverse dependencies, it should be removed from
Debian archive.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#977864: libjs-bootstrap4: Missing maintscript blocks upgrade

2020-12-21 Thread Xavier Guimard
Package: libjs-bootstrap4
Version: 4.5.2+dfsg1-3
Severity: serious

Version 4.5.2+dfsg1-2 transforms /usr/share/javascript/bootstrap4 from
symlink to dir without any maintscript. This breaks updates.


[Pkg-javascript-devel] Bug#977712: RM: node-jsv -- ROM; Unmaintained and orphaned

2020-12-19 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

node-jsv hasn't been maintained upstream for 8 years, useless and unmaintained
in Debian. It has no reverse dependencies and could be safely removed.


[Pkg-javascript-devel] Bug#977710: libjs-milligram is not maintained by JS Team

2020-12-19 Thread Xavier Guimard
Package: libjs-milligram
Severity: serious
Tags: security

libjs-milligram is marked as maintained by JS Team, however uploader is
not member of this team and repository isn't under /js-team/ tree.


[Pkg-javascript-devel] Bug#977677: FTBFS: dependency to node-babel-runtime >=7 isn't understood by deb tools

2020-12-18 Thread Xavier Guimard
Package: node-regenerator-transform
Version: 0.14.5-2
Severity: serious
Tags: ftbfs

Since 0.14.5-2, dependency to node-babel7 was replaced by a dependency to
node-babel-runtime (>= 7) which is provided by:
 * node-babel-runtime (src node-babel 6)
 * virtual node-babel-runtime provided by node-babel7

Debian tools ignore virtual package here and then don't succeed to
resolve node-babel-runtime (>= 7).

Either wait for node-babel7 split or revert that change.


[Pkg-javascript-devel] Bug#977472: ITP: node-gyp-build -- Node.js build tool and bindings loader that supports prebuilds

2020-12-15 Thread Xavier Guimard
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: node-gyp-build
  Version : 4.2.3
  Upstream Author : Mathias Buus 
* URL : https://github.com/prebuild/node-gyp-build
* License : Expat
  Programming Lang: Javascript
  Description : Node.js build tool and bindings loader that supports 
prebuilds

node-gyp-build works similar to "node-gyp build"  except that it will check
if a build or rebuild is present before rebuilding your project.

Its main intended use is as an npm install script and bindings loader for
native modules that bundle prebuilds using prebuildify.

This is a new dependency of node-websocket. It will be maintained under
JS Team umbrella.


[Pkg-javascript-devel] Bug#977269: node-rollup-plugin-terser seems incompatible with current node-terser

2020-12-13 Thread Xavier Guimard
Package: node-rollup-plugin-terser
Version: 7.0.2-2
Severity: grave
Justification: renders package unusable

When trying current rollup-plugin-terser (7.0.2) with current
node-terser (4.1.2), package is unusable:

$ rollup -c

index.js → dist/pako.js, dist/pako.min.js...
[!] (plugin terser) Error: Cannot find module 
'/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/terser/dist/bundle.min.js'.
 Please verify that the package.json has a valid "main" entry
Error: Cannot find module 
'/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/terser/dist/bundle.min.js'.
 Please verify that the package.json has a valid "main" entry
at tryPackage (internal/modules/cjs/loader.js:315:19)
at Function.Module._findPath (internal/modules/cjs/loader.js:528:18)
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:818:27)
at Function.Module._load (internal/modules/cjs/loader.js:687:27)
at Module.require (internal/modules/cjs/loader.js:903:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object. 
(/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/rollup-plugin-terser/transform.js:1:20)
at Module._compile (internal/modules/cjs/loader.js:1015:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1035:10)
at Module.load (internal/modules/cjs/loader.js:879:32)


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')

Kernel: Linux 5.9.0-4-amd64
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-rollup-plugin-terser depends on:
ii  node-babel7                7.12.9+~cs150.130.99-1
ii  node-jest-worker           26.6.3+repack+~cs61.38.31-2
ii  node-serialize-javascript  5.0.1-2
ii  node-terser                4.1.2-7

node-rollup-plugin-terser recommends no packages.

node-rollup-plugin-terser suggests no packages.

-- no debconf information

[Pkg-javascript-devel] Bug#976955: FTBFS: semver not found

2020-12-09 Thread Xavier Guimard
Package: ts-node
Version: 9.0.0-1
Severity: serious
Tags: ftbfs

Here is the relevant part of build log:

make[1]: Entering directory '/<>'
tsc
src/index.spec.ts(4,25): error TS2307: Cannot find module 'semver' or its 
corresponding type declarations.
make[1]: *** [debian/rules:7: override_dh_auto_build] Error 2

This can be fixed easily using dh-sequence-nodejs: set "semver" in
debian/nodejs/extlinks (workaround tsc path problems)


[Pkg-javascript-devel] Bug#976839: node-istanbul: @types/istanbul-lib-instrument depends on deprecated babel-types

2020-12-08 Thread Xavier Guimard
Package: node-istanbul
Version: 0.4.5+ds+~cs53.14.45-1
Severity: important

babel-types should be replaced by @babel/types


[Pkg-javascript-devel] Bug#976713: RM: node-formatio -- ROM; Useless and unmaintained upstream

2020-12-07 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-formatio isn't maintained upstream [1]: it has been replaced by
@sinonjs/formatio which is included in node-sinon. No package depends on
it, so I think it should be removed from Debian archive.

Cheers,
Xavier

[1]: https://www.npmjs.com/package/formatio


[Pkg-javascript-devel] Bug#976186: node-backbone: Please provide typescript definition

2020-11-30 Thread Xavier Guimard
Package: node-backbone
Version: 1.3.3~dfsg-5
Severity: important

node-typescript-types is deprecated, please embed @types/backbone in
node-backbone.


[Pkg-javascript-devel] Bug#975405: wabt: Please build wabt.js

2020-11-21 Thread Xavier Guimard
Package: wabt
Version: 1.0.20-1
Severity: important
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

wabt.js upstream repository is a minified file built from wabt. This
package is a reverse dependency of many packages in Debian (via webpack,
webassembly, jest,...). Without it, those packages work but some
features are missing.

You can either build the full nodejs package or simply wabt.js (and then
I'll create node-wabt.js with a link to your files).

I posted a question to know which target corresponds to this build (see
https://github.com/AssemblyScript/wabt.js/issues/20).

Cheers,
Xavier


[Pkg-javascript-devel] Bug#975009: node-schema-utils breaking change

2020-11-17 Thread Xavier Guimard
Package: node-schema-utils
Version: 2.6.6-1
Severity: serious

node-schema-utils API changed: `require("schema-utils")` becomes
`require("schema-utils").validate`


[Pkg-javascript-devel] Bug#974587: node-uuid: Bad "exports" field?

2020-11-12 Thread Xavier Guimard
Package: node-uuid
Version: 8.2.0-1
Severity: important

Hi,

node-uuid breaks dependent package with error like:

  Package subpath './v1' is not defined by "exports" in 
/usr/share/nodejs/uuid/package.json

(same error with any of v{1,2,3,4}.js)

Cheers,
Xavier


[Pkg-javascript-devel] Bug#974218: node-requirejs: Please embed typescript definitions

2020-11-11 Thread Xavier Guimard
Package: node-requirejs
Version: 2.3.6-2
Severity: important
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

to avoid version conflicts, JS team decided to remove typescript
definitions (node-typescript-types) and embed them directly in the
relevant packages.

node-requirejs isn't under JS Team umbrella, so we can't do it for
@types/requirejs. But we need to synchronize this work (needs to
repack node-typescript-types and add a "Breaks" in your package).
Could you do it or give us its maintenance?

Adding such types is easy with pkg-js-tools:

 $ add-node-component @types/requirejs

If your package uses pkg-js-tools auto installer, don't forget to add
this:

 $ mkdir debian/nodejs
 $ echo '*' >debian/nodejs/root_modules

Cheers,
Xavier


[Pkg-javascript-devel] Bug#974064: node-client-sessions: Remove dependency to (deprecated) node-request

2020-11-09 Thread Xavier Guimard
Package: node-client-sessions
Version: 0.8.0-2
Severity: serious
Tags: ftbfs upstream

Hi,

node-request won't be part of bullseye, please patch
node-client-sessions to replace node-request by another library
(node-got, node-fetch, node-axios,...).


[Pkg-javascript-devel] Bug#973913: RM: eyes.js -- ROM; Orphaned upstream

2020-11-07 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-devel@alioth-lists.debian.net

Hi,

eyes.js is no longer maintained upstream. I patched its reverse
dependency (vows) to remove this link. Now eyes.js can be safely removed
from Debian.

This removal has been discussed in RC-bug #961507

Cheers,
Xavier


[Pkg-javascript-devel] Bug#973696: ITP: node-source-map-resolve -- Node module to resolve source map and/or sources for a generated file

2020-11-03 Thread Xavier Guimard
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: node-source-map-resolve
  Version : 0.6.0
  Upstream Author : Simon Lydell
* URL : https://github.com/lydell/source-map-resolve
* License : Expat
  Programming Lang: JavaScript
  Description : Node module to resolve source map and/or sources for a 
generated file

source-map-resolve resolves the source map for a given generated file by
looking for a sourceMappingURL comment. The spec defines yet a way to
provide the URL to the source map: by sending the `SourceMap: ` header
along with the generated file.

This module is currently embedded in node-css and is a dependency of
future node-rollup-plugin-sourcemap. It's also a dependency of many
other node modules, including some react plugins (see [1]).

If this module is accepted, node-css will be repackaged to no more
include source-map-resolve, decode-uri-component and atob.

[1]: https://www.npmjs.com/package/source-map-resolve


[Pkg-javascript-devel] Bug#972932: node-eslint-scope: Please embed @types/eslint-scope

2020-10-26 Thread Xavier Guimard
Package: node-eslint-scope
Version: 5.0.0-2
Severity: important

Hi,

@types/eslint-scope is required at least to upgrade webpack. Please embed
it.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#972931: eslint: Please embed @types/eslint

2020-10-26 Thread Xavier Guimard
Package: eslint
Version: 5.16.0~dfsg-7
Severity: important

Hi,

@types/eslint is required at least to update webpack. Please embed it.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#972575: npm2deb should search node modules in virtual packages

2020-10-20 Thread Xavier Guimard
Package: npm2deb
Version: 0.3.0-5
Severity: important

npm2deb currently uses salsa repository to know if a package already
exists or not. This is a bad way because:
 * some node packages are not under pkg-js umbrella (node-almond,...)
 * lintian warns when a package does not declare its modules installed
   in nodejs root directories
 * some packages exist in js-team repo while they've been removed from
   archive

Then I think we should switch to (virtual) package search.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files

2020-10-20 Thread Xavier Guimard
Package: node-lightgallery
Version: 1.6.11+dfsg-1
Severity: serious
Justification: 4

Hi,

debian/source/lintian-overrides overwrites some real problems: the
"concat" part of Gulpfile uses modules/* files which are all obfuscated
using minification (downloaded from distinct sources).
A possible solution could be to ignore modules/* files during import and
add related components using uscan components (with a build).


[Pkg-javascript-devel] Bug#972414: node-pruddy-error: Please enable test

2020-10-18 Thread Xavier Guimard
Package: node-pruddy-error
Version: 2.0.2-1
Severity: important
Tags: patch

Hi,

test is not enabled in this package, while it is easy to enable it:
 * `echo mocha >debian/tests/pkg-js/test`
 * install "assume" and "fn.name" in debian/tests/test_modules
   and update debian/copyright
 * update build dependencies:
   mocha , node-deep-eql , node-is-node ,
   node-object-inspect , node-pathval 
 * fix test using a little patch:

   --- a/test.js
   +++ b/test.js
   @@ -45,7 +45,7 @@
  pruddy(fixture, {
read: function read(data) {
  assume(data).is.a('object');
   -  assume(data.filename).contains('pruddy-error/test.js');
   +  //assume(data.filename).contains('pruddy-error/test.js');
  assume(data.line).equals(5);
  assume(data.col).equals(19);
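
Review bot: the changed line in the `read` callback comments out the `data.filename` assertion, so the test no longer checks the reported filename at all and leaves dead code behind. If only the directory part of the path differs in the Debian test environment (the report does not say why the check fails), narrowing it to `assume(data.filename).contains('test.js');` would keep the coverage; otherwise delete the line and record the reason in the patch header.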


[Pkg-javascript-devel] Bug#971833: node-babel7 should depend on node-regenerator-runtime

2020-10-08 Thread Xavier Guimard
Package: node-babel7
Version: 7.11.6+~cs65.71.39-1
Severity: normal

This is required by @babel/runtime/regenerator/index.js


[Pkg-javascript-devel] Bug#971656: lintian: dh_addons should accept dh-sequence-nodejs as a replacement for pkg-js-tools

2020-10-04 Thread Xavier Guimard
Package: lintian
Version: 2.97.0
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

When building nodejs packages, using dh-sequence-nodejs, lintian
reports:

  E: node-rollup-plugin-typescript source: 
missing-build-dependency-for-dh-addon nodejs => pkg-js-tools

This is a false positive since dh-sequence-* are some aliases which
automatic "dh --with foo".

Cheers,
Xavier


[Pkg-javascript-devel] Bug#971519: node-locate-character: Rebuild from sources

2020-10-01 Thread Xavier Guimard
Package: node-locate-character
Version: 2.0.5-1
Severity: serious
Justification: source-is-missing

2.0.5 is packaged from npm registry temporarily to be able to build
rollup 2. Upstream didn't push 2.0.5 source in git repo (last github
release/HEAD is 2.0.1), then 2.0.5 was packaged from npm registry instead.

This bug is a reminder to avoid having 2.0.5-1 pushed outside
experimental


[Pkg-javascript-devel] Bug#970651: rollup: Unable to build with current tsc

2020-09-20 Thread Xavier Guimard
Package: rollup
Version: 1.12.0-2
Severity: serious
Tags: ftbfs
Justification: Policy 7.7.7

node-rollup 1.12.0 can't be built with current typescript (4.0.2). It
requires tsc 3.4.5 (tested with success). Output:

$ tsc --esModuleInterop
src/ModuleLoader.ts:59:3 - error TS2322: Type '(id: string) => boolean' is not 
assignable to type '(id: string, ...args: T) => boolean'.
  Types of parameters 'id' and 'id' are incompatible.
Type '[id: string, ...args: T]' is not assignable to type '[id: string]'.
  Source has 2 element(s) but target allows only 1.

59  return id => ids.has(id);
~


[Pkg-javascript-devel] Bug#970506: ITP: node-deepmerge -- Node.js module to merge properties of two objects deeply

2020-09-17 Thread Xavier Guimard
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: node-deepmerge
  Version : 4.2.2
  Upstream Author : Josh Duff 
* URL : https://github.com/TehShrike/deepmerge
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js module to merge properties of two objects deeply

deepmerge is a node.js module written to deep (recursive) merge Javascript
objects.

It is required to update node-rollup-plugin* packages, especially
node-rollup-node-resolve.


[Pkg-javascript-devel] Bug#969081: gyp should not stay under pkg-js umbrella

2020-08-27 Thread Xavier Guimard
Package: gyp
Version: 0.1+20200513gitcaa6002-1
Severity: normal

Hi,

gyp is currently maintained under pkg-js umbrella. This package is a cross
platform tool written in Python and stored in salsa.d.o/debian/ area.
Then I don't understand the link with pkg-js team.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#961646: node-deep-for-each breaks node-grunt-webpack

2020-05-26 Thread Xavier Guimard
Package: node-deep-for-each
Version: 3.0.0-1
Severity: serious
Control: affects -1 node-grunt-webpack

Version 3.0.0 breaks node-grunt-webpack. Probably due to this change:

> This library is no longer built with Babel, you must compile it
> yourself within your app

Reverting to a version 2.x may solve this issue


[Pkg-javascript-devel] Bug#961487: node-code: Remove this package and replace it by node-hapi-code

2020-05-25 Thread Xavier Guimard
Package: node-code
Version: 6.0.0-3
Severity: important

Hi,

node-code is useless and has a name that could be ambiguous. Upstream
name is now @hapi/code.

I think we should remove this package. If a package needs @hapi/code,
we could package it later.


[Pkg-javascript-devel] Bug#960808: node-babel7: upgrade to 7.9.6

2020-05-16 Thread Xavier Guimard
Package: node-babel7
Version: 7.4.5+~cs6.2.2-2
Severity: important
Control: affects -1 twitter-boostrap4

Please upgrade to last published version (7.9.6). This is required at
least to upgrade twitter-bootstrap to 4.5.0


[Pkg-javascript-devel] Bug#960684: RM: node-babel-plugin-transform-builtin-extend -- ROM; Useless with node-babel7

2020-05-15 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-babel-plugin-transform-builtin-extend is deprecated with
node-babel7. It should be removed from Debian archive


[Pkg-javascript-devel] Bug#960488: eslint: autopkgtest failure: missing test dependency to node-babel7

2020-05-13 Thread Xavier Guimard
Package: eslint
Version: 5.16.0~dfsg-5
Severity: serious
Justification: unknown

Hi,

node-babel7 seems required by autopkgtest test:

not ok 344 - /tmp/autopkgtest-lxc.9p09fhxf/downtmp/build.w0w/src/lib/formatters/codeframe.js
  ---
  message: '"@babel/code-frame" is not found.'
  severity: error
  data:
    line: 8
    column: 38
    ruleId: node/no-missing-require
  ...

Cheers,
Xavier


[Pkg-javascript-devel] Bug#960264: libjs-webrtc-adapter: Please remove dependency to node-babel-preset-env

2020-05-11 Thread Xavier Guimard
Source: libjs-webrtc-adapter
Severity: important

Hi,

please remove dependency to node-babel-preset-env: this package seems
useless with node-babel7 and is going to be removed with node-babel 6.


[Pkg-javascript-devel] Bug#960261: node-babel7: @babel/polyfill depends on old core-js

2020-05-11 Thread Xavier Guimard
Package: node-babel7
Version: 7.4.5-8
Severity: important
Control: affects -1 node-string-decoder

@babel/polyfill requires core-js/es6 and some other core-js files that
are not available with node-core-js ≥ 3

[Pkg-javascript-devel] Bug#960018: node-babel7: @babel/register depends on node-pirates which is not packaged

2020-05-08 Thread Xavier Guimard
Package: node-babel7
Version: 7.4.5-8
Severity: important
Control: affects -1 node-crc

@babel/register depends on node-pirates which is not available in Debian
archives. This blocks node-crc update to node-babel7.


[Pkg-javascript-devel] Bug#959933: RM: node-vue-template-compiler -- ROM; Provided by node-vue 2.6.11

2020-05-07 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-vue-template-compiler has the same source as node-vue. Since
node-vue 2.6.11+dfsg-1, this package is provided by node-vue

Cheers,
Xavier


[Pkg-javascript-devel] Bug#959777: RM: jquery -- ROM; Provided by node-jquery

2020-05-05 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

following #940975, I unified node-jquery and libjs-jquery (same source)
in src:node-jquery source package. Then no need to keep src:jquery in
Debian archive.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#950654: node-eslint-plugin-html seems unusable without eslint

2020-04-05 Thread Xavier Guimard
Package: node-eslint-plugin-html
Version: 3.2.1-3
Followup-For: Bug #950654

Hi,

in previous upload, eslint was moved from binary dependency to
"Enhances". This breaks autopkgtest. Please revert that change.


[Pkg-javascript-devel] Bug#955201: node-doctrine: Project is no longer maintained

2020-03-28 Thread Xavier Guimard
Package: node-doctrine
Version: 3.0.0-1
Severity: important

Following [1], node-doctrine is deprecated. Should be removed after
eslint >6 update.

[1]: https://github.com/eslint/doctrine#deprecation-notice


[Pkg-javascript-devel] Bug#954835: buster-pu: package node-yargs-parser/11.1.1-1+deb10u1

2020-03-24 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-yargs-parser is vulnerable to prototype pollution. I fixed it and
added a basic test taken from [1].

Sid version is fixed (18.1.1-1).

Cheers,
Xavier

[1] https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
diff --git a/debian/changelog b/debian/changelog
index 481bfc4..5f18499 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-yargs-parser (11.1.1-1+deb10u1) unstable; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution and add test (Closes: CVE-2020-7608)
+
+ -- Xavier Guimard   Tue, 24 Mar 2020 10:22:44 +0100
+
 node-yargs-parser (11.1.1-1) unstable; urgency=medium
 
   [ Utkarsh Gupta ]
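Review bot: The first added changelog line targets `unstable`, but the version is 11.1.1-1+deb10u1 and this is a buster proposed update; the distribution field should be `buster` so the upload is routed to the stable queue rather than to sid.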
diff --git a/debian/patches/CVE-2020-7608.diff 
b/debian/patches/CVE-2020-7608.diff
new file mode 100644
index 000..262102e
--- /dev/null
+++ b/debian/patches/CVE-2020-7608.diff
@@ -0,0 +1,51 @@
+Description: fix prototype pollution
+Author: Benjamin E. Coe 
+Bug: https://github.com/yargs/yargs-parser/pull/258
+ https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-03-24
+
+--- a/index.js
 b/index.js
+@@ -618,10 +618,11 @@
+ if (!configuration['dot-notation']) keys = [keys.join('.')]
+ 
+ keys.slice(0, -1).forEach(function (key) {
+-  o = (o[key] || {})
++  key = sanitizeKey(key)
++  o = (o[key])
+ })
+ 
+-var key = keys[keys.length - 1]
++var key = sanitizeKey(keys[keys.length - 1])
+ 
+ if (typeof o !== 'object') return false
+ else return key in o
+@@ -633,6 +634,7 @@
+ if (!configuration['dot-notation']) keys = [keys.join('.')]
+ 
+ keys.slice(0, -1).forEach(function (key, index) {
++  key = sanitizeKey(key)
+   if (typeof o === 'object' && o[key] === undefined) {
+ o[key] = {}
+   }
+@@ -652,7 +654,7 @@
+   }
+ })
+ 
+-var key = keys[keys.length - 1]
++var key = sanitizeKey(keys[keys.length - 1])
+ 
+ var isTypeArray = checkAllAliases(keys.join('.'), flags.arrays)
+ var isValueArray = Array.isArray(value)
+@@ -863,4 +865,9 @@
+   return parse(args.slice(), opts)
+ }
+ 
++function sanitizeKey (key) {
++  if (key === '__proto__') return '___proto___'
++  return key
++}
++
+ module.exports = Parser
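Review bot: In the first index.js hunk the replacement line `o = (o[key])` drops the `|| {}` fallback, so with two or more missing intermediate keys `o` becomes undefined and the next loop iteration evaluates `o[key]` on it and throws. Keep the fallback next to the sanitized lookup, as in `o = (o[key] || {})`, unless the throw is intended. `sanitizeKey` is also added without a comment; one line saying why `__proto__` is remapped to `___proto___` would help the next reader.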
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..348ca56
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7608.diff
diff --git a/debian/rules b/debian/rules
index b39f453..9787e73 100755
--- a/debian/rules
+++ b/debian/rules
@@ -10,4 +10,8 @@
 override_dh_auto_test:
 ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
mocha test/*.js
+   if node debian/tests/CVE-2020-7608.js|egrep ^baz; then \
+   echo "Vulnerable to CVE-2020-7608"; \
+   exit 1; \
+   fi
 endif
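Review bot: The added `if node debian/tests/CVE-2020-7608.js|egrep ^baz` only looks at egrep's exit status, so when node itself fails (for example the module does not load) nothing matches `^baz` and the build passes as if it were not vulnerable. Have the script exit non-zero on its own when `({}).bar` is defined and call it directly, or check node's status before grepping; quoting the pattern as `'^baz'` would also avoid shell surprises.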
diff --git a/debian/tests/CVE-2020-7608.js b/debian/tests/CVE-2020-7608.js
new file mode 100644
index 000..b61cef2
--- /dev/null
+++ b/debian/tests/CVE-2020-7608.js
@@ -0,0 +1,3 @@
+const parser = require("../..");
+console.log(parser('--foo.__proto__.bar baz'));
+console.log(({}).bar);
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
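
The effect of the `sanitizeKey` change in the patch above, as an added JavaScript example (not code from yargs-parser or from this mail). `setKey`, `parseArg` and `checkPollution` are hypothetical, simplified stand-ins for the parser's dot-notation handling; the argument string is the one used in debian/tests/CVE-2020-7608.js.

```javascript
// Same mapping as the patch: the magic key is renamed so that it becomes an
// ordinary own property instead of resolving to Object.prototype.
function sanitizeKey (key) {
  if (key === '__proto__') return '___proto___'
  return key
}

// Hypothetical, simplified dot-notation setter (not yargs-parser's real setKey).
// With sanitize=false it behaves like the unpatched key walk.
function setKey (obj, keys, value, sanitize) {
  let o = obj
  keys.slice(0, -1).forEach(function (key) {
    if (sanitize) key = sanitizeKey(key)
    if (typeof o === 'object' && o[key] === undefined) {
      o[key] = {}
    }
    o = o[key]
  })
  let last = keys[keys.length - 1]
  if (sanitize) last = sanitizeKey(last)
  o[last] = value
  return obj
}

// Hypothetical mini parser: handles a single "--a.b.c value" pair only.
function parseArg (arg, sanitize) {
  const [flag, value] = arg.split(' ')
  const keys = flag.replace(/^--/, '').split('.')
  return setKey({}, keys, value, sanitize)
}

// Self-checking variant of the Debian test: parse the argument, look at a
// fresh object, then always undo any change made to Object.prototype.
function checkPollution (sanitize) {
  try {
    const argv = parseArg('--foo.__proto__.bar baz', sanitize)
    const polluted = ({}).bar !== undefined
    return { polluted, argv }
  } finally {
    delete Object.prototype.bar
  }
}

console.log('unpatched walk polluted:', checkPollution(false).polluted)
console.log('patched walk polluted:  ', checkPollution(true).polluted)
```

With the sanitized walk the value ends up under the own property `foo.___proto___.bar` of the parsed result, and unrelated objects are left untouched.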

[Pkg-javascript-devel] Bug#954832: RM: node-run-sequence -- ROM; Deprecated since node-gulp 4

2020-03-24 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-run-sequence is a sort of plugin for gulp 3 to be able to launch
tasks in series/parallel. Since version 4, gulp has its own system
(gulp.series and gulp.parallel) and node-run-sequence isn't compatible
with it [#954557]. I fixed all reverse dependencies of node-run-sequence
and now dak is OK [2].

Cheers,
Xavier

[954557] https://bugs.debian.org/954557
[2] dak output:
  Will remove the following packages from unstable:

  node-run-sequence |2.2.1-1 | source, all

  Maintainer: Debian Javascript Maintainers 


  --- Reason ---

  --

  Checking reverse dependencies...
  No dependency problem found.


[Pkg-javascript-devel] Bug#954429: node-acorn: Please rename binary to node-acorn

2020-03-21 Thread Xavier Guimard
Package: node-acorn
Version: 6.2.1+ds+~0.4.0+~4.0.0+really4.0.0+~1.0.0+~5.0.1+ds+~1.7.0+ds+~0.1.1+~0.3.1+~0.2.0+~0.1.0+~0.3.0+~0.3.0-14
Severity: normal

Hi,

node-acorn binary has been renamed to node-debbundle-acorn. Most of
our packages depend on node-acorn which is now a virtual package
provided by node-debbundle-acorn. Versioned dependencies on virtual
packages are known to cause problems, that's why I'd like to see
node-debbundle-acorn renamed to node-acorn.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#954400: RM: node-acorn-dynamic-import -- ROM; Replaced by node-acorn

2020-03-21 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-acorn-dynamic-import is now included in node-acorn. This package
should be removed from unstable.
I fixed all packages mentioned in dak report (replaced by node-acorn):

 8< 
  Will remove the following packages from unstable:

  node-acorn-dynamic-import | 4.0.0+really3.0.0-1 | source

  Maintainer: Debian Javascript Maintainers 


  --- Reason ---

  --

  Checking reverse dependencies...
  # Broken Depends:
  node-buble: node-buble
  node-rollup: rollup
  node-webpack: webpack

  # Broken Build-Depends:
  codemirror-js: node-acorn-dynamic-import
  node-rollup: node-acorn-dynamic-import (>= 4~)
  node-webpack: node-acorn-dynamic-import

  Dependency problem found.
 >8 


[Pkg-javascript-devel] Bug#954166: node-debug: Please add @types/debug component

2020-03-17 Thread Xavier Guimard
Package: node-debug
Version: 4.1.1-2
Severity: wishlist

Hi,

could you add @types/debug component in node-debug ? This is required to
update node-ws

Cheers,
Xavier


[Pkg-javascript-devel] Bug#954028: ITP: node-babel7 -- compiler for next generation JavaScript

2020-03-15 Thread Xavier Guimard
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 

* Package name: node-babel7
  Version : 7.4.5
  Upstream Author : Sebastian McKenzie 
* URL : https://babeljs.io/
* License : Expat
  Programming Lang: JavaScript
  Description : compiler for next generation JavaScript

Debian currently has a node-babel version 6. Version 7 is really
different and can cohabit with node-babel=6 (I already added an
alternative for /usr/bin/babeljs in node-babel 6).

I'd like to build a distinct node-babel7 since:
 * transition from node-babel 6 to node-babel 7 will be long
 * the 2 can cohabit: no common files (except alternative
   /usr/bin/babeljs)

Cheers,
Xavier


[Pkg-javascript-devel] Bug#953286: RM: node-srs/0.4.8+dfsg-4

2020-03-06 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm

Hi,

current node-srs is not compatible with Node.js ≥ 12. Upgrade is not
possible for now since it requires an update of libgdal (and upgraded
version is not compatible with Node.js ≥ 12 too).

To help Node.js 12 migration, I would like to ask for its testing-only
removal with node-millstone, its reverse dependency.

Cheers,
Xavier

[Pkg-javascript-devel] Bug#953028: node-nodedbi: Not compatible with Node.js ≥ 12

2020-03-03 Thread Xavier Guimard
Package: node-nodedbi
Severity: grave
Tags: upstream
Justification: renders package unusable

Hi,

node-nodedbi is not compatible with Node.js ≥ 12. This RC bug will
permit to remove this (useless for now) package from testing to permit
Node.js 12 migration.

[Pkg-javascript-devel] Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1

2020-02-29 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

dojo is vulnerable to Cross-site Scripting. This is due to
dojox.xmpp.util.xmlEncode only encoding the first occurrence of each
character, not all of them.

This upstream patch fixes this issue

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 14447b52..0e5dc462 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Cleanup improper regex usage (Closes: #952771, 2019, 10785)
+
+ -- Xavier Guimard   Sat, 29 Feb 2020 09:07:02 +0100
+
 dojo (1.15.0+dfsg1-1) unstable; urgency=medium
 
   * New upstream version :
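Review bot: The `Closes:` list in the added entry reads `#952771, 2019, 10785`, which looks like a mangled CVE-2019-10785 (the name of the patch file added below) and would be parsed as bug numbers 2019 and 10785 in addition to #952771. Write `Closes: #952771` and name CVE-2019-10785 in the entry text instead.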
diff --git a/debian/patches/CVE-2019-10785.patch 
b/debian/patches/CVE-2019-10785.patch
new file mode 100644
index ..67ab40f2
--- /dev/null
+++ b/debian/patches/CVE-2019-10785.patch
@@ -0,0 +1,45 @@
+Description: Cleanup improper regex usage
+Author: Paul 
+Origin: upstream, https://github.com/dojo/dojox/pull/317
+Bug: https://github.com/dojo/dojox/pull/315
+Bug-Debian: https://bugs.debian.org/952771
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-02-29
+
+--- a/dojox/dtl/dom.js
 b/dojox/dtl/dom.js
+@@ -94,7 +94,7 @@ define([
+   
var replacement = "";
+   
for(var p = 2, pl = pair.length; p < pl; p++){
+   
if(p == 2){
+-  
replacement += "<" + tag + ' dtlinstruction="{% ' + 
token[k].replace('"', '\\"') + ' %}">';
++  
replacement += "<" + tag + ' dtlinstruction="{% ' + 
token[k].replace(/"/g, '\\"') + ' %}">';
+   
}else if(tag == pair[p]) {
+   
continue;
+   
}else{
+--- a/dojox/widget/RollingList.js
 b/dojox/widget/RollingList.js
+@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList",
+   widgetItem.store = this.store;
+   widgetItem.item = item;
+   if(!widgetItem.label){
+-  widgetItem.attr("label", 
this.store.getLabel(item).replace(/", 
"").replace("<", "").replace("'", "").replace('"', "");
+-  }
+-  return str;
++  return dojo.string.escape(str);
+ };
+ 
+ dojox.xmpp.util.encodeJid = function(jid) {
diff --git a/debian/patches/series b/debian/patches/series
index f39e7f29..6051ed59 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-Compatibility-patch-for-newer-rhino.patch
 0002-Do-notrun-test-suite-in-build.patch
 0003-Disable-flash-storage.patch
+#CVE-2019-10785.patch
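Review bot: The added series line is `#CVE-2019-10785.patch`, and quilt treats a line starting with `#` as a comment, so the new patch would not be applied and the package would be built without the fix the changelog announces. Drop the leading `#`.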
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
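
The first-occurrence problem described in this report, as an added JavaScript example (not dojo's code and not part of the mail). `encodeFirstOnly`, `encodeAll` and `findFirstOnlyReplaces` are hypothetical names, and the sample strings are constructed; the scanner is a review aid for spotting the same call shape the patch rewrites.

```javascript
// Constructed stand-in for the flawed encoder described in the report:
// String.prototype.replace with a string pattern rewrites only the first match.
function encodeFirstOnly (str) {
  return str.replace('&', '&amp;').replace('>', '&gt;').replace('<', '&lt;')
    .replace("'", '&apos;').replace('"', '&quot;')
}

// Corrected form: one global regular expression covers every occurrence.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', "'": '&apos;', '"': '&quot;' }
function encodeAll (str) {
  return str.replace(/[&<>'"]/g, function (ch) { return ENTITIES[ch] })
}

// Review aid: report .replace() calls whose first argument is a string
// literal, the shape the patch turns into a /g regular expression.
const STRING_PATTERN_REPLACE = /\.replace\(\s*(['"])(?:\\.|(?!\1).)+\1\s*,/g
function findFirstOnlyReplaces (source) {
  const hits = []
  source.split('\n').forEach(function (line, index) {
    for (const m of line.matchAll(STRING_PATTERN_REPLACE)) {
      hits.push({ line: index + 1, call: m[0] })
    }
  })
  return hits
}

// Constructed sample source: line 1 mirrors the removed dom.js call,
// line 2 the added one, line 3 a chained encoder of the flawed kind.
const SAMPLE_SOURCE = String.raw`a = token[k].replace('"', '\\"');
b = token[k].replace(/"/g, '\\"');
c = s.replace("<", "&lt;").replace(">", "&gt;");`

// Constructed, harmless markup with repeated special characters.
const SAMPLE_INPUT = '<b>"x" & <i>'

console.log(encodeFirstOnly(SAMPLE_INPUT))
console.log(encodeAll(SAMPLE_INPUT))
console.log(findFirstOnlyReplaces(SAMPLE_SOURCE))
```

The first encoder leaves the second `"` and the second tag unencoded, which is the behaviour the report describes; the scanner flags lines 1 and 3 of the sample and skips the regex form on line 2.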

[Pkg-javascript-devel] Bug#952457: node-regenerator-transform depends on @babel/preset-env which is not available

2020-02-24 Thread Xavier Guimard
Package: node-regenerator-transform
Version: 0.14.1-2
Severity: important

package.json mentions a preset to @babel/preset-env which is not
available. This affects node-crc build.

-- System Information:
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-3-amd64

Versions of packages node-regenerator-transform depends on:
ii  node-babel-runtime  6.26.0+repack-2
ii  node-babel-types    6.26.0+repack-2
ii  node-private        0.1.8-3
ii  nodejs              10.17.0~dfsg-2

node-regenerator-transform recommends no packages.

node-regenerator-transform suggests no packages.

-- no debconf information


[Pkg-javascript-devel] Bug#951862: node-fetch should be renamed node-node-fetch to avoid confusion with libjs-fetch

2020-02-22 Thread Xavier Guimard
Package: node-fetch
Version: 1.7.3-1
Severity: normal

Hi,

all is in the title ;-)


[Pkg-javascript-devel] Bug#951562: RM: validator.js -- ROM; Unmaintained

2020-02-17 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

validator.js is unmaintained (locked in unstable for a while). Dak
reports no dependency. Then I think it is safe to remove it from Debian.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#950827: RM: node-simplesmtp -- ROM; Orphaned & unmaintained

2020-02-06 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

I propose to remove node-simplesmtp:
 * it looks orphaned upstream (last commit 2015-02-16)
 * it is deprecated in favor of "smtp-server" [1]
 * enabling tests shows that library is buggy
 * popcon rank ~ 14
 * dak report shows no reverse build deps

[1]: https://www.npmjs.com/package/simplesmtp


[Pkg-javascript-devel] Bug#950657: node-eslint-plugin-flowtype: needed files not built

2020-02-04 Thread Xavier Guimard
Package: node-eslint-plugin-flowtype
Version: 2.25.0-1
Severity: serious

Package is unusable since files are not built during build


[Pkg-javascript-devel] Bug#950568: node-copy-webpack-plugin FTBFS: test failures

2020-02-04 Thread Xavier Guimard
Package: node-copy-webpack-plugin
Version: 4.3.0-6
Followup-For: Bug #950568

This package depends on webpack-log which is not packaged.


[Pkg-javascript-devel] Bug#950654: FTBFS: node-eslint-plugin-html seems unusable without eslint

2020-02-04 Thread Xavier Guimard
Package: node-eslint-plugin-html
Version: 3.2.1-1
Severity: serious

This package seems unusable without eslint. See
https://ci.debian.net/data/autopkgtest/unstable/amd64/n/node-eslint-plugin-html/3801441/log.gz


[Pkg-javascript-devel] Bug#949874: RM: node-tilelive-vector -- ROM; Unmaintained and future missing dependency

2020-01-26 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-tilelive-vector depends on node-mapnik which is going to be
removed.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#949873: RM: node-tilelive-mapnik -- ROM; Unmaintained and future missing dependency

2020-01-26 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-tilelive-mapnik depends on node-mapnik which is going to be
removed.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#949872: RM: node-tilelive-bridge -- ROM; Unmaintained and future missing dependency

2020-01-26 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-tilelive-bridge depends on node-mapnik which is going to be
removed.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#949871: RM: node-mapnik -- ROM; Incompatible with Node.js 12

2020-01-26 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

node-mapnik 3.7.x is incompatible with Node.js ≥ 12 and it seems that mapnik
itself can't be upgraded, then we can't upgrade node-mapnik to 4.x.

This package is used only by node-tilelive-* packages which seem
unmaintained also.

Cheers,
Xavier

[Pkg-javascript-devel] Bug#949615: node-lodash: lodash does not export runInContext()

2020-01-22 Thread Xavier Guimard
Package: node-lodash
Version: 4.17.15+dfsg-1
Severity: important

Hi,

our lodash does not export while npm registry one exports it. This
affects node-grunt-legacy-util upgrade. To reproduce this, try
node-grunt-legacy-util test from salsa:

$ dh_quilt_patch
$ sh debian/tests/pkg-js/test
(node:1971963) [DEP0016] DeprecationWarning: 'root' is deprecated, use 'global'
Running "nodeunit:util" (nodeunit) task
Fatal error: require(...).runInContext is not a function

Then install lodash from npm registry in node_modules and relaunch test,
it works.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#949121: buster-pu: package node-kind-of/6.0.2+dfsg-1+deb10u1

2020-01-16 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-kind-of is vulnerable to CVE-2019-20149: it allows external user
input to overwrite certain internal attributes via a conflicting name.
This little patch fixes this issue.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index f69a6ac..93d28bf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-kind-of (6.0.2+dfsg-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * fix type checking vul in ctorName (Closes: #948095, CVE-2019-20149)
+
+ -- Xavier Guimard   Fri, 17 Jan 2020 06:19:37 +0100
+
 node-kind-of (6.0.2+dfsg-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2019-20149.diff 
b/debian/patches/CVE-2019-20149.diff
new file mode 100644
index 000..0129c8e
--- /dev/null
+++ b/debian/patches/CVE-2019-20149.diff
@@ -0,0 +1,20 @@
+Description: fix type checking vul in ctorName
+ CVE-2019-20149
+Author: Brian Woodward
+Bug: https://github.com/jonschlinkert/kind-of/pull/30
+Bug-Debian: https://bugs.debian.org/948095
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-01-17
+
+--- a/index.js
 b/index.js
+@@ -66,7 +66,7 @@
+ };
+ 
+ function ctorName(val) {
+-  return val.constructor ? val.constructor.name : null;
++  return typeof val.constructor === 'function' ? val.constructor.name : null;
+ }
+ 
+ function isArray(val) {
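Review bot: The `ctorName` change arrives without a test. Since the fix rests entirely on `typeof val.constructor === 'function'`, add a regression case that passes an object carrying its own non-function `constructor` property and asserts that `ctorName` returns null, so a later refactor cannot silently restore the old truthiness check.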
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4228152
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-20149.diff

[Pkg-javascript-devel] Bug#947867: RM: src:libjs-i18next -- ROM; Duplicate of node-i18next

2019-12-31 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi,

binary libjs-i18next is provided by:
 * src: node-i18next
 * src: libjs-i18next

The first is up-to-date and provides both browser and node libraries, not the
second. So I propose to remove src:libjs-i18next from our archive.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#947760: yarnpkg should depends on npm

2019-12-30 Thread Xavier Guimard
Package: yarnpkg
Version: 1.19.1-1
Severity: important

Hi,

yarnpkg does not depend on npm but this package is required to use it


[Pkg-javascript-devel] Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1

2019-12-29 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-handlebars is vulnerable to prototype pollution (CVE-2019-19919).
This patch is exactly the one of upstream.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index b985661..95811b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Disallow calling "helperMissing" and "blockHelperMissing" directly
+(Closes: CVE-2019-19919)
+
+ -- Xavier Guimard   Mon, 30 Dec 2019 07:46:39 +0100
+
 node-handlebars (3:4.1.0-1) unstable; urgency=medium
 
   * New upstream version 4.1.0 (Closes: #923042)
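Review bot: `(Closes: CVE-2019-19919)` in the added entry will not close anything, because `Closes:` is only parsed for bug numbers. Keep the CVE id in the description text and use `Closes: #NNN` only if a Debian bug exists for it.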
diff --git a/debian/patches/CVE-2019-19919.patch 
b/debian/patches/CVE-2019-19919.patch
new file mode 100644
index 000..f63f106
--- /dev/null
+++ b/debian/patches/CVE-2019-19919.patch
@@ -0,0 +1,213 @@
+Description: Disallow calling "helperMissing" and "blockHelperMissing" directly
+ Fix for CVE-2019-19919
+Author: Nils Knappmeier 
+Origin: upstream, https://github.com/wycats/handlebars.js/commit/2078c72
+Bug: https://github.com/wycats/handlebars.js/issues/1558
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-12-30
+
+--- a/lib/handlebars/compiler/javascript-compiler.js
 b/lib/handlebars/compiler/javascript-compiler.js
+@@ -311,7 +311,7 @@
+   // replace it on the stack with the result of properly
+   // invoking blockHelperMissing.
+   blockValue: function(name) {
+-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'),
++let blockHelperMissing = 
this.aliasable('container.hooks.blockHelperMissing'),
+ params = [this.contextName(0)];
+ this.setupHelperArgs(name, 0, params);
+ 
+@@ -329,7 +329,7 @@
+   // On stack, after, if lastHelper: value
+   ambiguousBlockValue: function() {
+ // We're being a bit cheeky and reusing the options value from the prior 
exec
+-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'),
++let blockHelperMissing = 
this.aliasable('container.hooks.blockHelperMissing'),
+ params = [this.contextName(0)];
+ this.setupHelperArgs('', 0, params, true);
+ 
+@@ -622,18 +622,31 @@
+   // If the helper is not found, `helperMissing` is called.
+   invokeHelper: function(paramSize, name, isSimple) {
+ let nonHelper = this.popStack(),
+-helper = this.setupHelper(paramSize, name),
+-simple = isSimple ? [helper.name, ' || '] : '';
++helper = this.setupHelper(paramSize, name);
+ 
+-let lookup = ['('].concat(simple, nonHelper);
++let possibleFunctionCalls = [];
++
++if (isSimple) { // direct call to helper
++  possibleFunctionCalls.push(helper.name);
++}
++// call a function from the input object
++possibleFunctionCalls.push(nonHelper);
+ if (!this.options.strict) {
+-  lookup.push(' || ', this.aliasable('helpers.helperMissing'));
++  
possibleFunctionCalls.push(this.aliasable('container.hooks.helperMissing'));
+ }
+-lookup.push(')');
+-
+-this.push(this.source.functionCall(lookup, 'call', helper.callParams));
++let functionLookupCode = ['(', 
this.itemsSeparatedBy(possibleFunctionCalls, '||'), ')'];
++let functionCall = this.source.functionCall(functionLookupCode, 'call', 
helper.callParams);
++this.push(functionCall);
+   },
+ 
++  itemsSeparatedBy: function(items, separator) {
++let result = [];
++result.push(items[0]);
++for (let i = 1; i < items.length; i++) {
++  result.push(separator, items[i]);
++}
++return result;
++  },
+   // [invokeKnownHelper]
+   //
+   // On stack, before: hash, inverse, program, params..., ...
+@@ -673,7 +686,7 @@
+   lookup[0] = '(helper = ';
+   lookup.push(
+ ' != null ? helper : ',
+-this.aliasable('helpers.helperMissing')
++this.aliasable('container.hooks.helperMissing')
+   );
+ }
+ 
+--- a/lib/handlebars/runtime.js
 b/lib/handlebars/runtime.js
+@@ -1,6 +1,7 @@
+ import * as Utils from './utils';
+ import Exception from './exception';
+-import { COMPILER_REVISION, REVISION_CHANGES, createFrame } from './base';
++import {COMPILER_REVISION, createFrame, REVISION_CHANGES} from './base';
++import {moveHelperToHooks} from './helpers';
+ 
+ export function checkRevision(compilerInfo) {
+   const compilerRevision = compilerInfo && compilerInfo[0] || 1,
+@@ -44,11 +45,14 @@
+ }
+ 
+ partial = env.VM.resolvePartial.call(this, partial, context, options);
+-let result = env.VM.invokePartial.call(this, partial, context, options);
++
++let optionsWithHooks = Utils.extend({}, options, {hooks: this.hooks});
++
++let result = env.VM.invokePartial.call(this, partial, context, 
optionsWithHooks);
+ 
+ if (result == null && env.compile) {
+   options.partials[options.name] = env.compile(p
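Review bot: `itemsSeparatedBy` in the javascript-compiler.js part pushes `items[0]` unconditionally, so an empty `items` array yields `[undefined]`; today `possibleFunctionCalls` always contains `nonHelper`, but a guard or a comment stating the non-empty precondition would make that explicit. The helper is also inserted directly above the `// [invokeKnownHelper]` comment with no blank line or doc comment of its own, and the reordered `./base` import in runtime.js is unrelated churn for a security backport.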

[Pkg-javascript-devel] Bug#947422: node-babel depends on itself for build, then updating core-js is blocked

2019-12-26 Thread Xavier Guimard
Source: node-babel
Severity: important

Hi,

node-babel depends on itself during build. Then when I try to update it with
node-core-js ≥3, I got this:

Error: Cannot find module 'core-js/library/fn/get-iterator'
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
at Function.Module._load (internal/modules/cjs/loader.js:562:25)
at Module.require (internal/modules/cjs/loader.js:692:17)
at require (internal/modules/cjs/helpers.js:25:18)
at Object. 
(/usr/lib/nodejs/babel-runtime/core-js/get-iterator.js:1:31)

Then I cannot fix the babel source code, since the error comes from an earlier
babel.

The best would be to find a way to build babel without babel. Otherwise a
patched version of babel-runtime could perhaps be embedded.

This affects the migration of node-cloneable-readable, node-readable-stream,...

[Pkg-javascript-devel] Bug#947172: buster-pu: package npm/5.8.0+ds6-4+deb10u1

2019-12-22 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

npm is vulnerable to some CVEs (CVE-2019-16775, CVE-2019-16776,
CVE-2019-16777). This patch groups patches from the different affected
submodules and adds a new module (npm-normalize-package-bin package) used
by these fixes.

After discussion with security team, these CVEs will be tagged as
no-dsa.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 85e9028..d7b986f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+npm (5.8.0+ds6-4+deb10u1) buster; urgency=medium
+
+  * Add patches to fix arbitrary path access
+(Closes: CVE-2019-16775, CVE-2019-16776, CVE-2019-16777)
+
+ -- Xavier Guimard   Sun, 15 Dec 2019 16:19:02 +0100
+
 npm (5.8.0+ds6-4) unstable; urgency=medium
 
   * Team upload
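Review bot: in the new changelog entry, `Closes:` is parsed for Debian bug numbers only, so `(Closes: CVE-2019-16775, CVE-2019-16776, CVE-2019-16777)` closes nothing in the BTS. List the CVE ids as plain text in the entry and keep `Closes:` for bug numbers, if there are any.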
diff --git a/debian/patches/CVE-2019-16775-add-npm-normalize-package-bin.diff 
b/debian/patches/CVE-2019-16775-add-npm-normalize-package-bin.diff
new file mode 100644
index 000..a3c7b45
--- /dev/null
+++ b/debian/patches/CVE-2019-16775-add-npm-normalize-package-bin.diff
@@ -0,0 +1,167 @@
+Description: Add npm-normalize-package-bin package
+ Needed to CVE-2019-16775 fix
+Author: isaacs
+Bug: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-12-15
+
+--- /dev/null
 b/node_modules/npm-normalize-package-bin/LICENSE
+@@ -0,0 +1,15 @@
++The ISC License
++
++Copyright (c) npm, Inc.
++
++Permission to use, copy, modify, and/or distribute this software for any
++purpose with or without fee is hereby granted, provided that the above
++copyright notice and this permission notice appear in all copies.
++
++THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
++IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+--- /dev/null
 b/node_modules/npm-normalize-package-bin/README.md
+@@ -0,0 +1,14 @@
++# npm-normalize-package-bin
++
++Turn any flavor of allowable package.json bin into a normalized object.
++
++## API
++
++```js
++const normalize = require('npm-normalize-package-bin')
++const pkg = {name: 'foo', bin: 'bar'}
++console.log(normalize(pkg)) // {name:'foo', bin:{foo: 'bar'}}
++```
++
++Also strips out weird dots and slashes to prevent accidental and/or
++malicious bad behavior when the package is installed.
+--- /dev/null
 b/node_modules/npm-normalize-package-bin/index.js
+@@ -0,0 +1,60 @@
++// pass in a manifest with a 'bin' field here, and it'll turn it
++// into a properly santized bin object
++const {join, basename} = require('path')
++
++const normalize = pkg =>
++  !pkg.bin ? removeBin(pkg)
++  : typeof pkg.bin === 'string' ? normalizeString(pkg)
++  : Array.isArray(pkg.bin) ? normalizeArray(pkg)
++  : typeof pkg.bin === 'object' ? normalizeObject(pkg)
++  : removeBin(pkg)
++
++const normalizeString = pkg => {
++  if (!pkg.name)
++return removeBin(pkg)
++  pkg.bin = { [pkg.name]: pkg.bin }
++  return normalizeObject(pkg)
++}
++
++const normalizeArray = pkg => {
++  pkg.bin = pkg.bin.reduce((acc, k) => {
++acc[basename(k)] = k
++return acc
++  }, {})
++  return normalizeObject(pkg)
++}
++
++const removeBin = pkg => {
++  delete pkg.bin
++  return pkg
++}
++
++const normalizeObject = pkg => {
++  const orig = pkg.bin
++  const clean = {}
++  let hasBins = false
++  Object.keys(orig).forEach(binKey => {
++const base = join('/', basename(binKey.replace(/\\|:/g, '/'))).substr(1)
++
++if (typeof orig[binKey] !== 'string' || !base)
++  return
++
++const binTarget = join('/', orig[binKey])
++  .replace(/\\/g, '/').substr(1)
++
++if (!binTarget)
++  return
++
++clean[base] = binTarget
++hasBins = true
++  })
++
++  if (hasBins)
++pkg.bin = clean
++  else
++delete pkg.bin
++
++  return pkg
++}
++
++module.exports = normalize
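Review bot: `normalizeArray` calls `basename(k)` before any type check, so a manifest with a non-string entry in a `bin` array (for example `bin: [1]`) makes `path.basename` throw instead of the entry being dropped, whereas `normalizeObject` skips non-string targets. Filter on `typeof k === 'string'` inside the `reduce`. Minor: `clean` is a plain `{}`, so a key named `__proto__` is silently lost while `hasBins` is still set, leaving `pkg.bin` as an empty object; building `clean` with `Object.create(null)` or deriving `hasBins` from `Object.keys(clean).length` avoids that.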
+--- /dev/null
 b/node_modules/npm-normalize-package-bin/package.json
+@@ -0,0 +1,58 @@
++{
++  "_from": "npm-normalize-package-bin",
++  "_id": "npm-normalize-package-bin@1.0.1",
++  "_inBundle": false,
++  "_integrity": 
"sha512-EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA==",
++  "_location": "/npm-normalize-package-bin",
++  "_phantomChildren": {},
++  "_requested": {
++"type": "tag",
++"registry": true,
++"raw": "npm-normalize-package-bin",
++"nam

[Pkg-javascript-devel] Bug#947042: node-express isn't compatible with node-path-to-regexp ≥ 6

2019-12-19 Thread Xavier Guimard
Package: node-express
Version: 4.17.1-1
Severity: important
Tags: upstream
Forwarded: https://github.com/expressjs/express/issues/4136

Hi,

node-express is not compatible with recent node-path-to-regexp. This
affects node-superagent tests and renders part of express unusable.

The fix is simple but then tests fail:

 8< 
diff --git a/lib/router/layer.js b/lib/router/layer.js
index 4dc8e86..cc96d56 100644
--- a/lib/router/layer.js
+++ b/lib/router/layer.js
@@ -13,7 +13,7 @@
  * @private
  */

-var pathRegexp = require('path-to-regexp');
+const { pathToRegexp } = require('path-to-regexp');
 var debug = require('debug')('express:router:layer');

 /**
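Review bot: `const { pathToRegexp } = require('path-to-regexp')` only works when the module exports a named `pathToRegexp`; with a version that exports the function directly, as the removed `var pathRegexp = require('path-to-regexp')` line assumed, the destructured value is `undefined` and `Layer` fails on the first route. If both versions have to be supported, take the export and fall back, e.g. `var ptr = require('path-to-regexp'); var pathToRegexp = ptr.pathToRegexp || ptr;`. The file otherwise uses `var`, so `const` with destructuring is also a style break.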
@@ -42,7 +42,7 @@ function Layer(path, options, fn) {
   this.name = fn.name || '';
   this.params = undefined;
   this.path = undefined;
-  this.regexp = pathRegexp(path, this.keys = [], opts);
+  this.regexp = pathToRegexp(path, this.keys = [], opts);

   // set fast path flags
   this.regexp.fast_star = path === '*'
 >8 


[Pkg-javascript-devel] Bug#942809: node-typescript: Please embed ts-node

2019-10-21 Thread Xavier Guimard
Package: node-typescript
Version: 3.6.4-1
Severity: wishlist

Hi,

ts-node is often used in conjunction with typescript. It could be useful
to embed it in node-typescript.

> TypeScript execution and REPL for node.js, with source map support.
>
> # Execute a script as `node` + `tsc`.
> ts-node script.ts
>
> # Starts a TypeScript REPL.
> ts-node
>
> # Execute code with TypeScript.
> ts-node -e 'console.log("Hello, world!")'
>
> # Execute, and print, code with TypeScript.
> ts-node -p -e '"Hello, world!"'
>
> # Pipe scripts to execute with TypeScript.
> echo "console.log('Hello, world!')" | ts-node


[Pkg-javascript-devel] Bug#942425: RM: node-passport-oauth -- ROM; Obsolete and unmaintained upstream

2019-10-15 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

node-passport-oauth seems unmaintained. It is based on node-oauth which
seems not maintained anymore [1] and is not compatible with recent
Google/Facebook API.

node-passport-oauth has no reverse dependencies

Cheers,
Xavier

[1]: https://github.com/ciaranj/node-oauth/issues/349


[Pkg-javascript-devel] Bug#942424: RM: node-oauth -- ROM; Obsolete and unmaintained upstream

2019-10-15 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

node-oauth seems unmaintained upstream [1] and is not compatible with
recent Google/Facebook API.

Its only reverse dependency (node-passport-oauth) also seems
unmaintained. A "dak rN" shows that node-oauth and node-passport-oauth
can be removed safely.

Cheers,
Xavier

[1]: https://github.com/ciaranj/node-oauth/issues/349


[Pkg-javascript-devel] Bug#941683: buster-pu: package node-yarnpkg/1.13.0-1+deb10u1

2019-10-03 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-yarnpkg is vulnerable: it exports auth data in http requests
(#941354, CVE-2019-5448). This patch imports upstream fix.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 01fe7d70d..6c4b5fef1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-yarnpkg (1.13.0-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Add patch to force using https for the regular registries
+(Closes: #941354, CVE-2019-5448)
+
+ -- Xavier Guimard   Thu, 03 Oct 2019 18:23:54 +0200
+
 node-yarnpkg (1.13.0-1) unstable; urgency=low
 
   * Initial release (Closes: #843021)
diff --git a/debian/patches/CVE-2019-5448.diff 
b/debian/patches/CVE-2019-5448.diff
new file mode 100644
index 0..8bb7442c8
--- /dev/null
+++ b/debian/patches/CVE-2019-5448.diff
@@ -0,0 +1,75 @@
+Description: Forces using https for the regular registries
+Author: Maël Nison <https://github.com/arcanis>
+Origin: upstream, https://github.com/yarnpkg/yarn/commit/2f08a740
+Bug: https://hackerone.com/reports/640904
+Bug-Debian: https://bugs.debian.org/941354
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2019-10-03
+
+--- a/__tests__/registries/npm-registry.js
 b/__tests__/registries/npm-registry.js
+@@ -750,6 +750,30 @@
+ 
+ expect(npmRegistry.getRequestUrl(registry, 
pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz');
+   });
++
++  for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, 
`registry.npmjs.com`]) {
++test(`enforces loading packages through https when they come from 
${host}`, () => {
++  const testCwd = '.';
++  const {mockRequestManager, mockRegistries, mockReporter} = 
createMocks();
++  const npmRegistry = new NpmRegistry(testCwd, mockRegistries, 
mockRequestManager, mockReporter, true, []);
++  const registry = `http://${host}/registry`;
++  const pathname = 'foo/bar/baz';
++
++  expect(npmRegistry.getRequestUrl(registry, 
pathname)).toEqual(`https://${host}/registry/foo/bar/baz`);
++});
++  }
++
++  test("doesn't change the protocol for packages from other registries", () 
=> {
++const testCwd = '.';
++const {mockRequestManager, mockRegistries, mockReporter} = createMocks();
++const npmRegistry = new NpmRegistry(testCwd, mockRegistries, 
mockRequestManager, mockReporter, true, []);
++const registry = 'http://registry.mylittlepony.org/registry';
++const pathname = 'foo/bar/baz';
++
++expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(
++  'http://registry.mylittlepony.org/registry/foo/bar/baz',
++);
++  });
+ });
+ 
+ describe('getScope functional test', () => {
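Review bot: both new tests pass a relative `pathname` ('foo/bar/baz'), so they only cover URLs built from `registry`. The case this change newly affects, a `pathname` that is already an absolute `http://` URL on one of the three hosts, is not tested; add a case where `pathname` is `http://${host}/foo/bar/baz` and expect the `https://` form back.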
+--- a/src/registries/npm-registry.js
 b/src/registries/npm-registry.js
+@@ -22,6 +22,7 @@
+ import ini from 'ini';
+ 
+ const DEFAULT_REGISTRY = 'https://registry.npmjs.org/';
++const REGEX_REGISTRY_ENFORCED_HTTPS = 
/^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/;
+ const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i;
+ const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i;
+ const REGEX_REGISTRY_SUFFIX = /registry\/?$/;
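Review bot: `REGEX_REGISTRY_ENFORCED_HTTPS` has no `i` flag, unlike `REGEX_REGISTRY_HTTP_PROTOCOL` and `REGEX_REGISTRY_PREFIX` next to it, so a URL written as `HTTP://Registry.npmjs.org/...` is not matched and stays on plain http. Add the `i` flag here and to the `/^http:\/\//` replacement in `getRequestUrl`, and add a one-line comment saying which hosts the pattern is meant to cover.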
+@@ -112,13 +113,17 @@
+   }
+ 
+   getRequestUrl(registry: string, pathname: string): string {
+-const isUrl = REGEX_REGISTRY_PREFIX.test(pathname);
++let resolved = pathname;
+ 
+-if (isUrl) {
+-  return pathname;
+-} else {
+-  return url.resolve(addSuffix(registry, '/'), pathname);
++if (!REGEX_REGISTRY_PREFIX.test(pathname)) {
++  resolved = url.resolve(addSuffix(registry, '/'), pathname);
+ }
++
++if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) {
++  resolved = resolved.replace(/^http:\/\//, 'https://');
++}
++
++return resolved;
+   }
+ 
+   isRequestToRegistry(requestUrl: string, registryUrl: string): boolean {
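Review bot: a protocol-relative `pathname` such as `//registry.npmjs.org/foo` passes `REGEX_REGISTRY_PREFIX` (its scheme group is optional) and is kept as is, but `REGEX_REGISTRY_ENFORCED_HTTPS` requires `^https?:\/\/`, so it is never upgraded to https. Either resolve such values against the registry URL first or handle the missing scheme explicitly before the https check.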
diff --git a/debian/patches/series b/debian/patches/series
index f3c856f99..7c03222a8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 08-cli-table3.diff
 09-buffer_from.diff
 10-babel-plugin-inline-import.diff
+CVE-2019-5448.diff

[Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1

2019-09-26 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-set-value is vulnerable to prototype pollution (#941189,
CVE-2019-10747). I imported and adapted the upstream patch and added a test
inspired by the CVE report [1]. I think this could be safely added to the next
buster point release.

Cheers,
Xavier

[1]: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213


[Pkg-javascript-devel] Bug#940836: ITP: node-rxjs -- reactive extensions for JavaScript

2019-09-20 Thread Xavier Guimard
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 

* Package name: node-rxjs
  Version : 6.5.3
  Upstream Author : Ben Lesh 
* URL : https://github.com/ReactiveX/RxJS
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : reactive extensions for JavaScript

rxjs is a popular node module (more than 12.000.000 weekly downloads)
and a dependency of more than 15.000 node modules.

RxJS is a library for reactive programming using Observables, to make it
easier to compose asynchronous or callback-based code.
This project is a rewrite of Reactive-Extensions/RxJS with better performance,
better modularity, better debuggable call stacks, while staying mostly
backwards compatible, with some breaking changes that reduce the API surface.

This module is needed to upgrade some Debian nodejs modules.

It will be maintained under pkg-js team umbrella.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#936451: node-regenerator-transform is not built from sources

2019-08-30 Thread Xavier Guimard
Package: node-regenerator-transform
Version: 0.9.8-2
Severity: important

node-regenerator-transform is taken from npm registry. Its source comes
from node-regenerator [1] which provides:
 * node-regenerator   (not in Debian)
 * node-regenerator-preset(not in Debian)
 * node-regenerator-transform
 * node-regenerator-runtime

node-regenerator-runtime is directly written in JS, so no bug.
node-regenerator-transform source is written in ES6 and compiled with
babel 7.

The issue was found using the pkg-js-tools lintian profile
("lintian --profile pkg-js --profile pkg-js-extra"), which returns
"inconsistency-debian-watch", and then `debcheck-node-repo`, which proposes
to update debian/watch when github source tags are good.

[1]: https://github.com/facebook/regenerator


[Pkg-javascript-devel] Bug#935979: node-object-assign: Don't publish object.assign module

2019-08-28 Thread Xavier Guimard
Package: node-object-assign
Version: 4.1.1-2
Severity: important

node-object-assign publishes a /usr/lib/nodejs/object.assign link, this
is bad since object.assign is a different module with different
functions (getPolyfill function for example).


[Pkg-javascript-devel] Bug#935437: RM: mirror.js -- ROM; Useless and unmaintained

2019-08-22 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

mirror.js has been unmaintained upstream for at least 7 years. It has no
reverse dependencies so I think it should be removed from Debian.

Regards,
Xavier

# dak output
$ dak -rN mirror.js
Will remove the following packages from unstable:

 mirror.js |0.3.3-3 | source
node-mirror |0.3.3-3 | all

Maintainer: Debian Javascript Maintainers 


--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.


[Pkg-javascript-devel] Bug#935436: RM: languages4translatewiki -- ROM; Useless and unmaintained

2019-08-22 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

languages4translatewiki has been unmaintained upstream for at least 7 years.
It has no reverse dependencies, so I think it should be removed from
Debian.

Cheers,
Xavier

# dak output
$ dak -rN languages4translatewiki
Will remove the following packages from unstable:

languages4translatewiki |0.1.3-1 | source
libjs-languages4translatewiki |0.1.3-1 | all
node-languages4translatewiki |0.1.3-1 | all

Maintainer: Debian Javascript Maintainers 


--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.


[Pkg-javascript-devel] Bug#935434: RM: polymaps -- ROM; Useless and unmaintained

2019-08-22 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

polymaps has no reverse dependencies and has not been maintained upstream
for at least 8 years. I think it should be removed from Debian.

Cheers,
Xavier

# dak output:
$ dak rm -Rn
Will remove the following packages from unstable:

libjs-polymaps | 2.5.1+ds1-1 | all
  polymaps | 2.5.1+ds1-1 | source

Maintainer: Debian Javascript Maintainers 


--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.


[Pkg-javascript-devel] Bug#935433: RM: backbone-dirty.js -- ROM; Unmaintained and useless

2019-08-22 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

backbone-dirty.js has not been updated for at least 7 years, has no
reverse dependencies and has not been updated since old-old-stable. So I
think it should be removed from Debian.

Best regards,
Xavier

# dak output:
$ dak rm -Rn backbone-dirty.js
Will remove the following packages from unstable:

backbone-dirty.js |1.1.2-3 | source
node-backbone-dirty |1.1.2-3 | all

Maintainer: Debian Javascript Maintainers 


--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.


[Pkg-javascript-devel] Bug#935428: rainloop: Replace node-json3 dependency by native JSON.parse/JSON.stringify

2019-08-22 Thread Xavier Guimard
Package: rainloop
Version: 1.12.1-2
Severity: important

Hi,

node-json3 is unmaintained and easy to replace by native JSON.parse and
JSON.stringify functions. rainloop is the last package that still uses
this old library. Could you patch rainloop to permit a ROM-RM of
node-json3?

Cheers,
Xavier


[Pkg-javascript-devel] Bug#935323: mocha: Keep oxygen-icon-theme dependency only for build

2019-08-21 Thread Xavier Guimard
Package: mocha
Version: 4.1.0+ds3-5
Severity: normal

Hi all,

mocha depends on oxygen-icon-theme just for 2 links to very small icons
(749 B and 1343 B). I think we could copy these 2 files during build and
no longer binary-depend on oxygen-icon-theme.

The dependency on such a big package affects sbuild and other build
systems.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#935029: pkg-js-tools: Don't build depends on any node module

2019-08-18 Thread Xavier Guimard
Package: pkg-js-tools
Version: 0.9.5
Severity: wishlist

Hi all,

I suggest removing all node-* modules from build dependencies and
enabling build tests (grunt) only in autopkgtest tests. This will avoid
some circular build dependencies. Only nodejs will stay in build deps.

Do you agree?


[Pkg-javascript-devel] Bug#935016: pkg-js-tools: An unannounced change in "debhelper" breaks pkg-js-tools

2019-08-18 Thread Xavier Guimard
Package: pkg-js-tools
Version: 0.9.5
Severity: grave
Justification: renders package unusable

pkg-js-tools was based on add_command_options which disappears in
Debhelper 12.5.1. This renders pkg-js-tools unusable.


[Pkg-javascript-devel] Bug#934734: RM: libv8-3.14 -- ROM; outdated and useless library

2019-08-14 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

libv8-3.14 is an outdated library with many security issues [1]. It had
one reverse dependency which is ROM-RM also (#934243, done).

Then I think it should be removed from Debian.

Cheers,
Xavier

[1]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=libv8-3.14


[Pkg-javascript-devel] Bug#934732: RM: jscommunicator -- ROM; Orphaned upstream

2019-08-14 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

jscommunicator was removed from testing 3 years ago. 26 issues are
open upstream [1], but there have been no changes for 4 years. jscommunicator
has no reverse dependencies.

That's why I think it should be removed from Debian.

Cheers,
Xavier


[Pkg-javascript-devel] Bug#934730: RM: node-yawl -- ROM; orphaned upstream - FTBFS

2019-08-14 Thread Xavier Guimard
Package: ftp.debian.org
Severity: normal

Hi all,

node-yawl never entered testing due to FTBFS. An issue was posted
upstream [1], but nobody answers. node-yawl has no reverse dependencies.

That's why I propose to remove it from Debian.

Cheers,
Xavier

[1]: https://github.com/andrewrk/node-yawl/issues/5

