[Pkg-javascript-devel] Bug#981474: node-rollup-plugin-terser: test randomly fails due to timeout problems
Package: node-rollup-plugin-terser
Version: 7.0.2-4
Severity: serious
Tags: ftbfs
Justification: Policy 2.1

https://ci.debian.net/packages/n/node-rollup-plugin-terser/testing/amd64/ shows that the node-rollup-plugin-terser test randomly fails.

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#981279: lintian: False positive: pkg-js-autopkgtest-file-does-not-exist packages/*/test
Package: lintian
Version: 2.104.0
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

lintian looks unable to understand the `packages/*/test` expression when trying to verify that files declared in debian/tests/pkg-js/files exist.
[Pkg-javascript-devel] Bug#980032: RM: node-request/2.88.1-5
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-request is deprecated (#956423) and won't be part of Bullseye. I'd like to see it removed from testing after the node-jsdom migration.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#980012: FTBFS: TypeError: Cannot read property 'register' of undefined
Package: coffeescript
Version: 1.12.8~dfsg-4
Severity: serious

The coffeescript build seems broken. Logs:

dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building coffeescript using existing ./coffeescript_1.12.8~dfsg.orig.tar.gz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: building coffeescript in coffeescript_1.12.8~dfsg-5.debian.tar.xz
dpkg-source: info: building coffeescript in coffeescript_1.12.8~dfsg-5.dsc
 debian/rules binary
CDBS WARNING: copyright-check disabled - licensecheck is missing.
test -x debian/rules
dh_testroot
dh_prep
dh_installdirs -A
mkdir -p "."
Scanning upstream source for new/changed copyright notices...
set -e; LC_ALL=C.UTF-8 /usr/bin/licensecheck --check '.*' --recursive --copyright --deb-fmt --ignore '^(debian/(changelog|copyright(|_hints|_newhints)))$' --lines 0 -- * | /usr/lib/cdbs/licensecheck2dep5 > debian/copyright_newhints
/bin/sh: 1: /usr/bin/licensecheck: not found
0 combinations of copyright and licensing found.
No new copyright notices found - assuming no news is good news...
touch debian/stamp-copyright-check
mkdir -p "debian/upstream-cruft"
cp -a "lib" "debian/upstream-cruft/lib";
touch debian/stamp-upstream-cruft
mkdir -p docs/v1/browser-compiler
chmod +x bin/cake
bin/cake build
bin/cake build
bin/cake build:browser
bin/cake test
(node:2439631) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(node:2439631) [DEP0124] DeprecationWarning: REPLServer.rli is deprecated
passed 856 tests in 1.66 seconds
bin/cake test:browser
/<>/Cakefile:450
    CoffeeScript.register();
                  ^

TypeError: Cannot read property 'register' of undefined
    at runTests (/<>/Cakefile:450:18)
    at Object.action (/<>/Cakefile:562:19)
    at invoke (/<>/lib/coffee-script/cake.js:44:26)
    at Object.exports.run (/<>/lib/coffee-script/cake.js:70:20)
    at Object. (/<>/bin/cake:15:42)
    at Module._compile (internal/modules/cjs/loader.js:999:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
    at Module.load (internal/modules/cjs/loader.js:863:32)
    at Function.Module._load (internal/modules/cjs/loader.js:708:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)
    at internal/main/run_main_module.js:17:47
[Pkg-javascript-devel] Bug#979874: node-cross-spawn-async: Keep out of testing
Package: node-cross-spawn-async
Version: 2.2.5-4
Severity: serious

As with node-cross-spawn, node-cross-spawn-async should be kept out of Bullseye.
[Pkg-javascript-devel] Bug#979587: ITP: ts-jest -- Node.js preprocessor with source maps support to help use TypeScript with Jest
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard
X-Debbugs-Cc: debian-de...@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : ts-jest
  Version         : 26.4.4
  Upstream Author : Kulshekhar Kabra <https://github.com/kulshekhar>
* URL             : https://github.com/kulshekhar/ts-jest
* License         : Expat
  Programming Lang: JavaScript
  Description     : Node.js preprocessor with source maps support to help use TypeScript with Jest

Jest is a popular test framework for JavaScript projects. ts-jest extends jest to test projects written in Typescript.

For now, some Debian packages remain untested due to the lack of this package (for example, all node-dom* packages). It was not possible to build ts-jest until now, due to the lack of Jest typescript definitions (fixed now).

ts-jest will be maintained under the JS Team umbrella.
[Pkg-javascript-devel] Bug#979553: node-vinyl-fs: Please ship typescript definitions
Package: node-vinyl-fs
Version: 3.0.3-5
Severity: normal

Please embed typescript definitions.
[Pkg-javascript-devel] Bug#979475: node-gyp-build: Keep out of testing
Package: node-gyp-build
Severity: serious
Justification: Policy 2.1

node-gyp-rebuild replaces `node-gyp rebuild` using pre-compiled binaries. This is useless in Debian. I made an error when packaging it; this package should be removed from the Debian archive, shouldn't it?
[Pkg-javascript-devel] Bug#979457: RM: node-babel-preset-env -- ROM; Useless and replaced by node-babel7
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

all reverse dependencies of node-babel-preset-env have been updated to use node-babel7 (or the virtual "node-babel-preset-env ≥ 7"), so this package can now be safely removed from the Debian archive.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#979174: node-express-generator: Incompatible with current node-commander and node-mkdirp
Package: node-express-generator
Version: 4.0.0-2
Severity: grave
Tags: sid, ftbfs
Justification: renders package unusable

node-express-generator isn't compatible with the current node-commander, nor with node-mkdirp. As it has no reverse dependency, I suggest removing it from Debian.
[Pkg-javascript-devel] Bug#978051: node-consolidate depends on babel-core 6
Package: node-consolidate
Version: 0.15.1+repack-1
Severity: serious

Enabling the test proves that node-consolidate depends on node-babel-core 6:

```
function requireReact(module, filename) {
  var babel = requires.babel || (requires.babel = require('babel-core'));
  var compiled = babel.transformFileSync(filename, { presets: [ 'react' ] }).code;
  return module._compile(compiled, filename);
}
exports.requireReact = requireReact;

/**
 * Converting a string into a node module.
 */
function requireReactString(src, filename) {
  var babel = requires.babel || (requires.babel = require('babel-core'));
  if (!filename) filename = '';
  var m = new module.constructor();
  filename = filename || '';
  // Compile Using React
  var compiled = babel.transform(src, { presets: [ 'react' ] }).code;
```
[Pkg-javascript-devel] Bug#977963: node-terser: Please fix test to be compatible with node-commander ≥ 6
Package: node-terser
Version: 4.1.2-7
Severity: important
Tags: patch

With commander 6, uglifyjs.terser displays:

  Usage: uglifyjs [options]...

instead of:

  Usage: uglifyjs.terser [options]...

The simple attached patch fixes the test check with a more tolerant regex. Please apply this patch if you think it is useful; this will unblock the node-commander upgrade (available in experimental).

Cheers,
Xavier

diff --git a/debian/tests/uglifyjs.terser.t b/debian/tests/uglifyjs.terser.t index 7333e22..2412e1c 100644 --- a/debian/tests/uglifyjs.terser.t +++ b/debian/tests/uglifyjs.terser.t @@ -16,7 +16,7 @@ like stdout, qr/^terser [\d.]+$/, 'version, stdout'; cmp_ok stderr, 'eq', '', 'version, stderr'; run_ok $CMD, qw(--help); -like stdout, qr/^\s*Usage: $CMD \[options\] \[files\.\.\.\]\n/, 'help, stdout'; +like stdout, qr/^\s*Usage: uglifyjs\S* \[options\] \[files\.\.\.\]\n/, 'help, stdout'; cmp_ok stderr, 'eq', '', 'help, stderr'; done_testing;
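Review bot: the loosened pattern `uglifyjs\S*` in the `+like stdout` line accepts any non-space suffix, so the check would also pass for a mis-installed or renamed command such as `uglifyjs.foo`; since the report only expects the two spellings `uglifyjs` and `uglifyjs.terser`, `qr/^\s*Usage: uglifyjs(?:\.terser)? \[options\] \[files\.\.\.\]\n/` keeps the tolerance without giving up the check. Note also that the removed line interpolated `$CMD` unquoted into the regex, so the `.` in `uglifyjs.terser` matched any character; if `$CMD` is ever put back into a pattern it should be wrapped as `\Q$CMD\E`.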
[Pkg-javascript-devel] Bug#977886: RM: node-samsam -- ROM; Obsolete, replaced by node-sinonjs-samsam
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-samsam is deprecated. It is now @sinonjs/samsam (node-sinonjs-samsam), which is part of node-sinon. node-samsam has no reverse dependencies; it should be removed from the Debian archive.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#977864: libjs-bootstrap4: Missing maintscript blocks upgrade
Package: libjs-bootstrap4
Version: 4.5.2+dfsg1-3
Severity: serious

Version 4.5.2+dfsg1-2 transforms /usr/share/javascript/bootstrap4 from a symlink to a directory without any maintscript. This breaks upgrades.
[Pkg-javascript-devel] Bug#977712: RM: node-jsv -- ROM; Unmaintained and orphaned
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

node-jsv hasn't been maintained upstream for 8 years, and is useless and unmaintained in Debian. It has no reverse dependencies and could be safely removed.
[Pkg-javascript-devel] Bug#977710: libjs-milligram is not maintained by JS Team
Package: libjs-milligram
Severity: serious
Tags: security

libjs-milligram is marked as maintained by the JS Team; however, the uploader is not a member of this team and the repository isn't under the /js-team/ tree.
[Pkg-javascript-devel] Bug#977677: FTBFS: dependency to node-babel-runtime >=7 isn't understood by deb tools
Package: node-regenerator-transform
Version: 0.14.5-2
Severity: serious
Tags: ftbfs

Since 0.14.5-2, the dependency on node-babel7 was replaced by a dependency on node-babel-runtime (>= 7), which is provided by:

* node-babel-runtime (src node-babel 6)
* virtual node-babel-runtime provided by node-babel7

Debian tools ignore the virtual package here and therefore fail to resolve node-babel-runtime (>= 7). Either wait for the node-babel7 split or revert that change.
[Pkg-javascript-devel] Bug#977472: ITP: node-gyp-build -- Node.js build tool and bindings loader that supports prebuilds
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard
X-Debbugs-Cc: debian-de...@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : node-gyp-build
  Version         : 4.2.3
  Upstream Author : Mathias Buus
* URL             : https://github.com/prebuild/node-gyp-build
* License         : Expat
  Programming Lang: Javascript
  Description     : Node.js build tool and bindings loader that supports prebuilds

node-gyp-build works similarly to "node-gyp build" except that it will check if a build or rebuild is present before rebuilding your project. Its main intended use is as an npm install script and bindings loader for native modules that bundle prebuilds using prebuildify.

This is a new dependency of node-websocket. It will be maintained under the JS Team umbrella.
[Pkg-javascript-devel] Bug#977269: node-rollup-plugin-terser seems incompatible with current node-terser
Package: node-rollup-plugin-terser
Version: 7.0.2-2
Severity: grave
Justification: renders package unusable

When trying the current rollup-plugin-terser (7.0.2) with the current node-terser (4.1.2), the package is unusable:

$ rollup -c
index.js → dist/pako.js, dist/pako.min.js...
[!] (plugin terser) Error: Cannot find module '/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/terser/dist/bundle.min.js'. Please verify that the package.json has a valid "main" entry
Error: Cannot find module '/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/terser/dist/bundle.min.js'. Please verify that the package.json has a valid "main" entry
    at tryPackage (internal/modules/cjs/loader.js:315:19)
    at Function.Module._findPath (internal/modules/cjs/loader.js:528:18)
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:818:27)
    at Function.Module._load (internal/modules/cjs/loader.js:687:27)
    at Module.require (internal/modules/cjs/loader.js:903:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at Object. (/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/rollup-plugin-terser/transform.js:1:20)
    at Module._compile (internal/modules/cjs/loader.js:1015:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1035:10)
    at Module.load (internal/modules/cjs/loader.js:879:32)

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Kernel: Linux 5.9.0-4-amd64
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-rollup-plugin-terser depends on:
ii  node-babel7                7.12.9+~cs150.130.99-1
ii  node-jest-worker           26.6.3+repack+~cs61.38.31-2
ii  node-serialize-javascript  5.0.1-2
ii  node-terser                4.1.2-7

node-rollup-plugin-terser recommends no packages.

node-rollup-plugin-terser suggests no packages.

-- no debconf information
[Pkg-javascript-devel] Bug#976955: FTBFS: semver not found
Package: ts-node
Version: 9.0.0-1
Severity: serious
Tags: ftbfs

Here is the relevant part of the build log:

make[1]: Entering directory '/<>'
tsc
src/index.spec.ts(4,25): error TS2307: Cannot find module 'semver' or its corresponding type declarations.
make[1]: *** [debian/rules:7: override_dh_auto_build] Error 2

This can be fixed easily using dh-sequence-nodejs: set "semver" in debian/nodejs/extlinks (works around tsc path problems).
[Pkg-javascript-devel] Bug#976839: node-istanbul: @types/istanbul-lib-instrument depends on deprecated babel-types
Package: node-istanbul
Version: 0.4.5+ds+~cs53.14.45-1
Severity: important

babel-types should be replaced by @babel/types.
[Pkg-javascript-devel] Bug#976713: RM: node-formatio -- ROM; Useless and unmaintained upstream
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-formatio isn't maintained upstream [1]: it has been replaced by @sinonjs/formatio, which is included in node-sinon. No package depends on it, so I think it should be removed from the Debian archive.

Cheers,
Xavier

[1]: https://www.npmjs.com/package/formatio
[Pkg-javascript-devel] Bug#976186: node-backbone: Please provide typescript definition
Package: node-backbone
Version: 1.3.3~dfsg-5
Severity: important

node-typescript-types is deprecated; please embed @types/backbone in node-backbone.
[Pkg-javascript-devel] Bug#975405: wabt: Please build wabt.js
Package: wabt
Version: 1.0.20-1
Severity: important
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

the wabt.js upstream repository is a minified file built from wabt. This package is a reverse dependency of many packages in Debian (via webpack, webassembly, jest, ...). Without it, those packages work but some features are missing.

You can either build the full nodejs package or simply wabt.js (and then I'll create node-wabt.js with a link to your files). I posted a question to find out which target corresponds to this build (see https://github.com/AssemblyScript/wabt.js/issues/20).

Cheers,
Xavier
[Pkg-javascript-devel] Bug#975009: node-schema-utils breaking change
Package: node-schema-utils
Version: 2.6.6-1
Severity: serious

The node-schema-utils API changed: `require("schema-utils")` becomes `require("schema-utils").validate`.
[Pkg-javascript-devel] Bug#974587: node-uuid: Bad "exports" field?
Package: node-uuid
Version: 8.2.0-1
Severity: important

Hi,

node-uuid breaks dependent packages with errors like:

  Package subpath './v1' is not defined by "exports" in /usr/share/nodejs/uuid/package.json

(same error with any of v{1,2,3,4}.js)

Cheers,
Xavier
[Pkg-javascript-devel] Bug#974218: node-requirejs: Please embed typescript definitions
Package: node-requirejs
Version: 2.3.6-2
Severity: important
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

to avoid version conflicts, the JS team decided to remove typescript definitions (node-typescript-types) and embed them directly in the relevant packages. node-requirejs isn't under the JS Team umbrella, so we can't do it for @types/requirejs. But we need to synchronize this work (it needs a repack of node-typescript-types and a "Breaks" in your package). Could you do it or give us its maintenance?

Adding such types is easy with pkg-js-tools:

  $ add-node-component @types/requirejs

If your package uses the pkg-js-tools auto installer, don't forget to add this:

  $ mkdir debian/nodejs
  $ echo '*' >debian/nodejs/root_modules

Cheers,
Xavier
[Pkg-javascript-devel] Bug#974064: node-client-sessions: Remove dependency to (deprecated) node-request
Package: node-client-sessions
Version: 0.8.0-2
Severity: serious
Tags: ftbfs upstream

Hi,

node-request won't be part of bullseye; please patch node-client-sessions to replace node-request with another library (node-got, node-fetch, node-axios, ...).
[Pkg-javascript-devel] Bug#973913: RM: eyes.js -- ROM; Orphaned upstream
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-devel@alioth-lists.debian.net

Hi,

eyes.js is no longer maintained upstream. I patched its reverse dependency (vows) to remove this link. Now eyes.js can be safely removed from Debian. This removal has been discussed in RC bug #961507.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#973696: ITP: node-source-map-resolve -- Node module to resolve source map and/or sources for a generated file
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard
X-Debbugs-Cc: debian-de...@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : node-source-map-resolve
  Version         : 0.6.0
  Upstream Author : Simon Lydell
* URL             : https://github.com/lydell/source-map-resolve
* License         : Expat
  Programming Lang: JavaScript
  Description     : Node module to resolve source map and/or sources for a generated file

source-map-resolve resolves the source map for a given generated file by looking for a sourceMappingURL comment. The spec also defines another way to provide the URL to the source map: by sending the `SourceMap: ` header along with the generated file.

This module is currently embedded in node-css and is a dependency of the future node-rollup-plugin-sourcemap. It's also a dependency of many other node modules, including some react plugins (see [1]). If this module is accepted, node-css will be repackaged to no longer include source-map-resolve, decode-uri-component and atob.

[1]: https://www.npmjs.com/package/source-map-resolve
[Pkg-javascript-devel] Bug#972932: node-eslint-scope: Please embed @types/eslint-scope
Package: node-eslint-scope
Version: 5.0.0-2
Severity: important

Hi,

@types/eslint-scope is required at least to upgrade webpack. Please embed it.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#972931: eslint: Please embed @types/eslint
Package: eslint
Version: 5.16.0~dfsg-7
Severity: important

Hi,

@types/eslint is required at least to update webpack. Please embed it.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#972575: npm2deb should search node modules in virtual packages
Package: npm2deb
Version: 0.3.0-5
Severity: important

npm2deb currently uses the salsa repository to know whether a package already exists or not. This is a bad way because:

* some node packages are not under the pkg-js umbrella (node-almond, ...)
* lintian warns when a package does not declare its modules installed in nodejs root directories
* some packages exist in the js-team repo while they've been removed from the archive

So I think we should switch to a (virtual) package search.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#972570: node-lightgallery is built using minified files
Package: node-lightgallery
Version: 1.6.11+dfsg-1
Severity: serious
Justification: 4

Hi,

debian/source/lintian-overrides overrides some real problems: the "concat" part of the Gulpfile uses modules/* files which are all obfuscated using minification (downloaded from distinct sources). A possible solution could be to ignore modules/* files during import and add the related components using uscan components (with a build).
[Pkg-javascript-devel] Bug#972414: node-pruddy-error: Please enable test
Package: node-pruddy-error
Version: 2.0.2-1
Severity: important
Tags: patch

Hi,

the test is not enabled in this package, while it is easy to enable it:

* `echo mocha >debian/tests/pkg-js/test`
* install "assume" and "fn.name" in debian/tests/test_modules and update debian/copyright
* update build dependencies: mocha, node-deep-eql, node-is-node, node-object-inspect, node-pathval
* fix the test using a little patch:

--- a/test.js +++ b/test.js @@ -45,7 +45,7 @@ pruddy(fixture, { read: function read(data) { assume(data).is.a('object'); - assume(data.filename).contains('pruddy-error/test.js'); + //assume(data.filename).contains('pruddy-error/test.js'); assume(data.line).equals(5); assume(data.col).equals(19);
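Review bot: the hunk disables the `assume(data.filename).contains('pruddy-error/test.js')` assertion by commenting it out instead of adapting it, so the test no longer verifies the reported filename at all and leaves dead code in test.js. If the only problem is that the Debian build directory lacks a `pruddy-error/` path component, assert on the stable part, e.g. `assume(data.filename).contains('test.js');`, and keep the line; the line and column checks that follow still run, so the filename is the only coverage this patch gives up.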
[Pkg-javascript-devel] Bug#971833: node-babel7 should depend on node-regenerator-runtime
Package: node-babel7
Version: 7.11.6+~cs65.71.39-1
Severity: normal

This is required by @babel/runtime/regenerator/index.js.
[Pkg-javascript-devel] Bug#971656: lintian: dh_addons should accept dh-sequence-nodejs as a replacement for pkg-js-tools
Package: lintian
Version: 2.97.0
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

When building nodejs packages using dh-sequence-nodejs, lintian reports:

  E: node-rollup-plugin-typescript source: missing-build-dependency-for-dh-addon nodejs => pkg-js-tools

This is a false positive, since dh-sequence-* are aliases that automatically do "dh --with foo".

Cheers,
Xavier
[Pkg-javascript-devel] Bug#971519: node-locate-character: Rebuild from sources
Package: node-locate-character
Version: 2.0.5-1
Severity: serious
Justification: source-is-missing

2.0.5 is packaged from the npm registry temporarily to be able to build rollup 2. Upstream didn't push the 2.0.5 source to the git repo (the last github release/HEAD is 2.0.1), so 2.0.5 was packaged from the npm registry instead. This bug is a reminder to avoid having 2.0.5-1 pushed outside experimental.
[Pkg-javascript-devel] Bug#970651: rollup: Unable to build with current tsc
Package: rollup
Version: 1.12.0-2
Severity: serious
Tags: ftbfs
Justification: Policy 7.7.7

node-rollup 1.12.0 can't be built with the current typescript (4.0.2). It requires tsc 3.4.5 (tested with success). Output:

$ tsc --esModuleInterop
src/ModuleLoader.ts:59:3 - error TS2322: Type '(id: string) => boolean' is not assignable to type '(id: string, ...args: T) => boolean'.
  Types of parameters 'id' and 'id' are incompatible.
    Type '[id: string, ...args: T]' is not assignable to type '[id: string]'.
      Source has 2 element(s) but target allows only 1.

59   return id => ids.has(id);
     ~
[Pkg-javascript-devel] Bug#970506: ITP: node-deepmerge -- Node.js module to merge properties of two objects deeply
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard
X-Debbugs-Cc: debian-de...@lists.debian.org, pkg-javascript-de...@lists.alioth.debian.org

* Package name    : node-deepmerge
  Version         : 4.2.2
  Upstream Author : Josh Duff
* URL             : https://github.com/TehShrike/deepmerge
* License         : Expat
  Programming Lang: JavaScript
  Description     : Node.js module to merge properties of two objects deeply

deepmerge is a node.js module written to deep (recursive) merge Javascript objects.

It is required to update the node-rollup-plugin* packages, especially node-rollup-node-resolve.
[Pkg-javascript-devel] Bug#969081: gyp should not stay under pkg-js umbrella
Package: gyp
Version: 0.1+20200513gitcaa6002-1
Severity: normal

Hi,

gyp is currently maintained under the pkg-js umbrella. This package is a cross-platform tool written in Python and stored in the salsa.d.o/debian/ area. So I don't understand the link with the pkg-js team.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#961646: node-deep-for-each breaks node-grunt-webpack
Package: node-deep-for-each
Version: 3.0.0-1
Severity: serious
Control: affects -1 node-grunt-webpack

Version 3.0.0 breaks node-grunt-webpack. Probably due to this change:

> This library is no longer built with Babel, you must compile it
> yourself within your app

Reverting to a 2.x version may solve this issue.
[Pkg-javascript-devel] Bug#961487: node-code: Remove this package and replace it by node-hapi-code
Package: node-code
Version: 6.0.0-3
Severity: important

Hi,

node-code is useless and has a name that could be ambiguous. The upstream name is now @hapi/code. I think we should remove this package. If a package needs @hapi/code, we could package it later.
[Pkg-javascript-devel] Bug#960808: node-babel7: upgrade to 7.9.6
Package: node-babel7
Version: 7.4.5+~cs6.2.2-2
Severity: important
Control: affects -1 twitter-bootstrap4

Please upgrade to the latest published version (7.9.6). This is required at least to upgrade twitter-bootstrap to 4.5.0.
[Pkg-javascript-devel] Bug#960684: RM: node-babel-plugin-transform-builtin-extend -- ROM; Useless with node-babel7
Package: ftp.debian.org
Severity: normal

Hi,

node-babel-plugin-transform-builtin-extend is deprecated with node-babel7. It should be removed from the Debian archive.
[Pkg-javascript-devel] Bug#960488: eslint: autopkgtest failure: missing test dependency to node-babel7
Package: eslint
Version: 5.16.0~dfsg-5
Severity: serious
Justification: unknown

Hi,

node-babel7 seems to be required by the autopkgtest test:

not ok 344 - /tmp/autopkgtest-lxc.9p09fhxf/downtmp/build.w0w/src/lib/formatters/codeframe.js
  ---
  message: '"@babel/code-frame" is not found.'
  severity: error
  data:
    line: 8
    column: 38
    ruleId: node/no-missing-require
  ...

Cheers,
Xavier
[Pkg-javascript-devel] Bug#960264: libjs-webrtc-adapter: Please remove dependency to node-babel-preset-env
Source: libjs-webrtc-adapter Severity: important Hi, please remove dependency to node-babel-preset-env: this package seems useless with node-babel7 and is going to be removed with node-babel 6. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#960261: node-babel7: @babel/polyfill depends on old core-js
Package: node-babel7 Version: 7.4.5-8 Severity: important Control: affects -1 node-string-decoder @babel/polyfill requires core-js/es6 and some other core-js files that are not available with node-core-js ≥ 3 -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#960018: node-babel7: @babel/register depends on node-pirates which is not packaged
Package: node-babel7 Version: 7.4.5-8 Severity: important Control: affects -1 node-crc @babel/register depends on node-pirates which is not available in Debian archives. This blocks node-crc update to node-babel7. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#959933: RM: node-vue-template-compiler -- ROM; Provided by node-vue 2.6.11
Package: ftp.debian.org Severity: normal Hi, node-vue-template-compiler has the same source as node-vue. Since node-vue 2.6.11+dfsg-1, this package is provided by node-vue Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#959777: RM: jquery -- ROM; Provided by node-jquery
Package: ftp.debian.org Severity: normal Hi, following #940975, I unified node-jquery and libjs-jquery (same source) in src:node-jquery source package. Then no need to keep src:jquery in Debian archive. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#950654: node-eslint-plugin-html seems unusable without eslint
Package: node-eslint-plugin-html Version: 3.2.1-3 Followup-For: Bug #950654 Hi, in previous upload, eslint was moved from binary dependency to "Enhances". This breaks autopkgtest. Please revert that change. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#955201: node-doctrine: Project is no longer maintained
Package: node-doctrine Version: 3.0.0-1 Severity: important Following [1], node-doctrine is deprecated. Should be removed after eslint >6 update. [1]: https://github.com/eslint/doctrine#deprecation-notice -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#954835: buster-pu: package node-yargs-parser/11.1.1-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-yargs-parser is vulnerable to prototype pollution. I fixed it and added a basic test taken from [1]. Sid version is fixed (18.1.1-1). Cheers, Xavier [1] https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 diff --git a/debian/changelog b/debian/changelog index 481bfc4..5f18499 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-yargs-parser (11.1.1-1+deb10u1) unstable; urgency=medium + + * Team upload + * Fix prototype pollution and add test (Closes: CVE-2020-7608) + + -- Xavier Guimard Tue, 24 Mar 2020 10:22:44 +0100 + node-yargs-parser (11.1.1-1) unstable; urgency=medium [ Utkarsh Gupta ] diff --git a/debian/patches/CVE-2020-7608.diff b/debian/patches/CVE-2020-7608.diff new file mode 100644 index 000..262102e --- /dev/null +++ b/debian/patches/CVE-2020-7608.diff 
@@ -0,0 +1,51 @@ +Description: fix prototype pollution +Author: Benjamin E. Coe +Bug: https://github.com/yargs/yargs-parser/pull/258 + https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2020-03-24 + +--- a/index.js b/index.js +@@ -618,10 +618,11 @@ + if (!configuration['dot-notation']) keys = [keys.join('.')] + + keys.slice(0, -1).forEach(function (key) { +- o = (o[key] || {}) ++ key = sanitizeKey(key) ++ o = (o[key]) + }) + +-var key = keys[keys.length - 1] ++var key = sanitizeKey(keys[keys.length - 1]) + + if (typeof o !== 'object') return false + else return key in o +@@ -633,6 +634,7 @@ + if (!configuration['dot-notation']) keys = [keys.join('.')] + + keys.slice(0, -1).forEach(function (key, index) { ++ key = sanitizeKey(key) + if (typeof o === 'object' && o[key] === undefined) { + o[key] = {} + } +@@ -652,7 +654,7 @@ + } + }) + +-var key = keys[keys.length - 1] ++var key = sanitizeKey(keys[keys.length - 1]) + + var isTypeArray = checkAllAliases(keys.join('.'), flags.arrays) + var isValueArray = Array.isArray(value) +@@ -863,4 +865,9 @@ + return parse(args.slice(), opts) + } + ++function sanitizeKey (key) { ++ if (key === '__proto__') return '___proto___' ++ return key ++} ++ + module.exports = Parser diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..348ca56 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2020-7608.diff diff --git a/debian/rules b/debian/rules index b39f453..9787e73 100755 --- a/debian/rules +++ b/debian/rules @@ -10,4 +10,8 @@ override_dh_auto_test: ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS))) mocha test/*.js + if node debian/tests/CVE-2020-7608.js|egrep ^baz; then \ + echo "Vulnerable to CVE-2020-7608"; \ + exit 1; \ + fi endif diff --git a/debian/tests/CVE-2020-7608.js b/debian/tests/CVE-2020-7608.js new file mode 100644 index 000..b61cef2 --- /dev/null +++ b/debian/tests/CVE-2020-7608.js 
@@ -0,0 +1,3 @@ +const parser = require("../.."); +console.log(parser('--foo.__proto__.bar baz')); +console.log(({}).bar); -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
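Review bot: in the first hunk (the hasKey walk), `o = (o[key] || {})` became `o = (o[key])`, which drops the fallback that kept `o` an object; with two or more intermediate segments where the first is absent, `o` becomes undefined and the next iteration's `o[key]` throws a TypeError instead of letting the later `typeof o !== 'object'` return false. The fix only needs the sanitizeKey call, so keep the fallback: `key = sanitizeKey(key); o = (o[key] || {})`.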
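Review bot: the new sanitizeKey only special-cases the literal `__proto__`, so a path such as `--foo.constructor.prototype.bar baz` reaches Object.prototype through the `constructor` property of the intermediate object and is not covered by this patch; reject `constructor` and `prototype` as path segments as well. Renaming `__proto__` to `___proto___` also silently alters the parsed output instead of reporting the bad input, which callers may not expect. The debian/rules check in debian/tests/CVE-2020-7608.js only exercises `__proto__`; adding the `constructor.prototype` variant there would keep the build check meaningful.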
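The failure mode behind this update, shown as an added example rather than the yargs-parser code: a minimal dotted-path setter of the kind an option parser uses to turn `--foo.bar baz` into `{foo: {bar: 'baz'}}`, first in the vulnerable shape, then with the path segments that reach the prototype chain rejected outright. The function names, the `FORBIDDEN_KEYS` list and the attack argument are constructed for this example.

```javascript
// Segments that walk onto the prototype chain instead of the target object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: every path segment is used as a property name as-is, so
// `__proto__` resolves to Object.prototype and the final assignment
// lands there, affecting every object in the process.
function setPathUnsafe(target, dottedPath, value) {
  const keys = dottedPath.split('.');
  let o = target;
  for (const key of keys.slice(0, -1)) {
    if (typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse the dangerous segments instead of silently renaming
// them, and only descend into own properties of the object being built.
function setPathSafe(target, dottedPath, value) {
  const keys = dottedPath.split('.');
  for (const key of keys) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set key "${key}" in "${dottedPath}"`);
    }
  }
  let o = target;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return target;
}

// Runs the constructed attacker argument `--foo.__proto__.bar baz` through
// both setters and reports what an unrelated empty object sees afterwards.
function demo() {
  const attackPath = 'foo.__proto__.bar'; // constructed attacker input
  const result = {};

  setPathUnsafe({}, attackPath, 'baz');
  result.unsafePolluted = ({}).bar === 'baz'; // true: every object now has .bar
  delete Object.prototype.bar;                 // undo the pollution for the rest of the run

  let safeThrew = false;
  try {
    setPathSafe({}, attackPath, 'baz');
  } catch (e) {
    safeThrew = true;
  }
  result.safeRejected = safeThrew;             // true: input was refused
  result.safeClean = ({}).bar === undefined;   // true: nothing leaked

  result.benign = setPathSafe({}, 'foo.bar', 'baz'); // {foo: {bar: 'baz'}}
  return result;
}

console.log(demo());
```

Rejecting the segments rather than renaming them is the behaviour later upstream releases settled on; the check for `constructor` and `prototype` matters because `obj.constructor.prototype` is the same object as `obj.__proto__` for plain objects.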
[Pkg-javascript-devel] Bug#954832: RM: node-run-sequence -- ROM; Deprecated since node-gulp 4
Package: ftp.debian.org Severity: normal Hi, node-run-sequence is a sort of plugin for gulp 3 to be able to launch tasks in series/parallel. Since version 4, gulp has its own system (gulp.series and gulp.parallel) and node-run-sequence isn't compatible with it [#954557]. I fixed all reverse dependencies of node-run-sequence and now dak is OK [2]. Cheers, Xavier [954557] https://bugs.debian.org/954557 [2] dak output: Will remove the following packages from unstable: node-run-sequence |2.2.1-1 | source, all Maintainer: Debian Javascript Maintainers --- Reason --- -- Checking reverse dependencies... No dependency problem found. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#954429: node-acorn: Please rename binary to node-acorn
Package: node-acorn Version: 6.2.1+ds+~0.4.0+~4.0.0+really4.0.0+~1.0.0+~5.0.1+ds+~1.7.0+ds+~0.1.1+~0.3.1+~0.2.0+~0.1.0+~0.3.0+~0.3.0-14 Severity: normal Hi, the node-acorn binary has been renamed to node-debbundle-acorn. Most of our packages depend on node-acorn, which is now a virtual package provided by node-debbundle-acorn. Versioned dependencies on virtual packages are known to cause problems, that's why I'd like to see node-debbundle-acorn renamed to node-acorn. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#954400: RM: node-acorn-dynamic-import -- ROM; Replaced by node-acorn
Package: ftp.debian.org Severity: normal Hi, node-acorn-dynamic-import is now included in node-acorn. This package should be removed from unstable. I fixed all packages mentioned in the dak report (replaced by node-acorn): 8< Will remove the following packages from unstable: node-acorn-dynamic-import | 4.0.0+really3.0.0-1 | source Maintainer: Debian Javascript Maintainers --- Reason --- -- Checking reverse dependencies... # Broken Depends: node-buble: node-buble node-rollup: rollup node-webpack: webpack # Broken Build-Depends: codemirror-js: node-acorn-dynamic-import node-rollup: node-acorn-dynamic-import (>= 4~) node-webpack: node-acorn-dynamic-import Dependency problem found. >8 -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#954166: node-debug: Please add @types/debug component
Package: node-debug Version: 4.1.1-2 Severity: wishlist Hi, could you add @types/debug component in node-debug ? This is required to update node-ws Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#954028: ITP: node-babel7 -- compiler for next generation JavaScript
Package: wnpp Severity: wishlist Owner: Xavier Guimard * Package name: node-babel7 Version : 7.4.5 Upstream Author : Sebastian McKenzie * URL : https://babeljs.io/ * License : Expat Programming Lang: JavaScript Description : compiler for next generation JavaScript Debian currently has a node-babel version 6. Version 7 is really different and can cohabit with node-babel=6 (I already added an alternative for /usr/bin/babeljs in node-babel 6). I'd like to build a distinct node-babel7 since: * transition from node-babel 6 to node-babel 7 will be long * the 2 can cohabit: no common files (except alternative /usr/bin/babeljs) Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#953286: RM: node-srs/0.4.8+dfsg-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, current node-srs is not compatible with Node.js ≥ 12. Upgrade is not possible for now since it requires an update of libgdal (and upgraded version is not compatible with Node.js ≥ 12 too). To help Node.js 12 migration, I would like to ask for its testing-only removal with node-millstone, its reverse dependency. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#953028: node-nodedbi: Not compatible with Node.js ≥ 12
Package: node-nodedbi Severity: grave Tags: upstream Justification: renders package unusable Hi, node-nodedbi is not compatible with Node.js ≥ 12. This RC bug will allow removing this (useless for now) package from testing to permit Node.js 12 migration. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#952785: buster-pu: package dojo/1.15.0+dfsg1-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, dojo is vulnerable to Cross-site Scripting. This is due to dojox.xmpp.util.xmlEncode only encoding the first occurrence of each character, not all of them. This upstream patch fixes this issue Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 14447b52..0e5dc462 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.0+dfsg1-1+deb10u1) buster; urgency=medium + + * Team upload + * Cleanup improper regex usage (Closes: #952771, 2019, 10785) + + -- Xavier Guimard Sat, 29 Feb 2020 09:07:02 +0100 + dojo (1.15.0+dfsg1-1) unstable; urgency=medium * New upstream version : diff --git a/debian/patches/CVE-2019-10785.patch b/debian/patches/CVE-2019-10785.patch new file mode 100644 index ..67ab40f2 --- /dev/null +++ b/debian/patches/CVE-2019-10785.patch 
@@ -0,0 +1,45 @@ +Description: Cleanup improper regex usage +Author: Paul +Origin: upstream, https://github.com/dojo/dojox/pull/317 +Bug: https://github.com/dojo/dojox/pull/315 +Bug-Debian: https://bugs.debian.org/952771 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2020-02-29 + +--- a/dojox/dtl/dom.js b/dojox/dtl/dom.js +@@ -94,7 +94,7 @@ define([ + var replacement = ""; + for(var p = 2, pl = pair.length; p < pl; p++){ + if(p == 2){ +- replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace('"', '\\"') + ' %}">'; ++ replacement += "<" + tag + ' dtlinstruction="{% ' + token[k].replace(/"/g, '\\"') + ' %}">'; + }else if(tag == pair[p]) { + continue; + }else{ +--- a/dojox/widget/RollingList.js b/dojox/widget/RollingList.js +@@ -1050,7 +1050,7 @@ dojo.declare("dojox.widget.RollingList", + widgetItem.store = this.store; + widgetItem.item = item; + if(!widgetItem.label){ +- widgetItem.attr("label", this.store.getLabel(item).replace(/", "").replace("<", "").replace("'", "").replace('"', ""); +- } +- return str; ++ return dojo.string.escape(str); + }; + + dojox.xmpp.util.encodeJid = function(jid) { diff --git a/debian/patches/series b/debian/patches/series index f39e7f29..6051ed59 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-Compatibility-patch-for-newer-rhino.patch 0002-Do-notrun-test-suite-in-build.patch 0003-Disable-flash-storage.patch +#CVE-2019-10785.patch -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
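Review bot: the changelog entry `* Cleanup improper regex usage (Closes: #952771, 2019, 10785)` splits the CVE id on its hyphens, and the Closes: parser accepts bare numbers, so this upload would be recorded as closing #952771, #2019 and #10785. Put the CVE outside the Closes field, e.g. `* Cleanup improper regex usage (CVE-2019-10785) (Closes: #952771)`.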
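Review bot: the dojox/widget/RollingList.js and dojox/xmpp/util.js hunks are garbled as quoted (the RollingList line breaks off at `.replace(/` and runs straight into the xmlEncode body), so the mail does not show the full regex on the RollingList side nor the complete old body of xmlEncode beyond its chain of single-occurrence `.replace("<", "")`-style calls that `dojo.string.escape(str)` replaces. Please attach the patch as a file rather than inline, and confirm that dojo.string.escape handles `&` as well as the angle brackets and quotes the old code stripped, since the bug being fixed is exactly that the old chain only touched the first occurrence of each character.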
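Review bot: the debian/patches/series hunk adds the new patch as `+#CVE-2019-10785.patch`; quilt treats a line starting with `#` as a comment, so the patch is never applied and the rebuilt package stays vulnerable while the changelog claims the fix. Drop the `#`, and verify with `quilt series` (or a grep of the build log for the patch name) before uploading.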
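The root cause described in the report, as an added example rather than dojo's code: `String.prototype.replace` with a string pattern rewrites only the first match, so an encoder built from one string replacement per character leaves every later metacharacter intact, which is why a second tag in the input survives. The encoder names, the soundness check and the payload string are constructed for this example.

```javascript
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Vulnerable shape: a string pattern, so each call rewrites one occurrence only.
function xmlEncodeFirstOnly(str) {
  return str
    .replace('&', '&amp;')
    .replace('<', '&lt;')
    .replace('>', '&gt;')
    .replace('"', '&quot;')
    .replace("'", '&apos;');
}

// Fixed shape: one global regex over the whole character class, so every
// occurrence is escaped in a single pass and '&' can never be double-encoded
// by a later step.
function xmlEncode(str) {
  return str.replace(/[&<>"']/g, (c) => XML_ESCAPES[c]);
}

// Checks an encoder actually neutralises its input: no raw metacharacter may
// survive, every '&' must start one of the five entities, and decoding the
// entities must give back exactly the original text.
function encoderIsSound(encode, input) {
  const out = encode(input);
  if (/[<>"']/.test(out)) return false;
  if (/&(?!(amp|lt|gt|quot|apos);)/.test(out)) return false;
  const decoded = out.replace(/&(amp|lt|gt|quot|apos);/g,
    (m, name) => ({ amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" })[name]);
  return decoded === input;
}

// Constructed attacker input: a harmless first tag, then the real payload.
const PAYLOAD = '<b>hi</b><script>alert("xss")</script>';

console.log(xmlEncodeFirstOnly(PAYLOAD)); // '<script>' and one '"' survive
console.log(xmlEncode(PAYLOAD));          // fully escaped
```

The same lesson applies to the dtl/dom.js hunk in the patch (`.replace('"', '\\"')` became `.replace(/"/g, '\\"')`). On Node 15+ `String.prototype.replaceAll` with a string pattern is the other way to get every occurrence, but a single character-class regex keeps the ordering problem with `&` out of the picture entirely.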
[Pkg-javascript-devel] Bug#952457: node-regenerator-transform depends on @babel/preset-env which is not available
Package: node-regenerator-transform Version: 0.14.1-2 Severity: important package.json mentions a preset to @babel/preset-env which is not available. This affects node-crc build. -- System Information: Architecture: amd64 (x86_64) Kernel: Linux 5.4.0-3-amd64 Versions of packages node-regenerator-transform depends on: ii node-babel-runtime 6.26.0+repack-2 ii node-babel-types6.26.0+repack-2 ii node-private0.1.8-3 ii nodejs 10.17.0~dfsg-2 node-regenerator-transform recommends no packages. node-regenerator-transform suggests no packages. -- no debconf information -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#951862: node-fetch should be renamed node-node-fetch to avoid confusion with libjs-fetch
Package: node-fetch Version: 1.7.3-1 Severity: normal Hi, all is in the title ;-) -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#951562: RM: validator.js -- ROM; Unmaintained
Package: ftp.debian.org Severity: normal Hi, validator.js is unmaintained (locked in unstable for a while). Dak reports no dependency. Then I think it is safe to remove it from Debian. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#950827: RM: node-simplesmtp -- ROM; Orphaned & unmaintained
Package: ftp.debian.org Severity: normal Hi, I propose to remove node-simplesmtp: * it looks orphaned upstream (last commit 2015-02-16) * it is deprecated in favor of "smtp-server" [1] * enabling tests shows that library is buggy * popcon rank ~ 14 * dak reports shows no reverse build deps [1]: https://www.npmjs.com/package/simplesmtp -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#950657: node-eslint-plugin-flowtype: needed files not built
Package: node-eslint-plugin-flowtype Version: 2.25.0-1 Severity: serious Package is unusable since files are not built during build -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#950568: node-copy-webpack-plugin FTBFS: test failures
Package: node-copy-webpack-plugin Version: 4.3.0-6 Followup-For: Bug #950568 This package depends on webpack-log which is not packaged. -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#950654: FTBFS: node-eslint-plugin-html seems unusable without eslint
Package: node-eslint-plugin-html Version: 3.2.1-1 Severity: serious This package seems unusable without eslint. See https://ci.debian.net/data/autopkgtest/unstable/amd64/n/node-eslint-plugin-html/3801441/log.gz -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#949874: RM: node-tilelive-vector -- ROM; Unmaintained and future missing dependency
Package: ftp.debian.org Severity: normal Hi, node-tilelive-vector depends on node-mapnik which is going to be removed. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#949873: RM: node-tilelive-mapnik -- ROM; Unmaintained and future missing dependency
Package: ftp.debian.org Severity: normal Hi, node-tilelive-mapnik depends on node-mapnik which is going to be removed. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#949872: RM: node-tilelive-bridge -- ROM; Unmaintained and future missing dependency
Package: ftp.debian.org Severity: normal Hi, node-tilelive-bridge depends on node-mapnik which is going to be removed. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#949871: RM: node-mapnik -- ROM; Incompatible with Node.js 12
Package: ftp.debian.org Severity: normal Hi, node-mapnik 3.7.x is incompatible with Node.js ≥ 12 and it seems that mapnik itself can't be upgraded, then we can't upgrade node-mapnik to 4.x. This package is used only by node-tilelive-* package which seem unmaintained also. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#949615: node-lodash: lodash does not export runInContext()
Package: node-lodash Version: 4.17.15+dfsg-1 Severity: important Hi, our lodash does not export it while the npm registry one exports it. This affects node-grunt-legacy-util upgrade. To reproduce this, try node-grunt-legacy-util test from salsa: $ dh_quilt_patch $ sh debian/tests/pkg-js/test (node:1971963) [DEP0016] DeprecationWarning: 'root' is deprecated, use 'global' Running "nodeunit:util" (nodeunit) task Fatal error: require(...).runInContext is not a function Then install lodash from the npm registry in node_modules and relaunch the test, it works. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#949121: buster-pu: package node-kind-of/6.0.2+dfsg-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-kind-of is vulnerable to CVE-2019-20149: it allows external user input to overwrite certain internal attributes via a conflicting name. This little patch fixes this issue. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index f69a6ac..93d28bf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-kind-of (6.0.2+dfsg-1+deb10u1) buster; urgency=medium + + * Team upload + * fix type checking vul in ctorName (Closes: #948095, CVE-2019-20149) + + -- Xavier Guimard Fri, 17 Jan 2020 06:19:37 +0100 + node-kind-of (6.0.2+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2019-20149.diff b/debian/patches/CVE-2019-20149.diff new file mode 100644 index 000..0129c8e --- /dev/null +++ b/debian/patches/CVE-2019-20149.diff @@ -0,0 +1,20 @@ +Description: fix type checking vul in ctorName + CVE-2019-20149 +Author: Brian Woodward +Bug: https://github.com/jonschlinkert/kind-of/pull/30 +Bug-Debian: https://bugs.debian.org/948095 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2020-01-17 + +--- a/index.js b/index.js +@@ -66,7 +66,7 @@ + }; + + function ctorName(val) { +- return val.constructor ? val.constructor.name : null; ++ return typeof val.constructor === 'function' ? val.constructor.name : null; + } + + function isArray(val) { diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4228152 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2019-20149.diff -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
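Review bot: the guard in ctorName only filters out non-function constructors; the name it returns is still read from a property the value itself supplies, so a function carrying an own `name` can still spoof it where the input is not plain JSON, and callers should treat a matching name as a hint rather than proof of type. The patch also ships without a regression test: a one-line check feeding an object whose `constructor` is a plain object with a chosen `name` and expecting the same answer as for an ordinary object, hooked into debian/rules under the nocheck guard as done for the node-yargs-parser update, would catch this regressing on a future upstream refresh.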
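What "overwrite certain internal attributes via a conflicting name" means in practice, as an added example and not the kind-of code: a cut-down type detector that, like the unpatched ctorName, trusts `val.constructor.name`, beside the same detector with the `typeof` guard from the fix. The detector, its small type table and the JSON input are constructed for this example; only the two ctorName bodies mirror the hunk.

```javascript
// Unpatched shape: any truthy `constructor` property is trusted.
function ctorNameUnsafe(val) {
  return val.constructor ? val.constructor.name : null;
}

// Patched shape: only a real function counts as a constructor.
function ctorNameSafe(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

// Simplified detector: primitives by typeof, arrays explicitly, then a few
// types recognised by constructor name, anything else is 'object'.
function kindOf(val, ctorName) {
  if (val === null) return 'null';
  if (typeof val !== 'object') return typeof val;
  if (Array.isArray(val)) return 'array';
  switch (ctorName(val)) {
    case 'Map': return 'map';
    case 'Set': return 'set';
    case 'Promise': return 'promise';
    case 'Date': return 'date';
    case 'RegExp': return 'regexp';
    default: return 'object';
  }
}

// Constructed attacker input: JSON cannot carry functions, so `constructor`
// here is an ordinary own property holding an object with a `name` field.
// This is exactly the kind of value a request body or config file yields.
const SPOOFED = JSON.parse('{"constructor":{"name":"Map"},"x":1}');

// Classifies one value with both variants so the difference is visible.
function classify(val) {
  return { unsafe: kindOf(val, ctorNameUnsafe), safe: kindOf(val, ctorNameSafe) };
}

console.log(classify(SPOOFED));   // { unsafe: 'map', safe: 'object' }
console.log(classify(new Map())); // { unsafe: 'map', safe: 'map' }
```

The guard is sufficient for deserialised data because JSON cannot produce a function, which is the realistic source of attacker-controlled objects; code that accepts arbitrary live objects from untrusted modules still cannot rely on a constructor name alone.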
[Pkg-javascript-devel] Bug#947867: RM: src:libjs-i18next -- ROM; Duplicate of node-i18next
Package: ftp.debian.org Severity: normal Hi, binary libjs-i18next is provided by: * src: node-i18next * src: libjs-i18next The first is up-to-date and provides both browser and node libraries, the second does not. So I propose to remove src:libjs-i18next from our archive. Cheers, Xavier -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#947760: yarnpkg should depends on npm
Package: yarnpkg Version: 1.19.1-1 Severity: important Hi, yarnpkg does not depend on npm but this package is required to use it -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#947758: buster-pu: package node-handlebars/3:4.1.0-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-handlebars is vulnerable to prototype pollution (CVE-2019-19919). This patch is exactly the upstream one. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index b985661..95811b9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-handlebars (3:4.1.0-1+deb10u1) buster; urgency=medium + + * Team upload + * Disallow calling "helperMissing" and "blockHelperMissing" directly +(Closes: CVE-2019-19919) + + -- Xavier Guimard Mon, 30 Dec 2019 07:46:39 +0100 + node-handlebars (3:4.1.0-1) unstable; urgency=medium * New upstream version 4.1.0 (Closes: #923042) diff --git a/debian/patches/CVE-2019-19919.patch b/debian/patches/CVE-2019-19919.patch new file mode 100644 index 000..f63f106 --- /dev/null +++ b/debian/patches/CVE-2019-19919.patch 
@@ -0,0 +1,213 @@ +Description: Disallow calling "helperMissing" and "blockHelperMissing" directly + Fix for CVE-2019-19919 +Author: Nils Knappmeier +Origin: upstream, https://github.com/wycats/handlebars.js/commit/2078c72 +Bug: https://github.com/wycats/handlebars.js/issues/1558 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2019-12-30 + +--- a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js +@@ -311,7 +311,7 @@ + // replace it on the stack with the result of properly + // invoking blockHelperMissing. + blockValue: function(name) { +-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'), ++let blockHelperMissing = this.aliasable('container.hooks.blockHelperMissing'), + params = [this.contextName(0)]; + this.setupHelperArgs(name, 0, params); + +@@ -329,7 +329,7 @@ + // On stack, after, if lastHelper: value + ambiguousBlockValue: function() { + // We're being a bit cheeky and reusing the options value from the prior exec +-let blockHelperMissing = this.aliasable('helpers.blockHelperMissing'), ++let blockHelperMissing = this.aliasable('container.hooks.blockHelperMissing'), + params = [this.contextName(0)]; + this.setupHelperArgs('', 0, params, true); + +@@ -622,18 +622,31 @@ + // If the helper is not found, `helperMissing` is called. + invokeHelper: function(paramSize, name, isSimple) { + let nonHelper = this.popStack(), +-helper = this.setupHelper(paramSize, name), +-simple = isSimple ? 
[helper.name, ' || '] : ''; ++helper = this.setupHelper(paramSize, name); + +-let lookup = ['('].concat(simple, nonHelper); ++let possibleFunctionCalls = []; ++ ++if (isSimple) { // direct call to helper ++ possibleFunctionCalls.push(helper.name); ++} ++// call a function from the input object ++possibleFunctionCalls.push(nonHelper); + if (!this.options.strict) { +- lookup.push(' || ', this.aliasable('helpers.helperMissing')); ++ possibleFunctionCalls.push(this.aliasable('container.hooks.helperMissing')); + } +-lookup.push(')'); +- +-this.push(this.source.functionCall(lookup, 'call', helper.callParams)); ++let functionLookupCode = ['(', this.itemsSeparatedBy(possibleFunctionCalls, '||'), ')']; ++let functionCall = this.source.functionCall(functionLookupCode, 'call', helper.callParams); ++this.push(functionCall); + }, + ++ itemsSeparatedBy: function(items, separator) { ++let result = []; ++result.push(items[0]); ++for (let i = 1; i < items.length; i++) { ++ result.push(separator, items[i]); ++} ++return result; ++ }, + // [invokeKnownHelper] + // + // On stack, before: hash, inverse, program, params..., ... +@@ -673,7 +686,7 @@ + lookup[0] = '(helper = '; + lookup.push( + ' != null ? 
helper : ', +-this.aliasable('helpers.helperMissing') ++this.aliasable('container.hooks.helperMissing') + ); + } + +--- a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js +@@ -1,6 +1,7 @@ + import * as Utils from './utils'; + import Exception from './exception'; +-import { COMPILER_REVISION, REVISION_CHANGES, createFrame } from './base'; ++import {COMPILER_REVISION, createFrame, REVISION_CHANGES} from './base'; ++import {moveHelperToHooks} from './helpers'; + + export function checkRevision(compilerInfo) { + const compilerRevision = compilerInfo && compilerInfo[0] || 1, +@@ -44,11 +45,14 @@ + } + + partial = env.VM.resolvePartial.call(this, partial, context, options); +-let result = env.VM.invokePartial.call(this, partial, context, options); ++ ++let optionsWithHooks = Utils.extend({}, options, {hooks: this.hooks}); ++ ++let result = env.VM.invokePartial.call(this, partial, context, optionsWithHooks); + + if (result == null && env.compile) { + options.partials[options.name] = env.compile(p
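Review bot: in the invokeHelper hunk the new `itemsSeparatedBy` reads `items[0]` unconditionally; its only caller always pushes `nonHelper`, so the array is never empty there, but as a method on the compiler prototype it reads as reusable, so either guard the empty case or mark it internal in a comment. The generated lookup also changes from `' || '` to `'||'` (no spaces), which is harmless at runtime but will show up in any snapshot test of precompiled template output.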
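Review bot: the copy of the patch in this mail stops at `options.partials[options.name] = env.compile(p` in runtime.js, so the part that defines `container.hooks`, which the three compiler hunks now reference as `container.hooks.helperMissing` and `container.hooks.blockHelperMissing`, and the use of the newly imported `moveHelperToHooks` are not reviewable here. Please link the full patch file (the Origin field points at upstream commit 2078c72) so the compiler/runtime pairing can be checked: a template compiled with this compiler but rendered by a runtime that does not set `hooks` on the container will fail at render time rather than at compile time.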
[Pkg-javascript-devel] Bug#947422: node-babel depends on itself for build, then updating core-js is blocked
Source: node-babel Severity: important Hi, node-babel depends on itself during build. Then when I try to update it with node-core-js ≥3, I got this: Error: Cannot find module 'core-js/library/fn/get-iterator' at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15) at Function.Module._load (internal/modules/cjs/loader.js:562:25) at Module.require (internal/modules/cjs/loader.js:692:17) at require (internal/modules/cjs/helpers.js:25:18) at Object. (/usr/lib/nodejs/babel-runtime/core-js/get-iterator.js:1:31) Then I cannot fix the babel source code since the error comes from an earlier babel. The best should be to find a way to build babel without babel. Else a patched version of babel-runtime could perhaps be embedded. This affects the migration of node-cloneable-readable, node-readable-stream,... -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Bug#947172: buster-pu: package npm/5.8.0+ds6-4+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, npm is vulnerable to some CVEs (CVE-2019-16775, CVE-2019-16776, CVE-2019-16777). This patch groups patches from the different affected sub-modules and adds a new module (npm-normalize-package-bin package) used by these fixes. After discussion with the security team, these CVEs will be tagged as no-dsa. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 85e9028..d7b986f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +npm (5.8.0+ds6-4+deb10u1) buster; urgency=medium + + * Add patches to fix arbitrary path access +(Closes: CVE-2019-16775, CVE-2019-16776, CVE-2019-16777) + + -- Xavier Guimard Sun, 15 Dec 2019 16:19:02 +0100 + npm (5.8.0+ds6-4) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2019-16775-add-npm-normalize-package-bin.diff b/debian/patches/CVE-2019-16775-add-npm-normalize-package-bin.diff new file mode 100644 index 000..a3c7b45 --- /dev/null +++ b/debian/patches/CVE-2019-16775-add-npm-normalize-package-bin.diff 
@@ -0,0 +1,167 @@ +Description: Add npm-normalize-package-bin package + Needed to CVE-2019-16775 fix +Author: isaacs +Bug: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2019-12-15 + +--- /dev/null b/node_modules/npm-normalize-package-bin/LICENSE +@@ -0,0 +1,15 @@ ++The ISC License ++ ++Copyright (c) npm, Inc. ++ ++Permission to use, copy, modify, and/or distribute this software for any ++purpose with or without fee is hereby granted, provided that the above ++copyright notice and this permission notice appear in all copies. ++ ++THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES ++WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF ++MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ++ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ++ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR ++IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--- /dev/null b/node_modules/npm-normalize-package-bin/README.md +@@ -0,0 +1,14 @@ ++# npm-normalize-package-bin ++ ++Turn any flavor of allowable package.json bin into a normalized object. ++ ++## API ++ ++```js ++const normalize = require('npm-normalize-package-bin') ++const pkg = {name: 'foo', bin: 'bar'} ++console.log(normalize(pkg)) // {name:'foo', bin:{foo: 'bar'}} ++``` ++ ++Also strips out weird dots and slashes to prevent accidental and/or ++malicious bad behavior when the package is installed. +--- /dev/null b/node_modules/npm-normalize-package-bin/index.js +@@ -0,0 +1,60 @@ ++// pass in a manifest with a 'bin' field here, and it'll turn it ++// into a properly santized bin object ++const {join, basename} = require('path') ++ ++const normalize = pkg => ++ !pkg.bin ? removeBin(pkg) ++ : typeof pkg.bin === 'string' ? 
normalizeString(pkg) ++ : Array.isArray(pkg.bin) ? normalizeArray(pkg) ++ : typeof pkg.bin === 'object' ? normalizeObject(pkg) ++ : removeBin(pkg) ++ ++const normalizeString = pkg => { ++ if (!pkg.name) ++return removeBin(pkg) ++ pkg.bin = { [pkg.name]: pkg.bin } ++ return normalizeObject(pkg) ++} ++ ++const normalizeArray = pkg => { ++ pkg.bin = pkg.bin.reduce((acc, k) => { ++acc[basename(k)] = k ++return acc ++ }, {}) ++ return normalizeObject(pkg) ++} ++ ++const removeBin = pkg => { ++ delete pkg.bin ++ return pkg ++} ++ ++const normalizeObject = pkg => { ++ const orig = pkg.bin ++ const clean = {} ++ let hasBins = false ++ Object.keys(orig).forEach(binKey => { ++const base = join('/', basename(binKey.replace(/\\|:/g, '/'))).substr(1) ++ ++if (typeof orig[binKey] !== 'string' || !base) ++ return ++ ++const binTarget = join('/', orig[binKey]) ++ .replace(/\\/g, '/').substr(1) ++ ++if (!binTarget) ++ return ++ ++clean[base] = binTarget ++hasBins = true ++ }) ++ ++ if (hasBins) ++pkg.bin = clean ++ else ++delete pkg.bin ++ ++ return pkg ++} ++ ++module.exports = normalize +--- /dev/null b/node_modules/npm-normalize-package-bin/package.json +@@ -0,0 +1,58 @@ ++{ ++ "_from": "npm-normalize-package-bin", ++ "_id": "npm-normalize-package-bin@1.0.1", ++ "_inBundle": false, ++ "_integrity": "sha512-EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA==", ++ "_location": "/npm-normalize-package-bin", ++ "_phantomChildren": {}, ++ "_requested": { ++"type": "tag", ++"registry": true, ++"raw": "npm-normalize-package-bin", ++"nam
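Review bot: in the index.js hunk, normalizeObject computes the bin target as `join('/', orig[binKey]).replace(/\\/g, '/').substr(1)`, i.e. path.join runs before backslashes are converted. On POSIX path.join treats `\` as an ordinary character, so a target written as `..\..\x` is not clamped to `/` by the join and comes out as `../../x` after the replace, whereas the binKey line above it does the replace first. Swap the order for the target too: `join('/', orig[binKey].replace(/\\/g, '/')).substr(1)`.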
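Review bot: the package.json hunk as quoted breaks off mid-field at `"nam`, so the `version`, `main` and `license` fields of the vendored npm-normalize-package-bin cannot be checked against the copyright file here; please attach the complete patch. The `_from`, `_id`, `_integrity` and other underscore fields are npm install-time metadata and can be dropped from a hand-vendored copy to keep the diff reviewable.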
[Pkg-javascript-devel] Bug#947042: node-express isn't compatible with node-path-to-regexp ≥ 6
Package: node-express Version: 4.17.1-1 Severity: important Tags: upstream Forwarded: https://github.com/expressjs/express/issues/4136 Hi, node-express is not compatible with recent node-path-to-regex. This affects node-superagent tests and renders part of express unusable. The fix is simple but then test fail: 8< diff --git a/lib/router/layer.js b/lib/router/layer.js index 4dc8e86..cc96d56 100644 --- a/lib/router/layer.js +++ b/lib/router/layer.js @@ -13,7 +13,7 @@ * @private */ -var pathRegexp = require('path-to-regexp'); +const { pathToRegexp } = require('path-to-regexp'); var debug = require('debug')('express:router:layer'); /** @@ -42,7 +42,7 @@ function Layer(path, options, fn) { this.name = fn.name || ''; this.params = undefined; this.path = undefined; - this.regexp = pathRegexp(path, this.keys = [], opts); + this.regexp = pathToRegexp(path, this.keys = [], opts); // set fast path flags this.regexp.fast_star = path === '*' >8 -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
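Review bot: the report itself says the tests fail once this rename is applied, so the diff is not complete as it stands: the first hunk only changes the import shape (and introduces a `const { pathToRegexp } = ...` destructuring next to the file's `var debug = ...` declarations, a style inconsistency worth aligning), and the second hunk keeps the call signature `pathToRegexp(path, this.keys = [], opts)` and the `this.regexp.fast_star = path === '*'` line below it unchanged. Before this goes in, the failing tests should be listed in the bug so a reviewer can tell whether the remaining incompatibility is in the route patterns accepted by the new major version or in the options passed through `opts`.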
[Pkg-javascript-devel] Bug#942809: node-typescript: Please embed ts-node
Package: node-typescript
Version: 3.6.4-1
Severity: wishlist

Hi,

ts-node is often used in conjunction with typescript. It could be useful to embed it in node-typescript.

> TypeScript execution and REPL for node.js, with source map support.
>
> # Execute a script as `node` + `tsc`.
> ts-node script.ts
>
> # Starts a TypeScript REPL.
> ts-node
>
> # Execute code with TypeScript.
> ts-node -e 'console.log("Hello, world!")'
>
> # Execute, and print, code with TypeScript.
> ts-node -p -e '"Hello, world!"'
>
> # Pipe scripts to execute with TypeScript.
> echo "console.log('Hello, world!')" | ts-node
[Pkg-javascript-devel] Bug#942425: RM: node-passport-oauth -- ROM; Obsolete and unmaintained upstream
Package: ftp.debian.org
Severity: normal

node-passport-oauth seems unmaintained. It is based on node-oauth, which seems not to be maintained anymore [1] and is not compatible with recent Google/Facebook APIs. node-passport-oauth has no reverse dependencies.

Cheers,
Xavier

[1]: https://github.com/ciaranj/node-oauth/issues/349
[Pkg-javascript-devel] Bug#942424: RM: node-oauth -- ROM; Obsolete and unmaintained upstream
Package: ftp.debian.org
Severity: normal

node-oauth seems unmaintained upstream [1] and is not compatible with recent Google/Facebook APIs. Its only reverse dependency (node-passport-oauth) also seems unmaintained. A "dak rN" shows that node-oauth and node-passport-oauth can be removed safely.

Cheers,
Xavier

[1]: https://github.com/ciaranj/node-oauth/issues/349
[Pkg-javascript-devel] Bug#941683: buster-pu: package node-yarnpkg/1.13.0-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu Hi, node-yarnpkg is vulnerable: it exports auth data in http requests (#941354, CVE-2019-5448). This patch imports upstream fix. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index 01fe7d70d..6c4b5fef1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-yarnpkg (1.13.0-1+deb10u1) buster; urgency=medium + + * Team upload + * Add patch to force using https for the regular registries +(Closes: #941354, CVE-2019-5448) + + -- Xavier Guimard Thu, 03 Oct 2019 18:23:54 +0200 + node-yarnpkg (1.13.0-1) unstable; urgency=low * Initial release (Closes: #843021) diff --git a/debian/patches/CVE-2019-5448.diff b/debian/patches/CVE-2019-5448.diff new file mode 100644 index 0..8bb7442c8 --- /dev/null +++ b/debian/patches/CVE-2019-5448.diff 
@@ -0,0 +1,75 @@ +Description: Forces using https for the regular registries +Author: Maël Nison <https://github.com/arcanis> +Origin: upstream, https://github.com/yarnpkg/yarn/commit/2f08a740 +Bug: https://hackerone.com/reports/640904 +Bug-Debian: https://bugs.debian.org/941354 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2019-10-03 + +--- a/__tests__/registries/npm-registry.js b/__tests__/registries/npm-registry.js +@@ -750,6 +750,30 @@ + + expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual('https://my.registry.co/registry/foo/bar/baz'); + }); ++ ++ for (const host of [`registry.yarnpkg.com`, `registry.npmjs.org`, `registry.npmjs.com`]) { ++test(`enforces loading packages through https when they come from ${host}`, () => { ++ const testCwd = '.'; ++ const {mockRequestManager, mockRegistries, mockReporter} = createMocks(); ++ const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []); ++ const registry = `http://${host}/registry`; ++ const pathname = 'foo/bar/baz'; ++ ++ expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual(`https://${host}/registry/foo/bar/baz`); ++}); ++ } ++ ++ test("doesn't change the protocol for packages from other registries", () => { ++const testCwd = '.'; ++const {mockRequestManager, mockRegistries, mockReporter} = createMocks(); ++const npmRegistry = new NpmRegistry(testCwd, mockRegistries, mockRequestManager, mockReporter, true, []); ++const registry = 'http://registry.mylittlepony.org/registry'; ++const pathname = 'foo/bar/baz'; ++ ++expect(npmRegistry.getRequestUrl(registry, pathname)).toEqual( ++ 'http://registry.mylittlepony.org/registry/foo/bar/baz', ++); ++ }); + }); + + describe('getScope functional test', () => { +--- a/src/registries/npm-registry.js b/src/registries/npm-registry.js +@@ -22,6 +22,7 @@ + import ini from 'ini'; + + const DEFAULT_REGISTRY = 'https://registry.npmjs.org/'; ++const REGEX_REGISTRY_ENFORCED_HTTPS = 
/^https?:\/\/([^\/]+\.)?(yarnpkg\.com|npmjs\.(org|com))(\/|$)/; + const REGEX_REGISTRY_HTTP_PROTOCOL = /^https?:/i; + const REGEX_REGISTRY_PREFIX = /^(https?:)?\/\//i; + const REGEX_REGISTRY_SUFFIX = /registry\/?$/; +@@ -112,13 +113,17 @@ + } + + getRequestUrl(registry: string, pathname: string): string { +-const isUrl = REGEX_REGISTRY_PREFIX.test(pathname); ++let resolved = pathname; + +-if (isUrl) { +- return pathname; +-} else { +- return url.resolve(addSuffix(registry, '/'), pathname); ++if (!REGEX_REGISTRY_PREFIX.test(pathname)) { ++ resolved = url.resolve(addSuffix(registry, '/'), pathname); + } ++ ++if (REGEX_REGISTRY_ENFORCED_HTTPS.test(resolved)) { ++ resolved = resolved.replace(/^http:\/\//, 'https://'); ++} ++ ++return resolved; + } + + isRequestToRegistry(requestUrl: string, registryUrl: string): boolean { diff --git a/debian/patches/series b/debian/patches/series index f3c856f99..7c03222a8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ 08-cli-table3.diff 09-buffer_from.diff 10-babel-plugin-inline-import.diff +CVE-2019-5448.diff -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
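Review bot: the new tests in __tests__/registries/npm-registry.js cover the three enforced hosts and one untouched third-party registry, but not the two edge cases the source change creates: a request whose `pathname` is already an absolute URL (the `REGEX_REGISTRY_PREFIX` branch, where the https upgrade is now applied to `pathname` itself) and a subdomain host matched by the optional `([^\/]+\.)?` group. One test for each would pin the intended behaviour.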
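Review bot: `REGEX_REGISTRY_ENFORCED_HTTPS` and the `resolved.replace(/^http:\/\//, 'https://')` call in src/registries/npm-registry.js are both case-sensitive, while the neighbouring `REGEX_REGISTRY_HTTP_PROTOCOL` and `REGEX_REGISTRY_PREFIX` carry the `i` flag; a registry configured as `HTTP://registry.npmjs.org/` would pass the prefix test but never be upgraded. Adding `i` to the new regex and to the replace keeps the three consistent. The restructured getRequestUrl otherwise reads well: the enforcement runs on `resolved` after both branches, so direct-URL pathnames and registry-relative ones are treated alike.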
[Pkg-javascript-devel] Bug#941227: buster-pu: package node-set-value/0.4.0-1+deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

node-set-value is vulnerable to prototype pollution (#941189, CVE-2019-10747). I imported and adapted the upstream patch and added a test inspired by the CVE report [1]. I think this could be safely added to the next buster point release.

Cheers,
Xavier

[1]: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
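The bug class the report above names, prototype pollution through a "set by dotted path" helper, and the check that closes it, as an added example. This is illustration code written for this page, not node-set-value's source or its upstream patch; the two setters, the probe helper and the path strings are all constructed here.

```javascript
// Added illustration for this page: prototype pollution in a dotted-path setter
// and a hardened counterpart. Not node-set-value's code or its upstream patch;
// every function and input below is constructed for the example.

// Segment names that, used as a property key on a plain object, reach the
// prototype chain instead of an own property.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive deep setter: creates intermediate objects and assigns the leaf.
// It indexes with whatever segment it is handed, so a path beginning with
// "__proto__" walks onto Object.prototype and the final assignment lands there.
function setPathUnsafe(target, path, value) {
  const segments = path.split('.');
  let current = target;
  for (const segment of segments.slice(0, -1)) {
    if (current[segment] === null || typeof current[segment] !== 'object') {
      current[segment] = {};
    }
    current = current[segment];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Hardened deep setter: refuses the prototype-reaching segment names up front,
// and only descends into own, plain-object properties, so an inherited value
// (from a custom prototype, say) is never used as the next hop either.
function setPathSafe(target, path, value) {
  const segments = path.split('.');
  for (const segment of segments) {
    if (UNSAFE_SEGMENTS.has(segment)) {
      throw new Error(`refusing unsafe path segment: ${segment}`);
    }
  }
  let current = target;
  for (const segment of segments.slice(0, -1)) {
    const isOwnObject =
      Object.prototype.hasOwnProperty.call(current, segment) &&
      current[segment] !== null &&
      typeof current[segment] === 'object';
    if (!isOwnObject) {
      current[segment] = {};
    }
    current = current[segment];
  }
  current[segments[segments.length - 1]] = value;
  return target;
}

// Detection check: runs a hostile path through a setter and reports whether an
// unrelated object created beforehand now "has" the property. Object.prototype
// is cleaned up afterwards so the check itself leaves nothing behind.
function pollutesGlobalPrototype(setter) {
  const probe = {};
  try {
    setter({}, '__proto__.polluted', true);
  } catch (err) {
    // The hardened setter refuses the path; that is the desired outcome.
  }
  try {
    return probe.polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Stand-alone run: true for the naive setter, false for the hardened one.
console.log('setPathUnsafe pollutes:', pollutesGlobalPrototype(setPathUnsafe));
console.log('setPathSafe pollutes:  ', pollutesGlobalPrototype(setPathSafe));
console.log(JSON.stringify(setPathSafe({}, 'a.b.c', 1)));
```

The hardened version does two things the naive one does not: it rejects the three segment names that reach the prototype chain, and it only descends into own, plain-object properties, so inherited values are never used as the next hop. Running `pollutesGlobalPrototype` against each setter is the kind of regression test a fix for this bug class should ship with.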
[Pkg-javascript-devel] Bug#940836: ITP: node-rxjs -- reactive extensions for JavaScript
Package: wnpp
Severity: wishlist
Owner: Xavier Guimard

* Package name    : node-rxjs
  Version         : 6.5.3
  Upstream Author : Ben Lesh
* URL             : https://github.com/ReactiveX/RxJS
* License         : Apache-2.0
  Programming Lang: JavaScript
  Description     : reactive extensions for JavaScript

rxjs is a popular node module (more than 12.000.000 weekly downloads) and a dependency of more than 15.000 node modules.

RxJS is a library for reactive programming using Observables, to make it easier to compose asynchronous or callback-based code. This project is a rewrite of Reactive-Extensions/RxJS with better performance, better modularity, better debuggable call stacks, while staying mostly backwards compatible, with some breaking changes that reduce the API surface.

This module is needed to upgrade some Debian nodejs modules. It will be maintained under the pkg-js team umbrella.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#936451: node-regenerator-transform is not built from sources
Package: node-regenerator-transform
Version: 0.9.8-2
Severity: important

node-regenerator-transform is taken from the npm registry. Its source comes from node-regenerator [1], which provides:

 * node-regenerator (not in Debian)
 * node-regenerator-preset (not in Debian)
 * node-regenerator-transform
 * node-regenerator-runtime

node-regenerator-runtime is directly written in JS, so there is no bug there. node-regenerator-transform's source is written in ES6 and compiled with babel 7.

The issue was found using the pkg-js-tools lintian profile ("lintian --profile pkg-js --profile pkg-js-extra"), which returns "inconsistency-debian-watch", and then `debcheck-node-repo`, which proposes to update debian/watch when the github source tags are good.

[1]: https://github.com/facebook/regenerator
[Pkg-javascript-devel] Bug#935979: node-object-assign: Don't publish object.assign module
Package: node-object-assign
Version: 4.1.1-2
Severity: important

node-object-assign publishes a /usr/lib/nodejs/object.assign link. This is bad, since object.assign is a different module with different functions (a getPolyfill function, for example).
[Pkg-javascript-devel] Bug#935437: RM: mirror.js -- ROM; Useless and unmaintained
Package: ftp.debian.org
Severity: normal

Hi all,

mirror.js has been unmaintained upstream for at least 7 years. It has no reverse dependencies, so I think it should be removed from Debian.

Regards,
Xavier

# dak output
$ dak -rN mirror.js
Will remove the following packages from unstable:

  mirror.js | 0.3.3-3 | source
node-mirror | 0.3.3-3 | all

Maintainer: Debian Javascript Maintainers

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.
[Pkg-javascript-devel] Bug#935436: RM: languages4translatewiki -- ROM; Useless and unmaintained
Package: ftp.debian.org
Severity: normal

Hi all,

languages4translatewiki has been unmaintained upstream for at least 7 years. It has no reverse dependencies, so I think it should be removed from Debian.

Cheers,
Xavier

# dak output
$ dak -rN languages4translatewiki
Will remove the following packages from unstable:

      languages4translatewiki | 0.1.3-1 | source
libjs-languages4translatewiki | 0.1.3-1 | all
 node-languages4translatewiki | 0.1.3-1 | all

Maintainer: Debian Javascript Maintainers

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.
[Pkg-javascript-devel] Bug#935434: RM: polymaps -- ROM; Useless and unmaintained
Package: ftp.debian.org
Severity: normal

Hi all,

polymaps has no reverse dependencies and has not been maintained upstream for at least 8 years. I think it should be removed from Debian.

Cheers,
Xavier

# dak output:
$ dak rm -Rn
Will remove the following packages from unstable:

libjs-polymaps | 2.5.1+ds1-1 | all
      polymaps | 2.5.1+ds1-1 | source

Maintainer: Debian Javascript Maintainers

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.
[Pkg-javascript-devel] Bug#935433: RM: backbone-dirty.js -- ROM; Unmaintained and useless
Package: ftp.debian.org
Severity: normal

Hi all,

backbone-dirty.js has not been updated for at least 7 years, has no reverse dependencies and has not been updated since old-old-stable. So I think it should be removed from Debian.

Best regards,
Xavier

# dak output:
$ dak rm -Rn backbone-dirty.js
Will remove the following packages from unstable:

  backbone-dirty.js | 1.1.2-3 | source
node-backbone-dirty | 1.1.2-3 | all

Maintainer: Debian Javascript Maintainers

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.
[Pkg-javascript-devel] Bug#935428: rainloop: Replace node-json3 dependency by native JSON.parse/JSON.stringify
Package: rainloop
Version: 1.12.1-2
Severity: important

Hi,

node-json3 is unmaintained and easy to replace by the native JSON.parse and JSON.stringify functions. rainloop is the last package that still uses this old library. Could you patch rainloop to permit a ROM-RM of node-json3?

Cheers,
Xavier
[Pkg-javascript-devel] Bug#935323: mocha: Keep oxygen-icon-theme dependency only for build
Package: mocha
Version: 4.1.0+ds3-5
Severity: normal

Hi all,

mocha depends on oxygen-icon-theme just for 2 links to very little icons (749 B and 1343 B). I think we could copy these 2 files during build and no longer binary-depend on oxygen-icon-theme. The dependency on such a big package affects sbuild and other build systems.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#935029: pkg-js-tools: Don't build depends on any node module
Package: pkg-js-tools
Version: 0.9.5
Severity: wishlist

Hi all,

I suggest removing all node-* modules from the build dependencies and enabling build tests (grunt) only in autopkgtest tests. This will avoid some circular build dependencies. Only nodejs will stay in build deps.

Do you agree?
[Pkg-javascript-devel] Bug#935016: pkg-js-tools: An unannounced change in "debhelper" breaks pkg-js-tools
Package: pkg-js-tools
Version: 0.9.5
Severity: grave
Justification: renders package unusable

pkg-js-tools was based on add_command_options, which disappeared in Debhelper 12.5.1. This renders pkg-js-tools unusable.
[Pkg-javascript-devel] Bug#934734: RM: libv8-3.14 -- ROM; outdated and useless library
Package: ftp.debian.org
Severity: normal

Hi all,

libv8-3.14 is an outdated library with many security issues [1]. It had one reverse dependency, which is ROM-RM also (#934243, done). So I think it should be removed from Debian.

Cheers,
Xavier

[1]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no=libv8-3.14
[Pkg-javascript-devel] Bug#934732: RM: jscommunicator -- ROM; Orphaned upstream
Package: ftp.debian.org
Severity: normal

Hi all,

jscommunicator was removed from testing 3 years ago. 26 issues are open upstream [1], but there have been no changes for 4 years. jscommunicator has no reverse dependencies. That's why I think it should be removed from Debian.

Cheers,
Xavier
[Pkg-javascript-devel] Bug#934730: RM: node-yawl -- ROM; orphaned upstream - FTBFS
Package: ftp.debian.org
Severity: normal

Hi all,

node-yawl never entered testing due to FTBFS. The issue was posted upstream [1], but nobody answered. node-yawl has no reverse dependencies. That's why I propose to remove it from Debian.

Cheers,
Xavier

[1]: https://github.com/andrewrk/node-yawl/issues/5