Hi, [CC'ing node-undici uploader]
On Wed, Dec 20, 2023 at 09:12:36PM +0100, Jérémy Lal wrote:
> On Wed, Jul 19, 2023 at 21:51, Jérémy Lal <kapo...@melix.org> wrote:
> >
> > On Wed, Jul 19, 2023 at 14:18, Moritz Mühlenhoff <j...@inutil.org> wrote:
> >
> >> On Fri, Jun 30, 2023 at 08:12:37PM +0200, Jérémy Lal wrote:
> >> > Hi,
> >> >
> >> > On Fri, Jun 30, 2023 at 19:21, Salvatore Bonaccorso <car...@debian.org> wrote:
> >> >
> >> > > Source: nodejs
> >> > > Version: 18.13.0+dfsg1-1
> >> > > Severity: important
> >> > > Tags: security upstream
> >> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >> > >
> >> > > Hi,
> >> > >
> >> > > The following vulnerabilities were published for nodejs.
> >> > >
> >> > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and
> >> > > CVE-2023-30590[3].
> >> > >
> >> > > If you fix the vulnerabilities please also make sure to include the
> >> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >> >
> >> > It would be interesting to know if we adopt the same plan we had with
> >> > the security team:
> >> > full upstream updates in the same branch, 18.x here.
> >>
> >> Ack, let's do that. Could you prepare bookworm-security updates
> >> based on 18.17.0 (after it has landed in unstable)?
>
> nodejs 18.19.0 has landed in testing.
> It rebuilds fine in bookworm, and the test suite run during the build passes on amd64.
>
> It also requires "node-undici", precisely for that change:
>
> node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium
>
>   * Build and publish undici-types, needed by new @types/node
>
> Is there a way to deal with this?

Then I guess we need this as a pre-requisite upload to bookworm as well.
Maybe Moritz has a better idea, but one option is to propose this update regularly as a bookworm-pu and, once it is in proposed-updates, ask DSA to make the security chroots pick up updates from proposed-updates as well, if we plan to release nodejs via a DSA (or otherwise via bookworm-pu as well).

One other alternative is to make a non-security upload for node-undici containing that change to the security archive, which the nodejs update can then pick up.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel