Your message dated Wed, 17 Jun 2026 12:07:14 +0000
with message-id <[email protected]>
and subject line Bug#1140098: fixed in pkg-js-tools 0.17.5
has caused the Debian Bug report #1140098,
regarding dh-nodejs: Generates unreproducible pkgjs-lock.json files if nocheck
specified
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140098: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140098
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dh-nodejs
Version: 0.17.4
Severity: important
Tags: patch
Dear Maintainer,
Many packages using dh-nodejs are unreproducible right now because
dh-nodejs can generate unreproducible pkgjs-lock.json files depending
on whether nocheck is specified or not.
The potential "pissue" is that link_external_modules() / _extLinks() in
Debian::PkgJs::Utils will skip generating node_modules/foo symlinks for
test-only modules, and so when Debian::PkgJs::PackageLock goes to
generate the pkgjs-lock.json, nodepath will return different paths
that are used in the JSON.
For example, node-tsx's debian/nodes/extlinks has:
esbuild
chalk
@ampproject/remapping
chokidar
es-module-lexer
get-tsconfig
magic-string
slash
execa test <--------------------
memfs test
strip-ansi test
strip-indent test
... which results in, for instance, the links for "execa" to not be
generated if nocheck is specified.
The pkgjs-lock.json file then contains (in the nocheck case):
"/usr/share/nodejs/execa": {
"name": "execa",
"version": "8.0.1"
},
... and in the normal case (ie. when the tests are run), the
pkgjs-lock.json contains:
"node_modules/execa": {
"name": "execa",
"version": "8.0.1"
}
One fix *could* be to generate the links regardless whether nocheck is
specified. I've attached this patch, although it's a very ugly diff due
to the dedenting.
However, I lack the understanding about how nodejs paths work to know
whether this the right solution. Specifically, if a Build-Depends is
listed as <!nocheck> and the package is *not* installed as a result, I
don't know whether that will result in nodepath returning different/
broken results, or even cause a failure. (In the above example, the
node-execa package was installed in both cases which cannot be
guaranteed due to it being specified with <!nocheck>; it is hard to
test what happens if node-execa is not installed as some other packages
have transitive dependencies on it.)
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` [email protected] / chris-lamb.co.uk
`-
diff --git lib/Debian/PkgJs/Utils.pm lib/Debian/PkgJs/Utils.pm
index c4d2e67..f744c19 100644
--- lib/Debian/PkgJs/Utils.pm
+++ lib/Debian/PkgJs/Utils.pm
@@ -469,68 +469,50 @@ sub _extLinks {
# Drop " test" if exists
$_ =~ s/\s+(\S*).*?$//;
- # If " test" exists, link/copy module only if !nocheck
- if (
- $1
- and $1 eq 'test'
- and (
- (
- $ENV{DEB_BUILD_OPTIONS}
- and $ENV{DEB_BUILD_OPTIONS} =~ /\bnocheck\b/
- )
- or ( $ENV{DEB_BUILD_PROFILES}
- and $ENV{DEB_BUILD_PROFILES} =~ /\bnocheck\b/ )
- )
- )
- {
- print STDERR "Skipping $_ link\n";
- }
- else {
- # Search module using nodepath
- my ($src);
- spawn(
- exec => [ 'nodepath', '-B', $_ ],
- wait_child => 1,
- to_string => \$src,
- no_check => 1,
- # XXX: Backwards compatibility, remove after dpkg
1.24.0.
- nocheck => 1,
- );
-
- # Fail if not found
- if ( $? or not $src ) {
- print STDERR "### $_ is required by "
- . "debian/nodejs/$dir/ext$type"
- . " but not available\n";
- if ( $_ =~ s#^\@types/## ) {
- print STDERR "# Typescript definition "
- . "detected, Fallback to main module\n";
- spawn(
- exec => [ 'nodepath', '-B', $_ ],
- wait_child => 1,
- to_string => \$src,
- no_check => 1,
- # XXX: Backwards compatibility, remove
after dpkg 1.24.0.
- nocheck => 1,
- );
- if ( $? or not $src ) {
- print STDERR "### $_ isn't available
too\n";
- $exit++;
- }
- print STDERR "### You SHOULD update your "
- . "debian/nodejs/$dir/ext$type file!\n";
- }
- else {
+ # Search module using nodepath
+ my ($src);
+ spawn(
+ exec => [ 'nodepath', '-B', $_ ],
+ wait_child => 1,
+ to_string => \$src,
+ no_check => 1,
+ # XXX: Backwards compatibility, remove after dpkg
1.24.0.
+ nocheck => 1,
+ );
+
+ # Fail if not found
+ if ( $? or not $src ) {
+ print STDERR "### $_ is required by "
+ . "debian/nodejs/$dir/ext$type"
+ . " but not available\n";
+ if ( $_ =~ s#^\@types/## ) {
+ print STDERR "# Typescript definition "
+ . "detected, Fallback to main module\n";
+ spawn(
+ exec => [ 'nodepath', '-B', $_ ],
+ wait_child => 1,
+ to_string => \$src,
+ no_check => 1,
+ # XXX: Backwards compatibility, remove after
dpkg 1.24.0.
+ nocheck => 1,
+ );
+ if ( $? or not $src ) {
+ print STDERR "### $_ isn't available too\n";
$exit++;
}
+ print STDERR "### You SHOULD update your "
+ . "debian/nodejs/$dir/ext$type file!\n";
}
else {
- chomp $src;
- my $tmp = $src;
- $tmp =~ s#^.*?nodejs/##;
- $cmds{$type}->( $src, $tmp );
+ $exit++;
}
}
+ else {
+ chomp $src;
+ my $tmp = $src;
+ $tmp =~ s#^.*?nodejs/##;
+ $cmds{$type}->( $src, $tmp );
+ }
} open_file("debian/nodejs/$dir/ext$type");
exit $exit if $exit;
}
--- End Message ---
--- Begin Message ---
Source: pkg-js-tools
Source-Version: 0.17.5
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
pkg-js-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated pkg-js-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 17 Jun 2026 13:39:58 +0200
Source: pkg-js-tools
Architecture: source
Version: 0.17.5
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1140098
Changes:
pkg-js-tools (0.17.5) unstable; urgency=medium
.
[ Xavier Guimard ]
* Declare compliance with policy 4.7.4
* Drop "Priority: optional"
.
[ Chris Lamb ]
* Fix pkgjs-lock.json files if nocheck specified (Closes: #1140098)
Checksums-Sha1:
03c60c8324a72b9f15a68e5b7571912a1a1e1890 2692 pkg-js-tools_0.17.5.dsc
7b8fba00200afb98dc7e866c7f38672e30f77559 90920 pkg-js-tools_0.17.5.tar.xz
Checksums-Sha256:
cc7b0edf9fc5eed6e8ed9728440f8ccb64f5729e7ed9873893c5a57de8980d5e 2692
pkg-js-tools_0.17.5.dsc
4b09c5f33b518f98bc1e1e8988f89739aec5d70e91718c7400c7a6f714f7075a 90920
pkg-js-tools_0.17.5.tar.xz
Files:
327d40f1df87a56d9e0d5a9647fd2974 2692 devel optional pkg-js-tools_0.17.5.dsc
23084024aa83badfe04d3b3eaa8b3803 90920 devel optional
pkg-js-tools_0.17.5.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmoyiUEACgkQ9tdMp8mZ
7ukzUQ/+Owkox6HZc4ypNUaHyCTnaZgQFlhRZ99hItVm7+agfIrglsM2Ijer4kYG
gQftHMvkGBtTbev2f5JIHr/CkOEISCTLrqmZhEIUfMmvZL3uN9MIBLz+rTJpXoSn
9GmSZJTTri7u3Ak+63wqUWE3RtfudA1eN7xgP9wAecF1rR81Mt+CwZgFcz/1UAKA
X3WDsFqp8vCSrqUo6E49or6X5b2bivMbOeKsFaAFL2r+oyAwnvvhqRMZST7n0OnS
qGR2iYx8i8utTyp1aM97h0jGOyAyUSK8r6EJhycgA7FcWpuJ+IeYh65GjAIUTEzL
SOvOiD0MPaq5iSFfUPf+i8Tsa0zJaiWKVpnmN+aqwLcZKUWR69L1cV4mXAvWm//y
KkvH3/lLuw4g+iU7a3Pqm2VsUAauRK1q+dlhDlrp7qBrT1As5AnLks65IhaQA5Q9
EuRJuHjfcPoDcjekcRfFXgz0iauOAdrruohmJiKDMbN8X56QpFsf+aNvQlPQ1uZX
8OP6nNSSsx7mYVa2X2+wG3wq9soERPEt09Sv3QluiHJCMeLTnBoBQhI+y65gi45e
7dSbO+NDQ755kgKNewQzlVXRrGnIx0tR24X6D3CL/gajnpQdUymCyPkaHGlcSamT
Zz/K1n1sNv7CTlFeEGrhLCtmw5dXjmWPI3gVLozqxDGkhe5bNDM=
=YNhd
-----END PGP SIGNATURE-----
pgpKtmm2YbrVF.pgp
Description: PGP signature
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
