Bug#981474: node-rollup-plugin-terser: test randomly fails due to timeout problems

[Xavier Guimard]

Package: node-rollup-plugin-terser
Version: 7.0.2-4
Severity: serious
Tags: ftbfs
Justification: Policy 2.1

https://ci.debian.net/packages/n/node-rollup-plugin-terser/testing/amd64/
shows that node-rollup-plugin-terser test randomly fails

Bug#981279: lintian: False positive: pkg-js-autopkgtest-file-does-not-exist packages/*/test

[Xavier Guimard]

Package: lintian
Version: 2.104.0
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

lintian looks enable to understand `packages/*/test` expression when
trying to verify that files declared in debian/tests/pkg-js/files exist.

Bug#981222: update-alternatives: please provide a way to change a master alternative into a slave one

[Xavier Guimard]

Package: dpkg
Version: 1.20.7.1
Severity: normal

Hi,

I made an error using master alternatives to install some manpages, but
I can't change this because update-alternatives refuse to replace a
master alternative into a slave one during upgrade. Could you provide a
way to do this in debian/alternatives file ?

Cheers,
Xavier

Versions of packages dpkg depends on:
ii  libbz2-1.0   1.0.8-4
ii  libc62.31-9
ii  liblzma5 5.2.5-1.0
ii  libselinux1  3.1-2+b2
ii  tar  1.32+dfsg-1
ii  zlib1g   1:1.2.11.dfsg-2

dpkg recommends no packages.

Versions of packages dpkg suggests:
ii  apt2.1.18
pn  debsig-verify  

-- no debconf information

Bug#980805: RM: node-express-generator -- ROM; RC buggy and useless

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-express-generator isn't compatible with current node-commander and
node-mkdirp. It has no reverse dependencies, so I thinks it should be
removed from Debian.

Bug#980259: buster-pu: package cyrus-imapd/3.0.8-6+deb10u5

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
The /etc/cron.daily/cyrus-imapd cron script is not executed because the
Cyrus version check does not match the cyrus version installed on Debian
Buster

[ Impact ]
Dala loss risk

[ Tests ]
No test added

[ Risks ]
Trivial patch

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable (see #935431)

[ Changes ]
Regex fix

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index c96adf9c..240d1f4d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.0.8-6+deb10u5) buster; urgency=medium
+
+  * Fix cron script (Closes: #980240)
+
+ -- Xavier Guimard   Sat, 16 Jan 2021 21:34:16 +0100
+
 cyrus-imapd (3.0.8-6+deb10u4) buster; urgency=medium
 
   * Add BACKUP type to cyrus-upgrade-db (Closes: #930764)
diff --git a/debian/cyrus-common.cyrus-imapd.cron.daily 
b/debian/cyrus-common.cyrus-imapd.cron.daily
index eca5ffe5..c92eca15 100644
--- a/debian/cyrus-common.cyrus-imapd.cron.daily
+++ b/debian/cyrus-common.cyrus-imapd.cron.daily
@@ -33,7 +33,7 @@ umask 022
 && [ -f /usr/lib/cyrus/cyrus-hardwired-config.txt ] \
 || exit 0
 # Check if Cyrus is installed (vs. removed but not purged)
-grep -qE '^PACKAGE_VERSION[[:blank:]]+[30][.][245]' \
+grep -qE '^PACKAGE_VERSION[[:blank:]]+3.0[.][2458]' \
/usr/lib/cyrus/cyrus-hardwired-config.txt >/dev/null 2>&1 || exit 0
 
 # 1. backup mailbox database

Bug#980032: RM: node-request/2.88.1-5

[Xavier Guimard]

Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-request is deprecated (#956423) and won't be part of Bullseye. I'd
like to see it removed from testing after node-jsdom migration.

Cheers,
Xavier

Bug#980012: FTBFS: TypeError: Cannot read property 'register' of undefined

[Xavier Guimard]

Package: coffeescript
Version: 1.12.8~dfsg-4
Severity: serious

coffeescript build seems broken. Logs:

 dpkg-source -b .
dpkg-source: info: using source format '3.0 (quilt)'
dpkg-source: info: building coffeescript using existing 
./coffeescript_1.12.8~dfsg.orig.tar.gz
dpkg-source: info: using patch list from debian/patches/series
dpkg-source: info: building coffeescript in 
coffeescript_1.12.8~dfsg-5.debian.tar.xz
dpkg-source: info: building coffeescript in coffeescript_1.12.8~dfsg-5.dsc
 debian/rules binary
CDBS WARNING:  copyright-check disabled - licensecheck is missing.
test -x debian/rules
dh_testroot
dh_prep
dh_installdirs -A
mkdir -p "."

Scanning upstream source for new/changed copyright notices...

set -e; LC_ALL=C.UTF-8 /usr/bin/licensecheck --check '.*' --recursive 
--copyright --deb-fmt --ignore 
'^(debian/(changelog|copyright(|_hints|_newhints)))$' --lines 0 -- * | 
/usr/lib/cdbs/licensecheck2dep5 > debian/copyright_newhints
/bin/sh: 1: /usr/bin/licensecheck: not found
0 combinations of copyright and licensing found.
No new copyright notices found - assuming no news is good news...
touch debian/stamp-copyright-check
mkdir -p "debian/upstream-cruft"
cp -a "lib" "debian/upstream-cruft/lib";
touch debian/stamp-upstream-cruft
mkdir -p docs/v1/browser-compiler
chmod +x bin/cake
bin/cake build
bin/cake build
bin/cake build:browser
bin/cake test
(node:2439631) [DEP0005] DeprecationWarning: Buffer() is deprecated due to 
security and usability issues. Please use the Buffer.alloc(), 
Buffer.allocUnsafe(), or Buffer.from() methods instead.
(node:2439631) [DEP0124] DeprecationWarning: REPLServer.rli is deprecated
passed 856 tests in 1.66 seconds
bin/cake test:browser
/<>/Cakefile:450
CoffeeScript.register();
 ^

TypeError: Cannot read property 'register' of undefined
at runTests (/<>/Cakefile:450:18)
at Object.action (/<>/Cakefile:562:19)
at invoke (/<>/lib/coffee-script/cake.js:44:26)
at Object.exports.run (/<>/lib/coffee-script/cake.js:70:20)
at Object. (/<>/bin/cake:15:42)
at Module._compile (internal/modules/cjs/loader.js:999:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)
at Module.load (internal/modules/cjs/loader.js:863:32)
at Function.Module._load (internal/modules/cjs/loader.js:708:14)
at Function.executeUserEntryPoint [as runMain] 
(internal/modules/run_main.js:60:12)
at internal/main/run_main_module.js:17:47

Bug#979874: node-cross-spawn-async: Keep out of testing

[Xavier Guimard]

Package: node-cross-spawn-async
Version: 2.2.5-4
Severity: serious

As node-cross-spawn, node-cross-spawn-async shoul d be kept out of
Bullseye

Bug#979587: ITP: ts-jest -- Node.js preprocessor with source maps support to help use TypeScript with Jest

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: ts-jest
  Version : 26.4.4
  Upstream Author : Kulshekhar Kabra <https://github.com/kulshekhar>
* URL : https://github.com/kulshekhar/ts-jest
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js preprocessor with source maps support to help use 
TypeScript with Jest

Jest is a popular test framework for JavaScript projects. ts-jest
extends jest to test projects written in Typescript.

For now, some Debian packages keep untested due to the lack of this
package (for example, all node-dom* packages). It was not possible to
build ts-jest until now, due to lack of Jest typescript definitions
(fixed now).

ts-jest will be maintained under JS Team umbrella.

Bug#979553: node-vinyl-fs: Please ship typescript definitions

[Xavier Guimard]

Package: node-vinyl-fs
Version: 3.0.3-5
Severity: normal

Please embed typescript definitions

Bug#979475: node-gyp-build: Keep out of testing

[Xavier Guimard]

Package: node-gyp-build
Severity: serious
Justification: Policy 2.1

node-gyp-rebuild replaces `node-gyp rebuild` using pre-compiled
binaries. This is useless in Debian.

I did an error when packaging it, this package should be removed from
Debian archive, shouldn't it?

Bug#979457: RM: node-babel-preset-env -- ROM; Useless and replaced by node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

all reverse dependencies to node-babel-preset-env have been updated to
use node-babel7 (or virtual "node-babel-preset-env ≥ 7"), so this
package can now be safely removed from Debian archive.

Cheers,
Xavier

Bug#979174: node-express-generator: Incompatible with current node-commander and node-mkdirp

[Xavier Guimard]

Package: node-express-generator
Version: 4.0.0-2
Severity: grave
Tags: sid, ftbfs
Justification: renders package unusable

node-express-generator isn't compatible with current node-commander,
neither node-mkdirp. As it has no reverse dependency, I suggest to
remove it from Debian

Bug#978418: RM: node-cross-spawn-async -- ROM; Useless and FTBFS

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

like node-cross-spawn (already removed), node-cross-spawn-async is
useless in Debian ad should be removed. It has no reverse dependencies.

Cheers,
Xavier

Bug#978051: node-consolidate depends on babel-core 6

[Xavier Guimard]

Package: node-consolidate
Version: 0.15.1+repack-1
Severity: serious

Enabling test proves that node-consolidate depends on node-babel-core 6:

```
  function requireReact(module, filename) {
var babel = requires.babel || (requires.babel = require('babel-core'));
  
var compiled = babel.transformFileSync(filename, { presets: [ 'react' ] 
}).code;
  
return module._compile(compiled, filename);
  }
  
  exports.requireReact = requireReact;
  
  /**
   *  Converting a string into a node module.
   */
  function requireReactString(src, filename) {
var babel = requires.babel || (requires.babel = require('babel-core'));
  
if (!filename) filename = '';
var m = new module.constructor();
filename = filename || '';
  
// Compile Using React
var compiled = babel.transform(src, { presets: [ 'react' ] }).code;
```

Bug#977963: node-terser: Please fix test to be compatible with node-commander ≥ 6

[Xavier Guimard]

Package: node-terser
Version: 4.1.2-7
Severity: important
Tags: patch

With commander 6, uglifyjs.terser displays:

  Usage: uglifyjs [options]...

instead of:

  Usage: uglifyjs.terser [options]...

The simple attached patch fixes test check with a more tolerant regex.
Please apply this patch if you think it is useful, this will unblock
node-commander upgrade (available in experimental).

Cheers,
Xavier
diff --git a/debian/tests/uglifyjs.terser.t b/debian/tests/uglifyjs.terser.t
index 7333e22..2412e1c 100644
--- a/debian/tests/uglifyjs.terser.t
+++ b/debian/tests/uglifyjs.terser.t
@@ -16,7 +16,7 @@ like stdout, qr/^terser [\d.]+$/, 'version, stdout';
 cmp_ok stderr, 'eq', '', 'version, stderr';
 
 run_ok $CMD, qw(--help);
-like stdout, qr/^\s*Usage: $CMD \[options\] \[files\.\.\.\]\n/, 'help, stdout';
+like stdout, qr/^\s*Usage: uglifyjs\S* \[options\] \[files\.\.\.\]\n/, 'help, 
stdout';
 cmp_ok stderr, 'eq', '', 'help, stderr';
 
 done_testing;

Bug#977886: RM: node-samsam -- ROM; Obsolete, replaced by node-sinonjs-samsam

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-samsam is deprecated. It is now @sinonjs/samsam
(node-sinonjs-samsam) which is part of node-sinon.
node-samsam has no reverse dependencies, it should be removed from
Debian archive.

Cheers,
Xavier

Bug#977864: libjs-bootstrap4: Missing maintscript blocks upgrade

[Xavier Guimard]

Package: libjs-bootstrap4
Version: 4.5.2+dfsg1-3
Severity: serious

Version 4.5.2+dfsg1-2 transform /usr/share/javascript/bootstrap4 from
symlink to dir without any maintscript. This break updates.

Bug#977735: buster-pu: package node-ini/1.3.5-1+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-ini is vulnearable to CVE-2020-7788: if an attacker submits a malicious
INI file to an application that parses it with ini.parse, they will pollute
the prototype on the application. This can be exploited further depending
on the context. (#977718)

[ Impact ]
Little vulnerability

[ Tests ]
Patch includes a test

[ Risks ]
Change just adds 2 checks, No risk.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
2 checks to avoid prototype pollution
diff --git a/debian/changelog b/debian/changelog
index 4d4fc30..a153918 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-ini (1.3.5-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Do not allow invalid hazardous string as section name
+(Closes: #977718, CVE-2020-7788)
+
+ -- Xavier Guimard   Sat, 19 Dec 2020 20:48:36 +0100
+
 node-ini (1.3.5-1) unstable; urgency=medium
 
   * Team Upload
diff --git a/debian/patches/CVE-2020-7788.patch 
b/debian/patches/CVE-2020-7788.patch
new file mode 100644
index 000..54f5bbe
--- /dev/null
+++ b/debian/patches/CVE-2020-7788.patch
@@ -0,0 +1,87 @@
+Description: do not allow invalid hazardous string as section name
+Author: isaacs 
+Bug: https://snyk.io/vuln/SNYK-JS-INI-1048974
+Bug-Debian: https://bugs.debian.org/977718
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-12-19
+
+--- a/ini.js
 b/ini.js
+@@ -80,6 +80,12 @@
+ if (!match) return
+ if (match[1] !== undefined) {
+   section = unsafe(match[1])
++  if (section === '__proto__') {
++// not allowed
++// keep parsing the section, but don't attach it.
++p = {}
++return
++  }
+   p = out[section] = out[section] || {}
+   return
+ }
+@@ -94,6 +100,7 @@
+ // Convert keys with '[]' suffix to an array
+ if (key.length > 2 && key.slice(-2) === '[]') {
+   key = key.substring(0, key.length - 2)
++  if (key === '__proto__') return
+   if (!p[key]) {
+ p[key] = []
+   } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@
+ var l = parts.pop()
+ var nl = l.replace(/\\\./g, '.')
+ parts.forEach(function (part, _, __) {
++  if (part === '__proto__') return
+   if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+   p = p[part]
+ })
+--- /dev/null
 b/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++  foo: 'baz',
++  other: {
++foo: 'asdf',
++  },
++  kid: {
++foo: {
++  foo: 'kid',
++},
++  },
++  arrproto: {
++hello: 'snyk',
++thanks: true,
++  },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..c281569
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7788.patch

Bug#977712: RM: node-jsv -- ROM; Unmaintained and orphaned

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

node-jsv isn't maintained upstream for 8 years, useless and unmaintained
in Debian. It has no reverse dependencies and could be safely removed.

Bug#977710: libjs-milligram is not maintained by JS Team

[Xavier Guimard]

Package: libjs-milligram
Severity: serious
Tags: security

libjs-milligram is marked as maintained by JS Team, howeber uploader is
not member of this team and repository isn't under /js-team/ tree.

Bug#977677: FTBFS: dependency to node-babel-runtime >=7 isn't understood by deb tools

[Xavier Guimard]

Package: node-regenerator-transform
Version: 0.14.5-2
Severity: serious
Tags: ftbfs

Since 0.14.5-2, dependency to node-babel7 was replaced by a dependency to
node-babel-runtime (>= 7) which is provided by:
 * node-babel-runtime (src node-babel 6)
 * virtual node-babel-runtime provided by node-babel7

Debian tools ignore virtual package here and then don't succeed to
resolve node-babel-runtime (>= 7).

Either wait for node-babel7 split or revert that change.

Bug#977472: ITP: node-gyp-build -- Node.js build tool and bindings loader that supports prebuilds

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: node-gyp-build
  Version : 4.2.3
  Upstream Author : Mathias Buus 
* URL : https://github.com/prebuild/node-gyp-build
* License : Expat
  Programming Lang: Javascript
  Description : Node.js build tool and bindings loader that supports 
prebuilds

node-gyp-build works similar to "node-gyp build"  except that it will check
if a build or rebuild is present before rebuilding your project.

It's main intended use is as an npm install script and bindings loader for
native modules that bundle prebuilds using prebuildify.

This is a new dependency of node-websocket. It will be maintained under
JS Team umbrella.

Bug#977269: node-rollup-plugin-terser seems incompatible with current node-terser

[Xavier Guimard]

Package: node-rollup-plugin-terser
Version: 7.0.2-2
Severity: grave
Justification: renders package unusable

When trying current rollup-plugin-terser (7.0.2)  with current
node-terser (4.1.2), package is unuseable:

$ rollup -c

index.js → dist/pako.js, dist/pako.min.js...
[!] (plugin terser) Error: Cannot find module 
'/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/terser/dist/bundle.min.js'.
 Please verify that the package.json has a valid "main" entry
Error: Cannot find module 
'/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/terser/dist/bundle.min.js'.
 Please verify that the package.json has a valid "main" entry
at tryPackage (internal/modules/cjs/loader.js:315:19)
at Function.Module._findPath (internal/modules/cjs/loader.js:528:18)
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:818:27)
at Function.Module._load (internal/modules/cjs/loader.js:687:27)
at Module.require (internal/modules/cjs/loader.js:903:19)
at require (internal/modules/cjs/helpers.js:74:18)
at Object. 
(/home/xavier/dev/debian/src/pkg-js/packages/node-pako/node_modules/rollup-plugin-terser/transform.js:1:20)
at Module._compile (internal/modules/cjs/loader.js:1015:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1035:10)
at Module.load (internal/modules/cjs/loader.js:879:32)


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')

Kernel: Linux 5.9.0-4-amd64
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-rollup-plugin-terser depends on:
ii  node-babel77.12.9+~cs150.130.99-1
ii  node-jest-worker   26.6.3+repack+~cs61.38.31-2
ii  node-serialize-javascript  5.0.1-2
ii  node-terser4.1.2-7

node-rollup-plugin-terser recommends no packages.

node-rollup-plugin-terser suggests no packages.

-- no debconf information

Bug#976955: FTBFS: semver not found

[Xavier Guimard]

Package: ts-node
Version: 9.0.0-1
Severity: serious
Tags: ftbfs

Here is the relevant part of build log:

make[1]: Entering directory '/<>'
tsc
src/index.spec.ts(4,25): error TS2307: Cannot find module 'semver' or its 
corresponding type declarations.
make[1]: *** [debian/rules:7: override_dh_auto_build] Error 2

This can be fixed easily using dh-sequence-nodejs: set "semver" in
debian/nodejs/extlinks (workaround tsc path problems)

Bug#976839: node-istanbul: @types/istanbul-lib-instrument depends on deprecated babel-types

[Xavier Guimard]

Package: node-istanbul
Version: 0.4.5+ds+~cs53.14.45-1
Severity: important

babel-types should be replaced by @babel/types

Bug#976713: RM: node-formatio -- ROM; Useless and unmaintained upstream

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

node-formatio isn't maintained upstream [1]: it has been replaced by
@sinonjs/formatio which is included in node-sinon. No package depend on
it, so I think it should be removed from Debian archive.

Cheers,
Xavier

[1]: https://www.npmjs.com/package/formatio

Bug#976392: buster-pu: package node-y18n/3.2.1-2+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-y18n is vulnerable to prototype pollution

[ Impact ]
Little security risk

[ Tests ]
Test added in autopkgtest, and verified: fails without patch, succeeds
with patch

[ Risks ]
Low risk, upstream test + CVE test shows that all works

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a little change in variable initialization

Note: package already uploaded

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 72257ee..d969c10 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-y18n (3.2.1-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Fix prototype pollution (Closes: #976390, CVE-2020-7774)
+
+ -- Xavier Guimard   Fri, 04 Dec 2020 15:41:08 +0100
+
 node-y18n (3.2.1-2) unstable; urgency=medium
 
   * Enable tests 
diff --git a/debian/patches/CVE-2020-7774.patch 
b/debian/patches/CVE-2020-7774.patch
new file mode 100644
index 000..2e292c1
--- /dev/null
+++ b/debian/patches/CVE-2020-7774.patch
@@ -0,0 +1,20 @@
+Description: fix for CVE-2020-7774
+Author: bcoe 
+Origin: upstream, bcoe 
+Bug: https://github.com/yargs/y18n/issues/96
+Bug-Debian: https://bugs.debian.org/976390
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-12-04
+
+--- a/index.js
 b/index.js
+@@ -11,7 +11,7 @@
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? 
opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
++  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..7d69b10
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7774.patch
diff --git a/debian/tests/CVE-2020-7774-check b/debian/tests/CVE-2020-7774-check
new file mode 100755
index 000..8b5ff40
--- /dev/null
+++ b/debian/tests/CVE-2020-7774-check
@@ -0,0 +1,14 @@
+#!/usr/bin/nodejs
+
+const y18n = require('y18n')();
+//var polluted;
+y18n.setLocale('__proto__');
+y18n.updateLocale({polluted: true});
+try {
+if(polluted) console.error('Vulnerable to CVE-2020-7774');
+process.exit(polluted);
+}
+catch(e) {
+console.log('Not vulnerable to CVE-2020-7774');
+process.exit(0);
+}
diff --git a/debian/tests/control b/debian/tests/control
index 57de701..b19a2bc 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,4 +1,4 @@
-Tests: require
+Tests: require, CVE-2020-7774-check
 Depends: node-y18n
 
 Test-Command: mocha -R spec

Bug#976262: RM: node-htmlparser -- ROM; Useless and deprecated

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-htmlparser has been deprecated in favor of node-htmlparser2. It is
no more maintained upstream and here and has no reverse dependencies.

Cheers,
Xavier

Bug#976197: RM: node-databank -- ROM; Unmaintained and useless

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-databank is unmaintained in Debian for a while and useless: no
reverse dependency, popcon ~0,...

I think it should be removed from Debian.

Cheers,
Xavier

Bug#976186: node-backbone: Please provides typescript definition

[Xavier Guimard]

Package: node-backbone
Version: 1.3.3~dfsg-5
Severity: important

node-typescript-types is deprecated, please embed @types/backbone in
node-backbone.

Bug#975952: RM: node-libnpx -- ROM; No more used, npx is provided by npm

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

npx is provided by npm, this old library is:
 * no more used in Debian
 * orphaned upstream (npm integrated it directly)

I thinks it should be removed from Debian.

Cheers,
Xavier

Bug#975942: RM: node-cross-spawn -- ROM; unneeded for Debian, does risky path mangling

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

following #958403, node-cross-spawn does risky path mangling and should
be rremoved from Debian.

Cheers,
Xavier

Bug#975877: libjs-sizzle: Please embed typescript definitions

[Xavier Guimard]

Package: libjs-sizzle
Version: 1.10.18-1
Severity: important
Tags: patch ftbfs

Hi,

following #974218 discussion, node-typescript-types no more embeds
@types/sizzle, please embed it in libjs-sizzle.

A proposal package is ready in https://salsa.debian/org/js-team/sizzle,
it fixes this and the 2 other bugs:
 * #751606 [n|P|  ] [libjs-sizzle] libjs-sizzle: Embedded copy of "RequireJS 
text"
 * #892834 [n|P|♔] [libjs-sizzle] libjs-sizzle: Please package new version 2.3.3

Cheers,
Xavier

Note: JS Team can take maintenance if you want.

Bug#975508: ITP: node-yaml -- Nodejs parser and stringifier for YAML standard

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-yaml
  Version : 1.10.0
  Upstream Author : Eemeli Aro 
* URL : https://github.com/eemeli/yaml
* License : ISC
  Programming Lang: JavaScript
  Description : Nodejs parser and stringifier for YAML standard

yaml is a JavaScript parser and stringifier for YAML, a human friendly data
serialization standard. It supports both parsing and stringifying data using
all versions of YAML, along with all common data schemas. As a particularly
distinguishing feature, yaml fully supports reading and writing comments and
blank lines in YAML documents.

This is a (optional) dependency of many packages like npm,
node-coffee-loader, node-tap,... It's not easy to replace it by
node-js-yaml since API and behavior are really different.

node-yaml will be maintained under JS Team umbrella

Bug#975405: wabt: Please build wabt.js

[Xavier Guimard]

Package: wabt
Version: 1.0.20-1
Severity: important
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

wabt.js upstream repository is a minified file built from wabt. This
package is a reverse dependency of many packages in Debian (via webpack,
webassembly, jest,...). Without it, those packages works but some
features are missing.

You can either build the full nodejs package or simply wabt.js (and then
I'll create node-wabt.js with a link to your files.

I posted a question to know which target corresponds to this build (see
https://github.com/AssemblyScript/wabt.js/issues/20).

Cheers,
Xavier

Bug#975009: node-schema-utils breacking change

[Xavier Guimard]

Package: node-schema-utils
Version: 2.6.6-1
Severity: serious

node-schema-utils API changed: `require("schema-utils")` becomes
`require("schema-utils").validate`

Bug#974906: RM: node-minimalistic-assert -- ROM; Useless and too small package

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi ftpmasters,

node-minimalistic-assert is a very small package, unused in Debian and
never migrates to testing (#860483: too small package).
I think this package should be removed from Debian.

Cheers,
Xavier

Bug#974670: lintian-brush: "Re-export upstream signing key without extra signatures" is not optimal

[Xavier Guimard]

Package: lintian-brush
Version: 0.86
Severity: normal

Hi,

when launching lintian-brush in apache2 source directories, it says that
upstream signing key were optimized but I still have:

  public-upstream-key-not-minimal upstream/signing-key.asc has 2 extra 
signature(s) for keyid 193F180AB55D9977
  public-upstream-key-not-minimal upstream/signing-key.asc has 283 extra 
signature(s) for keyid 7D6DBFD1F08E012A
  public-upstream-key-not-minimal upstream/signing-key.asc has 63 extra 
signature(s) for keyid 8B3A601F08C975E5

Cheers and thanks for this tool !

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian-brush depends on:
ii  devscripts   2.20.4
ii  python3  3.8.6-1
ii  python3-breezy   3.1.0-6
ii  python3-debian   0.1.38
ii  python3-debmutate0.14
ii  python3-distro-info  0.24
ii  python3-dulwich  0.20.2-1
ii  python3-iniparse 0.4-3
ii  python3-ruamel.yaml  0.16.12-2

Versions of packages lintian-brush recommends:
ii  decopy   0.2.4.4-0.1
ii  dos2unix 7.4.1-1
ii  gpg  2.2.20-1
ii  libdebhelper-perl13.2.1
ii  lintian  2.101.0
ii  python3-asyncpg  0.21.0-1+b1
ii  python3-bs4  4.9.3-1
ii  python3-levenshtein  0.12.0-5+b2
ii  python3-pyinotify0.9.6-1.3
ii  python3-toml 0.10.1-1

Versions of packages lintian-brush suggests:
pn  breezy-debian  
pn  gnome-pkg-tools
ii  po-debconf 1.0.21
ii  postgresql-common  221

-- no debconf information

Bug#974587: node-uuid: Bad "exports" field?

[Xavier Guimard]

Package: node-uuid
Version: 8.2.0-1
Severity: important

Hi,

node-uuid breaks dependent package with error like:

  Package subpath './v1' is not defined by "exports" in 
/usr/share/nodejs/uuid/package.json

(same error with any of v{1,2,3,4}.js)

Cheers,
Xavier

Bug#974218: node-requirejs: Please embed typescript definitions

[Xavier Guimard]

Package: node-requirejs
Version: 2.3.6-2
Severity: important
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

Hi,

to avoid version conflicts, JS team decided to remove typescript
definitions (node-typescript-types) and embed them directly in the
relevant packages.

node-requirejs isn't under JS Team umbrella, so we can't do it for
@types/requirejs. But we need to synchronize this work (needs to
repack node-typescript-types and add a "Breaks" in your package).
Could you do it or give us its maintenance?

Adding such types is easy with pkg-js-tools:

 $ add-node-component @types/requirejs

If your package uses pkg-js-tools auto installer, don't forget to add
this:

 $ mkdir debian/nodejs
 $ echo '*' >debian/nodejs/root_modules

Cheers,
Xavier

Bug#974191: RM: node-crypto-cacerts -- ROM; Useless and unmaintained

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-crypto-cacerts is:
 * very small (should be embedded)
 * unmaintained upstream (only one commit 5 years ago)
 * useless in Debian

So I think it should be removed from Debian.

Cheers,
Xavier

Bug#974190: RM: node-capture-stream -- ROM; Useless and unmaintained

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-capture-stream is:
 * very small (should be embedded)
 * unmaintained upstream (no commit for 5 years)
 * useless in Debian

So I think it should be removed from Debian.

Cheers,
Xavier

Bug#974189: RM: node-array-series -- ROM; Useless and unmaintained

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-array-series is:
 * very small (should be embedded)
 * unmaintained upstream (no commit for 7 years
 * useless in Debian

So I think it should be removed from Debian.

Cheers,
Xavier

Bug#974188: RM: node-array-parallel -- ROM; Useless and orphaned

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-array-parallel is:
 * very small (should be embedded)
 * unmaintained upstream (no changes for 6 years)
 * useless in Debian

So I think it should be removed from Debian.

Cheers,
Xavier

Bug#974187: RM: node-absolute-path -- ROM; Useless and unmaintained upstream

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-absolute-path is:
 * very small (should be embedded)
 * unmaintained upstream (only one commit 7 years ago)
 * useless in Debian

So I think it should be removed from Debian.

Cheers,
Xavier

Bug#974064: node-client-sessions: Remove dependency to (deprecated) node-request

[Xavier Guimard]

Package: node-client-sessions
Version: 0.8.0-2
Severity: serious
Tags: ftbfs upstream

Hi,

node-request won't be part of bullseye, please patch
node-client-sessions to replace node-request by another library
(node-got, node-fetch, node-axios,...).

Bug#973975: ITP: node-prompts -- Nodejs lightweight, beautiful and user-friendly interactive prompts

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-prompts
  Version : 2.4.0
  Upstream Author : Terkel Gjervig Nielsen 
* URL : https://github.com/terkelg/prompts
* License : Expat
  Programming Lang: JavaScript
  Description : Nodejs lightweight, beautiful and user-friendly interactive 
prompts

prompts permits to easy use cli prompts to enquire users for information:
 * User friendly: prompt uses layout and colors to create beautiful cli
  interfaces.
 * Promised: uses promises and `async`/`await`. No callback hell.
 * Flexible: all prompts are independent and can be used on their own.
 * Testable: provides a way to submit answers programmatically.
 * Unified: consistent experience across all [prompts](#-types).

node-prompts is a dependency of node-jest, needed to fix this package (2
RC bugs)

Bug#973954: ITP: node-sane -- Nodejs fast, small, and reliable file system watcher

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sane
  Version : 4.1.0
  Upstream Author : Amjad Masad 
* URL : https://github.com/amasad/sane
* License : Expat
  Programming Lang: JavaScript
  Description : Nodejs fast, small, and reliable file system watcher

Sane aims to be fast, small, and reliable file system watcher. It does
that by:
* By default stays away from fs polling because it's very slow and cpu
  intensive
* Uses `fs.watch` by default and sensibly works around the various issues
* Maintains a consistent API across different platforms
* Where `fs.watch` is not reliable you have the choice of using the following
  alternatives:
  * the facebook watchman library (embedded)
  * the watchexec library (embedded)
  * polling

This package is required to update node-jest: a powerful and widely used
JavaScript test framework.

Bug#973946: ITP: node-emittery -- Nodejs simple and modern async event emitter

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-emittery
  Version : 0.7.2
  Upstream Author : Sindre Sorhus 
* URL : https://github.com/sindresorhus/emittery
* License : Expat
  Programming Lang: JavaScript
  Description : Nodejs and browser simple and modern async event emitter

Emitting events asynchronously is important for production code where you
want the least amount of synchronous operations. Since JavaScript is
single-threaded, no other code can run while doing synchronous operations.
For Node.js, that means it will block other requests, defeating the strength
of the platform, which is scalability through async. In the browser, a
synchronous operation could potentially cause lags and block user interaction.

emittery solves this providing a simple but powerful API.

This package is a dependency of new node-jest. I think it should not be
embedded since it's too big.

Cheers,
Xavier

Bug#973913: RM: eyes.js -- ROM; Orphaned upstream

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@alioth-lists.debian.net

Hi,

eyes.js is no longer maintained upstream. I patched its reverse
dependency (vows) to remove this link. No eyes.js can be safely removed
from Debian.

This removal has been discussed in RC-bug #961507

Cheers,
Xavier

Bug#973814: uscan: add "compat" target to download a compatible component

[Xavier Guimard]

Package: devscripts
Version: 2.20.4
Severity: wishlist
Control: user -1 devscri...@packages.debian.org
Control: usertags -1 uscan

uscan offers some target for components: ignore, same,... "same" is
strict and matches only the exact same version, while "ignore" doesn't
check anything.
It could be interesting to have a "compat" target that accept to
download the last component whose version is compatible (using Semver).
Example: nodejs needs to embed a compatible @types/node nodejs module.
Nodejs unstable version is 12 and @types/node does not follow any minor
version of nodejs, so:
 * "same" will often fail
 * "ignore" will download @types/node version ≥ 14, corresponding to
   last published version

The "compat" target (with group-compat and checksum-compat) will avoid
to modify debian/watch regexp.

Bug#973702: licensecheck should read "license" field from package.json files

[Xavier Guimard]

Package: licensecheck
Version: 3.0.47-1
Severity: minor

Hi,

when launching licensecheck in a nodejs module, I'd like to see
licensecheck reveals which license is used in package.json

Cheers,
Xavier

Bug#973696: ITP: node-source-map-resolve -- Node module to resolve source map and/or sources for a generated file

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: node-source-map-resolve
  Version : 0.6.0
  Upstream Author : Simon Lydell
* URL : https://github.com/lydell/source-map-resolve
* License : Expat
  Programming Lang: JavaScript
  Description : Node module to resolve source map and/or sources for a 
generated file

source-map-resolve resolves the source map for a given generated file by
looking for a sourceMappingURL comment. The spec defines yet a way to
provide the URL to the source map: by sending the `SourceMap: ` header
along with the generated file.

This module is currently embedded in node-css and is a dependency of
future node-rollup-plugin-sourcemap. It's also a dependency of many
other node modules, including some react plugins (see [1]).

If this module is accepted, node-css will be repackaged to no more
include source-map-resolve, decode-uri-component and atob.

[1]: https://www.npmjs.com/package/source-map-resolve

Bug#973470: ftp.debian.org: dak rejects unstable uploads

[Xavier Guimard]

Package: ftp.debian.org
Severity: grave
Justification: renders package unusable
User: ftp.debian@packages.debian.org
Usertags: dak

Today dak rejected 4 of my uploads with:

  Processing raised an exception: a bytes-like object is required, not 'str'.
  Traceback (most recent call last):
File "/srv/ftp-master.debian.org/dak/daklib/archive.py", line 1037, in check
  chk().check(self)
File "/srv/ftp-master.debian.org/dak/daklib/checks.py", line 938, in check
  rejects = list(lintian.generate_reject_messages(parsed_tags, lintiantags))
File "/srv/ftp-master.debian.org/dak/daklib/lintian.py", line 88, in 
generate_reject_messages
  for tag in parsed_tags:
File "/srv/ftp-master.debian.org/dak/daklib/lintian.py", line 65, in 
parse_lintian_output
  for line in output.split('\n'):
  TypeError: a bytes-like object is required, not 'str'

Bug#973429: autopkgtest: Update Architecture field to permit to set "flaky" to a specified arch

[Xavier Guimard]

Package: autopkgtest
Version: 5.15
Severity: wishlist

Hi,

thanks for the new "Architecture" field. I'd like to propose an
improvment. node-millstone test randomly fails on i386 arch (it's a
arch=all package). For now, I disabled i386 autopkgtest, but I'd like to
have a autopkgtest feature that allows to set "flaky" to this arch.
Something like:

  Tests: test
  Restrictions: flaky(i386)

or

  Tests: test
  Restrictions-i386: flaky

or

  Tests: test
  Architecture: amd64, armhf, arm64, i386=flaky

Cheers,
Xavier

Bug#973342: buster-pu: package libdbi-perl/1.642-1+deb10u2

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-p...@lists.debian.org

[ Reason ]
libdbi-perl is still vulnerable to CVE-2014-10401: DBD::File drivers can
open files from folders other than those specifically passed via the f_dir
attribute.

[ Impact ]
Moderate vulnerability

[ Tests ]
Upstream test related to this issue is included in this patch

[ Risks ]
Low risk, patch is simple and test is provided

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a better check of user's arguments
diff --git a/debian/changelog b/debian/changelog
index 3ea2f5e..33cbebf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libdbi-perl (1.642-1+deb10u2) buster; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * t/51dbm_file.t: add test from RT#99508
+  * lib/DBD/File.pm: fix CVE-2014-10401 (Closes: #972180)
+
+ -- Xavier Guimard   Thu, 29 Oct 2020 07:35:08 +0100
+
 libdbi-perl (1.642-1+deb10u1) buster; urgency=medium
 
   * Fix memory corruption in XS functions when Perl stack is reallocated
diff --git a/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch 
b/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch
new file mode 100644
index 000..178349f
--- /dev/null
+++ b/debian/patches/lib-DBD-File.pm-fix-CVE-2014-10401.patch
@@ -0,0 +1,43 @@
+From: Jens Rehsack 
+Date: Tue, 6 Oct 2020 10:22:17 +0200
+Subject: [2/2] lib/DBD/File.pm: fix CVE-2014-10401
+Origin: 
https://github.com/perl5-dbi/dbi/commit/19d0fb169eed475e1c053e99036b8668625cfa94
+Bug: https://github.com/perl5-dbi/dbi/pull/93
+Bug-Debian: https://bugs.debian.org/972180
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-10402
+
+Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
+figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
+DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
+parse_dsn to bailout.
+
+Parsing on our own similar to parse_dsn shows the way out.
+
+Signed-off-by: Jens Rehsack 
+---
+ lib/DBD/File.pm | 7 +--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/lib/DBD/File.pm
 b/lib/DBD/File.pm
+@@ -109,7 +109,11 @@
+ # We do not (yet) care about conflicting attributes here
+ # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => 
"text" });
+ # will test here that both test and text should exist
+-if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
++#
++# Parsing on our own similar to parse_dsn to find attributes in 'dbname' 
parameter.
++if ($dbname) {
++  my @attrs = split /;/ => $dbname;
++  my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
+   if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
+   my $msg = "No such directory '$attr_hash->{f_dir}";
+   $drh->set_err (2, $msg);
+@@ -120,7 +124,6 @@
+ if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
+   my $msg = "No such directory '$attr->{f_dir}";
+   $drh->set_err (2, $msg);
+-  $attr->{RaiseError} and croak $msg;
+   return;
+   }
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 1b64514..f2bb032 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,5 @@ spelling.patch
 CVE-2020-14392.patch
 CVE-2020-14393.patch
 CVE-2019-20919.patch
+t-51dbm_file.t-add-test-from-RT-99508.patch
+lib-DBD-File.pm-fix-CVE-2014-10401.patch
diff --git a/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch 
b/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch
new file mode 100644
index 000..a1a1085
--- /dev/null
+++ b/debian/patches/t-51dbm_file.t-add-test-from-RT-99508.patch
@@ -0,0 +1,55 @@
+From: Jens Rehsack 
+Date: Tue, 6 Oct 2020 08:23:55 +0200
+Subject: [1/2] t/51dbm_file.t: add test from RT#99508
+Origin: 
https://github.com/perl5-dbi/dbi/commit/27b10b5c3aacabc091046beaba478e671bb6111c
+Bug: https://github.com/perl5-dbi/dbi/pull/93
+Bug-Debian: https://bugs.debian.org/972180
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2014-10402
+
+Add test with f_dir="something-not-existing" as reported in RT#99508
+to verify when it's fixed for real.
+
+Signed-off-by: Jens Rehsack 
+---
+ t/51dbm_file.t | 23 +++
+ 1 file changed, 23 insertions(+)
+
+--- a/t/51dbm_file.t
 b/t/51dbm_file.t
+@@ -15,6 +15,27 @@
+ 
+ do "./t/lib.pl";
+ 
++{
++# test issue reported in RT#99508
++my @msg;
++eval {
++  local $SIG{__DIE__} = sub { push @msg, @_ };
++  my $dbh = DBI->connect 
(&

Bug#972932: node-eslint-scope: Please embed @types/eslint-scope

[Xavier Guimard]

Package: node-eslint-scope
Version: 5.0.0-2
Severity: important

Hi,

@types/eslint-scope is required at least to upgrade webpak. Please embed
it.

Cheers,
Xavier

Bug#972931: eslint: Please embed @types/eslint

[Xavier Guimard]

Package: eslint
Version: 5.16.0~dfsg-7
Severity: important

Hi,

@types/eslint is required at least to update webpack. Please embed it.

Cheers,
Xavier

Bug#972903: buster-pu: package node-pathval/1.1.0-3+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-pathval is vulnerable to a prototype pollution (CVE-2020-7751,
#972895)

[ Impact ]
Little security risk

[ Tests ]
The same patch is applied to debian/sid (same version) and tests are
enabled (and succeeds of course)

[ Risks ]
No risk, patch just adds a check

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just one check
diff --git a/debian/changelog b/debian/changelog
index 91b3ad0..05749be 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-pathval (1.1.0-3+deb10u1) buster; urgency=medium
+
+  * Fix prototype pollution (Closes: #972895, CVE-2020-7751)
+
+ -- Xavier Guimard   Mon, 26 Oct 2020 04:44:16 +0100
+
 node-pathval (1.1.0-3) unstable; urgency=medium
 
   * Point d/watch to /releases instead of /tags.
diff --git a/debian/patches/CVE-2020-7751.diff 
b/debian/patches/CVE-2020-7751.diff
new file mode 100644
index 000..7d1ed9a
--- /dev/null
+++ b/debian/patches/CVE-2020-7751.diff
@@ -0,0 +1,21 @@
+Description: fix prototype pollution
+Author: Adam Gold 
+Origin: upstream, https://github.com/chaijs/pathval/commit/21a9046
+Bug: https://snyk.io/vuln/SNYK-JS-PATHVAL-596926
+Bug-Debian: https://bugs.debian.org/972895
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-10-25
+
+--- a/index.js
 b/index.js
+@@ -76,6 +76,9 @@
+   var str = path.replace(/([^\\])\[/g, '$1.[');
+   var parts = str.match(/(\\\.|[^.]+?)+/g);
+   return parts.map(function mapMatches(value) {
++if (value === "constructor" || value === "__proto__" || value === 
"prototype") {
++  return {}
++}
+ var regexp = /^\[(\d+)\]$/;
+ var mArr = regexp.exec(value);
+ var parsed = null;
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..2c7bbd9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2020-7751.diff

Bug#972694: buster-pu: package node-object-path/0.11.4-2+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-object-path is vulnerable to a prototype pollution (CVE-2020-15256)

[ Impact ]
Little prototype vulnerability available

[ Tests ]
Upstream test change seems to big to be included here (see link in
patch).

[ Risks ]
Low risk, patch just adds a check on prototype

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just a new security check
diff --git a/debian/changelog b/debian/changelog
index f85777e..da6bfd9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-object-path (0.11.4-2+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Fix prototype pollution in set() (Closes: CVE-2020-15256)
+
+ -- Xavier Guimard   Thu, 22 Oct 2020 18:38:10 +0200
+
 node-object-path (0.11.4-2) unstable; urgency=medium
 
   * Update Vcs fields for migration to https://salsa.debian.org/
diff --git a/debian/patches/CVE-2020-15256.diff 
b/debian/patches/CVE-2020-15256.diff
new file mode 100644
index 000..97ee479
--- /dev/null
+++ b/debian/patches/CVE-2020-15256.diff
@@ -0,0 +1,21 @@
+Description: Fix prototype pollution in set()
+Author: Mario Casciaro 
+Origin: upstream, https://github.com/mariocasciaro/object-path/commit/2be3354c6
+Bug: 
https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-10-22
+
+--- a/index.js
 b/index.js
+@@ -105,6 +105,10 @@
+   }
+   var currentPath = path[0];
+   var currentValue = getShallowProperty(obj, currentPath);
++  if (options.includeInheritedProps && (currentPath === '__proto__' ||
++(currentPath === 'constructor' && typeof currentValue === 
'function'))) {
++throw new Error('For security reasons, object\'s magic properties 
cannot be set')
++  }
+   if (path.length === 1) {
+ if (currentValue === void 0 || !doNotReplace) {
+   obj[currentPath] = value;
diff --git a/debian/patches/series b/debian/patches/series
index f99effd..f80fc45 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 port-to-chai4.patch
+CVE-2020-15256.diff

Bug#972614: lintian: False positive: package-does-not-install-examples debian/examples

[Xavier Guimard]

Package: lintian
Version: 2.98.0
Severity: normal

Hi all,

last lintian shows a strange false positive info:

  package-does-not-install-examples debian/examples

Cheers,
Xavier

Bug#972575: npm2deb should search node modules in virtual packages

[Xavier Guimard]

Package: npm2deb
Version: 0.3.0-5
Severity: important

npm2deb currently uses salsa repository to know if a package already
exists or not. This is a bad way because:
 * some node packages are not under pkg-js umbrella (node-almond,...)
 * lintian warns when a package does not declare its modules installed
   in nodejs root directories
 * some packages exists in js-team repo while they've been removed from
   archive

Then I think we should switch to (virtual) package search.

Cheers,
Xavier

Bug#972570: node-lightgallery is built using minified files

[Xavier Guimard]

Package: node-lightgallery
Version: 1.6.11+dfsg-1
Severity: serious
Justification: 4

Hi,

debian/source/lintian-overrides overwrites some real problems: the
"concat" part of Gulpfile uses modules/* files which are all obfuscated
using minification (downloaded from distinct sources).
A possible solution could be to ignore modules/* files during import and
add related components using uscan components (with a build).

Bug#972414: node-pruddy-error: Please enable test

[Xavier Guimard]

Package: node-pruddy-error
Version: 2.0.2-1
Severity: important
Tags: patch

Hi,

test is not enabled in this package, while it is easy to enable it:
 * `echo mocha >debian/tests/pkg-js/test`
 * install "assume" and "fn.name" in debian/tests/test_modules
   and update debian/copyright
 * update build dependencies:
   mocha , node-deep-eql , node-is-node ,
   node-object-inspect , node-pathval 
 * fix test using a little patch:

   --- a/test.js
   +++ b/test.js
   @@ -45,7 +45,7 @@
  pruddy(fixture, {
read: function read(data) {
  assume(data).is.a('object');
   -  assume(data.filename).contains('pruddy-error/test.js');
   +  //assume(data.filename).contains('pruddy-error/test.js');
  assume(data.line).equals(5);
  assume(data.col).equals(19);

Bug#971833: node-babel7 should depends on node-regenerator-runtime

[Xavier Guimard]

Package: node-babel7
Version: 7.11.6+~cs65.71.39-1
Severity: normal

This is required by @babel/runtime/regenerator/index.js

Bug#971785: libconfig-model-dpkg-perl: cme should accept "needs-internet" autopkgtest restriction

[Xavier Guimard]

Package: libconfig-model-dpkg-perl
Version: 2.139
Severity: normal

All is in the subject ;-)

Cheers,
Xavier

Bug#971784: libconfig-model-dpkg-perl: cme should not warn on "unknown dh-sequence-nodejs package"

[Xavier Guimard]

Package: libconfig-model-dpkg-perl
Version: 2.139
Severity: minor

Hi,

Since all dh-sequence-* build dependencies are virtual packages, cme
should ignore related warnings.

Cheers,
Xavier

Bug#971656: lintian: dh_addons should accept dh-sequence-nodejs as a replacement for pkg-js-tools

[Xavier Guimard]

Package: lintian
Version: 2.97.0
Severity: normal
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

When building nodejs packages, using dh-sequence-nodejs, lintian
reports:

  E: node-rollup-plugin-typescript source: 
missing-build-dependency-for-dh-addon nodejs => pkg-js-tools

This is a false positive since dh-sequence-* are some aliases which
automatic "dh --with foo".

Cheers,
Xavier

Bug#971519: node-locate-character: Rebuild from sources

[Xavier Guimard]

Package: node-locate-character
Version: 2.0.5-1
Severity: serious
Justification: source-is-missing

2.0.5 is packaged from npm registry temporarily to be able to build
rollup 2. Upstream didn't push 2.0.5 source in git repo (last github
release/HEAD is 2.0.1), then 2.0.5 was packaged from npm registry instead.

This bug is a reminder to avoid having 2.0.5-1 pushed outside
experimental

Bug#970651: rollup: Unable to build with current tsc

[Xavier Guimard]

Package: rollup
Version: 1.12.0-2
Severity: serious
Tags: ftbfs
Justification: Policy 7.7.7

node-rollup 1.12.0 can't be build with current typescript (4.0.2). It
requires tsc 3.4.5 (tested with success). Output:

$ tsc --esModuleInterop
src/ModuleLoader.ts:59:3 - error TS2322: Type '(id: string) => boolean' is not 
assignable to type '(id: string, ...args: T) => boolean'.
  Types of parameters 'id' and 'id' are incompatible.
Type '[id: string, ...args: T]' is not assignable to type '[id: string]'.
  Source has 2 element(s) but target allows only 1.

59  return id => ids.has(id);
~

Bug#970506: ITP: node-deepmerge -- Node.js module to merge properties of two objects deeply

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org

* Package name: node-deepmerge
  Version : 4.2.2
  Upstream Author : Josh Duff 
* URL : https://github.com/TehShrike/deepmerge
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js module to merge properties of two objects deeply

deepmerge is a node.js module written to deep (recursive) merge Javascript
objects.

It is required to update node-rollup-plugin* packages, especially
node-rollup-node-resolve.

Bug#970307: buster-pu: package node-mysql/2.16.0-1+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-mysql is vulnerable to CVE-2019-14939 (#934712)

[ Impact ]
Default "LOAD DATA LOCAL INFILE" is too permissive

[ Tests ]
Sadly tests were not enabled in buster

[ Risks ]
Patch is exactly upstream one, seems low risky (it just adds a new
option)

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Add a `localInfile` option that permits to change default LOCAL_FILES
flag
diff --git a/debian/changelog b/debian/changelog
index 8717915..a67cec7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-mysql (2.16.0-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Add localInfile option to control LOAD DATA LOCAL INFILE
+(Closes: #934712, CVE-2019-14939)
+
+ -- Xavier Guimard   Mon, 14 Sep 2020 15:57:57 +0200
+
 node-mysql (2.16.0-1) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2019-14939.patch 
b/debian/patches/CVE-2019-14939.patch
new file mode 100644
index 000..8fe1dc7
--- /dev/null
+++ b/debian/patches/CVE-2019-14939.patch
@@ -0,0 +1,312 @@
+Description: Add localInfile option to control LOAD DATA LOCAL INFILE
+Author: Douglas Christopher Wilson 
+Origin: upstream, https://github.com/mysqljs/mysql/commit/337e87ae
+Bug: https://github.com/mysqljs/mysql/issues/2257
+Bug-Debian: https://bugs.debian.org/934712
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-09-14
+
+--- a/Readme.md
 b/Readme.md
+@@ -229,6 +229,7 @@
+ * `trace`: Generates stack traces on `Error` to include call site of library
+entrance ("long stack traces"). Slight performance penalty for most calls.
+(Default: `true`)
++* `localInfile`: Allow `LOAD DATA INFILE` to use the `LOCAL` modifier. 
(Default: `true`)
+ * `multipleStatements`: Allow multiple mysql statements per query. Be careful
+   with this, it could increase the scope of SQL injection attacks. (Default: 
`false`)
+ * `flags`: List of connection flags to use other than the default ones. It is
+@@ -1362,7 +1363,8 @@
+ - `FOUND_ROWS` - Send the found rows instead of the affected rows as 
`affectedRows`.
+ - `IGNORE_SIGPIPE` - Old; no effect.
+ - `IGNORE_SPACE` - Let the parser ignore spaces before the `(` in queries.
+-- `LOCAL_FILES` - Can use `LOAD DATA LOCAL`.
++- `LOCAL_FILES` - Can use `LOAD DATA LOCAL`. This flag is controlled by the 
connection
++  option `localInfile`. (Default on)
+ - `LONG_FLAG`
+ - `LONG_PASSWORD` - Use the improved version of Old Password Authentication.
+ - `MULTI_RESULTS` - Can handle multiple resultsets for COM_QUERY.
+--- a/lib/ConnectionConfig.js
 b/lib/ConnectionConfig.js
+@@ -33,6 +33,9 @@
+   this.ssl= (typeof options.ssl === 'string')
+ ? ConnectionConfig.getSSLProfile(options.ssl)
+ : (options.ssl || false);
++  this.localInfile= (options.localInfile === undefined)
++? true
++: options.localInfile;
+   this.multipleStatements = options.multipleStatements || false;
+   this.typeCast   = (options.typeCast === undefined)
+ ? true
+@@ -114,6 +117,11 @@
+ '+TRANSACTIONS'   // Expects status flags
+   ];
+ 
++  if (options && options.localInfile !== undefined && !options.localInfile) {
++// Disable LOCAL modifier for LOAD DATA INFILE
++defaultFlags.push('-LOCAL_FILES');
++  }
++
+   if (options && options.multipleStatements) {
+ // May send multiple statements per COM_QUERY and COM_STMT_PREPARE
+ defaultFlags.push('+MULTI_STATEMENTS');
+--- a/lib/protocol/packets/EmptyPacket.js
 b/lib/protocol/packets/EmptyPacket.js
+@@ -2,5 +2,8 @@
+ function EmptyPacket() {
+ }
+ 
++EmptyPacket.prototype.parse = function parse() {
++};
++
+ EmptyPacket.prototype.write = function write() {
+ };
+--- /dev/null
 b/lib/protocol/packets/LocalInfileRequestPacket.js
+@@ -0,0 +1,21 @@
++module.exports = LocalInfileRequestPacket;
++function LocalInfileRequestPacket(options) {
++  options = options || {};
++
++  this.filename = options.filename;
++}
++
++LocalInfileRequestPacket.prototype.parse = function parse(parser) {
++  if (parser.parseLengthCodedNumber() !== null) {
++var err  = new TypeError('Received invalid field length');
++err.code = 'PARSER_INVALID_FIELD_LENGTH';
++throw err;
++  }
++
++  this.filename = parser.parsePacketTerminatedString();
++};
++
++LocalInfileRequestPacket.prototype.write = function write(writer) {
++  writer.writeLengthCodedNumber(null);
++  writer.writeString(this.filename);
++};
+--- a/lib/protocol/packets/ResultSetHeaderPacket.js
 b/lib/protocol/packets/ResultSetHeaderPacket.js
+@@ -3,23 +3,12 @@
+   o

Bug#970096: buster-pu: package libdbi-perl/1.642-1+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: debian-p...@lists.debian.org

[ Reason ]
libdbi-perl is vulnerable to (low) security bug (CVE-2020-14392)

[ Impact ]
libdbi-perl may crash if an attacker can give a malformed login

[ Tests ]
No new test, current passed

[ Risks ]
This patch is very simple

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Returned values are more tested
diff --git a/debian/changelog b/debian/changelog
index d2e35cc..d0ad39a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libdbi-perl (1.642-1+deb10u1) buster; urgency=medium
+
+  * Fix memory corruption in XS functions when Perl stack is reallocated
+(Closes: CVE-2020-14392)
+
+ -- Xavier Guimard   Thu, 10 Sep 2020 10:04:13 +0200
+
 libdbi-perl (1.642-1) unstable; urgency=medium
 
   [ Xavier Guimard ]
diff --git a/debian/patches/CVE-2020-14392.patch 
b/debian/patches/CVE-2020-14392.patch
new file mode 100644
index 000..99c7a3e
--- /dev/null
+++ b/debian/patches/CVE-2020-14392.patch
@@ -0,0 +1,318 @@
+Description: Fix memory corruption in XS functions when Perl stack is 
reallocated
+ Macro ST(*) returns pointer to Perl stack. Other Perl functions which use
+ Perl stack (e.g. eval) may reallocate Perl stack and therefore pointer
+ returned by ST(*) macro is invalid.
+ .
+ Construction like this:
+ .
+ ST(0) = dbd_db_login6_sv(dbh, imp_dbh, dbname, username, password, attribs) ? 
&PL_sv_yes : &PL_sv_no;
+ .
+ where dbd_db_login6_sv() driver function calls eval may lead to
+ reallocating Perl stack and therefore invalidating ST(0) pointer.
+ So that construction would cause memory corruption as left part of
+ assignment is resolved prior executing dbd_db_login6_sv() function.
+ .
+ Correct way how to handle this problem: First call dbd_db_login6_sv()
+ function and then call ST(0) to retrieve stack pointer.
+ .
+ In this patch are fixes all occurrences of such constructions.
+ .
+ When running perl under valgrind I got memory corruption in DBD::ODBC
+ driver in that dbd_db_login6_sv() function due to above problem.
+Author: Pali 
+Origin: upstream, https://github.com/perl5-dbi/dbi/commit/ea99b6aa
+Bug: https://security-tracker.debian.org/tracker/CVE-2020-14392
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-09-10
+
+--- a/DBI.xs
 b/DBI.xs
+@@ -5252,9 +5252,12 @@
+ SV *col
+ SV *ref
+ SV *attribs
++PREINIT:
++SV *ret;
+ CODE:
+ DBD_ATTRIBS_CHECK("bind_col", sth, attribs);
+-ST(0) = boolSV(dbih_sth_bind_col(sth, col, ref, attribs));
++ret = boolSV(dbih_sth_bind_col(sth, col, ref, attribs));
++ST(0) = ret;
+ (void)cv;
+ 
+ 
+@@ -5492,21 +5495,27 @@
+ FETCH(h, keysv)
+ SV *h
+ SV *keysv
++PREINIT:
++SV *ret;
+ CODE:
+-ST(0) = dbih_get_attr_k(h, keysv, 0);
++ret = dbih_get_attr_k(h, keysv, 0);
++ST(0) = ret;
+ (void)cv;
+ 
+ void
+ DELETE(h, keysv)
+ SV *h
+ SV *keysv
++PREINIT:
++SV *ret;
+ CODE:
+ /* only private_* keys can be deleted, for others DELETE acts like FETCH 
*/
+ /* because the DBI internals rely on certain handle attributes existing  
*/
+ if (strnEQ(SvPV_nolen(keysv),"private_",8))
+-ST(0) = hv_delete_ent((HV*)SvRV(h), keysv, 0, 0);
++ret = hv_delete_ent((HV*)SvRV(h), keysv, 0, 0);
+ else
+-ST(0) = dbih_get_attr_k(h, keysv, 0);
++ret = dbih_get_attr_k(h, keysv, 0);
++ST(0) = ret;
+ (void)cv;
+ 
+ 
+--- a/Driver.xst
 b/Driver.xst
+@@ -60,7 +60,7 @@
+ #ifdef dbd_discon_all
+ 
+ # disconnect_all renamed and ALIAS'd to avoid length clash on VMS :-(
+-void
++bool
+ discon_all_(drh)
+ SV *drh
+ ALIAS:
+@@ -68,7 +68,9 @@
+ CODE:
+ D_imp_drh(drh);
+ PERL_UNUSED_VAR(ix);
+-ST(0) = dbd_discon_all(drh, imp_drh) ? &PL_sv_yes : &PL_sv_no;
++RETVAL = dbd_discon_all(drh, imp_drh);
++OUTPUT:
++RETVAL
+ 
+ #endif /* dbd_discon_all */
+ 
+@@ -102,7 +104,7 @@
+ MODULE = DBD::~DRIVER~PACKAGE = DBD::~DRIVER~::db
+ 
+ 
+-void
++bool
+ _login(dbh, dbname, username, password, attribs=Nullsv)
+ SV *dbh
+ SV *dbname
+@@ -118,14 +120,16 @@
+ char *p = (SvOK(password)) ? SvPV(password,lna) : (char*)"";
+ #endif
+ #ifdef dbd_db_login6_sv
+-ST(0) = dbd_db_login6_sv(dbh, imp_dbh, dbname, username, password, 
attribs) ? &PL_sv_yes : &PL_sv_no;
++RETVAL = dbd_db_login6_sv(dbh, imp_dbh, dbname, username, password, 
attribs);
+ #elif defined(dbd_db_login6)
+-ST(0) = dbd_db_login6(dbh, imp_dbh, SvPV_nolen(dbname), u, p, attribs) ? 
&PL_sv_yes : &PL_sv_no;
++RET

Bug#969719: lintian: Unable to override team/pkg-perl/testsuite/no-team-tests

[Xavier Guimard]

Package: lintian
Version: 2.93.0
Severity: normal

Hi,

I'm unable to override team/pkg-perl/testsuite/no-team-tests. When
adding

  source: team/pkg-perl/testsuite/no-team-tests autopkgtest

lintian report a `bad override` and when adding

  package source: team/pkg-perl/testsuite/no-team-tests autopkgtest

lintian just ignores this override and still displays the warning.

Cheers,
Xavier

Bug#969706: buster-pu: package grunt/1.0.1-8+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
grunt is vulnerable to a medium CVE (CVE-2020-7729, #969668)

[ Impact ]
The package grunt before 1.3.0 are vulnerable to Arbitrary Code
Execution due to the default usage of the function load() instead of
its secure replacement safeLoad() of the package js-yaml inside
grunt.file.readYAML.

[ Tests ]
Patch contains new upstream test. autopkgtest is OK

[ Risks ]
Low risk: the patch just adds some checks

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Upstream patch is imported without changes. It adds some checks during
YAML file read and a little test.

[ Other info ]
Thanks for your work!
diff --git a/debian/changelog b/debian/changelog
index eaf56cc..f15438c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+grunt (1.0.1-8+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Use `safeLoad` for loading YML files via `file.readYAML`
+(Closes: #969668, CVE-2020-7729)
+
+ -- Xavier Guimard   Sun, 06 Sep 2020 23:41:10 +0200
+
 grunt (1.0.1-8) unstable; urgency=medium
 
   [ Harish K ]
diff --git a/debian/patches/CVE-2020-7729.patch 
b/debian/patches/CVE-2020-7729.patch
new file mode 100644
index 000..64bed12
--- /dev/null
+++ b/debian/patches/CVE-2020-7729.patch
@@ -0,0 +1,53 @@
+Description: Switch to use `safeLoad` for loading YML files via 
`file.readYAML`.
+Author: Vlad Filippov 
+Origin: upstream, https://github.com/gruntjs/grunt/commit/e350cea1
+Bug: https://snyk.io/vuln/SNYK-JS-GRUNT-597546
+Bug-Debian: https://bugs.debian.org/969668
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-09-06
+
+--- a/lib/grunt/file.js
 b/lib/grunt/file.js
+@@ -252,12 +252,21 @@
+ };
+ 
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
++file.readYAML = function(filepath, options, yamlOptions) {
++  if (!options) { options = {}; }
++  if (!yamlOptions) { yamlOptions = {}; }
++
+   var src = file.read(filepath, options);
+   var result;
+   grunt.verbose.write('Parsing ' + filepath + '...');
+   try {
+-result = YAML.load(src);
++// use the recommended way of reading YAML files
++// https://github.com/nodeca/js-yaml#safeload-string---options-
++if (yamlOptions.unsafeLoad) {
++  result = YAML.load(src);
++} else {
++  result = YAML.safeLoad(src);
++}
+ grunt.verbose.ok();
+ return result;
+   } catch (e) {
+--- a/test/grunt/file_test.js
 b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@
+ test.done();
+   },
+   'readYAML': function(test) {
+-test.expect(3);
++test.expect(4);
+ var obj;
+ obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+-test.deepEqual(obj, this.object, 'file should be read as utf8 by default 
and parsed correctly.');
++test.deepEqual(obj, this.object, 'file should be safely read as utf8 by 
default and parsed correctly.');
++
++obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: 
true});
++test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by 
default and parsed correctly.');
+ 
+ obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 
'iso-8859-1'});
+ test.deepEqual(obj, this.object, 'file should be read using the specified 
encoding.');
diff --git a/debian/patches/series b/debian/patches/series
index fcd76bd..a874060 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 add-root-variable.patch
 reproducible-build.patch
 adapt-gruntfile.patch
+CVE-2020-7729.patch

Bug#969369: buster-pu: package node-elliptic/6.4.1_dfsg-1+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-elliptic allows ECDSA signature maleability via variations in
encoding, leading '\0' bytes, or integer overflows (CVE-2020-13822).

[ Impact ]
This could conceivably have a security-relevant impact if an application
relied on a single canonical signature.

[ Tests ]
No new test, however upstream tests are OK during build and autopkgtest

[ Risks ]
Upstream change is little (just some tests on inputs) and test coverage
seems good

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Just some checks on inputs
diff --git a/debian/changelog b/debian/changelog
index 74b516f..3bc7a59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-elliptic (6.4.1~dfsg-1+deb10u1) buster; urgency=medium
+
+  * Prevent malleability and overflows (Closes: CVE-2020-13822)
+
+ -- Xavier Guimard   Tue, 01 Sep 2020 13:24:44 +0200
+
 node-elliptic (6.4.1~dfsg-1) unstable; urgency=medium
 
   [ upstream ]
diff --git a/debian/patches/CVE-2020-13822.patch 
b/debian/patches/CVE-2020-13822.patch
new file mode 100644
index 000..179ecb9
--- /dev/null
+++ b/debian/patches/CVE-2020-13822.patch
@@ -0,0 +1,89 @@
+Description: signature: prevent malleability and overflows
+ CVE-2020-13822
+Author: Fedor Indutny 
+Origin: upstream, https://github.com/indutny/elliptic/commit/856fe4d9
+Bug: https://github.com/indutny/elliptic/issues/226
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-09-01
+
+--- a/lib/elliptic/ec/signature.js
 b/lib/elliptic/ec/signature.js
+@@ -33,11 +33,24 @@
+ return initial;
+   }
+   var octetLen = initial & 0xf;
++
++  // Indefinite length or overflow
++  if (octetLen === 0 || octetLen > 4) {
++return false;
++  }
++
+   var val = 0;
+   for (var i = 0, off = p.place; i < octetLen; i++, off++) {
+ val <<= 8;
+ val |= buf[off];
++val >>>= 0;
+   }
++
++  // Leading zeroes
++  if (val <= 0x7f) {
++return false;
++  }
++
+   p.place = off;
+   return val;
+ }
+@@ -61,6 +74,9 @@
+ return false;
+   }
+   var len = getLength(data, p);
++  if (len === false) {
++return false;
++  }
+   if ((len + p.place) !== data.length) {
+ return false;
+   }
+@@ -68,21 +84,37 @@
+ return false;
+   }
+   var rlen = getLength(data, p);
++  if (rlen === false) {
++return false;
++  }
+   var r = data.slice(p.place, rlen + p.place);
+   p.place += rlen;
+   if (data[p.place++] !== 0x02) {
+ return false;
+   }
+   var slen = getLength(data, p);
++  if (slen === false) {
++return false;
++  }
+   if (data.length !== slen + p.place) {
+ return false;
+   }
+   var s = data.slice(p.place, slen + p.place);
+-  if (r[0] === 0 && (r[1] & 0x80)) {
+-r = r.slice(1);
+-  }
+-  if (s[0] === 0 && (s[1] & 0x80)) {
+-s = s.slice(1);
++  if (r[0] === 0) {
++if (r[1] & 0x80) {
++  r = r.slice(1);
++} else {
++  // Leading zeroes
++  return false;
++}
++  }
++  if (s[0] === 0) {
++if (s[1] & 0x80) {
++  s = s.slice(1);
++} else {
++  // Leading zeroes
++  return false;
++}
+   }
+ 
+   this.r = new BN(r);
diff --git a/debian/patches/series b/debian/patches/series
index 0ee9429..d86ab76 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 use-assert.patch
+CVE-2020-13822.patch

Bug#969366: buster-pu: package node-url-parse/1.2.0-2+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Insufficient validation and sanitization of user input exists in url-parse
npm package version 1.4.4 and earlier may allow attacker to bypass security
checks.

[ Impact ]
Medium security risk

[ Tests ]
Upstream test related to this vulnerability is included in patch. I ran
both build & autopkgtest tests

[ Risks ]
Low risk: test covers all features including CVE fix, change just trim left
to prevent unsantitized input from generating false positives

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
1. "mocha" was missing in build dependencies, causing test failures
2. the upstream fix adds security checks without modifying algorithm

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 04127dd..ee819f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-url-parse (1.2.0-2+deb10u1) buster; urgency=medium
+
+  * Add missing test dependency: mocha
+  * Fix insufficient validation and sanitization of user input
+(Closes: CVE-2020-8124)
+
+ -- Xavier Guimard   Tue, 01 Sep 2020 12:55:09 +0200
+
 node-url-parse (1.2.0-2) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/control b/debian/control
index 2c683c6..8433ca7 100644
--- a/debian/control
+++ b/debian/control
@@ -7,6 +7,7 @@ Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper (>= 9)
  , dh-buildinfo
+ , mocha 
  , nodejs
  , webpack
  , node-deep-eql 
diff --git a/debian/patches/CVE-2020-8124.diff 
b/debian/patches/CVE-2020-8124.diff
new file mode 100644
index 000..129c377
--- /dev/null
+++ b/debian/patches/CVE-2020-8124.diff
@@ -0,0 +1,93 @@
+Description: Fix CVE 2020-8124
+ Insufficient validation and sanitization of user input exists in url-parse
+ npm package version 1.4.4 and earlier may allow attacker to bypass security
+ checks.
+Author: Arnout Kazemier 
+Origin: upstream, https://github.com/unshiftio/url-parse/commit/3ecd256f
+Bug: https://hackerone.com/reports/496293
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-09-01
+
+--- a/index.js
 b/index.js
+@@ -2,8 +2,20 @@
+ 
+ var required = require('requires-port')
+   , qs = require('querystringify')
++  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
+   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i
+-  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//;
++  , whitespace = 
'[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
++  , left = new RegExp('^'+ whitespace +'+');
++
++/**
++ * Trim a given string.
++ *
++ * @param {String} str String to trim.
++ * @public
++ */
++function trimLeft(str) {
++  return (str || '').replace(left, '');
++}
+ 
+ /**
+  * These are the parse rules for the URL parser, it informs the parser
+@@ -94,6 +106,7 @@
+  * @api private
+  */
+ function extractProtocol(address) {
++  address = trimLeft(address);
+   var match = protocolre.exec(address);
+ 
+   return {
+@@ -149,6 +162,8 @@
+  * @api public
+  */
+ function URL(address, location, parser) {
++  address = trimLeft(address);
++
+   if (!(this instanceof URL)) {
+ return new URL(address, location, parser);
+   }
+@@ -414,6 +429,7 @@
+ //
+ URL.extractProtocol = extractProtocol;
+ URL.location = lolcation;
++URL.trimLeft = trimLeft;
+ URL.qs = qs;
+ 
+ module.exports = URL;
+--- a/test/test.js
 b/test/test.js
+@@ -31,6 +31,14 @@
+ 
+   describe('extractProtocol', function () {
+ it('extracts the protocol data', function () {
++  assume(parse.extractProtocol('http://example.com')).eql({
++slashes: true,
++protocol: 'http:',
++rest: 'example.com'
++  });
++});
++
++it('extracts the protocol data for nothing', function () {
+   assume(parse.extractProtocol('')).eql({
+ slashes: false,
+ protocol: '',
+@@ -49,6 +57,15 @@
+ });
+   });
+ 
++
++  it('trimsLeft', function () {
++assume(parse.extractProtocol(' javascript://foo')).eql({
++  slashes: true,
++  protocol: 'javascript:',
++  rest: 'foo'
++});
++  });
++
+   it('parses the query string into an object', function () {
+ var url = 'http://google.com/?foo=bar'
+   , data = parse(url, true);
diff --git a/debian/patches/series b/debian/patches/series
index 1ae99bc..c24e259 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2018-3774.diff
+CVE-2020-8124.diff

Bug#969348: buster-pu: package node-bl/1.1.2-1+deb10u1

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
node-bl is vunerable to CVE-2020-8244 (#969309): A buffer over-read
vulnerability exists which could allow an attacker to supply user input
(even typed) that if it ends up in consume() argument and can become
negative, the BufferList state can be corrupted, tricking it into exposing
uninitialized memory via regular .slice() calls.

I simply imported upstream change
Origin: https://github.com/rvagg/bl/commit/d3e240e3
Bug:https://hackerone.com/reports/966347
Bug-Debian: https://bugs.debian.org/969309

[ Impact ]
Vulnerability stays.

[ Tests ]
Change is simple and test passed (during build)

[ Risks ]
Low risk: change isn't big and test passed

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
The patch just check better buffer size
diff --git a/debian/changelog b/debian/changelog
index c041e5a..462fb49 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-bl (1.1.2-1+deb10u1) buster; urgency=medium
+
+  * Team upload
+  * Add patch to fix over-read vulnerability (Closes: #969309, CVE-2020-8244)
+
+ -- Xavier Guimard   Mon, 31 Aug 2020 10:35:09 +0200
+
 node-bl (1.1.2-1) unstable; urgency=low
 
   * Team upload.
diff --git a/debian/patches/CVE-2020-8244.diff 
b/debian/patches/CVE-2020-8244.diff
new file mode 100644
index 000..5512d60
--- /dev/null
+++ b/debian/patches/CVE-2020-8244.diff
@@ -0,0 +1,53 @@
+Description: fix buffer over-read vulnerability
+ CVE-2020-8244:
+ A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and
+ <2.2.1 which could allow an attacker to supply user input (even
+ typed) that if it ends up in consume() argument and can become
+ negative, the BufferList state can be corrupted, tricking it into
+ exposing uninitialized memory via regular .slice() calls.
+Author: Matteo Collina 
+Origin: upstream, https://github.com/rvagg/bl/commit/d3e240e3
+Bug: https://hackerone.com/reports/966347
+Bug-Debian: https://bugs.debian.org/969309
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-08-31
+
+--- a/bl.js
 b/bl.js
+@@ -159,18 +159,22 @@
+ 
+ if (bytes > l) {
+   this._bufs[i].copy(dst, bufoff, start)
++  bufoff += l
+ } else {
+   this._bufs[i].copy(dst, bufoff, start, start + bytes)
++  bufoff += l
+   break
+ }
+ 
+-bufoff += l
+ bytes -= l
+ 
+ if (start)
+   start = 0
+   }
+ 
++  // safeguard so that we don't return uninitialized memory
++  if (dst.length > bufoff) return dst.slice(0, bufoff)
++
+   return dst
+ }
+ 
+@@ -179,6 +183,11 @@
+ }
+ 
+ BufferList.prototype.consume = function consume (bytes) {
++  // first, normalize the argument, in accordance with how Buffer does it
++  bytes = Math.trunc(bytes)
++  // do nothing if not a positive number
++  if (Number.isNaN(bytes) || bytes <= 0) return this
++
+   while (this._bufs.length) {
+ if (bytes >= this._bufs[0].length) {
+   bytes -= this._bufs[0].length
diff --git a/debian/patches/series b/debian/patches/series
index 6d46f5b..762aa7d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 00-readable_stream.patch
 01-use_tap.patch
+CVE-2020-8244.diff

Bug#969318: ITP: liburi-normalize-perl -- Perl module to normalize URIs according to RFC 3986

[Xavier Guimard]

Package: wnpp
Severity: wishlist
Owner: Xavier Guimard 
X-Debbugs-Cc: debian-de...@lists.debian.org, debian-p...@lists.debian.org

* Package name: liburi-normalize-perl
  Version : 0.002
  Upstream Author : Andrew Sterling Hanenkamp 
* URL : https://metacpan.org/pod/URI::Normalize
* License : GPL-2+ or Artistic
  Programming Lang: Perl
  Description : Perl module to normalize URIs according to RFC 3986

Section 6 of RFC 3986 describes a process of URI normalization. URI::Normalize
implements syntax-based normalization and may include some schema-based and
protocol-based normalization. This includes implementing the
remove_dot_segments algorithm described in Section 5.2.3 of the RFC.

This has a number of useful applications in allowing URIs to be compared with
fewer false negatives.

This package is new dependency of next lemonldap-ng and provides a
security improvement in it. It will be maintain under Pkg-Perl umbrella.

Bug#969163: buster-pu: package npm/5.8.0+ds6-4+deb10u2

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
npm is vulnerable to CVE-2020-15095: password in URL are stored in logs.
This fixes import upstream commit to fix it.

[ Impact ]
(What is the impact for the user if the update isn't approved?)
Little CVE: URL containing password (https://user:pwd@xxx) are stored in
logs

[ Tests ]
autopkgtest tested, no specific test for this CVE

[ Risks ]
(Discussion of the risks involved. E.g. code is trivial or
complex, alternatives available.)
Low risk: minor change in logs only

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
(Explain *all* the changes)
Log strings are parsed by a new "lib/utils/replace-info.js" to delete
password in URLs before logging

[ Other info ]
None
diff --git a/debian/changelog b/debian/changelog
index d7b986f..a567e2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+npm (5.8.0+ds6-4+deb10u2) buster; urgency=medium
+
+  * Team upload
+  * Don't show password in logs (Closes: CVE-2020-15095)
+
+ -- Xavier Guimard   Fri, 28 Aug 2020 13:36:33 +0200
+
 npm (5.8.0+ds6-4+deb10u1) buster; urgency=medium
 
   * Add patches to fix arbitrary path access
diff --git a/debian/patches/CVE-2020-15095.diff 
b/debian/patches/CVE-2020-15095.diff
new file mode 100644
index 000..9188249
--- /dev/null
+++ b/debian/patches/CVE-2020-15095.diff
@@ -0,0 +1,133 @@
+Description: chore: remove auth info from logs
+Author: claudiahdz 
+Origin: upstream, https://github.com/npm/cli/commit/a9857b8f
+Bug: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard 
+Last-Update: 2020-08-28
+
+--- a/bin/npm-cli.js
 b/bin/npm-cli.js
+@@ -35,6 +35,7 @@
+   var npm = require('../lib/npm.js')
+   var npmconf = require('../lib/config/core.js')
+   var errorHandler = require('../lib/utils/error-handler.js')
++  var replaceInfo = require('../lib/utils/replace-info.js')
+   var output = require('../lib/utils/output.js')
+ 
+   var configDefs = npmconf.defs
+@@ -48,7 +49,8 @@
+ process.argv.splice(1, 1, 'npm', '-g')
+   }
+ 
+-  log.verbose('cli', process.argv)
++  var args = replaceInfo(process.argv)
++  log.verbose('cli', args)
+ 
+   var conf = nopt(types, shorthands)
+   npm.argv = conf.argv.remain
+--- a/lib/fetch-package-metadata.js
 b/lib/fetch-package-metadata.js
+@@ -3,6 +3,7 @@
+ const deprCheck = require('./utils/depr-check')
+ const path = require('path')
+ const log = require('npmlog')
++const pacote = require('pacote')
+ const readPackageTree = require('read-package-tree')
+ const rimraf = require('rimraf')
+ const validate = require('aproba')
+@@ -10,8 +11,8 @@
+ const npm = require('./npm')
+ const npmlog = require('npmlog')
+ const limit = require('call-limit')
+-const tempFilename = require('./utils/temp-filename')
+-const pacote = require('pacote')
++const tempFilename = require('./utils/temp-filename.js')
++const replaceInfo = require('./utils/replace-info.js')
+ let pacoteOpts
+ const isWindows = require('./utils/is-windows.js')
+ 
+@@ -19,7 +20,9 @@
+   validate('SOF|SZF|OOF|OZF', [spec, tracker, done])
+   return (er, pkg) => {
+ if (er) {
+-  log.silly('fetchPackageMetaData', 'error for ' + String(spec), 
er.message)
++  er.message = replaceInfo(er.message)
++  var spc = replaceInfo(String(spec))
++  log.silly('fetchPackageMetaData', 'error for ' + spc, er.message)
+   if (tracker) tracker.finish()
+ }
+ return done(er, pkg)
+--- a/lib/utils/error-handler.js
 b/lib/utils/error-handler.js
+@@ -13,6 +13,7 @@
+ var chain = require('slide').chain
+ var writeFileAtomic = require('write-file-atomic')
+ var errorMessage = require('./error-message.js')
++var replaceInfo = require('./replace-info.js')
+ var stopMetrics = require('./metrics.js').stop
+ var mkdirp = require('mkdirp')
+ var fs = require('graceful-fs')
+@@ -176,14 +177,16 @@
+   ].forEach(function (k) {
+ var v = er[k]
+ if (!v) return
++v = replaceInfo(v)
+ log.verbose(k, v)
+   })
+ 
+   log.verbose('cwd', process.cwd())
+ 
+   var os = require('os')
++  var args = replaceInfo(process.argv)
+   log.verbose('', os.type() + ' ' + os.release())
+-  log.verbose('argv', process.argv.map(JSON.stringify).join(' '))
++  log.verbose('argv', args.map(

Bug#969081: gyp should not stay under pkg-js umbrella

[Xavier Guimard]

Package: gyp
Version: 0.1+20200513gitcaa6002-1
Severity: normal

Hi,

gyp is currently maintain under pkg-js umbrella. This package is a cross
platform tool written in Python and stored in salsa.d.o/debian/ area.
Then I don't understand the link with pkg-js team.

Cheers,
Xavier

Bug#962586: autodep8: debian/tests/autopkgtest-pkg-${type}.conf is not read

[Xavier Guimard]

Package: autodep8
Version: 0.23
Severity: important

Hi,

when trying to use new debian/tests/autopkgtest-pkg-${type}.conf, it
seems to be unread. Example with pkg-js-tools (after removing current
debian/tests/control and adding Testsuite):

  $ cat debian/tests/autopkgtest-pkg-perl.conf
  pkg_perl_extra_depends=grunt, node-grunt-contrib-concat

  $ autodep8
  pkg_perl_extra_depends=grunt, node-grunt-contrib-concat
  Test-Command: /usr/share/pkg-perl-autopkgtest/runner build-deps
  Depends: @, @builddeps@, pkg-perl-autopkgtest,
  Restrictions: skippable,
  Features: test-name=autodep8-perl-build-deps
  
  Test-Command: /usr/share/pkg-perl-autopkgtest/runner runtime-deps
  Depends: @, pkg-perl-autopkgtest,
  Restrictions: skippable, superficial,
  Features: test-name=autodep8-perl
  
  Test-Command: /usr/share/pkg-perl-autopkgtest/runner 
runtime-deps-and-recommends
  Depends: @, pkg-perl-autopkgtest,
  Restrictions: needs-recommends, skippable, superficial,
  Features: test-name=autodep8-perl-recommends

And then grunt tests are skipped:

  $ autopkgtest -B ../pkg-js-tools*.deb -- schroot unstable-amd64-sbuild
  [...]
  t/dh_grunt.t 
  1..3
  ok 1 # skip grunt is not installed
  ok 2 # skip grunt is not installed
  ok 3 # skip grunt is not installed
  ok
  t/dh_grunt2.t ...
  1..3
  ok 1 # skip grunt is not installed
  ok 2 # skip grunt is not installed
  ok 3 # skip grunt is not installed
  [...]

Bug#962168: loggerhead: Depends on yui3 which is going to be removed

[Xavier Guimard]

Source: loggerhead
Severity: serious

Hi,

as explained one year ago ([1] without any response), yui3 is going to
be removed (#962167). Please remove dependency to this library
(libjs-yui3-min).

As yui3 never entered in testing due to DFSG problems, I chose to set
severity to serious here.

Cheers,
Xavier

[1]: 
https://alioth-lists.debian.net/pipermail/pkg-bazaar-maint/2019-August/008343.html
[1]: 
https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2019-August/034865.html

Bug#962167: RM: yui3 -- ROM; unmaintained

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

yui3 was uploaded in 2012 and never maintained since except one NMU by
security team. I wrote a mail 1 year ago o the bazaar team which has the
only one reverse dep (loggerhead), without any response [4].

yui3 has DFSG problem and should not stay as this in Debian archive
(#788319).

Here is the mail content that resumes other problems with this package:
> yui3 package has many problems:
>  - Debian problems:
>* RC/DFSG bug (#788319)
>* never updated since old-old-stable (except a Security Team change)
>* not released in stable, neither old-stable
>* debian/watch points to a site now redirected to a GitHub repo that
>  builds a "yui" library [1]
>  - Consistency problems:
>* "yui" npmjs package points to [1]
>* "yui" npm module is "YUI 3: The Yahoo User Interface Library"
>* our packages are named libjs*yui3*
>* "yui3" npmjs package points to [2] with a very different content
>  than our
>* [2] is a fork of [3]
>* [1] seems unmaintained for 5 years
>* [2] seems unmaintained for 8 years
>* [3] seems unmaintained for 7 years
> 
> yui3 is a reverse dependency of loggerhead:
>  * maintained by Bazaar Team
>  * not in stable, neither in testing (blocked by yui3 of course)
> 
> loggerhead has no reverse dependencies
> 
> So my question are:
>  * Does Bazaar Team wanted to maintain loggerhead in Debian?
>=> if no, please ROM-RM to permits our ROM-RM of yui3
>=> if yes, does Bazaar Team want to maintain yui3 by itself?
>   * if yes, please go ahead
>   * if no:
> - which yui repo is the good dependency of loggerhead
> - does JS Team want to clean and maintain this?
>   (yadd advice is "**no**")
>
> [1]: https://github.com/yui/yui3
> [2]: https://github.com/davglass/nodejs-yui3
> [3]: https://github.com/yui/nodejs-yui3

[4]: 
https://alioth-lists.debian.net/pipermail/pkg-javascript-devel/2019-August/034865.html

Bug#961840: RM: node-diffie-hellman -- ROM; unmaintained upstream

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-diffie-hellman never entered in testing due to security issue [1].
Upstream did not fix it for 3 years.

node-diffie-hellman was introduced to be able to package
node-browserify, but this package no more needs it. Then I think
node-diffie-hellman should be removed from Debian.

Cheers,
Xavier

[1]: https://bugs.debian.org/860939 and 
https://github.com/crypto-browserify/diffie-hellman/issues/22

Bug#961646: node-deep-for-each breaks node-grunt-webpack

[Xavier Guimard]

Package: node-deep-for-each
Version: 3.0.0-1
Severity: serious
Control: affects -1 node-grunt-webpack

Version 3.0.0 breaks node-grunt-webpack. Probably due to this change:

> This library is no longer built with Babel, you must compile it
> yourself within your app

Revert to a version 2.x may solve this issue

Bug#961487: node-code: Remove this package and replace it by node-hapi-code

[Xavier Guimard]

Package: node-code
Version: 6.0.0-3
Severity: important

Hi,

node-code is useless and has a name that could be ambiguous. Upstream
name is now @hapi/code.

I think we should remove this package. If a package needs @hapi/code,
we could package it later.

Bug#960808: node-babel7: upgrade to 7.9.6

[Xavier Guimard]

Package: node-babel7
Version: 7.4.5+~cs6.2.2-2
Severity: important
Control: affects -1 twitter-boostrap4

Please upgrade to last published version (7.9.6). This is required at
least to upgrade twitter-bootstrap to 4.5.0

Bug#960684: RM: node-babel-plugin-transform-builtin-extend -- ROM; Useless with node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-babel-plugin-transform-builtin-extend is deprecated with
node-babel7. It should be removed from Debian archive

Bug#960658: src:cyrus-imapd: test fails on all big endian arch

[Xavier Guimard]

Package: src:cyrus-imapd
Version: 3.2.0-3
Severity: serious
Control: forwarded -1 https://github.com/cyrusimap/cyrus-imapd/issues/3040

Test fails on all big endian arch

Bug#960657: libdpkg-perl: dpkg-buildpackage should accept pkg.$sourcepackage.$anything DEB_BUILD_OPTIONS flags

[Xavier Guimard]

Package: libdpkg-perl
Version: 1.19.7
Severity: normal

Hi,

while trying to use pkg.$sourcepackage.$anything in DEB_BUILD_OPTIONS,
dkg-buildpackage reports:

  dpkg-buildpackage: warning: invalid flag in DEB_BUILD_OPTIONS: 
pkg.node-yarnpkg.test

However it seems that
https://wiki.debian.org/BuildProfileSpec#Registered_profile_names
authorizes such flags

Cheers,
Xavier

Bug#960575: buster-pu: package node-dot-prop/4.1.1-1+deb10u2

[Xavier Guimard]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

CVE-2020-8116 fix introduced a regression that affects npm (#960283).
This little fix solves the problem.

Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index f7509b9..9b6d599 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-dot-prop (4.1.1-1+deb10u2) buster; urgency=medium
+
+  * Fix regression introduced in CVE-2020-8116 fix (Closes: #960283)
+
+ -- Xavier Guimard   Thu, 14 May 2020 09:42:34 +0200
+
 node-dot-prop (4.1.1-1+deb10u1) buster; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2020-8116.diff 
b/debian/patches/CVE-2020-8116.diff
index b7d34f1..6d11ff8 100644
--- a/debian/patches/CVE-2020-8116.diff
+++ b/debian/patches/CVE-2020-8116.diff
@@ -38,7 +38,7 @@ Last-Update: 2020-02-06
}
  
const pathArr = getPathSegments(path);
-+  if (pathArray.length === 0) {
++  if (pathArr.length === 0) {
 +  return;
 +  }
  
@@ -48,7 +48,7 @@ Last-Update: 2020-02-06
}
  
const pathArr = getPathSegments(path);
-+  if (pathArray.length === 0) {
++  if (pathArr.length === 0) {
 +  return;
 +  }
  
@@ -58,7 +58,7 @@ Last-Update: 2020-02-06
}
  
const pathArr = getPathSegments(path);
-+  if (pathArray.length === 0) {
++  if (pathArr.length === 0) {
 +return;
 +}
  

Bug#960488: eslint: autopkgtest failure: missing test dependency to node-babel7

[Xavier Guimard]

Package: eslint
Version: 5.16.0~dfsg-5
Severity: serious
Justification: unknwon

Hi,

node-babel7 seems required by autopkgtest test:

not ok 344 - 
/tmp/autopkgtest-lxc.9p09fhxf/downtmp/build.w0w/src/lib/formatters/codeframe.js
  ---
  message: '"@babel/code-frame" is not found.'
  severity: error
  data:
line: 8
column: 38
ruleId: node/no-missing-require
  ...

Cheers,
Xavier

Bug#960483: RM: node-babel-plugin-precompile-charcodes -- ROM; Useless with node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi all,

node-babel-plugin-precompile-charcodes is deprecated with node-babel7 and
depends on node-babel 6 which is going to be removed. It should be
removed from Debian archive.

Bug#960484: RM: node-babel-preset-es2015-loose -- ROM; Useless with node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi all,

node-babel-preset-es2015-loose is deprecated with node-babel7 and
depends on node-babel 6 which is going to be removed. It should be
removed from Debian archive.

Bug#960482: rainloop: Build with node-babel7

[Xavier Guimard]

Package: rainloop
Version: 1.12.1-2
Severity: important

Hi,

rainloop build-depends on node-babel* 6 which are going to be removed.
Please fix this.

Bug#960440: RM: node-babel-plugin-transform-async-to-bluebird -- ROM; Useless with node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-babel-plugin-transform-async-to-bluebird is deprecated by
node-babel7. It should be removed from Debian.

Cheers,
Xavier

Bug#960432: RM: node-babel-preset-flow-vue -- ROM; Useless with node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

node-babel-preset-flow-vue is deprecated with node-babel7 and not used. It
should be removed.

Cheers,
Xavier

Bug#960433: RM: node-babel-preset-airbnb -- ROM; Useless with node-babel7

[Xavier Guimard]

Package: ftp.debian.org
Severity: normal

Hi,

Useless with node-babel7 is deprecated with node-babel7 and not used. It
should be removed.

Cheers,
Xavier