Bug#1081986: [Pkg-javascript-devel] Bug#1081986: Should leaflet-image be removed from unstable?
Control: severity -1 normal
Control: retitle -1 RM: leaflet-image -- RoM; rc-buggy
Control: reassign -1 ftp.debian.org
Control: affects -1 + src:leaflet-image

On 9/17/24 10:21, Helmut Grohne wrote:

Source: leaflet-image
Severity: important
User: helm...@debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing leaflet-image from Debian for the following reasons:

* It accumulated one RC-bug:
  + #1003260: leaflet-image: FTBFS with webpack5: Invalid configuration object
    Last modified: 1 year, 3 months
* It is not part of bookworm or trixie and is not a key package.

This bug serves as a pre-removal warning. After one month, the bug will be reassigned to ftp.debian.org to actually request removal of the package.

In case the package should be kept in unstable, please evaluate each of the RC-bugs listed above.

* If the bug is meant to permanently prevent the package from entering testing or a stable release, but this package should stay part of unstable, please add a usertag:

  user helm...@debian.org
  usertags NNN + sidremove-ignore

* If the bug no longer applies, please close it. If it is closed, check whether the fixed version is correct and adjust if necessary.
* Is the bug really release-critical? If not, please downgrade.
* If the bug still applies, please send a status update at least once a year.

Once all of the mentioned RC bugs have been acted upon in one way or another, please close this bug.

In case the package should be removed from unstable, you may reassign this bug report:

  Control: severity -1 normal
  Control: retitle -1 RM: leaflet-image -- RoM; rc-buggy
  Control: reassign -1 ftp.debian.org
  Control: affects -1 + src:leaflet-image

Alternatively, you may wait a month and have it reassigned.

In case you disagree with the above, please add a wontfix tag to this bug.

  Control: tags -1 + wontfix

Doing so will also prevent automatic reassignment.

Kind regards

A tool for automatically removing packages from unstable

This bug report has been automatically filed with little human intervention. If the filing is unclear or in error, don't hesitate to contact Helmut Grohne for assistance.
Bug#1081983: [Pkg-javascript-devel] Bug#1081983: Should node-node-localstorage be removed from unstable?
Control: severity -1 normal
Control: retitle -1 RM: node-node-localstorage -- RoM; rc-buggy
Control: reassign -1 ftp.debian.org
Control: affects -1 + src:node-node-localstorage

On 9/17/24 10:21, Helmut Grohne wrote:

Source: node-node-localstorage
Severity: important
User: helm...@debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing node-node-localstorage from Debian for the following reasons:

* It accumulated one RC-bug:
  + #1013621: node-node-localstorage: FTBFS: TypeError: 'set' on proxy: trap returned falsish for property 'length'
    Last modified: 1 year, 3 months
* It is not part of bookworm or trixie and is not a key package.

This bug serves as a pre-removal warning. After one month, the bug will be reassigned to ftp.debian.org to actually request removal of the package.

In case the package should be kept in unstable, please evaluate each of the RC-bugs listed above.

* If the bug is meant to permanently prevent the package from entering testing or a stable release, but this package should stay part of unstable, please add a usertag:

  user helm...@debian.org
  usertags NNN + sidremove-ignore

* If the bug no longer applies, please close it. If it is closed, check whether the fixed version is correct and adjust if necessary.
* Is the bug really release-critical? If not, please downgrade.
* If the bug still applies, please send a status update at least once a year.

Once all of the mentioned RC bugs have been acted upon in one way or another, please close this bug.

In case the package should be removed from unstable, you may reassign this bug report:

  Control: severity -1 normal
  Control: retitle -1 RM: node-node-localstorage -- RoM; rc-buggy
  Control: reassign -1 ftp.debian.org
  Control: affects -1 + src:node-node-localstorage

Alternatively, you may wait a month and have it reassigned.

In case you disagree with the above, please add a wontfix tag to this bug.

  Control: tags -1 + wontfix

Doing so will also prevent automatic reassignment.

Kind regards

A tool for automatically removing packages from unstable

This bug report has been automatically filed with little human intervention. If the filing is unclear or in error, don't hesitate to contact Helmut Grohne for assistance.
Bug#1080052: [Pkg-javascript-devel] Bug#1080052: Should node-lockfile be removed from unstable?
Control: severity -1 normal
Control: retitle -1 RM: node-lockfile -- RoM; rc-buggy
Control: reassign -1 ftp.debian.org
Control: affects -1 + src:node-lockfile

On 8/30/24 09:33, Helmut Grohne wrote:

Source: node-lockfile
Severity: serious
Justification: grab attention of maintainer
User: helm...@debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing node-lockfile from Debian for the following reasons:

* It accumulated one RC-bug:
  + #1005940: node-lockfile: Abandoned upstream
    Last modified: 2 years
* It is not part of bookworm or trixie and is not a key package.

Hi,

sure this package is no more useful here.

Best regards,
Yadd
Bug#1079833: [Pkg-javascript-devel] Bug#1079833: node-minimatch: please provide a bundled version
Hi Jérémy,

ready to review and push into salsa.d.o

Best regards,
Xavier

On 8/28/24 03:25, Jérémy Lal wrote:

Package: node-minimatch
Version: 9.0.3-4
Severity: wishlist

nodejs 20.17.0 includes minimatch, however the mechanism for inclusion is somewhat convoluted, and it would be greatly easier if a bundle was provided by node-minimatch.

This should work

rollup --format=commonjs -p @rollup/plugin-commonjs -p @rollup/plugin-node-resolve --file=debian/tmp/usr/share/nodejs/minimatch/dist/cjs/index.bundle.js -- dist/cjs/index.js

If nodejs were to create that bundle, it would need to be rebuilt when minimatch changes, otherwise it doesn't really need it.

Thanks

-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.10.4-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-minimatch depends on:
ii node-brace-expansion 2.0.1+~1.1.0-1

node-minimatch recommends no packages.
node-minimatch suggests no packages.

-- no debconf information
Bug#1079164: devscripts: Files-Excluded version of regexp should be documented and if not pcre Files-Excluded-PCRE should be created
On 8/22/24 02:06, Bastien Roucariès wrote:

On Wednesday 21 August 2024, 11:07:17 UTC, Niels Thykier wrote:

On Tue, 20 Aug 2024 18:50:20 + Bastien Roucariès wrote:

Package: devscripts
Version: 2.23.7
Severity: minor

Dear Maintainer,

I do not find the syntax of the regex used by Files-Excluded. I suppose it is POSIX RE. It should be documented if it is the case.

If it is not PCRE, could it be possible to add a Files-Excluded-PCRE field? It will greatly help to remove all directories except one in case of a JS monorepo.

Rouca

Drive by remark, it uses the DEP-5 `Files` semantics (that is, not a regex at all). For the use-case you have, I think you want to combine `Files-Excluded` with `Files-Included`.

That was what I had for this bug.

No, it does not work:
- Files-Included is not documented
- Does not work with component

For components, use "Files-Excluded-componentname"

Files-Included-PCRE per component may be better I believe

Best regards,
Niels
Bug#1078880: [Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370
On 8/20/24 17:30, Salvatore Bonaccorso wrote:

Hi,

On Tue, Aug 20, 2024 at 05:20:38PM +0400, Yadd wrote:

On 8/20/24 16:34, Moritz Mühlenhoff wrote:

Hi Yadd,

here is a simple patch for this issue

The debdiff looks fine, but I don't believe this needs a DSA, can you please submit this for the next point update instead?

Agree, but the bug was tagged as "grave" ;-)

The severity and the no-dsa/dsa decision can be orthogonal in the following sense: Assume an issue is not severe enough to have an immediate DSA, but a point release is approaching, still the issue should be made sure to be fixed in the upper suite (considering it release critical) so we would not start latest trixie with the open issue. Having it at RC level ensures this, gives enough grace time (there won't be an imminent removal anyway) and raises the hint-flag.

I choose such in particular when I see there is the same version across several releases, and a new upstream version exists to really make sure we avoid having the issue in the upper suite.

Does this make sense? Or have you issues with the assessment as 'grave' in this case?

No problem, I just filed issues for Bookworm and Bullseye

Cheers,
Xavier
Bug#1078880: [Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370
On 8/20/24 16:34, Moritz Mühlenhoff wrote: Hi Yadd, here is a simple patch for this issue The debdiff looks fine, but I don't believe this needs a DSA, can you please submit this for the next point update instead? Agree, but the bug was tagged as "grave" ;-) Cheers, Xavier
Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
On 8/15/24 20:29, Adam D. Barratt wrote: On Thu, 2024-08-15 at 05:09 +0400, Yadd wrote: Hi Adam, can I do the same with Bullseye ? I've just replied to the bullseye request, but afaics it wasn't even filed at the point the above chase was posted. Regards, Adam Yes, sorry I forgot Bullseye when fixing Apache2. Thanks a lot, I just push Bullseye/apache2
Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1
Hi Adam,

can I do the same with Bullseye ?

On 8/15/24 00:33, Adam D. Barratt wrote:

Control: tags -1 + confirmed

On Thu, 2024-07-18 at 09:39 +0400, Yadd wrote:

[ Reason ]
Apache2 was updated to 2.4.61 due to 8 CVEs. However "a partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted".

It's difficult to find in upstream commits what are "under some circumstances" neither in upstream explanations.

Please go ahead.

Regards,
Adam
Bug#1078622: [Debian-pan-maintainers] Bug#1078622: jupyterlab: will FTBFS during trixie support period
Control: fixed -1 jupyterlab/4.0.11+ds1+~cs11.25.27-1 Control: close -1 Control: forcemerge -1 1060772 On 8/13/24 22:06, Santiago Vila wrote: Package: src:jupyterlab Version: 4.0.11+ds1-2 User: debian...@lists.debian.org Usertags: ftbfs-during-trixie-support-period Tags: ftbfs Dear maintainer: During a rebuild of all packages in unstable in the year 2028, your package failed to build: Duplicate of #1060772
Bug#1078579: RM: node-jupyterlab -- ROM; Replaced by src:jupyterlab
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: node-jupyter...@packages.debian.org, debian-pan-maintain...@alioth-lists.debian.net, y...@debian.org
Control: affects -1 + src:node-jupyterlab
User: ftp.debian@packages.debian.org
Usertags: remove

Hi,

we just grouped python3-jupyterlab and node-jupyterlab into jupyterlab. That's why this package is no more needed.

Best regards,
Xavier
Bug#1077760: [Pkg-javascript-devel] Bug#1077760: pkg-js-tools: please allow to run a hook before testing
On 8/1/24 18:34, Bastien Roucariès wrote:

Package: pkg-js-tools
Version: 0.15.22
Severity: important

Dear Maintainer,

Could you run a hook like pre-test in tests that will run something like, for instance, regenerating a certificate?

It will avoid a lot of failures and manual work.

I can work around using d/rules for build but not for test.

Bastien

Hi,

do you have an idea on how to do this ? For now I insert my pre-test into the debian/tests/pkg-js/test file (which is run with `sh -e`)
Bug#1077639: ITP: libcaptcha-recaptcha-v3-perl -- Perl implementation of reCAPTCHA API version v3
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: libcaptcha-recaptcha-v3-perl
  Version : 0.05
  Upstream Contact: worthmine
* URL : https://metacpan.org/release/Captcha-reCAPTCHA-V3
* License : Artistic or GPL-1+
  Programming Lang: Perl
  Description : Perl implementation of reCAPTCHA API version 3

Perl library for Google's reCAPTCHA version 3. API v2 and v3 are so different, so that this new module is totally distinct than libcaptcha-recaptcha-perl.

Will be maintained under Perl Team umbrella
Bug#1077509: bookworm-pu: package cyrus-imapd/3.6.1-4+deb12u3
Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: cyrus-im...@packages.debian.org, y...@debian.org Control: affects -1 + src:cyrus-imapd User: release.debian@packages.debian.org Usertags: pu [ Reason ] There was a regression introduced by CVE-2024-34055 which breaks Cyrus-Imapd's murder (RC bug #1075853). [ Impact ] Installations with murder (more than one backend node) maybe broken. [ Tests ] No new test in these patches, however test and autopkgtest passed (https://salsa.debian.org/debian/cyrus-imapd/-/pipelines/708722) [ Risks ] Low risk, patch is not so big [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] I chose to keep patches as given in upstream release with upstream comments Best regards, Xavier diff --git a/debian/changelog b/debian/changelog index 39736966..8b7809d3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.6.1-4+deb12u3) bookworm; urgency=medium + + * Fix regression introduced in CVE-2024-34055 fix (Closes: #1075853) + + -- Yadd Mon, 29 Jul 2024 12:43:50 +0400 + cyrus-imapd (3.6.1-4+deb12u2) bookworm-security; urgency=medium * Fix unbounded memory allocation (Closes: CVE-2024-34055) diff --git a/debian/patches/CVE-2024-34055-regressions-1.patch b/debian/patches/CVE-2024-34055-regressions-1.patch new file mode 100644 index ..f0d4e80c --- /dev/null +++ b/debian/patches/CVE-2024-34055-regressions-1.patch 
@@ -0,0 +1,57 @@ +Description: Instance: check backend sync to mupdate during murder shutdown +Author: ellie timoney +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/846f1f49 +Forwarded: not-needed +Applied-Upstream: 3.6.6 +Reviewed-By: Yadd +Last-Update: 2024-07-29 + +--- a/cassandane/Cassandane/Instance.pm b/cassandane/Cassandane/Instance.pm +@@ -1378,6 +1378,38 @@ + return; + } + ++sub _check_mupdate ++{ ++my ($self) = @_; ++ ++my $mupdate_server = $self->{config}->get('mupdate_server'); ++return if not $mupdate_server; # not in a murder ++ ++my $serverlist = $self->{config}->get('serverlist'); ++return if $serverlist; # don't sync mboxlist on frontends ++ ++# Run ctl_mboxlist -m to sync backend mailboxes with mupdate. ++# ++# You typically run this from START, and we do, but at test start ++# there's no mailboxes yet, so there's nothing to sync, and if ++# something is broken it probably won't be detected. ++my $basedir = $self->{basedir}; ++eval { ++$self->run_command({ ++redirects => { stdout => "$basedir/ctl_mboxlist.out", ++ stderr => "$basedir/ctl_mboxlist.err", ++ }, ++cyrus => 1, ++}, 'ctl_mboxlist', '-m'); ++}; ++if ($@) { ++my @err = slurp_file("$basedir/ctl_mboxlist.err"); ++chomp for @err; ++xlog "ctl_mboxlist -m failed: " . Dumper \@err; ++return "unable to sync local mailboxes with mupdate"; ++} ++} ++ + sub _check_sanity + { + my ($self) = @_; +@@ -1516,6 +1548,7 @@ + my @errors; + + push @errors, $self->_check_sanity(); ++push @errors, $self->_check_mupdate(); + + xlog "stop $self->{description}: basedir $self->{basedir}"; + diff --git a/debian/patches/CVE-2024-34055-regressions-2.patch b/debian/patches/CVE-2024-34055-regressions-2.patch new file mode 100644 index ..9ea66400 --- /dev/null +++ b/debian/patches/CVE-2024-34055-regressions-2.patch 
@@ -0,0 +1,142 @@ +Description: imapparse: add getmstring() for mupdate-specific parsing + The mupdate protocol uses LITERAL+ in server->client communications, whereas + in the IMAP protocol this is only permitted in client->server communications. + Adds a parser flag and corresponding macro to switch behaviours. + Fixes #4932 +Author: ellie timoney +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/e35707e7 +Forwarded: not-needed +Applied-Upstream: 3.6.6 +Reviewed-By: Yadd +Last-Update: 2024-07-29 + +--- a/imap/imapparse.c b/imap/imapparse.c +@@ -153,7 +153,10 @@ + buf_reset(buf); + c = getint32(pin, &len); + +-if (pin->isclient && c == '+') { ++/* For IMAP, LITERAL+ is only valid from client->server. For MUPDATE ++ * it's valid in either direction. ++ */ ++if ((pin->isclient || (flags & GXS_MUPDATE)) && c == '+') { + /* LITERAL- says maximum size is 4096! */ + if (lminus && len > 4096) { + /* Fail per RFC 7888, Section 4, choice 2 */ +--- a/i
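Review bot: In CVE-2024-34055-regressions-1.patch, `_check_mupdate` has no explicit return on its success path: after the `if ($@) { ... }` block the sub simply ends, so what `push @errors, $self->_check_mupdate();` receives in list context is whatever Perl leaves as the implicit value of that trailing `if`, which may be an empty string rather than nothing. Ending the sub with a bare `return;`, as the two early exits already do, makes sure a successful `ctl_mboxlist -m` adds no entry to `@errors`.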
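Review bot: In the imap/imapparse.c hunk of CVE-2024-34055-regressions-2.patch, the widened condition `(pin->isclient || (flags & GXS_MUPDATE)) && c == '+'` accepts LITERAL+ from a mupdate peer, but the only size bound visible in the context is the `lminus && len > 4096` check. The changelog describes the original CVE-2024-34055 fix as "Fix unbounded memory allocation", so please confirm, and state in the new comment, which limit applies to `len` on the GXS_MUPDATE path when `lminus` is not set; the lines shown do not make that clear.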
Bug#1076904: [Pkg-javascript-devel] Bug#1076904: pkg-js-tools: FTBFS: help2man: can't get `--version' info from ./tools/debcheck-node-repo
On 7/27/24 07:15, Guillem Jover wrote:

Control: reopen -1
Control: notfixed -1 dpkg/1.22.9
Control: affect -1 = src:pkg-js-tools
Control: retitle -1 dpkg-dev: Make fragments lack internal dpkg_lazy_eval macros
Control: tags -1 =

On Fri, 2024-07-26 at 15:21:16 +0200, Santiago Vila wrote:

unmerge 1076904
thanks

Hi. I can indeed reproduce the error in unstable right now. (was your chroot uptodate?)

Maybe this is one of the other subtle bugs reported by Michael Tokarev? In either case, please fix the metadata as necessary. Sorry, I try to help maintainers to discover the root cause of the bugs I report, when I can, but I don't always succeed.

This FTBFS in pkg-js-tools is caused by that package (and several others), using the internal dpkg_lazy_eval macro from the dpkg Makefile fragment files. I'm going to revert the change that removed those macros, to avoid this and other breakage, but these packages should ideally not have used these macros. Although at this point I guess this has kind of become part of the API for those files. :/ And making them stop using the macros will require a coordinate transition or similar.

Thanks,
Guillem

Hi,

I pushed a workaround into version 1.15.22:

DEVSCRIPTS_CHECK_DIRNAME_LEVEL=0 PERL5LIB=lib help2man --version-string=$(DEB_VERSION) --no-discard-stderr -n $* -N --help-option=-h ./tools/$* > $*.1

Fixing version workaround the problem with Exporter::import

Best regards,
Xavier
Bug#1076904: [Pkg-javascript-devel] Bug#1076904: pkg-js-tools: FTBFS: help2man: can't get `--version' info from ./tools/debcheck-node-repo
Control: tags -1 + moreinfo

On 7/24/24 14:48, Santiago Vila wrote:

Package: src:pkg-js-tools
Version: 0.15.21
Severity: serious
Tags: ftbfs

Dear maintainer:

During a rebuild of all packages in unstable, your package failed to build:

Hi,

I'm unable to reproduce in a schroot, could you share more info? Also I can see in your logs some dh_auto_test logs inside the dh_auto_install step, which looks to be launched before manpage build which are a prerequisite of override_sh_auto_install. Do you use a standard way to build?

[...]
debian/rules binary
dh binary
dh_update_autotools_config
dh_autoreconf
debian/rules override_dh_auto_configure
make[1]: Entering directory '/<>'
perl -i -pe 's/[\d\.]+/''/' lib/Debian/PkgJs/Version.pm
dh_auto_configure
/usr/bin/perl Makefile.PL INSTALLDIRS=vendor "OPTIMIZE=-g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/<>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" "LD=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration -ffile-prefix-map=/<>=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -Wl,-z,relro"
Checking if your kit is complete...
Warning: the following files are missing in your kit:
mjs2cjs/mjs2cjs.js
t/dh_gulp2.t
t/gulp2/debian/changelog
[... snipped ...]
dh_auto_install: warning: ### Missing comp-one/build/config.gypi, skipping
dh_auto_install: warning: ### Missing comp-three/build/config.gypi, skipping
dh_auto_install: warning: ### Missing comp-two/build/config.gypi, skipping
t/dh_submodules.t ..
1..24 Link node_modules/comp-four -> ../comp-four Link node_modules/comp-three -> ../comp-three Link node_modules/comp_two -> ../comp-two Link comp-three/node_modules/comp_two -> ../../comp-two ok 1 - comp-one/nolink ok 2 - Main link ok 3 - good link ok 4 - Main link ok 5 - component_links ok 6 - good link No build command found, searching known files Found debian/nodejs/comp-one/build cd ./comp-one && sh -ex ../debian/nodejs/comp-one/build No build command found, searching known files No build command found, searching known files No build command found, searching known files ok 7 - build creates comp-one/a ln -s ../. node_modules/foo cd ./comp-one && sh -ex ../debian/nodejs/comp-one/test /bin/sh -ex debian/tests/pkg-js/test test launched Removing node_modules/foo ok 8 - File "foo" created Found "files" field in ./package.json, using it mkdir -p /<>/t/submodules/debian/foo//usr/share/nodejs/foo/ install -m 644 ./index.js /<>/t/submodules/debian/foo//usr/share/nodejs/foo// install -m 644 ./package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo// install -m 644 ./package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo// Found "files" field in comp-four/package.json, using it mkdir -p /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four/ install -m 644 comp-four/package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four// install -m 644 comp-four/index.js /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four// install -m 644 comp-four/package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four// No "files" field in comp-one/package.json, install all files Files to install: comp-one, !comp-one/build/config.gypi mkdir -p /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one/ install -m 644 comp-one/index.js /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one// install -m 644 comp-one/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one// install -m 644 comp-one/bar /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one// install -m 644 comp-one/package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one// Found "files" field in comp-three/package.json, using it mkdir -p /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three/ install -m 644 comp-three/index.js /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three// install -m 644 comp-three/test.js /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three// install -m 644 comp-three/package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three// install -m 644 comp-three/package.json /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three// Found "files" field in comp-two/package.json, using it mkdir -p /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp_two/ install -m 644 comp-two/index.js /<>/t/submodules/debian/foo//usr/share/nodejs/foo/node
Bug#1076378: [Pkg-javascript-devel] Bug#1076378: node-xterm: Unable to build package node-xterm from sources in Debian Bookworm because of error TS2769
Control: fixed -1 5.3.0-1 On 7/15/24 15:57, Sergei Semin wrote: Source: node-xterm Version: 3.8.1+~cs0.9.0-1 Severity: serious Tags: ftbfs Justification: fails to build from source X-Debbugs-Cc: syominser...@gmail.com Dear Maintainer, I tried to build node-xterm from sources in Debian Bookworm. I created new VM from official Debian vagrant image: https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1 Then I upgraded OS in VM using "apt update" and "apt upgrade", rebooted VM. Then I installed build deps for package node-xterm with "apt build-dep node-xterm". Then I downloaded sources of package node-xterm using command "apt source node-xterm". Version "3.8.1+~cs0.9.0-1" was downloaded. Then I entered into directory with sources and ran "dpkg-buildpackage". You can see log of dpkg-buildpackage here: This is due to Node.js update. Will fix that in next point release
Bug#1071632: Mark as done in 3.0.3
Hi, upstream marked this issue "done" in 3.0.3
Bug#1060772: [Debian-pan-maintainers] Unifying jupyterlab and node-jupyterlab
On 6/2/24 12:53, Yadd wrote:

On 6/2/24 10:38, Yadd wrote:

In my last commit, I added also a fix for #1060772:
- jupyter-lab uses yarnpkg by default
- in Debian build context, this can be overridden using YARN_COMMAND=pkgjs-install-minimal

Better hook with "YARN_COMMAND=pkgjs" which uses the adapted pkgjs-* command

And this produces the final bundle without Internet access => fixes #1060772 :-D

then I reimported your hook executed after dh_install to launch `jupyter-lab build`. This seems to work but must be verified (and also python install looks bad).

Best regards,
Xavier

On 6/2/24 07:40, Yadd wrote:

Hi Roland,

I merged Python and Node.js package into branch "merge-python-and-node", but I didn't yet import the "build" part you entered into dh_auto_install in Python package. Build works but has to be cleaned for the Python part.

Hope this will help you.

Best regards,
Xavier

On 6/1/24 17:33, Yadd wrote:

On 5/31/24 17:10, Roland Mas wrote:

Since I haven't managed to get 4.1 to build yet, I'm thinking of starting from a known-working version (4.0.10+ds1+~cs11.25.27-1). I expect that porting to 4.1 or later afterwards won't add extra work compared to doing both jobs at once.

Roland.

OK, I just pushed 4.0.11 into node-jupyterlab repo (reverting your upgrade to 4.1.6)

On 30/05/2024 at 05:36, Yadd wrote:

On 5/29/24 17:06, Yadd wrote:

On 5/29/24 17:04, Roland Mas wrote:

Hi Yadd and others,

I'd like to go forward with the jupyterlab/node-jupyterlab merger, because I'm facing more and more problems with jupyterlab/ipywidgets not being up-to-date. I'm going to start from node-jupyterlab (whose build is more complex), create a merge-jupyterlab-and-node-jupyterlab branch in it, and add the Python parts in there, starting from the current working state of the package (and not the current state of the master branch, which doesn't build since I tried to import a new upstream release).

I'll ask for review before merging into master, but any help or advice in the meantime will be welcome. I'll try to be present on IRC more often than usual during the operation. Hopefully upgrading one source package will be easier after the merger, and I'll work on ipywidgets after that.

Roland.

hi,

OK, let's do that ;-)

From which version of jupyterlab do you want to start? 4.0.11 or later?
Bug#1060772: [Debian-pan-maintainers] Unifying jupyterlab and node-jupyterlab
On 6/2/24 10:38, Yadd wrote:

In my last commit, I added also a fix for #1060772:
- jupyter-lab uses yarnpkg by default
- in Debian build context, this can be overridden using YARN_COMMAND=pkgjs-install-minimal

Better hook with "YARN_COMMAND=pkgjs" which uses the adapted pkgjs-* command

then I reimported your hook executed after dh_install to launch `jupyter-lab build`. This seems to work but must be verified (and also python install looks bad).

Best regards,
Xavier

On 6/2/24 07:40, Yadd wrote:

Hi Roland,

I merged Python and Node.js package into branch "merge-python-and-node", but I didn't yet import the "build" part you entered into dh_auto_install in Python package. Build works but has to be cleaned for the Python part.

Hope this will help you.

Best regards,
Xavier

On 6/1/24 17:33, Yadd wrote:

On 5/31/24 17:10, Roland Mas wrote:

Since I haven't managed to get 4.1 to build yet, I'm thinking of starting from a known-working version (4.0.10+ds1+~cs11.25.27-1). I expect that porting to 4.1 or later afterwards won't add extra work compared to doing both jobs at once.

Roland.

OK, I just pushed 4.0.11 into node-jupyterlab repo (reverting your upgrade to 4.1.6)

On 30/05/2024 at 05:36, Yadd wrote:

On 5/29/24 17:06, Yadd wrote:

On 5/29/24 17:04, Roland Mas wrote:

Hi Yadd and others,

I'd like to go forward with the jupyterlab/node-jupyterlab merger, because I'm facing more and more problems with jupyterlab/ipywidgets not being up-to-date. I'm going to start from node-jupyterlab (whose build is more complex), create a merge-jupyterlab-and-node-jupyterlab branch in it, and add the Python parts in there, starting from the current working state of the package (and not the current state of the master branch, which doesn't build since I tried to import a new upstream release).

I'll ask for review before merging into master, but any help or advice in the meantime will be welcome. I'll try to be present on IRC more often than usual during the operation. Hopefully upgrading one source package will be easier after the merger, and I'll work on ipywidgets after that.

Roland.

hi,

OK, let's do that ;-)

From which version of jupyterlab do you want to start? 4.0.11 or later?
Bug#1060772: [Debian-pan-maintainers] Unifying jupyterlab and node-jupyterlab
In my last commit, I added also a fix for #1060772:
- jupyter-lab uses yarnpkg by default
- in Debian build context, this can be overridden using YARN_COMMAND=pkgjs-install-minimal

then I reimported your hook executed after dh_install to launch `jupyter-lab build`. This seems to work but must be verified (and also python install looks bad).

Best regards,
Xavier

On 6/2/24 07:40, Yadd wrote:

Hi Roland,

I merged Python and Node.js package into branch "merge-python-and-node", but I didn't yet import the "build" part you entered into dh_auto_install in Python package. Build works but has to be cleaned for the Python part.

Hope this will help you.

Best regards,
Xavier

On 6/1/24 17:33, Yadd wrote:

On 5/31/24 17:10, Roland Mas wrote:

Since I haven't managed to get 4.1 to build yet, I'm thinking of starting from a known-working version (4.0.10+ds1+~cs11.25.27-1). I expect that porting to 4.1 or later afterwards won't add extra work compared to doing both jobs at once.

Roland.

OK, I just pushed 4.0.11 into node-jupyterlab repo (reverting your upgrade to 4.1.6)

On 30/05/2024 at 05:36, Yadd wrote:

On 5/29/24 17:06, Yadd wrote:

On 5/29/24 17:04, Roland Mas wrote:

Hi Yadd and others,

I'd like to go forward with the jupyterlab/node-jupyterlab merger, because I'm facing more and more problems with jupyterlab/ipywidgets not being up-to-date. I'm going to start from node-jupyterlab (whose build is more complex), create a merge-jupyterlab-and-node-jupyterlab branch in it, and add the Python parts in there, starting from the current working state of the package (and not the current state of the master branch, which doesn't build since I tried to import a new upstream release).

I'll ask for review before merging into master, but any help or advice in the meantime will be welcome. I'll try to be present on IRC more often than usual during the operation. Hopefully upgrading one source package will be easier after the merger, and I'll work on ipywidgets after that.

Roland.

hi,

OK, let's do that ;-)

From which version of jupyterlab do you want to start? 4.0.11 or later?
Bug#1060772: [Python-modules-team] Bug#1060772: python3-jupyterlab: Using node-corepack downloads yarnpkg from Internet
Hi,

depending on the use of "jupyterlab build":
- when used manually, may prefer to launch yarnpkg
- when used under Debian build/test, may prefer to use pkgjs-install-minimal

So proposition:
- drop the patch 0003-Use-system-provided-yarn.js.patch
- build a custom yarn.js that calls yarnpkg or pkgjs-install-minimal depending on an environment variable
Bug#1072121: [Pkg-javascript-devel] Bug#1072121: node-ip: CVE-2024-29415
On 5/29/24 00:40, Moritz Mühlenhoff wrote:
Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2024-29415[0]:
| The ip package through 2.0.1 for Node.js might allow SSRF because
| some IP addresses (such as 127.1, 01200034567, 012.1.2.3,
| 000:0:::01, and ::fFFf:127.0.0.1) are improperly categorized as
| globally routable via isPublic. NOTE: this issue exists because of
| an incomplete fix for CVE-2023-42282.

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/pull/143

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-29415
    https://www.cve.org/CVERecord?id=CVE-2024-29415

Please adjust the affected versions in the BTS as needed.

The proposed patch changes node-ip behavior and needs recent nodejs. I just pushed it to experimental to get more testing.
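The address forms quoted in the CVE text above can be screened with a fail-closed classifier; the following is an added example, not code from node-ip or from the patch pushed to experimental. The function names (`classifyHost`, `isPublicTarget`), the range table and the two public sample addresses are assumptions made for illustration.

```javascript
// Added example: fail-closed classification of IP literals (not node-ip code).
// Subset of the IANA special-purpose IPv4 blocks; extend for production use.
const V4_SPECIAL = [
  ['0.0.0.0', 8, 'this-network'], ['10.0.0.0', 8, 'private'],
  ['100.64.0.0', 10, 'shared'], ['127.0.0.0', 8, 'loopback'],
  ['169.254.0.0', 16, 'link-local'], ['172.16.0.0', 12, 'private'],
  ['192.168.0.0', 16, 'private'], ['224.0.0.0', 3, 'multicast-or-reserved'],
];

// One IPv4 component, read the way inet_aton() reads it:
// "0x.." is hex, a leading "0" is octal, anything else is decimal.
function parsePart(p) {
  if (/^0[xX][0-9a-fA-F]+$/.test(p)) return parseInt(p.slice(2), 16);
  if (/^0[0-7]*$/.test(p)) return parseInt(p, 8);
  if (/^[1-9][0-9]*$/.test(p)) return parseInt(p, 10);
  return NaN;
}

// inet_aton()-style parse: 1 to 4 parts, the last part fills the remaining
// bytes ("127.1" is 127.0.0.1). Returns an integer in [0, 2^32) or null.
function parseIPv4(text) {
  const parts = text.split('.').map(parsePart);
  if (parts.length > 4 || parts.some(Number.isNaN)) return null;
  const last = parts.pop();
  if (parts.some((n) => n > 255) || last >= 2 ** (8 * (4 - parts.length))) return null;
  return parts.reduce((sum, n, i) => sum + n * 2 ** (8 * (3 - i)), last);
}

const formatV4 = (v) => [24, 16, 8, 0].map((s) => Math.floor(v / 2 ** s) % 256).join('.');

function classifyV4(v) {
  for (const [base, len, label] of V4_SPECIAL) {
    const size = 2 ** (32 - len);
    if (Math.floor(v / size) === Math.floor(parseIPv4(base) / size)) return label;
  }
  return 'public';
}

// Embedded IPv4 inside IPv6 must be plain dotted decimal without leading zeros.
const STRICT_QUAD = /^(0|[1-9]\d{0,2})(\.(0|[1-9]\d{0,2})){3}$/;

// Strict IPv6 parse into eight 16-bit groups, or null. Empty groups (":::"),
// more than one "::" and non-canonical embedded IPv4 are rejected.
function parseIPv6(text) {
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const groups = [];
  let gapAt = -1;
  for (let h = 0; h < halves.length; h++) {
    if (h === 1) gapAt = groups.length;
    if (halves[h] === '') continue;
    const items = halves[h].split(':');
    for (let i = 0; i < items.length; i++) {
      const isLast = h === halves.length - 1 && i === items.length - 1;
      if (isLast && STRICT_QUAD.test(items[i])) {
        const v4 = parseIPv4(items[i]);
        if (v4 === null) return null;
        groups.push(Math.floor(v4 / 65536), v4 % 65536);
      } else if (/^[0-9a-fA-F]{1,4}$/.test(items[i])) {
        groups.push(parseInt(items[i], 16));
      } else {
        return null;
      }
    }
  }
  if (gapAt === -1) return groups.length === 8 ? groups : null;
  if (groups.length > 7) return null;
  const zeros = new Array(8 - groups.length).fill(0);
  return groups.slice(0, gapAt).concat(zeros, groups.slice(gapAt));
}

// Classify an IP literal. Hostnames come back 'invalid': resolve them first and
// classify every resolved address. Connect to `canonical`, never the raw input.
function classifyHost(host) {
  const v4 = host.includes(':') ? null : parseIPv4(host);
  if (v4 !== null) return { category: classifyV4(v4), canonical: formatV4(v4) };
  const g = parseIPv6(host);
  if (g === null) return { category: 'invalid', canonical: null };
  const upperZero = g.slice(0, 5).every((n) => n === 0);
  if (upperZero && g[5] === 0xffff) { // IPv4-mapped: judge the embedded IPv4
    const mapped = g[6] * 65536 + g[7];
    return { category: classifyV4(mapped), canonical: formatV4(mapped) };
  }
  let category = 'public';
  if (upperZero && g[5] === 0 && g[6] === 0 && g[7] <= 1) {
    category = g[7] === 1 ? 'loopback' : 'unspecified';
  } else if ((g[0] & 0xffc0) === 0xfe80) {
    category = 'link-local';
  } else if ((g[0] & 0xfe00) === 0xfc00) {
    category = 'private';
  } else if ((g[0] & 0xff00) === 0xff00) {
    category = 'multicast';
  }
  return { category, canonical: g.map((n) => n.toString(16)).join(':') };
}

// Only an address positively classified as public passes; 'invalid' is refused.
const isPublicTarget = (host) => classifyHost(host).category === 'public';

// The five literals quoted in the CVE text, plus two constructed public samples.
const CVE_SAMPLES = ['127.1', '01200034567', '012.1.2.3', '000:0:::01', '::fFFf:127.0.0.1'];
const PUBLIC_SAMPLES = ['8.8.8.8', '2001:4860:4860::8888'];
for (const h of CVE_SAMPLES.concat(PUBLIC_SAMPLES)) {
  console.log(h.padEnd(22), JSON.stringify(classifyHost(h)));
}
```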
Bug#1071213: [Pkg-javascript-devel] Bug#1071213: pkg-js-tools: nodepath fails with nodejs 20 because it passes non-integer to process.exit
On 5/16/24 13:16, Jérémy Lal wrote: Package: pkg-js-tools Version: 0.15.19 Severity: important Hi, this makes all automatic autopkgtest fail: $ nodepath after node:internal/errors:541 throw error; TypeError [ERR_INVALID_ARG_TYPE]: The "code" argument must be of type number. Received type boolean (true) Since this is somewhat urgent, please tell me if I should do the fix. Jérémy Hi, I just pushed your fix Thanks!
Bug#1065722: FTBFS: /usr/lib/python3/dist-packages/torch/include/c10/util/C++17.h:27:2: error: #error You need C++17 to compile PyTorch
Control: tags -1 + patch Hi, updating to 0.18 fixes the build issue: see https://salsa.debian.org/deeplearning-team/pytorch-vision/-/merge_requests/2 Best regards, Xavier
Bug#1070831: ITP: python3-nxtomo -- Python API to edit NXtomo application
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: python3-nxtomo
  Version : 1.2.3
  Upstream Contact: , Pierre Paleo , Alessandro Mirone , Jérôme Lesaint
* URL : https://gitlab.esrf.fr/tomotools/nxtomo
* License : Expat
  Programming Lang: Python
  Description : Python API to edit NXtomo application

NXtomo is an application definition for x-ray or neutron tomography raw data. See https://manual.nexusformat.org/classes/applications/NXtomo.html

python3-nxtomo provides a friendly API to create and edit NXtomo application.

This package will be maintained under Debian PAN Team.
Bug#1070408: ITP: python3-tabnet -- Attentive Interpretable Tabular Learning
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: python3-tabnet
  Version : 4.1.0
  Upstream Contact: DreamQuark <https://github.com/dreamquark-ai/tabnet/issues>
* URL : https://github.com/dreamquark-ai/tabnet
* License : Expat
  Programming Lang: Python
  Description : Attentive Interpretable Tabular Learning

python3-tabnet is a pyTorch implementation of Tabnet (TabNet: Attentive Interpretable Tabular Learning, https://arxiv.org/pdf/1908.07442.pdf). Please note that some different choices have been made over time to improve the library which can differ from the original paper.

This package is needed for jupyterlab. Will be maintained under Debian Pan Maintainers Team umbrella.
Bug#1068862: ITP: node-microsoft-fast -- FAST monorepo, containing web component packages, tools, examples, and documentation
Package: wnpp
Severity: wishlist
Owner: Yadd
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-microsoft-fast
  Version : 0~20240320-1
  Upstream Contact: https://github.com/Microsoft/fast/issues
* URL : https://github.com/Microsoft/fast
* License : Expat
  Programming Lang: JavaScript
  Description : FAST monorepo, containing web component packages, tools, examples, and documentation

FAST is a collection of technologies built on Web Components and modern Web Standards, designed to help you efficiently tackle some of the most common challenges in website and application design and development.

* Create reusable UI components with `@microsoft/fast-element`, all based on W3C Web Component standards.
* Use `@microsoft/fast-foundation` library to rapidly build W3C OpenUI-based (https://open-ui.org/) design systems without re-implementing component logic.
* Leverage modern, W3C standards-based SSR for Web Components by plugging in `@microsoft/fast-ssr`.
* Bring all the pieces together to build SPAs and rich experiences with our Web Components router by installing `@microsoft/fast-router`.
* React users can drop in `@microsoft/fast-react-wrapper` to turn any Web Component into a native React component.
* Integrate FAST Web Components with any library, framework, or build system.

This monorepository will provide the following packages:
* node-microsoft-fast-colors
* node-microsoft-fast-element
* node-microsoft-fast-foundation
* node-microsoft-fast-react-wrapper
* node-microsoft-fast-router
* node-microsoft-fast-ssr
* node-microsoft-fast-web-utilities

This is required to update node-jupyterlab.
Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
On 4/5/24 15:58, Moritz Muehlenhoff wrote:
On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:
On 4/4/24 22:51, Moritz Mühlenhoff wrote:
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
    https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
    https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
    https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.

Hi, I'm ready to push 2.4.59 into bookworm-security. Note that this includes a test-framework update

Target distribution needs to be bookworm-security, with that please upload. Can you also prepare the equivalent change for bullseye-security? The uploads can already happen, but let's keep the update unreleased until next week, then we can look for regressions reported in unstable (and check with Ondrej if we received reports based on his repo)

Cheers, Moritz

Both Bullseye and Bookworm uploaded. Bullseye version embeds also a copyright fix
Bug#1066749: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1
Control: tags -1 + moreinfo Hi, I'm unable to reproduce this issue. Probably fixed elsewhere during time_t transition
Bug#1064558: [Pkg-javascript-devel] Bug#1064558: node-leveldown: FTBFS on mips64el: not ok 1397 Error: batch(array) element must be an object and not `null`
On 2/24/24 13:10, Sebastian Ramacher wrote:
Source: node-leveldown
Version: 5.6.0+dfsg-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: sramac...@debian.org

https://buildd.debian.org/status/fetch.php?pkg=node-leveldown&arch=mips64el&ver=5.6.0%2Bdfsg-4%2Bb1&stamp=1708632735&raw=0

not ok 1397 Error: batch(array) element must be an object and not `null`
  ---
    operator: error
    stack: |-
      Error: batch(array) element must be an object and not `null`
          at AbstractLevelDOWN.batch (/usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:163:33)
          at /<>/test/iterator-recursion-test.js:48:8
          at /usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:41:5
  ...

Cheers

Hi Jérémy, when trying to build on mips64el porterbox, I got this:

make[1]: Entering directory '/home/yadd/node-leveldown'
node-gyp clean
node: error while loading shared libraries: libnode.so.108: cannot open shared object file: No such file or directory
make[1]: *** [debian/rules:18: override_dh_auto_clean] Error 127
make[1]: Leaving directory '/home/yadd/node-leveldown'
Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
I closed this issue because: - I dropped all bad .h files from install - I added ABI flags to build - cyrus-dev has no reverse dependencies If I'm wrong, please reopen this issue Cheers, Yadd
Bug#1063908: [Debian-pan-maintainers] Bug#1063908: node-jupyter-widgets-{base, base-manager, control}: ships files already in python3-widgetsnbextension
On 2/14/24 20:26, Andreas Beckmann via Debian-pan-maintainers wrote: Package: node-jupyter-widgets-base,node-jupyter-widgets-base-manager,node-jupyter-widgets-controls Version: 6.0.7+~cs14.23.94-1 Severity: serious User: debian...@lists.debian.org Usertags: piuparts Hi, during a test with piuparts I noticed your package failed to install because it tries to overwrite other packages files without declaring a Breaks+Replaces relation. See policy 7.6 at https://www.debian.org/doc/debian-policy/ch-relationships.html#overwriting-files-and-replacing-packages-replaces From the attached log (scroll to the bottom...): Preparing to unpack .../node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb ... Unpacking node-jupyter-widgets-base (6.0.7+~cs14.23.94-1) ... dpkg: error processing archive /var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb (--unpack): trying to overwrite '/usr/share/nodejs/@jupyter-widgets/base/css/index.css', which is also in package python3-widgetsnbextension 8.1.1-2 Errors were encountered while processing: /var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb Hi, why does python3-widgetsnbextension install an unusable node.js module into a nodejs directory ?
Bug#1063824: zenmap should depends on python3-gi-cairo
Package: zenmap Version: 7.94+git20230807.3be01efb1+dfsg-3 Severity: important X-Debbugs-Cc: y...@debian.org Hi, when using zenmap, the "port" tab is broken unless python3-gi-cairo is installed: TypeError: Couldn't find foreign struct converter for 'cairo.Context' Cheers, Yadd
Bug#1061341: Fwd: Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
On 2/7/24 06:31, ellie timoney wrote: Hi Xavier, On Mon, 29 Jan 2024, at 9:59 AM, ellie timoney wrote: On Thu, 25 Jan 2024, at 3:53 PM, Yadd wrote: yes there are other errors because some .h require unavailable .h like config.h Ooh interesting, I'll have a look I'm still working on this, but the more I work on it, the more of it turns out to need fixing... I think for now, it makes sense for you to proceed with the packaging changes assuming that 32 bit Cyrus will _not_ be ABI compatible when recompiled with 64 bit time_t. From the original email, I think that means you'll need to set up strict version dependencies between the cyrus-common, cyrus-admin and cyrus-clients packages, so that people can't partially upgrade and wind up with conflicts. Cheers, ellie Hi, dependencies are already strict (= ${binary:Version}). To be able to render cyrus-dev headers compatible with ABI test, I'll have to remove the following (missing config.h,...): /usr/include/cyrus/bufarray.h /usr/include/cyrus/charset.h /usr/include/cyrus/command.h /usr/include/cyrus/crc32.h /usr/include/cyrus/cyr_qsort_r.h /usr/include/cyrus/glob.h /usr/include/cyrus/imapurl.h /usr/include/cyrus/mappedfile.h /usr/include/cyrus/procinfo.h /usr/include/cyrus/rfc822tok.h /usr/include/cyrus/sieve/sieve_err.h /usr/include/cyrus/sieve/sieve_interface.h /usr/include/cyrus/sqldb.h /usr/include/cyrus/tok.h /usr/include/cyrus/vparse.h /usr/include/cyrus/wildmat.h
Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
On 1/28/24 20:21, Steve Langasek wrote: On Tue, Jan 23, 2024 at 08:32:18AM +0400, Yadd wrote: Control: tags -1 + moreinfo On 1/23/24 00:43, Steve Langasek wrote: Package: cyrus-common Version: 3.8.1-1 Severity: serious User: debian-...@lists.debian.org Usertags: time-t Dear maintainers, Analysis of the archive for the 64-bit time_t transition[0][1] identifies cyrus-common as an affected package, on the basis that the headers could not be compiled and analyzed out of the box using abi-compliance-checker[2], so we have to assume it's affected. However, cyrus-commons's shlibs file declares a dependency on a library package name that contains no ABI information: according to https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt , this issue looks like a false-positive: test failed because of C error, not bad report Am I right here ? We do not *know* that it's a false positive; we only know that we were unable to analyze the header files under a-c-c to prove that the ABI is not affected. Patches to the check-armhf-time_t script at https://salsa.debian.org/vorlon/armhf-time_t/-/blob/main/check-armhf-time_t?ref_type=heads to quirk this package and allow its headers to be analyzed, or changes to the source package to not ship uncompilable headers ("apt-file search lib/strarray.h" returns no results), would both be welcome. Thanks, Hi, is it possible to build a salsa-ci job to test this on i386 ? Best regards, Yadd
Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs
Control: tags -1 + moreinfo On 1/23/24 00:43, Steve Langasek wrote: Package: cyrus-common Version: 3.8.1-1 Severity: serious User: debian-...@lists.debian.org Usertags: time-t Dear maintainers, Analysis of the archive for the 64-bit time_t transition[0][1] identifies cyrus-common as an affected package, on the basis that the headers could not be compiled and analyzed out of the box using abi-compliance-checker[2], so we have to assume it's affected. However, cyrus-commons's shlibs file declares a dependency on a library package name that contains no ABI information: Hi, according to https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt , this issue looks like a false-positive: test failed because of C error, not bad report Am I right here ? Best regards, Xavier
Bug#1027859: Fwd: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED
Control: tags -1 + wontfix > Forwarded Message > Subject: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED > Date: Wed, 17 Jan 2024 09:17:48 + > From: Debian FTP Masters > To: Yadd , Debian Javascript Maintainers javascript-de...@lists.alioth.debian.org> > > > not in stable - belongs to sloppy Update refused, so bug won't be fixed Regards, Yadd
Bug#1059829: Thank you
On 1/16/24 20:36, Georges Khaznadar wrote:
> Hello, Javascript/Npm are not my cup of tea; so, please receive many thanks about the help you provided to my poor packaging efforts. If node-html5-qrcode happens to be dfsg-free, which should be the right umbrella to host it on salsa.d.o? https://salsa.debian.org/js-team or https://salsa.debian.org/georgesk ?

Hi, yes I already pushed it on js-team/node-html5-qrcode. It is fixed now in it and ready to be pushed. Do you want me to push it?

> I saw that you managed to let salsa's automaton pass 53 of the upstream tests, and I would like to learn such magics. Do you have some useful links about them?

Most JS Team packages use dh-sequence-nodejs. To start with it: https://wiki.debian.org/Javascript/Tutorial and then pkg-js-tools(7)

However, the changes I did here need a minimum knowledge of npm because the package doesn't follow exactly the common way (see dh_auto_install hook)

> Best regards, Georges.

Cheers, Yadd
Bug#1060772: python3-jupyterlab: Using node-corepack downloads yarnpkg from Internet
Package: python3-jupyterlab Version: 4.0.9+ds1-1 Severity: important X-Debbugs-Cc: y...@debian.org Hi, the patch 0003-Use-system-provided-yarn.js.patch replaces missing yarn.js by node-corepack. Please keep in mind that node-corepack/../yarn.js is a wrapper that downloads yarnpkg from Internet instead of using Debian's one. Cheers, Yadd
Bug#1060312: ITP: node-yarn-plugin-apt -- Yarn plugin to resolve dependencies from packages installed in apt
On 1/9/24 16:09, Uche wrote:
Package: wnpp
Severity: wishlist
Owner: Robinson Uchechukwu <estherchidinma...@gmail.com>
X-Debbugs-CC: debian-de...@lists.debian.org

* Package name : node-yarn-plugin-apt
  Version : 1.0.0
  Upstream Author : Debian JavaScript Team
* URL : https://salsa.debian.org/js-team/yarn-plugin-apt
* License : Expat
  Programming Lang: JavaScript
  Description : Yarn plugin to resolve dependencies from packages installed in apt

This yarn plugin allows apt installed packages satisfy a nodejs project's dependencies. The package is a valuable addition to Debian because it facilitates the management of nodejs projects dependencies by leveraging locally available apt-installed packages. Node.js is an event-based server-side JavaScript engine.

Hi, take a look also at pkgjs-install and pkgjs-install-minimal

Best regards, Yadd
Bug#1060152: python3-jupyterlab should provide jupyterlab
Package: python3-jupyterlab Severity: normal X-Debbugs-Cc: y...@debian.org Hi, python3-jupyterlab provides bin/jupyterlab, then it should "Provides: jupyterlab (= ${binary:Version})"
Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build
On 1/2/24 09:50, Yadd wrote:
Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install" which downloads libraries from Internet. This is totally out of DFSG.

For now, the --omit-dev avoids downloading anything until this package will have dependencies but npm still accesses the Internet for "audit".

Easy to fix: use "pkgjs-run build" instead of npm (and drop build dependency to npm)

second bug: package is unusable because not installed correctly (that's probably why autopkgtest was disabled...), also third_party/ is missing in install

A fixed version of this package is available at https://salsa.debian.org/js-team/node-html5-qrcode
Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build
Package: node-html5-qrcode Version: 2.3.8+repack-3 Severity: serious Justification: not-dfsg X-Debbugs-Cc: y...@debian.org node-html5-qrcode is built using "npm install" which downloads libraries from Internet. This is totally out of DFSG.
Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’
On 12/30/23 00:58, Gudjon I. Gudjonsson wrote:
Hi Yadd

I did try to build Ovito with qwt 6.2 and it works with minor fixes to ovito. Ovito is compiled with Qt6 so you need to change your dependencies to qwt-qt6. I suggest that you build against the experimental version of libqwt-qt6-dev and I will try to get it into unstable as soon as possible.

Regards
Gudjon

Hi Gudjon, thanks a lot, I'll try to build Ovito with qwt 6.2. Can you share the fix you wrote?

Best regards, Yadd
Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’
Hi Gudjon, yes I'm trying to build ovito. you can find my temporary repository on g...@salsa.debian.org:yadd/ovito.git Best regards, Yadd
Bug#1059469: ITP: node-ipydatagrid -- Fast Datagrid widget for the Jupyter Notebook and JupyterLab
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-ipydatagrid Version : 1.2.0 Upstream Contact: https://github.com/Bloomberg/ipydatagrid/issues * URL : https://github.com/Bloomberg/ipydatagrid * License : BSD-3-Clause Programming Lang: JavaScript Description : Fast Datagrid widget for the Jupyter Notebook and JupyterLab node-ipydatagrid provides a fast Datagrid widget for the Jupyter Notebook and JupyterLab. This package will be maintained under Debian PAN Maintainers Team
Bug#1059336: ITP: node-html5-qrcode -- qr-code and bar-code scanning library for the web
On 12/22/23 22:58, Georges Khaznadar wrote:
Package: wnpp
Severity: wishlist
Owner: Georges Khaznadar
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html5-qrcode
  Version : 2.3.8
  Upstream Contact: https://github.com/mebjas/html5-qrcode/issues
* URL : https://github.com/mebjas/html5-qrcode
* License : Apache-2.0, GPL2
  Programming Lang: nodejs, typescript
  Description : qr-code and bar-code scanning library for the web

Use this lightweight library to easily / quickly integrate QR code, bar code, and other common code scanning capabilities to your web application.

So far, debian is missing a package to scan qrcodes and barcodes from a web page. I intend to maintain this package as a dependency for a future package SLM, school library management, which I am developing actively. This latter package allows students to find and recognize books inside a library by scanning a few qr-codes.

The package node-html5-qrcode is uploaded to https://salsa.debian.org/georgesk/node-html5-qrcode.git

Hi, your debian/rules uses npm to build instead of launching direct commands but the worst is that you call "npm install" which imports files from Internet, this is not compliant with policy.

Cheers, Yadd
Bug#1058868: [Debichem-devel] Bug#1058868: gemmi: Please build shared library
Control: tags -1 + wontfix On 12/19/23 12:43, Andrius Merkys wrote: Hi, On 2023-12-17 11:31, Yadd wrote: currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit to build any software using gemmi-dev without static linking. The proposed patch adds package libgemmi1 which contains the shared library. I looked into the shared library provided by gemmi v0.6.4 (newer upstream release than in your patch). This version of gemmi builds the shared library by default. However, the produced shared library does not carry a soversion, thus according to Debian principles it is not suitable to be packaged as public shared library, alas. Thus static linking is the only option for now. Best wishes, Andrius Noted, thank you very much for your time! Cheers, Yadd
Bug#1058868: gemmi: Please build shared library
> I appreciate the idea and your patch, thanks for giving gemmi a look.
> However, I am hesitant to package gemmi shared library for Debian for
> now. The previous two releases had breaking API changes each. If
> upstream handles this properly and bumps the soversion, then this is
> fine, although having to undergo a transition twice a year is still
> quite some work. However, if the upstream does not maintain ABI
> stability inside the same soversion, then I would say the shared
> library is not yet ready for Debian.
>
> You have marked this bug as severity:important. Does this mean you
> need gemmi's shared library for some package?

Hi, yes I'm going to package ovito which depends on it. If shared library isn't provided, cmake automatically uses libgemmi_cpp.a which then embeds gemmi into ovito :-(

> I never had the need to manually trigger the ldconfig before. The
> issue might be the lack of 'Section: libs' in binary package
> description.

Maybe it's the issue

Best regards, Yadd
Bug#1058868: gemmi: Please build shared library
Source: gemmi Version: 0.6.3+ds-1 Severity: important Tags: patch X-Debbugs-Cc: y...@debian.org Hi, currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit to build any software using gemmi-dev without static linking. The proposed patch adds package libgemmi1 which contains the shared library. -- System Information: Debian Release: trixie/sid APT prefers testing APT policy: (900, 'testing'), (100, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled -- no debconf information diff --git a/debian/control b/debian/control index 9f5e3d6..0490b00 100644 --- a/debian/control +++ b/debian/control @@ -28,6 +28,7 @@ Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, + libgemmi1 (= ${binary:Version}) Description: library for structural biology - executable Library for macromolecular crystallography and structural bioinformatics. For working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints 
@@ -38,11 +39,27 @@ Description: library for structural biology - executable . This package contains main gemmi executable. +Package: libgemmi1 +Architecture: any +Depends: + ${misc:Depends}, + ${shlibs:Depends}, +Description: sharred library for structural biology + Library for macromolecular crystallography and structural bioinformatics. For + working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints + (monomer library), electron density maps (CCP4), and crystallographic + reflection data (MTZ, SF-mmCIF). It understands crystallographic symmetries, + it knows how to switch between the real and reciprocal space and it can do a + few other things. + . + This package contains main gemmi shared library. + Package: gemmi-dev Architecture: any Section: libdevel Depends: ${misc:Depends}, + libgemmi1 (= ${binary:Version}) Description: library for structural biology Library for macromolecular crystallography and structural bioinformatics. For working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints diff --git a/debian/gemmi-dev.install b/debian/gemmi-dev.install index 91a7942..7de1c21 100644 --- a/debian/gemmi-dev.install +++ b/debian/gemmi-dev.install @@ -1,2 +1,2 @@ usr/include/gemmi -usr/lib/${DEB_HOST_MULTIARCH} +usr/lib/${DEB_HOST_MULTIARCH}/cmake diff --git a/debian/libgemmi1.install b/debian/libgemmi1.install new file mode 100644 index 000..65440b7 --- /dev/null +++ b/debian/libgemmi1.install @@ -0,0 +1 @@ +usr/lib/${DEB_HOST_MULTIARCH}/*.so diff --git a/debian/libgemmi1.postinst b/debian/libgemmi1.postinst new file mode 100644 index 000..fb2c2d8 --- /dev/null +++ b/debian/libgemmi1.postinst @@ -0,0 +1,8 @@ +#!/bin/sh + +if [ "$1" = "triggered" ] || [ "$1" = "configure" ]; then + ldconfig -r "$DPKG_ROOT/" || ldconfig --verbose -r "$DPKG_ROOT/" + exit 0 +fi + +exit 0 diff --git a/debian/rules b/debian/rules index 8228c67..b3e31be 100755 --- a/debian/rules +++ b/debian/rules 
@@ -11,7 +11,7 @@ export DEB_CXXFLAGS_MAINT_APPEND = -fexcess-precision=fast # See #1042379 dh $@ --buildsystem cmake --with python3 override_dh_auto_configure: - dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF + dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF -DBUILD_SHARED_LIBS=ON override_dh_auto_test: dh_auto_build -- check
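Review bot: debian/libgemmi1.install ships `usr/lib/${DEB_HOST_MULTIARCH}/*.so`, so the package named libgemmi1 carries only an unversioned library, and nothing in the patch sets a SONAME (the debian/rules hunk only adds -DBUILD_SHARED_LIBS=ON). A runtime library package name should follow the soversion; please check the built file with `objdump -p` for a SONAME, install `*.so.*` in the runtime package and keep the bare `.so` link in gemmi-dev. If upstream provides no soversion, the `1` in the package name is not backed by any ABI guarantee and reverse dependencies have no way to detect a break.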
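Review bot: debian/libgemmi1.postinst has no `set -e`, no `#DEBHELPER#` token, and ends in `exit 0` on every path, so a failing ldconfig (both the first call and the `--verbose` retry) is silently ignored and any snippet debhelper generates for this package is lost. debhelper already registers the ldconfig trigger for packages that install shared libraries into the multiarch library directory, so the hand-written script can most likely be dropped; if it stays, add `set -e` and `#DEBHELPER#`.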
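Review bot: In the debian/control hunk the new libgemmi1 stanza has no `Section: libs` (gemmi-dev next to it sets `Section: libdevel`) and the short description reads "sharred library". Please add the section, fix the spelling to "shared library", and make the short description distinct from the other two binary packages, for example by ending it with "- shared library" in the same style as "- executable".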
Bug#1058864: ITP: ovito -- scientific data visualization and analysis software for particle-based simulations
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org * Package name: ovito Version : 3.9.4 Upstream Contact: https://gitlab.com/stuko/ovito/-/issues * URL : https://www.ovito.org * License : GPL-3 or Expat Programming Lang: C++ Description : scientific data visualization and analysis software for particle-based simulations OVITO is a scientific data visualization and analysis software for atomistic, molecular and other particle-based simulations. This package is part of Jupyterlab ecosystem.
Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’
Package: libqwt-qt5-dev
Version: 6.1.4-2
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi, when trying to compile ovito, I got the following error (with a simple #include ):

/usr/include/qwt/qwt_plot_layout.h:84:51: error: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’ [-fpermissive]
   84 |         const QRectF &plotRect, Options options = 0x00 );
      |                                                   ^~~~
      |                                                   |
      |                                                   int
In file included from /usr/include/x86_64-linux-gnu/qt6/QtCore/qglobal.h:1401,
                 from /usr/include/x86_64-linux-gnu/qt6/QtCore/qcoreapplication.h:7,
                 from /usr/include/x86_64-linux-gnu/qt6/QtCore/QCoreApplication:1,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/core/Core.h:61,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/base/GUIBase.h:30,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/desktop/GUI.h:30,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/stdobj/gui/StdObjGui.h:30,
                 from /home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/obj-x86_64-linux-gnu/src/ovito/stdobj/gui/CMakeFiles/StdObjGui.dir/cmake_pch.hxx:5,
                 from :

Best regards, Yadd

-- System Information:
Debian Release: trixie/sid
APT prefers testing
APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libqwt-qt5-dev depends on:
ii libc6            2.37-12
ii libgcc-s1        13.2.0-7
ii libqt5core5a     5.15.10+dfsg-5
ii libqt5designer5  5.15.10-5
ii libqt5gui5       5.15.10+dfsg-5
ii libqt5widgets5   5.15.10+dfsg-5
ii libqwt-qt5-6     6.1.4-2
ii libstdc++6       13.2.0-7

libqwt-qt5-dev recommends no packages.
libqwt-qt5-dev suggests no packages.

-- no debconf information
Bug#1058784: esbuild: [armel] install @esbuild/arm
Package: esbuild Version: 0.19.8-1 Severity: serious Tags: ftbfs patch Justification: node-esbuild-unusable-on-armel X-Debbugs-Cc: y...@debian.org Hi, my armel patch was wrong: armel build uses @esbuild/arm, not @esbuild/armel. I fixed this in a merge request [MR4] [MR4]: https://salsa.debian.org/go-team/packages/golang-github-evanw-esbuild/-/merge_requests/4
Bug#1058596: [Pkg-javascript-devel] Bug#1058596: yarnpkg broken on bookworm - yarnpkg --help fails with TypeError: commander.on is not a function
On 12/13/23 19:17, Praveen Arimbrathodiyil wrote: Control: fixed -1 1.22.19+~cs24.27.18-4 On Wed, 13 Dec 2023 20:39:39 +0530 Pirate Praveen wrote: We should backport the patches in unstable to bookworm as well. Updating the fixed info. Hi, since severity is grave, please prepare an update for stable also Cheers, Yadd
Bug#1058513: [Pkg-javascript-devel] Bug#1058513: node-signal-exit: FTBFS: SyntaxError: Cannot use import statement outside a module
Control: tags -1 + moreinfo On 12/13/23 00:52, Lucas Nussbaum wrote: Source: node-signal-exit Version: 4.1.0-6 Severity: serious Justification: FTBFS Tags: trixie sid ftbfs User: lu...@debian.org Usertags: ftbfs-20231212 ftbfs-trixie Hi, During a rebuild of all packages in sid, your package failed to build on amd64. Relevant part (hopefully): make[1]: Entering directory '/<>' tsc -p tsconfig.json tsc -p tsconfig-esm.json sh ./scripts/fixup.sh #cp debian/index.cjs dist/cjs/ make[1]: Leaving directory '/<>' dh_auto_test --buildsystem=nodejs ln -s ../. node_modules/signal-exit /bin/sh -ex debian/tests/pkg-js/test + tap -T -R spec test/all-integration-test.ts test/signal-exit-test.ts /<>/test/all-integration-test.ts:1 import assert from 'assert' ^^ Hi, I'm unable to reproduce this issue.
Bug#1058078: [Pkg-javascript-devel] Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from
Control: tags -1 + patch On 12/12/23 09:59, Yadd wrote: Package: node-eslint-plugin-eslint-plugin Version: 2.3.0+~0.3.0-4 Severity: serious Tags: ftbfs Justification: ftbfs Hi, when trying to reproduce node-eslint-plugin-eslint-plugin build, sbuild fails. Below relevant logs: eslint --format tap Xcomposer TAP version 13 1..2 ok 1 - /<>/Xcomposer/lib/rule-composer.js ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js eslint --format tap . --ignore-pattern '!.*' Oops! Something went wrong! :( ESLint: 6.4.0. ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please check that the name of the config is correct. The config "not-an-aardvark/node" was referenced from the config file in "/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml". If you still have problems, please stop by https://gitter.im/eslint/eslint to chat with the team. make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2 Hi Jonas, this patch seems to fix the problem: --- a/debian/rules +++ b/debian/rules @@ -35,7 +35,7 @@ override_dh_auto_build: $(DOCS) $(CHANGELOGS) override_dh_auto_test: $(ESLINT) Xcomposer - $(ESLINT) . --ignore-pattern '!.*' + $(ESLINT) . --ignore-pattern .pc $(MOCHA) --recursive Xcomposer/tests $(MOCHA) --recursive tests
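Review bot: In override_dh_auto_test, replacing `--ignore-pattern '!.*'` with `--ignore-pattern .pc` fixes the quilt directory problem but also drops the negated pattern that made ESLint lint dotfiles, so files such as the top-level .eslintrc.yml named in the error are no longer checked at all. If that coverage was intended, keep the original pattern and add the new one after it (`--ignore-pattern '!.*' --ignore-pattern .pc`), and add a short comment in debian/rules saying that .pc is quilt's working directory so the reason for the exclusion is not lost.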
Bug#1058080: node-eslint-plugin-eslint-plugin: Please add this patch for node-ajv >= 8
Package: node-eslint-plugin-eslint-plugin Version: 2.3.0+~0.3.0-3 Severity: important Tags: ftbfs patch upstream X-Debbugs-Cc: y...@debian.org Hi, here is a patch that updates AJV schemas. It is compatible with current node-ajv 6 and node-ajv >= 8 Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index e799068..317e5a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-4) UNRELEASED; urgency=medium + + * Team upload + + -- Yadd Tue, 12 Dec 2023 09:38:42 +0400 + node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-3) unstable; urgency=medium * add patch cherry-picked upstream diff --git a/debian/patches/2006_prepare-for-ajv-8.patch b/debian/patches/2006_prepare-for-ajv-8.patch new file mode 100644 index 000..669 --- /dev/null +++ b/debian/patches/2006_prepare-for-ajv-8.patch @@ -0,0 +1,27 @@ +Description: prepare for ajv 8 +Author: Yadd +Forwarded: no +Last-Update: 2023-12-12 + +--- a/lib/rules/meta-property-ordering.js b/lib/rules/meta-property-ordering.js +@@ -21,7 +21,7 @@ + fixable: 'code', + schema: [{ + type: 'array', +- elements: { type: 'string' }, ++ items: { type: 'string' }, + }], + }, + +--- a/lib/rules/test-case-property-ordering.js b/lib/rules/test-case-property-ordering.js +@@ -22,7 +22,7 @@ + fixable: 'code', + schema: [{ + type: 'array', +- elements: { type: 'string' }, ++ items: { type: 'string' }, + }], + }, + diff --git a/debian/patches/series b/debian/patches/series index 5eb779a..1de9aa5 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ 2003_avoid_eslint-config-not-an-aardvark.patch 2004_avoid_eslint-config-airbnb-base.patch 2005_no-require-jsdoc.patch +2006_prepare-for-ajv-8.patch
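Review bot: In both rule hunks of 2006_prepare-for-ajv-8.patch, `elements` is not a JSON Schema keyword, so the switch to `items` means `type: 'string'` is enforced on the option array for the first time; a test that passes a non-string entry to meta-property-ordering and test-case-property-ordering would pin that behaviour down for node-ajv 6 and 8 alike. The debian/changelog stanza also lists only "Team upload": it should name the new patch and close #1058080, and `Forwarded: no` sits oddly next to the report's `upstream` tag.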
Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from
Package: node-eslint-plugin-eslint-plugin Version: 2.3.0+~0.3.0-4 Severity: serious Tags: ftbfs Justification: ftbfs Hi, when trying to reproduce node-eslint-plugin-eslint-plugin build, sbuild fails. Below relevant logs: eslint --format tap Xcomposer TAP version 13 1..2 ok 1 - /<>/Xcomposer/lib/rule-composer.js ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js eslint --format tap . --ignore-pattern '!.*' Oops! Something went wrong! :( ESLint: 6.4.0. ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please check that the name of the config is correct. The config "not-an-aardvark/node" was referenced from the config file in "/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml". If you still have problems, please stop by https://gitter.im/eslint/eslint to chat with the team. make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2
Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8
On 12/8/23 03:59, Jonas Smedegaard wrote: Quoting Yadd (2023-12-07 14:37:31) Control: tags -1 + patch On 12/7/23 15:52, Jérémy Lal wrote: On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote: Package: eslint Version: 6.4.0~dfsg+~6.1.9-7 Severity: important Tags: ftbfs upstream Hi, eslint depends on node-ajv 6 and is incompatible with node-ajv 8 (available in experimental branch). All is in lib/shared/ajv.js: - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no longer available - eslint tries to set `ajv._opts.defaultMeta` which is `ajv.opts.defaultMeta` in node-ajv 8. Changing "ajv/lib/refs/json-schema-draft-04.json" to "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this patch which seems to work but 27 tests fail (not the good error string). It uses default ajv schemas. Help needed here ;-) I suppose you tried https://github.com/eslint/eslint/pull/13911/commits ? Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch. @Jonas, do you agree if I push this to experimental ? If it succeeds the testsuite then by all means, go for it. Hi, sure, all tests passed now. Only error strings had to be updated Cheers, Yadd
Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8
Control: tags -1 + patch On 12/7/23 15:52, Jérémy Lal wrote: On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote: Package: eslint Version: 6.4.0~dfsg+~6.1.9-7 Severity: important Tags: ftbfs upstream Hi, eslint depends on node-ajv 6 and is incompatible with node-ajv 8 (available in experimental branch). All is in lib/shared/ajv.js: - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no longer available - eslint tries to set `ajv._opts.defaultMeta` which is `ajv.opts.defaultMeta` in node-ajv 8. Changing "ajv/lib/refs/json-schema-draft-04.json" to "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this patch which seems to work but 27 tests fail (not the good error string). It uses default ajv schemas. Help needed here ;-) I suppose you tried https://github.com/eslint/eslint/pull/13911/commits ? Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch. @Jonas, do you agree if I push this to experimental ? Best regards, Yadd
diff --git a/debian/control b/debian/control index 10b6f6fc..35786a59 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: help2man , jq, mocha , - node-ajv , + node-ajv (>= 8) , node-babel-core (>= 7) , node-babel-loader (>= 7) , node-babel-preset-env (>= 7) , diff --git a/debian/patches/2012_fix-for-ajv-8.patch b/debian/patches/2012_fix-for-ajv-8.patch new file mode 100644 index ..f0a2d132 --- /dev/null +++ b/debian/patches/2012_fix-for-ajv-8.patch 
@@ -0,0 +1,351 @@ +Description: fix for node-ajv >= 8 +Author: Evgeny Poberezkin <https://github.com/epoberezkin> +Origin: upstream, https://github.com/eslint/eslint/pull/13911/files +Bug: https://github.com/eslint/eslint/issues/13888 +Bug-Debian: https://bugs.debian.org/1057707 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2023-12-07 + +--- a/conf/config-schema.js b/conf/config-schema.js +@@ -11,8 +11,7 @@ + globals: { type: "object" }, + overrides: { + type: "array", +-items: { $ref: "#/definitions/overrideConfig" }, +-additionalItems: false ++items: { $ref: "#/definitions/overrideConfig" } + }, + parser: { type: ["string", "null"] }, + parserOptions: { type: "object" }, +@@ -33,8 +32,7 @@ + { type: "string" }, + { + type: "array", +-items: { type: "string" }, +-additionalItems: false ++items: { type: "string" } + } + ] + }, +@@ -44,7 +42,6 @@ + { + type: "array", + items: { type: "string" }, +-additionalItems: false, + minItems: 1 + } + ] +--- a/lib/rule-tester/rule-tester.js b/lib/rule-tester/rule-tester.js +@@ -48,7 +48,7 @@ + { getRuleOptionsSchema, validate } = require("../shared/config-validator"), + { Linter, SourceCodeFixer, interpolate } = require("../linter"); + +-const ajv = require("../shared/ajv")({ strictDefaults: true }); ++const ajv = require("../shared/ajv")({ strictSchema: true }); + + const { SourceCode } = require("../source-code"); + +@@ -398,7 +398,7 @@ + + if (ajv.errors) { + const errors = ajv.errors.map(error => { +-const field = error.dataPath[0] === "." ? error.dataPath.slice(1) : error.dataPath; ++const field = error.instancePath[0] === "." ? 
error.instancePath.slice(1) : error.instancePath; + + return `\t${field}: ${error.message}`; + }).join("\n"); +--- a/lib/rules/array-element-newline.js b/lib/rules/array-element-newline.js +@@ -23,7 +23,6 @@ + }, + + fixable: "whitespace", +- + schema: [ + { + oneOf: [ +--- a/lib/rules/eqeqeq.js b/lib/rules/eqeqeq.js +@@ -43,8 +43,7 @@ + }, + additionalProperties: false + } +-], +-additionalItems: false ++] + }, + { + type: "array", +@@ -52,8 +51,7 @@ + { + enum: ["smart", "allow-null"] + } +-], +-additionalItems: false ++
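Review bot: In the lib/rule-tester/rule-tester.js hunk, the `error.instancePath[0] === "."` test is carried over unchanged from `dataPath`; Ajv 8 reports `instancePath` as a JSON Pointer that begins with `/`, so the branch never strips anything and `field` keeps its leading slash. Either strip a leading `/` or drop the conditional, and check that the resulting strings are the ones the updated tests expect.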
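Review bot: In the lib/rules/eqeqeq.js hunks, `additionalItems: false` is removed directly after a closing `],`, which indicates a positional `items` list, so option arrays carrying extra trailing elements are no longer rejected. Rather than dropping the limit, replace it with an explicit `maxItems` equal to the tuple length so the schema stays as strict as it was under node-ajv 6.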
Bug#1057707: eslint is incompatible with node-ajv >= 8
Package: eslint Version: 6.4.0~dfsg+~6.1.9-7 Severity: important Tags: ftbfs upstream Hi, eslint depends on node-ajv 6 and is incompatible with node-ajv 8 (available in experimental branch). All is in lib/shared/ajv.js: - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no longer available - eslint tries to set `ajv._opts.defaultMeta` which is `ajv.opts.defaultMeta` in node-ajv 8. Changing "ajv/lib/refs/json-schema-draft-04.json" to "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this patch which seems to work but 27 tests fail (not the good error string). It uses default ajv schemas. Help needed here ;-)
--- a/lib/shared/ajv.js +++ b/lib/shared/ajv.js @@ -8,8 +8,7 @@ // Requirements //-- -const Ajv = require("ajv"), -metaSchema = require("ajv/lib/refs/json-schema-draft-04.json"); +const Ajv = require("ajv"); //-- // Public Interface @@ -17,6 +16,7 @@ module.exports = (additionalOptions = {}) => { const ajv = new Ajv({ +strict: false, meta: false, useDefaults: true, validateSchema: false, @@ -26,9 +26,5 @@ ...additionalOptions }); -ajv.addMetaSchema(metaSchema); -// eslint-disable-next-line no-underscore-dangle -ajv._opts.defaultMeta = metaSchema.id; - return ajv; };
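Review bot: In the second hunk of lib/shared/ajv.js, `strict: false` is added beside the existing `meta: false` and `validateSchema: false`, so with Ajv 8 neither strict mode nor meta-schema validation will flag a malformed rule schema such as one using an unknown keyword. Leave strict mode on and fix the schemas it reports, or at least keep it on for the rule tester, and state in the patch description that the draft-04 meta-schema is no longer registered.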
Bug#1056705: node-mqtt: Missing dependency to node-lru-cache
Package: node-mqtt Version: 4.3.7-2 Severity: serious Tags: patch Justification: Failure X-Debbugs-Cc: y...@debian.org Hi, node-mqtt autopkgtest shows that this package requires node-lru-cache, however it is not listed in debian/control and then starts to fail when one of its dependencies no longer depends on node-lru-cache. Best regards, Yadd Ref: https://ci.debian.net/data/autopkgtest/testing/amd64/n/node-mqtt/40126282/log.gz
Bug#1056334: [Pkg-javascript-devel] Bug#1056334: node-ast-types: autopkgtest failure
Control: tags -1 + moreinfo On 11/21/23 12:28, Gianfranco Costamagna wrote: Source: node-ast-types Version: 0.16.1-2 Severity: serious Hello, according to ci, the package autopkgtests looks failing. https://ci.debian.net/packages/n/node-ast-types/unstable/amd64/39617621/ 66s autopkgtest [20:34:26]: test pkg-js-autopkgtest: [--- 66s # Using ./package.(json|yaml) 66s # Node module name is ast-types 66s # Build files found: tsconfig.json 66s # Test files found: 66s # Found debian/tests/pkg-js/files, let's use it 66s # Files/dir to be installed from source: src 66s test 66s tsconfig* 66s ls: cannot access 'test': No such file or directory This is strange: it seems that the test isn't launched from source directory (which has a test subdir) 66s # Copy debian/tests/pkg-js content 66s 'debian/tests/pkg-js' -> '/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js' 66s 'debian/tests/pkg-js/test' -> '/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/test' 66s 'debian/tests/pkg-js/files' -> '/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/files' 66s Found debian/tests/test_modules 66s # let's copy it 66s Found debian/nodejs/extlinks 67s @babel/parser linked into node_modules 67s @babel/types linked into node_modules 68s tslib linked into node_modules 68s @types/esprima linked into node_modules 69s @types/estree linked into node_modules 69s @types/glob linked into node_modules 70s @types/mocha linked into node_modules 70s # Searching module in /usr/lib/nodejs/ast-types 70s # Searching module in /usr/lib/*/nodejs/ast-types 70s # Searching module in /usr/share/nodejs/ast-types 70s # Found /usr/share/nodejs/ast-types 70s # Searching files to link in /usr/share/nodejs/ast-types 70s # Launch debian/tests/pkg-js/test with sh -ex 70s + test /tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp != 70s + rm -rf lib 70s + tsc 70s Version 4.8.4 70s tsc: The TypeScript Compiler - 
Version 4.8.4 70s 70s COMMON COMMANDS The "copy" part of pkg-js-autopkgtest failed, then "tsconfig.json" is missing, then tsc displays this.
Bug#1055525: cryptojs: CVE-2023-46233
Hi, this bug is still unfixed even if patch is trivial. Here is a template for an update
diff --git a/debian/changelog b/debian/changelog index 558cbac..849d0f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cryptojs (3.1.2+dfsg-3+deb12u1) bookworm-security; urgency=medium + + * Change default hash algorithm and iteration's for PBKDF2 +(Closes: #1055525) + + -- Yadd Thu, 16 Nov 2023 10:53:45 +0400 + cryptojs (3.1.2+dfsg-3) unstable; urgency=medium * Add upstream metadata. diff --git a/debian/patches/CVE-2023-46233.patch b/debian/patches/CVE-2023-46233.patch new file mode 100644 index 000..c321f49 --- /dev/null +++ b/debian/patches/CVE-2023-46233.patch @@ -0,0 +1,38 @@ +Description: Change default hash algorithm and iteration's for PBKDF2 + to prevent weak security by using the default configuration +Author: evanvosberg +Origin: upstream, https://github.com/brix/crypto-js/commit/421dd538 +Bug: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf +Bug-Debian: https://bugs.debian.org/1055525 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2023-11-16 + +--- a/components/pbkdf2.js b/components/pbkdf2.js +@@ -11,7 +11,7 @@ + var Base = C_lib.Base; + var WordArray = C_lib.WordArray; + var C_algo = C.algo; +-var SHA1 = C_algo.SHA1; ++var SHA256 = C_algo.SHA256; + var HMAC = C_algo.HMAC; + + /** +@@ -22,13 +22,13 @@ + * Configuration options. + * + * @property {number} keySize The key size in words to generate. Default: 4 (128 bits) +- * @property {Hasher} hasher The hasher to use. Default: SHA1 ++ * @property {Hasher} hasher The hasher to use. Default: SHA256 + * @property {number} iterations The number of iterations to perform. Default: 1 + */ + cfg: Base.extend({ + keySize: 128/32, +-hasher: SHA1, +-iterations: 1 ++hasher: SHA256, ++iterations: 25 + }), + + /** diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4fdeacb --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1 @@ +CVE-2023-46233.patch
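Review bot: In the `cfg` hunk of components/pbkdf2.js, the JSDoc line `@property {number} iterations ... Default: 1` is left as unchanged context while the default itself changes, so the documentation now contradicts the code; update it in the same patch. The new default reads `iterations: 25` here, which is still a very small work factor for PBKDF2, so confirm the value against upstream commit 421dd538 before uploading.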
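Review bot: The debian/changelog stanza closes #1055525 but never names the CVE, although the patch file is called CVE-2023-46233.patch. Add the id to the entry, for example `(Closes: #1055525, CVE-2023-46233)`, so the upload is linked to the advisory in the changelog itself.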
Bug#1056014: cryptojs: Library no more maintained, please keep out of next Debian stable
Source: cryptojs Severity: serious Tags: security upstream Justification: security X-Debbugs-Cc: y...@debian.org, Debian Security Team Hi, according to https://github.com/brix/crypto-js#readme it seems that cryptojs is no longer maintained. I just dropped the only reverse dependency so cryptojs can be safely removed from Debian.
Bug#1054853: node-katex: FTBFS: TypeError: Cannot read properties of undefined (reading '.cjs')
Control: reassign -1 node-postcss-loader Control: affects -1 node-katex Control: found -1 7.3.3-1 It seems that node-postcss-loader 7.3.3 needs node-cosmiconfig 8 and "jiti".
Bug#1055480: ITP: libwebservice-s3-tiny-perl -- Perl module for using S3 or compatible APIs
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org * Package name: libwebservice-s3-tiny-perl Version : 0.003 Upstream Contact: James Raspass * URL : https://metacpan.org/release/WebService-S3-Tiny * License : Artistic or GPL-1+ (and part under Apache-2.0) Programming Lang: Perl Description : Perl module for using S3 or compatible APIs WebService::S3::Tiny is a little Perl module for using any S3 or compatible APIs. It will be maintained under Perl Team umbrella.
Bug#1054432: Not a bug
Control: severity -1 wishlist Files are readable
Bug#1054667: [Pkg-javascript-devel] Bug#1054667: node-browserify-sign: CVE-2023-46234
On 10/27/23 20:20, Moritz Mühlenhoff wrote: Source: node-browserify-sign X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for node-browserify-sign. CVE-2023-46234[0]: | browserify-sign is a package to duplicate the functionality of | node's crypto public key functions, much of this is based on Fedor | Indutny's work on indutny/tls.js. An upper bound check issue in | `dsaVerify` function allows an attacker to construct signatures that | can be successfully verified by any public key, thus leading to a | signature forgery attack. All places in this project that involve | DSA verification of user-input signatures will be affected by this | vulnerability. This issue has been patched in version 4.2.2. https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-46234 https://www.cve.org/CVERecord?id=CVE-2023-46234 Please adjust the affected versions in the BTS as needed. Hi, please find attached the debdiff for Bookworm Kind regards, Yadd
diff --git a/debian/changelog b/debian/changelog index 5e3404f..c421503 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high + + * Team upload + * Properly check the upper bound for DSA signatures (Closes: #1054667, CVE-2023-46234) + + -- Yadd Sat, 28 Oct 2023 12:03:04 +0400 + node-browserify-sign (4.2.1-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-46234.patch b/debian/patches/CVE-2023-46234.patch new file mode 100644 index 000..152fd72 --- /dev/null +++ b/debian/patches/CVE-2023-46234.patch 
@@ -0,0 +1,68 @@ +Description: properly check the upper bound for DSA signatures +Author: roadicing +Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6 +Bug: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw +Bug-Debian: https://bugs.debian.org/1054667 +Forwarded: not-needed +Applied-Upstream: 4.2.2, commit: 85994cd6 +Reviewed-By: Yadd +Last-Update: 2023-10-28 + +--- a/browser/verify.js b/browser/verify.js +@@ -78,7 +78,7 @@ + + function checkValue (b, q) { + if (b.cmpn(0) <= 0) throw new Error('invalid sig') +- if (b.cmp(q) >= q) throw new Error('invalid sig') ++ if (b.cmp(q) >= 0) throw new Error('invalid sig') + } + + module.exports = verify +--- a/test/index.js b/test/index.js +@@ -4,6 +4,8 @@ + var nCrypto = require('crypto') + var bCrypto = require('../browser') + var fixtures = require('./fixtures') ++var BN = require('bn.js') ++var parseKeys = require('parse-asn1') + + function isNode10 () { + return parseInt(process.version.split('.')[1], 10) <= 10 +@@ -100,6 +102,35 @@ + t.end() + }) + } ++ ++ var s = parseKeys(pub).data.q; ++ test( ++f.message + ' against a fake signature', ++{ skip: !s || '(this test only applies to DSA signatures and not EC signatures, this is ' + f.scheme + ')' }, ++function (t) { ++ var messageBase64 = Buffer.from(f.message, 'base64'); ++ ++ // forge a fake signature ++ var r = new BN('1'); ++ ++ try { ++var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der'); ++ } catch (e) { ++t.ifError(e); ++t.end(); ++return; ++ } ++ ++ var bVer = bCrypto.createVerify(f.scheme); ++ t['throws']( ++function () { bVer.update(messageBase64).verify(pub, fakeSig); }, ++Error, ++'fake signature is invalid' ++ ); ++ ++ t.end(); ++} ++ ); + }) + + fixtures.valid.kvectors.forEach(function (f) { diff --git a/debian/patches/series b/debian/patches/series index 8aafdeb..86ff972 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1 +1,2 @@ drop-rmd160-support.patch +CVE-2023-46234.patch
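Review bot: In the test/index.js hunk, the option `{ skip: !s || '(this test only applies to DSA signatures ...' }` is truthy whether or not `s` is set: for a DSA key `!s` is false and the expression evaluates to the message string, so the fake-signature test is skipped for exactly the keys it is meant to cover. Use `!s && '...'` so the test runs when `parseKeys(pub).data.q` exists, and confirm in the build log that it is actually executed.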
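Why the one-character change in `checkValue` closes the upper-bound gap described in the advisory, as an added example that is not part of the original message or of browserify-sign. `TinyBN` is a hypothetical stand-in for the two bn.js calls the check uses (assumed, like bn.js, to return -1, 0 or 1 from `cmp` and decimal digits from `toString`), and `q = 101` is a constructed value.

```javascript
'use strict';

// Hypothetical stand-in for the bn.js methods used by checkValue.
// Assumption: cmp()/cmpn() return -1, 0 or 1 and toString() yields decimal digits.
class TinyBN {
  constructor(value) { this.v = BigInt(value); }
  cmp(other) { return this.v < other.v ? -1 : this.v > other.v ? 1 : 0; }
  cmpn(num) { return this.cmp(new TinyBN(num)); }
  toString() { return this.v.toString(10); }
}

// The check as it stood before the fix. The result of cmp() (-1, 0 or 1) is
// compared with the object q itself; JavaScript coerces q to a number through
// toString(), so the test becomes "1 >= <subgroup order>", which is false for
// any realistic q. The upper bound is therefore never enforced.
function checkValueBefore(b, q) {
  if (b.cmpn(0) <= 0) throw new Error('invalid sig');
  if (b.cmp(q) >= q) throw new Error('invalid sig');
}

// The check after the fix: cmp() >= 0 means b >= q, so only 0 < b < q passes.
function checkValueAfter(b, q) {
  if (b.cmpn(0) <= 0) throw new Error('invalid sig');
  if (b.cmp(q) >= 0) throw new Error('invalid sig');
}

// True when the given check lets the value through without throwing.
function accepts(check, b, q) {
  try {
    check(b, q);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: a small prime standing in for the DSA subgroup order q,
// and signature components on both sides of each boundary.
const q = new TinyBN(101n);
const candidates = { zero: 0n, one: 1n, qMinus1: 100n, q: 101n, qPlus1: 102n };

// For each candidate, record whether the old and the new check accept it.
function rangeReport() {
  const report = {};
  for (const [name, value] of Object.entries(candidates)) {
    const b = new TinyBN(value);
    report[name] = {
      before: accepts(checkValueBefore, b, q),
      after: accepts(checkValueAfter, b, q),
    };
  }
  return report;
}

console.table(rangeReport());
```

The rows for `q` and `qPlus1` are the ones that differ: the old check accepts them, the fixed check rejects them, which is the case the `s = q` signature in the patch's new test exercises.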
Bug#1054175: Closing: not a bug
Control: close -1 Control: notfound -1 2.0.0-2 Closing: unable to reproduce
Bug#1054443: node-graphql: website is build with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:21, Bastien Roucariès wrote: Source: node-graphql Version: 16.8.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2 You should repack or package docusaurus and rebuild Bastien No unreadable files here
Bug#1054435: [Pkg-javascript-devel] Bug#1054435: node-react-redux: website is build with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:08, Bastien Roucariès wrote: Source: node-react-redux Version: 8.1.2+dfsg1+~cs1.2.3-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory You should repack or package docusaurus and rebuild Bastien No unreadable file here
Bug#1054439: [Pkg-javascript-devel] Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:15, Bastien Roucariès wrote: Source: node-rjsf Version: 5.6.2+~5.0.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54 You should repack or package docusaurus and rebuild Bastien No unreadable files here
Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:15, Bastien Roucariès wrote: Source: node-rjsf Version: 5.6.2+~5.0.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54 You should repack or package docusaurus and rebuild Bastien No unreadable file here
Bug#1054441: node-ts-jest: website is build with Docusaurus not packaged for debian
Control: severity -1 wishlist On 10/23/23 23:18, Bastien Roucariès wrote: Source: node-ts-jest Version: 29.1.1+~cs0.2.6-2 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/ You should repack or package docusaurus and rebuild Bastien No unreadable file here
Bug#1054434: [Pkg-javascript-devel] Bug#1054434: Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian
On 10/24/23 06:25, Yadd wrote: Control: tags -1 + moreinfo On 10/23/23 23:07, Bastien Roucariès wrote: Source: node-redux Version: 4.2.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory You should repack or package docusaurus and rebuild Bastien Hello, directory docs contains only .md files, totally readable. What is the serious bug here ? Also website/ directory, no unreadable file, no serialized files,... Do we have to consider html files as no source because they were written with a non free tool ?
Bug#1054434: [Pkg-javascript-devel] Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian
Control: tags -1 + moreinfo On 10/23/23 23:07, Bastien Roucariès wrote: Source: node-redux Version: 4.2.1-1 Severity: serious Tags: ftbfs Justification: FTBFS Control: block -1 by 1054426 Dear Maintainer, The documentation is built with docusaurus. See website directory You should repack or package docusaurus and rebuild Bastien Hello, directory docs contains only .md files, totally readable. What is the serious bug here ?
Bug#1054167: [Pkg-javascript-devel] Bug#1054167: ftbfs: AssertionError in tests
Control: severity -1 important Hi, not really a serious-bug since it exists only when using a color term. Fixed anyway in version 2.0.0-4 Cheers, Yadd
Bug#1054175: [Pkg-javascript-devel] Bug#1054175: node-require-main-filename: failing dh_auto_test
Control: tags -1 + moreinfo On 10/18/23 20:27, Tianyu Chen wrote: Source: node-require-main-filename Version: 2.0.0-2 Severity: serious Tags: ftbfs Justification: fails to build from source X-Debbugs-Cc: sweetyf...@deepin.org Hi, During a rebuild of your package in unstable, your package fails to build from source. Full log can be accessed at: https://build.opensuse.org/package/live_build_log/home:utsweetyfish:node-202309/node-require-main-filename/Debian_Unstable/aarch64 Tail of log for your package: # Subtest: should default to process.cwd() if require.main is undefined not ok 1 - expected '/usr/src/packages/BUILD' to match /(?:.*autopkgtest.*|require-main-filename)/ --- [...] 1..1 # failed 1 test # time=95.325ms not ok 1 - test.js # time=95.325ms --- env: {} file: test.js timeout: 3 command: /usr/bin/node args: - test.js stdio: - 0 - pipe - 2 cwd: /usr/src/packages/BUILD exitCode: 1 ... 1..1 # failed 1 test # time=1113.041ms --|-|--|-|-|--- File | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s --|-|--|-|-|--- All files | 100 | 100 | 100 | 100 | index.js | 100 | 100 | 100 | 100 | --|-|--|-|-|--- dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1 make: *** [debian/rules:8: binary] Error 25 dpkg-buildpackage: error: debian/rules binary subprocess returned exit status 2 Thanks! Tianyu Chen @ deepin Hi, I'm not able to reproduce this issue
Bug#1053895: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-und...@packages.debian.org Control: affects -1 + src:node-undici [ Reason ] node-undici doesn't clear Cookie and Host headers on cross-origin redirect. [ Impact ] Medium security issue [ Tests ] No new test here [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Drop headers Host/Cookie unless same-origin Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 92c0de8..168ee34 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium + + * Delete cookie and host headers on cross-origin redirect +(Closes: #1053879, CVE-2023-45143) + + -- Yadd Fri, 13 Oct 2023 22:14:45 +0400 + node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium * Fix security issues (Closes: #1031418): diff --git a/debian/patches/CVE-2023-45143.patch b/debian/patches/CVE-2023-45143.patch new file mode 100644 index 000..c196bd2 --- /dev/null +++ b/debian/patches/CVE-2023-45143.patch 
@@ -0,0 +1,24 @@ +Description: delete 'cookie' and 'host' headers on cross-origin redirect +Author: Khafra +Origin: upstream, https://github.com/nodejs/undici/commit/e041de35 +Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g + https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp +Bug-Debian: https://bugs.debian.org/1053879 +Forwarded: not-needed +Applied-Upstream: 5.26.2, commit:e041de35 +Reviewed-By: Yadd +Last-Update: 2023-10-13 + +--- a/lib/fetch/index.js b/lib/fetch/index.js +@@ -1204,6 +1204,10 @@ + if (!sameOrigin(requestCurrentURL(request), locationURL)) { + // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name + request.headersList.delete('authorization') ++ ++// "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. ++request.headersList.delete('cookie') ++request.headersList.delete('host') + } + + // 14. If request’s body is non-null, then set request’s body to the first return diff --git a/debian/patches/series b/debian/patches/series index ce1440a..297000a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ drop-ssl-tests.patch CVE-2023-23936.patch CVE-2023-24807.patch update-httpbin.org-test-timeout.patch +CVE-2023-45143.patch
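Review bot: The lib/fetch/index.js hunk adds the `cookie` and `host` deletions with no accompanying test, and the request itself says "No new test here". Add a redirect test that sends both headers to one origin, answers with a redirect to a different origin, and asserts that neither header reaches the second server, so the stable update cannot regress silently.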
Bug#1053782: RFP: node-vite -- Next Generation Frontend Tooling
On 10/11/23 10:30, Andrius Merkys wrote:

Package: wnpp
Severity: wishlist
X-Debbugs-Cc: debian-de...@lists.debian.org
Control: block 1042095 by -1

* Package name    : node-vite
  Version         : 4.4.11
  Upstream Author : Evan You
* URL             : https://github.com/vitejs/vite
* License         : Expat
  Programming Lang: JavaScript
  Description     : Next Generation Frontend Tooling

Vite is a frontend build tool, including development server and build command bundling code with Rollup, pre-configured to output optimized static assets for production.

Vite is needed to produce CSS and JS files for sphinx-press-theme.

An estimate of work needed to package Vite:

$ npm2deb depends vite
Dependencies:
NPM                                           Debian
vite (4.4.11)                                 None
├─ esbuild (^0.18.10)                         None
├─ fsevents (~2.3.2)                          None
├─ postcss (^8.4.27)                          node-postcss (8.4.20+~cs8.0.23-1)
└─ rollup (^3.27.1)                           node-rollup (3.28.0-2)

Build dependencies:
NPM                                           Debian
@ampproject/remapping (^2.2.1)                node-ampproject-remapping (2.2.0+~cs5.15.37-1)
@babel/parser (^7.22.7)                       None
@babel/types (^7.22.5)                        node-babel (6.26.0+repack-3~bpo10+1)
@jridgewell/trace-mapping (^0.3.18)           None
@rollup/plugin-alias (^4.0.4)                 node-rollup-plugin-alias (5.0.0~ds-1)
@rollup/plugin-commonjs (^25.0.3)             node-rollup-plugin-commonjs (25.0.4+ds1-1)
@rollup/plugin-dynamic-import-vars (^2.0.4)   None
@rollup/plugin-json (^6.0.0)                  node-rollup-plugin-json (6.0.0+ds1-2)
@rollup/plugin-node-resolve (15.1.0)          node-rollup-plugin-node-resolve (15.1.0+ds-1)
@rollup/plugin-typescript (^11.1.2)           node-rollup-plugin-typescript (11.1.2~ds+~1.0.1-1)
@rollup/pluginutils (^5.0.2)                  node-rollup-pluginutils (5.0.2~ds+~2.8.2-1)
@types/escape-html (^1.0.2)                   None
@types/pnpapi (^0.0.2)                        None
acorn (^8.10.0)                               acorn (8.8.1+ds+~cs25.17.7-2)
acorn-walk (^8.2.0)                           None
cac (^6.7.14)                                 None
chokidar (^3.5.3)                             node-chokidar (3.5.3-2)
connect (^3.7.0)                              node-connect (3.7.0+~3.4.35-1)
connect-history-api-fallback (^2.0.0)         None
convert-source-map (^2.0.0)                   node-convert-source-map (1.9.0+~1.5.2-1)
cors (^2.8.5)                                 node-cors (2.8.5-1)
cross-spawn (^7.0.3)                          node-cross-spawn (5.1.0-2)
debug (^4.3.4)                                node-debug (4.3.4+~cs4.1.7-1)
dep-types (link:./src/types)                  None
dotenv (^16.3.1)                              None
dotenv-expand (^9.0.0)                        None
es-module-lexer (^1.3.0)                      node-es-module-lexer (1.1.0+dfsg-2)
escape-html (^1.0.3)                          node-escape-html (1.0.3+~1.0.2-2)
estree-walker (^3.0.3)                        node-estree-walker (2.0.2-5)
etag (^1.8.1)                                 node-etag (1.8.1-3)
fast-glob (^3.3.1)                            None
http-proxy (^1.18.1)                          node-http-proxy (1.18.1-8)
json-stable-stringify (^1.0.2)                node-json-stable-stringify (1.0.2+repack1+~cs1.0.34-2)
launch-editor-middleware (^2.6.0)             None
lightningcss (^1.21.5)                        None
magic-string (^0.30.2)                        node-magic-string (0.30.1-1)
micromatch (^4.0.5)                           node-micromatch (4.0.5+~4.0.2-1)
mlly (^1.4.0)                                 None
mrmime (^1.0.1)                               None
okie (^1.0.1)                                 None
open (^8.4.2)                                 node-open (8.4.0-6)
parse5 (^7.1.2)                               node-parse5 (7.1.2+dfsg-2)
periscopic (^3.1.0)                           None
picocolors (^1.0.0)                           node-picocolors (1.0.0-4)
picomatch (^2.3.1)                            node-anymatch (3.1.3+~cs4.6.1-2)
postcss-import (^15.1.0)                      None
postcss-load-config (^4.0.1)                  node-postcss-load-config (2.1.2+~cs6.0.0-1)
postcss-modules (^6.0.0)                      node-postcss-modules (6.0.0+~cs5.1.3-2)
resolve.exports (^2.0.2)                      None
rollup-plugin-license (^3.0.1)                None
sirv (^2.0.3)                                 None
source-map-support (^0.5.21)                  node-source-map-support (0.5.21+ds+~0.5.4-1)
strip-ansi (^7.1.0)                           node-strip-ansi (6.0.1-2)
strip-literal (^1.3.0)                        None
tsconfck (^2.1.2)                             None
tslib (^2.6.1)
Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1
On 10/8/23 16:10, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
On 10/8/23 16:04, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2
On 10/8/23 16:03, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
On 10/8/23 15:55, Jonathan Wiltshire wrote: Hi, This request was approved but not uploaded in time for the previous point release (11.8). Should it be included in 11.9, or should this request be abandoned and closed? Sorry, I was travelling. I just pushed the update Thanks!
Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
- an open redirection due to incorrect escape handling
- an open redirection only when configuration is edited by hand and doesn't follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol: A little-known feature of OIDC allows the OpenID Provider to fetch the Authorization request parameters itself by indicating a request_uri parameter. This feature is now restricted to a white list using this patch

[ Impact ]
Two low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage provided by upstream is good, so risk is moderate.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each redirection
- OIDC open redirection patch: just rejects requests with `redirect_uri` if relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers, Yadd

diff --git a/debian/NEWS b/debian/NEWS index c4d7ee951..ba4a14a12 100644 --- a/debian/NEWS +++ b/debian/NEWS 
@@ -1,3 +1,13 @@ +lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium + + A little-know feature of OIDC allows the OpenID Provider to fetch the + Authorization request parameters itself by indicating a request_uri + parameter. + By default, this feature is now restricted to a white list. See + Relying-Party security option to fill this field. + + -- Yadd Fri, 29 Sep 2023 17:38:51 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium AuthBasic now enforces 2FA activation (CVE-2023-28862): diff --git a/debian/changelog b/debian/changelog index 5d2c62ac0..35d5599a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium + + * Fix open redirection when OIDC RP has no redirect uris + * Fix open redirection due to incorrect escape handling + * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469) + + -- Yadd Fri, 29 Sep 2023 16:35:14 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862) @@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium - * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) + * Fix auth process in password-testing plugins (Closes: #1005302, CVE-2021-40874) -- Yadd Thu, 24 Feb 2022 15:16:09 +0100 diff --git a/debian/clean b/debian/clean index 73f167814..cdb4a5ae4 100644 --- a/debian/clean +++ b/debian/clean @@ -1,3 +1,4 @@ +doc/pages/documentation/current/.buildinfo lemonldap-ng-manager/site/htdocs/static/js/conftree.js lemonldap-ng-manager/site/htdocs/static/struct.json lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch new file mode 100644 index 0..dce756430 --- /dev/null +++ b/debian/patches/SSRF-issue.patch 
@@ -0,0 +1,627 @@ +Description: fix SSRF vulnerability + Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 +Forwarded: not-needed +Applied-Upstream: 2.17.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Reviewed-By: Yadd +Last-Update: 2023-09-23 + +--- a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst +@@ -278,6 +278,11 @@ + the Session Browser. +- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of the :ref:`Resource Owner Password Credentials Grant ` by this client. This feature only works if you have configured a form-based authentication module. +- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the :ref:`Resource Owner Password Credentials Grant ` by this client. ++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``): ++ which URLs may be called by the portal to fetch the request object (see ++ `request_uri ++ <https://openid.net/specs/openid-connect-core-1_0.
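Review bot: in the debian/NEWS hunk, the new entry ends with "See Relying-Party security option to fill this field" without naming the option or saying what an upgrade does to relying parties that already send request_uri. Use the label from the documentation hunk ("Allowed URLs for fetching Request Object") and state explicitly whether request_uri is refused while that list is empty, since that is the behaviour change the NEWS entry exists to announce. "little-know" should read "little-known".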
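Review bot: the second debian/changelog hunk (@@ -19,7 +27,7 @@) rewrites the already released 2.0.11+ds-4+deb11u1 entry, changing "CVE-2021-20874" to "#1005302, CVE-2021-40874", and this is mentioned neither in the new deb11u5 entry nor in the [ Changes ] list of the request, although the checklist says all changes are documented in d/changelog. Either add a line to the deb11u5 entry recording the corrected CVE id and bug number, or leave the historical entry out of this stable update.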
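Review bot: the debian/clean hunk adds doc/pages/documentation/current/.buildinfo, a packaging change that is unrelated to the three security fixes and is not listed in the deb11u5 changelog entry. Document it there or move it to a separate upload so the stable update contains only what the request describes.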
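Review bot: in the idpopenidconnect.rst hunk of debian/patches/SSRF-issue.patch, the new option is documented as "(since version ``2.17.1``)", but this patch ships it in 2.0.11+ds-4+deb11u5, so the packaged documentation will tell bullseye administrators that the allow-list is not available in their version. Adjust the backported text to mention the Debian revision that carries the option.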
Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
- an open redirection only when configuration is edited by hand and doesn't follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol: A little-known feature of OIDC allows the OpenID Provider to fetch the Authorization request parameters itself by indicating a request_uri parameter. This feature is now restricted to a white list using this patch

[ Impact ]
One low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage provided by upstream is good, so risk is moderate.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: just rejects requests with `redirect_uri` if relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers, Xavier

diff --git a/debian/NEWS b/debian/NEWS index b8955920b..5295a3cbb 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium + + A little-know feature of OIDC allows the OpenID Provider to fetch the + Authorization request parameters itself by indicating a request_uri + parameter. + By default, this feature is now restricted to a white list. See + Relying-Party security option to fill this field. + + -- Yadd Fri, 29 Sep 2023 17:15:03 +0400 + lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium CVE-2020-24660 
diff --git a/debian/changelog b/debian/changelog index cd4c8a023..148164a94 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium + + * Fix open redirection when OIDC RP has no redirect uris + * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469) + + -- Yadd Fri, 29 Sep 2023 17:18:12 +0400 + lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium * Apply login control to auth-slave requests diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch new file mode 100644 index 0..3c6ca8b51 --- /dev/null +++ b/debian/patches/SSRF-issue.patch 
@@ -0,0 +1,795 @@ +Description: fix SSRF vulnerability + Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 +Forwarded: not-needed +Applied-Upstream: 2.17.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Reviewed-By: Yadd +Last-Update: 2023-09-22 + +--- a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst +@@ -247,6 +247,11 @@ + This feature only works if you have configured a form-based authentication module. +- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the + :ref:`Client Credentials Grant ` by this client. ++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``): ++ which URLs may be called by the portal to fetch the request object (see ++ `request_uri ++ <https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter>`__ ++ in OIDC specifications). These URLs may use wildcards (``https://app.example.com/*``). +- **Authentication level**: Required authentication level to access this application +- **Access rule**: Lets you specify a :doc:`Perl rule` to restrict access to this client + +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +@@ -4656,6 +4656,7 @@ + oidcRPMetaDataOptionsComment => { type => 'longtext' }, + oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' }, + oidcRPMetaDataOptionsRedirectUris => { type => 'text', }, ++oidcRPMetaDataOptionsRequestUris => { type => 'text', }, + oidcRPMetaDataOptionsExtraClaims => { + type=> 'keyTextContainer', + keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/, +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manage
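Review bot: the debian/NEWS hunk heads the new entry "lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium", while the matching debian/changelog entry for the same version targets bookworm; the distribution field looks carried over from the bullseye request and should read bookworm. In the same entry, "little-know" should read "little-known", and "See Relying-Party security option" should name the option ("Allowed URLs for fetching Request Object").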
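Review bot: in the idpopenidconnect.rst hunk of debian/patches/SSRF-issue.patch, the added text says the allowed URLs "may use wildcards" and gives ``https://app.example.com/*`` as the only example, without saying what ``*`` can match or in which part of the URL it is accepted. Because this list is the control that addresses CVE-2023-44469, the documentation should state the matching rule (in particular whether a wildcard is honoured in the host part) and recommend the narrowest pattern that works. The "(since version ``2.17.1``)" marker is also inaccurate for a 2.16.1 package.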
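The request_uri allow-list described in the two lemonldap-ng update requests above, sketched as an added Python example; it is not part of the original messages and is not LemonLDAP::NG's (Perl) implementation. The function names, the matching rules (wildcards honoured in the path only, default deny) and the sample URLs are assumptions made for illustration.

```python
"""Allow-list check for an OIDC request_uri before the provider fetches it.

Added illustration, not LemonLDAP::NG code: the matching rules below are
assumptions chosen to show the pitfalls such a check has to cover.
"""
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample configuration for one relying party.
ALLOWED_REQUEST_URIS = ["https://app.example.com/*"]


def _origin(parts):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def request_uri_allowed(request_uri, allowed_patterns):
    """True only if request_uri matches a pattern registered for the RP.

    An empty list denies everything, so the feature stays off until the
    administrator fills the allow-list.
    """
    # Whitespace, control characters and backslashes are parsed differently
    # by different URL libraries; refuse them before parsing.
    if any(ord(c) < 0x21 or c in "\\\x7f" for c in request_uri):
        return False
    try:
        cand = urlsplit(request_uri)
        origin = _origin(cand)      # .port raises ValueError if malformed
    except ValueError:
        return False
    if origin[0] not in DEFAULT_PORTS or not origin[1]:
        return False                # absolute http(s) URLs only
    if cand.username is not None or cand.password is not None:
        return False                # "allowed-host@other-host" confusion
    if any(seg in (".", "..") for seg in unquote(cand.path).split("/")):
        return False                # dot segments could escape a path prefix
    for pattern in allowed_patterns:
        try:
            pat = urlsplit(pattern)
            if _origin(pat) != origin:
                continue            # scheme, host and port must match exactly
        except ValueError:
            continue                # ignore a malformed configured pattern
        # The wildcard is evaluated against the path only.
        if fnmatchcase(cand.path or "/", pat.path or "/"):
            return True
    return False


if __name__ == "__main__":
    for uri in ("https://app.example.com/request.jwt",
                "https://app.example.com.other.test/request.jwt",
                "http://127.0.0.1:8080/status"):
        print(uri, request_uri_allowed(uri, ALLOWED_REQUEST_URIS))
```

The check covers only the URL the client supplies; a fetcher that follows HTTP redirects needs to apply it to every hop as well.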
Bug#1052428: node-minimatch: please update to 9.x
On 9/22/23 00:10, Jérémy Lal wrote: Package: node-minimatch Version: 5.1.1+~5.1.2-1 Severity: normal Hi, nodejs 18.18.0 depends on node-minimatch 9.0.3. It'd be nice if someone could update that module. Regards, Jérémy Hi, I'm going to push version 9.0.3 to experimental (breaking changes) Cheers, Yadd
Bug#1052301: ITP: node-stdlib -- Standard library for JavaScript and Node.js
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-stdlib Version : 0.0.96 Upstream Contact: The Stdlib Authors <https://github.com/stdlib-js/stdlib/graphs/contributors> * URL : https://github.com/stdlib-js/stdlib * License : Apache-2.0 Programming Lang: JavaScript Description : Standard library for JavaScript and Node.js node-stdlib is a standard library for JavaScript and Node.js, with an emphasis on numerical and scientific computing applications. The library provides a collection of robust, high performance libraries for mathematics, statistics, data processing, streams, and more and includes many utilities expected from a standard library. node-stdlib is a build dependency of node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052246: ITP: node-vdom-to-html -- Node.js library to turn virtual-dom nodes into HTML
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-vdom-to-html Version : 2.3.1 Upstream Contact: Nathan Tran * URL : https://github.com/nthtran/vdom-to-html * License : Expat Programming Lang: JavaScript Description : Node.js library to turn virtual-dom nodes into HTML node-vdom-to-html turns virtual-dom nodes into HTML. virtual-dom is a collection of modules designed to provide a declarative way of representing the DOM. This is a dependency of node-stdlib which is needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation
On 9/18/23 21:26, Jérémy Lal wrote: On Mon, 18 Sep 2023 at 19:15, Yadd <y...@debian.org> wrote: Package: wnpp Severity: wishlist Owner: Yadd <y...@debian.org> X-Debbugs-Cc: debian-de...@lists.debian.org * Package name : node-playwright Version : 1.38.0 Upstream Contact: Microsoft Corporation <https://github.com/Microsoft/playwright/issues> * URL : https://github.com/Microsoft/playwright * License : Apache-2.0 Programming Lang: JavaScript Description : JavaScript framework for Web Testing and Automation node-playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API. Playwright is built to enable cross-browser web automation that is ever-green, capable, reliable and fast. Hi, I am a heavy user of node-playwright, so this interests me. Note that the latest version of playwright stopped automatically downloading the needed browser, which is a good thing. Playwright is also able to use system-installed chromium, but maybe not firefox, and I'm pretty sure it won't work out of the box with webkitgtk. Cheers, Jérémy Hi, happy to help you! You can test my work, available on salsa. Best regards, Yadd
Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-playwright Version : 1.38.0 Upstream Contact: Microsoft Corporation <https://github.com/Microsoft/playwright/issues> * URL : https://github.com/Microsoft/playwright * License : Apache-2.0 Programming Lang: JavaScript Description : JavaScript framework for Web Testing and Automation node-playwright is a framework for Web Testing and Automation. It allows testing Chromium, Firefox and WebKit with a single API. Playwright is built to enable cross-browser web automation that is ever-green, capable, reliable and fast. Another node-jupyterlab dependency, will be maintained under JS Team umbrella.
Bug#1052147: ITP: node-source-map-loader -- Node.js library to extract source maps
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-source-map-loader Version : 4.0.1 Upstream Contact: JS Foundation <https://github.com/webpack-contrib/source-map-loader/issues> * URL : https://github.com/webpack-contrib/source-map-loader * License : Expat Programming Lang: JavaScript Description : Node.js library to extract source maps node-source-map-loader is a JS library to extract source maps from existing source files. Can be used in a node-webpack rule. It's a build dependency of node-jupyterlab, will be maintained under JS Team umbrella.
Bug#1052143: ITP: node-html-loader -- Node module that exports HTML as string
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-html-loader Version : 4.2.0 Upstream Contact: JS Foundation <https://github.com/webpack-contrib/html-loader/issues> * URL : https://github.com/webpack-contrib/html-loader * License : Expat Programming Lang: JavaScript Description : Node module that exports HTML as string node-html-loader exports HTML as string. HTML is minimized when the compiler demands. It is typically used as node-webpack plugin. node-html-loader is a dependency of node-jupyterlab and will be maintained under JS Team umbrella
Bug#1052140: ITP: node-html-webpack-plugin -- node-webpack plugin to create HTML files
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-html-webpack-plugin Version : 5.5.3 Upstream Contact: JS Foundation <https://github.com/jantimon/html-webpack-plugin/issues> * URL : https://github.com/jantimon/html-webpack-plugin * License : JavaScript Programming Lang: Expat Description : node-webpack plugin to create HTML files node-html-webpack-plugin is a node-webpack plugin that simplifies creation of HTML files to serve a node-webpack bundle. This is especially useful for bundles that include a hash in the filename which changes every compilation. It's a build dependency of node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052076: ITP: node-mathjax-full -- JavaScript library to display math in browsers
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-mathjax-full Version : 3.2.2 Upstream Contact: The MathJax Consortium <https://github.com/mathjax/Mathjax-src/issues> * URL : https://github.com/mathjax/Mathjax-src * License : Apache-2.0 Programming Lang: JavaScript Description : JavaScript library to display math in browsers MathJax is an open-source JavaScript display engine for LaTeX, MathML, and AsciiMath notation that works in all modern browsers. It was designed with the goal of consolidating the recent advances in web technologies into a single, definitive, math-on-the-web platform supporting the major browsers and operating systems. It requires no setup on the part of the user (no plugins to download or software to install), so the page author can write web documents that include mathematics and be confident that users will be able to view it naturally and easily. Simply include MathJax and some mathematics in a web page, and MathJax does the rest. node-mathjax-full is a dependency of node-jupyterlab. It will be maintained under JS Team umbrella.
Bug#1052075: ITP: node-speech-rule-engine -- NodeJS version of the ChromeVox speech rule engine
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-speech-rule-engine Version : 3.2.2 Upstream Contact: Volker Sorge * URL : https://github.com/zorkow/speech-rule-engine * License : Apache-2.0 Programming Lang: JavaScript Description : NodeJS version of the ChromeVox speech rule engine node-speech-rule-engine (SRE) can translate XML expressions into speech strings according to rules that can be specified in a syntax using Xpath expressions. It's a dependency of node-mathjax-full, needed to build node-jupyterlab. Will be maintained under JS Team umbrella.
Bug#1052054: ITP: node-sort-package-json -- Node.js library to sort package.json
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-sort-package-json Version : 2.5.1 Upstream Contact: Keith Cirkel * URL : https://github.com/fisker/git-hooks-list * License : Expat Programming Lang: JavaScript Description : Node.js library to sort package.json node-sort-package-json is a small library useful to sort package.json files of Node.js modules, not in alphabetic order but in logical order (starting by name and version). It's a dependency of node-jupyterlab and will be maintained under JS Team umbrella.
Bug#1051991: ITP: node-sixel -- Node.js library to manage Sixel images
Package: wnpp Severity: wishlist Owner: Yadd X-Debbugs-Cc: debian-de...@lists.debian.org * Package name: node-sixel Version : 0.16.0 Upstream Contact: Joerg Breitbart * URL : https://github.com/jerch/node-sixel/ * License : Expat Programming Lang: JavaScript Description : Node.js library to manage Sixel images node-sixel is an image decoding / encoding library for node and the browser. It is a build dependency of node-xterm 5 which is required for node-jupyterlab. Will be maintained under JS Team umbrella.