Bug#1081986: [Pkg-javascript-devel] Bug#1081986: Should leaflet-image be removed from unstable?

2024-09-17 Thread Yadd

Control: severity -1 normal
Control: retitle -1 RM: leaflet-image -- RoM; rc-buggy
Control: reassign -1 ftp.debian.org
Control: affects -1 + src:leaflet-image


On 9/17/24 10:21, Helmut Grohne wrote:

Source: leaflet-image
Severity: important
User: helm...@debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing leaflet-image from Debian for the following reasons:
  * It accumulated one RC-bug:
+ #1003260: leaflet-image: FTBFS with webpack5: Invalid configuration object
  Last modified: 1 year, 3 months

  * It is not part of bookworm or trixie and is not a key package.

This bug serves as a pre-removal warning. After one month, the bug will be
reassigned to ftp.debian.org to actually request removal of the package.

In case the package should be kept in unstable, please evaluate each of the
RC-bugs listed above.
  * If the bug is meant to permanently prevent the package from entering testing
or a stable release, but this package should stay part of unstable, please
add a usertag:

user helm...@debian.org
usertags NNN + sidremove-ignore

  * If the bug no longer applies, please close it. If it is closed, check
whether the fixed version is correct and adjust if necessary.

  * Is the bug really release-critical? If not, please downgrade.

  * If the bug still applies, please send a status update at least once a year.

Once all of the mentioned RC bugs have been acted upon in one way or another,
please close this bug.

In case the package should be removed from unstable, you may reassign this
bug report:

 Control: severity -1 normal
 Control: retitle -1 RM: leaflet-image -- RoM; rc-buggy
 Control: reassign -1 ftp.debian.org
 Control: affects -1 + src:leaflet-image

Alternatively, you may wait a month and have it reassigned.

In case you disagree with the above, please add a wontfix tag to this bug.

 Control: tags -1 + wontfix

Doing so will also prevent automatic reassignment.

Kind regards

A tool for automatically removing packages from unstable

This bug report has been automatically filed with little human intervention.
If the filing is unclear or in error, don't hesitate to contact
Helmut Grohne for assistance.





Bug#1081983: [Pkg-javascript-devel] Bug#1081983: Should node-node-localstorage be removed from unstable?

2024-09-17 Thread Yadd

Control: severity -1 normal
Control: retitle -1 RM: node-node-localstorage -- RoM; rc-buggy
Control: reassign -1 ftp.debian.org
Control: affects -1 + src:node-node-localstorage

On 9/17/24 10:21, Helmut Grohne wrote:

Source: node-node-localstorage
Severity: important
User: helm...@debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing node-node-localstorage from Debian for the following reasons:
  * It accumulated one RC-bug:
+ #1013621: node-node-localstorage: FTBFS: TypeError: 'set' on proxy: trap returned falsish for property 'length'
  Last modified: 1 year, 3 months

  * It is not part of bookworm or trixie and is not a key package.

This bug serves as a pre-removal warning. After one month, the bug will be
reassigned to ftp.debian.org to actually request removal of the package.

In case the package should be kept in unstable, please evaluate each of the
RC-bugs listed above.
  * If the bug is meant to permanently prevent the package from entering testing
or a stable release, but this package should stay part of unstable, please
add a usertag:

user helm...@debian.org
usertags NNN + sidremove-ignore

  * If the bug no longer applies, please close it. If it is closed, check
whether the fixed version is correct and adjust if necessary.

  * Is the bug really release-critical? If not, please downgrade.

  * If the bug still applies, please send a status update at least once a year.

Once all of the mentioned RC bugs have been acted upon in one way or another,
please close this bug.

In case the package should be removed from unstable, you may reassign this
bug report:

 Control: severity -1 normal
 Control: retitle -1 RM: node-node-localstorage -- RoM; rc-buggy
 Control: reassign -1 ftp.debian.org
 Control: affects -1 + src:node-node-localstorage

Alternatively, you may wait a month and have it reassigned.

In case you disagree with the above, please add a wontfix tag to this bug.

 Control: tags -1 + wontfix

Doing so will also prevent automatic reassignment.

Kind regards

A tool for automatically removing packages from unstable

This bug report has been automatically filed with little human intervention.
If the filing is unclear or in error, don't hesitate to contact
Helmut Grohne for assistance.





Bug#1080052: [Pkg-javascript-devel] Bug#1080052: Should node-lockfile be removed from unstable?

2024-08-29 Thread Yadd

Control: severity -1 normal
Control: retitle -1 RM: node-lockfile -- RoM; rc-buggy
Control: reassign -1 ftp.debian.org
Control: affects -1 + src:node-lockfile


On 8/30/24 09:33, Helmut Grohne wrote:

Source: node-lockfile
Severity: serious
Justification: grab attention of maintainer
User: helm...@debian.org
Usertags: sidremove

Dear maintainer,

I suggest removing node-lockfile from Debian for the following reasons:
  * It accumulated one RC-bug:
+ #1005940: node-lockfile: Abandoned upstream
  Last modified: 2 years

  * It is not part of bookworm or trixie and is not a key package.


Hi,

Sure, this package is no longer useful here.

Best regards,
Yadd



Bug#1079833: [Pkg-javascript-devel] Bug#1079833: node-minimatch: please provide a bundled version

2024-08-27 Thread Yadd

Hi Jérémy,

ready to review and push into salsa.d.o

Best regards,
Xavier

On 8/28/24 03:25, Jérémy Lal wrote:

Package: node-minimatch
Version: 9.0.3-4
Severity: wishlist

nodejs 20.17.0 includes minimatch, however the mechanism for
inclusion is somewhat convoluted, and it would be greatly easier
if a bundle was provided by node-minimatch.

This should work
rollup --format=commonjs -p @rollup/plugin-commonjs -p @rollup/plugin-node-resolve \
  --file=debian/tmp/usr/share/nodejs/minimatch/dist/cjs/index.bundle.js -- \
  dist/cjs/index.js

If nodejs were to create that bundle, it would need to be rebuilt when 
minimatch changes,
otherwise it doesn't really need it.

Thanks

-- System Information:
Debian Release: trixie/sid
   APT prefers testing
   APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.4-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages node-minimatch depends on:
ii  node-brace-expansion  2.0.1+~1.1.0-1

node-minimatch recommends no packages.

node-minimatch suggests no packages.

-- no debconf information





Bug#1079164: devscripts: Files-Excluded version of regexp should be documented and if not pcre Files-Excluded-PCRE should be created

2024-08-21 Thread Yadd

On 8/22/24 02:06, Bastien Roucariès wrote:

On Wednesday, 21 August 2024, 11:07:17 UTC, Niels Thykier wrote:

On Tue, 20 Aug 2024 18:50:20 + Bastien Roucariès wrote:

Package: devscripts
Version: 2.23.7
Severity: minor

Dear Maintainer,

I do not find the syntax of the regex used by Files-Excluded.

I suppose it is POSIX RE.

It should be documented if it is the case.

If it is not PCRE, could it be possible to add a Files-Excluded-PCRE field? It
will greatly help to remove all directories except one
in case of a JS monorepo

Rouca



Drive by remark, it uses the DEP-5 `Files` semantics (that is, not a
regex at all). For the use-case you have, I think you want to combine
`Files-Excluded` with `Files-Included`.

That was what I had for this bug.

No, it does not work:
- Files-Included is not documented
- Does not work with component


For components, use "Files-Excluded-componentname"


Files-Included-PCRE per component may be better I believe


Best regards,
Niels








Bug#1078880: [Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370

2024-08-20 Thread Yadd

On 8/20/24 17:30, Salvatore Bonaccorso wrote:

Hi,

On Tue, Aug 20, 2024 at 05:20:38PM +0400, Yadd wrote:

On 8/20/24 16:34, Moritz Mühlenhoff wrote:

Hi Yadd,


here is a simple patch for this issue


The debdiff looks fine, but I don't believe this needs a
DSA, can you please submit this for the next point update
instead?


Agree, but the bug was tagged as "grave" ;-)


The severity and the no-dsa/dsa decision can be orthogonal in the
following sense: Assume an issue is not severe enough to have an
immediate DSA, but a point release is approaching, still the issue
should be made sure to be fixed in the upper suite (considering it
release critical) so we would not start latest trixie with the open
issue.

Having it at RC level ensures this, gives enough grace time (there
won't be an imminent removal anyway) and raises the hint-flag.

I choose such in particular when I see there is the same version
across several releases, and a new upstream version exists to really
make sure we avoid having the issue in the upper suite.

Does this make sense? Or have you issues with the assessment as
'grave' in this case?


No problem, I just filed issues for Bookworm and Bullseye

Cheers,
Xavier



Bug#1078880: [Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370

2024-08-20 Thread Yadd

On 8/20/24 16:34, Moritz Mühlenhoff wrote:

Hi Yadd,


here is a simple patch for this issue


The debdiff looks fine, but I don't believe this needs a
DSA, can you please submit this for the next point update
instead?


Agree, but the bug was tagged as "grave" ;-)

Cheers,
Xavier



Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1

2024-08-16 Thread Yadd

On 8/15/24 20:29, Adam D. Barratt wrote:

On Thu, 2024-08-15 at 05:09 +0400, Yadd wrote:

Hi Adam,

can I do the same with Bullseye ?


I've just replied to the bullseye request, but afaics it wasn't even
filed at the point the above chase was posted.

Regards,

Adam


Yes, sorry I forgot Bullseye when fixing Apache2.

Thanks a lot, I just pushed Bullseye/apache2



Bug#1076531: bookworm-pu: package apache2/2.4.62-1~deb12u1

2024-08-15 Thread Yadd

Hi Adam,

can I do the same with Bullseye ?

On 8/15/24 00:33, Adam D. Barratt wrote:

Control: tags -1 + confirmed

On Thu, 2024-07-18 at 09:39 +0400, Yadd wrote:

[ Reason ]
Apache2 was updated to 2.4.61 due to 8 CVEs. However "a partial fix
for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores
some use of the legacy content-type based configuration of handlers.
"AddType" and similar configuration, under some circumstances where
files are requested indirectly, result in source code disclosure of
local content. For example, PHP scripts may
be served instead of interpreted".

It's difficult to find what "under some circumstances" means, either in
upstream commits or in upstream explanations.


Please go ahead.

Regards,

Adam




Bug#1078622: [Debian-pan-maintainers] Bug#1078622: jupyterlab: will FTBFS during trixie support period

2024-08-13 Thread Yadd

Control: fixed -1 jupyterlab/4.0.11+ds1+~cs11.25.27-1
Control: close -1
Control: forcemerge -1 1060772

On 8/13/24 22:06, Santiago Vila wrote:

Package: src:jupyterlab
Version: 4.0.11+ds1-2
User: debian...@lists.debian.org
Usertags: ftbfs-during-trixie-support-period
Tags: ftbfs

Dear maintainer:

During a rebuild of all packages in unstable in the year 2028, your 
package failed to build:


Duplicate of #1060772



Bug#1078579: RM: node-jupyterlab -- ROM; Replaced by src:jupyterlab

2024-08-12 Thread Yadd
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: node-jupyter...@packages.debian.org, 
debian-pan-maintain...@alioth-lists.debian.net, y...@debian.org
Control: affects -1 + src:node-jupyterlab
User: ftp.debian@packages.debian.org
Usertags: remove


Hi,

we just grouped python3-jupyterlab and node-jupyterlab into jupyterlab.
That's why this package is no longer needed.

Best regards,
Xavier



Bug#1077760: [Pkg-javascript-devel] Bug#1077760: pkg-js-tools: please allow to run a hook before testing

2024-08-03 Thread Yadd

On 8/1/24 18:34, Bastien Roucariès wrote:

Package: pkg-js-tools
Version: 0.15.22
Severity: important

Dear Maintainer,

Could you run a hook like pre-test in tests that will run something like, for
instance, regenerating a certificate.

It will avoid a lot of failures and manual work.

I can work around using d/rules for build but not for test

Bastien


Hi,

do you have an idea on how to do this ? For now I insert my pre-test 
into the debian/tests/pkg-js/test file (which is run with `sh -e`)




Bug#1077639: ITP: libcaptcha-recaptcha-v3-perl -- Perl implementation of reCAPTCHA API version v3

2024-07-30 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: libcaptcha-recaptcha-v3-perl
  Version : 0.05
  Upstream Contact: worthmine 
* URL : https://metacpan.org/release/Captcha-reCAPTCHA-V3
* License : Artistic or GPL-1+
  Programming Lang: Perl
  Description : Perl implementation of reCAPTCHA API version 3

Perl library for Google's reCAPTCHA version 3. API v2 and v3 are so
different that this new module is totally distinct from
libcaptcha-recaptcha-perl.

Will be maintained under Perl Team umbrella



Bug#1077509: bookworm-pu: package cyrus-imapd/3.6.1-4+deb12u3

2024-07-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: cyrus-im...@packages.debian.org, y...@debian.org
Control: affects -1 + src:cyrus-imapd
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
There was a regression introduced by CVE-2024-34055 which breaks
Cyrus-Imapd's murder (RC bug #1075853).

[ Impact ]
Installations with murder (more than one backend node) may be broken.

[ Tests ]
No new test in these patches, however test and autopkgtest passed
(https://salsa.debian.org/debian/cyrus-imapd/-/pipelines/708722)

[ Risks ]
Low risk, patch is not so big

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
I chose to keep patches as given in upstream release with upstream
comments

Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 39736966..8b7809d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.6.1-4+deb12u3) bookworm; urgency=medium
+
+  * Fix regression introduced in CVE-2024-34055 fix (Closes: #1075853)
+
+ -- Yadd   Mon, 29 Jul 2024 12:43:50 +0400
+
 cyrus-imapd (3.6.1-4+deb12u2) bookworm-security; urgency=medium
 
   * Fix unbounded memory allocation (Closes: CVE-2024-34055)
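
Review bot: the new 3.6.1-4+deb12u3 entry says only "Fix regression introduced in CVE-2024-34055 fix", which does not tell a point-release reviewer what regressed or which files carry the fix. Name the two added patches and the affected feature, for example "Fix murder/mupdate regression introduced by the CVE-2024-34055 fix: add CVE-2024-34055-regressions-{1,2}.patch from upstream 3.6.6 (Closes: #1075853)", so the changelog can be matched against the debdiff.
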
diff --git a/debian/patches/CVE-2024-34055-regressions-1.patch 
b/debian/patches/CVE-2024-34055-regressions-1.patch
new file mode 100644
index ..f0d4e80c
--- /dev/null
+++ b/debian/patches/CVE-2024-34055-regressions-1.patch
@@ -0,0 +1,57 @@
+Description: Instance: check backend sync to mupdate during murder shutdown
+Author: ellie timoney 
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/846f1f49
+Forwarded: not-needed
+Applied-Upstream: 3.6.6
+Reviewed-By: Yadd 
+Last-Update: 2024-07-29
+
+--- a/cassandane/Cassandane/Instance.pm
 b/cassandane/Cassandane/Instance.pm
+@@ -1378,6 +1378,38 @@
+ return;
+ }
+ 
++sub _check_mupdate
++{
++my ($self) = @_;
++
++my $mupdate_server = $self->{config}->get('mupdate_server');
++return if not $mupdate_server; # not in a murder
++
++my $serverlist = $self->{config}->get('serverlist');
++return if $serverlist; # don't sync mboxlist on frontends
++
++# Run ctl_mboxlist -m to sync backend mailboxes with mupdate.
++#
++# You typically run this from START, and we do, but at test start
++# there's no mailboxes yet, so there's nothing to sync, and if
++# something is broken it probably won't be detected.
++my $basedir = $self->{basedir};
++eval {
++$self->run_command({
++redirects => { stdout => "$basedir/ctl_mboxlist.out",
++   stderr => "$basedir/ctl_mboxlist.err",
++ },
++cyrus => 1,
++}, 'ctl_mboxlist', '-m');
++};
++if ($@) {
++my @err = slurp_file("$basedir/ctl_mboxlist.err");
++chomp for @err;
++xlog "ctl_mboxlist -m failed: " . Dumper \@err;
++return "unable to sync local mailboxes with mupdate";
++}
++}
++
+ sub _check_sanity
+ {
+ my ($self) = @_;
+@@ -1516,6 +1548,7 @@
+ my @errors;
+ 
+ push @errors, $self->_check_sanity();
++push @errors, $self->_check_mupdate();
+ 
+ xlog "stop $self->{description}: basedir $self->{basedir}";
+ 
diff --git a/debian/patches/CVE-2024-34055-regressions-2.patch 
b/debian/patches/CVE-2024-34055-regressions-2.patch
new file mode 100644
index ..9ea66400
--- /dev/null
+++ b/debian/patches/CVE-2024-34055-regressions-2.patch
@@ -0,0 +1,142 @@
+Description: imapparse: add getmstring() for mupdate-specific parsing
+ The mupdate protocol uses LITERAL+ in server->client communications, whereas
+ in the IMAP protocol this is only permitted in client->server communications.
+ Adds a parser flag and corresponding macro to switch behaviours.
+ Fixes #4932
+Author: ellie timoney 
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commits/e35707e7
+Forwarded: not-needed
+Applied-Upstream: 3.6.6
+Reviewed-By: Yadd 
+Last-Update: 2024-07-29
+
+--- a/imap/imapparse.c
 b/imap/imapparse.c
+@@ -153,7 +153,10 @@
+ buf_reset(buf);
+ c = getint32(pin, &len);
+ 
+-if (pin->isclient && c == '+') {
++/* For IMAP, LITERAL+ is only valid from client->server.  For MUPDATE
++ * it's valid in either direction.
++ */
++if ((pin->isclient || (flags & GXS_MUPDATE)) && c == '+') {
+ /* LITERAL- says maximum size is 4096! */
+ if (lminus && len > 4096) {
+ /* Fail per RFC 7888, Section 4, choice 2 */
+--- a/i
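
Review bot: "Fixes #4932" in the Description presumably refers to the upstream tracker, but inside a Debian patch header it reads like a Debian bug number; move it to a DEP-3 "Bug:" field with the full upstream URL and add "Bug-Debian: https://bugs.debian.org/1075853", the bug the changelog closes. On the code itself, the relaxed test "(pin->isclient || (flags & GXS_MUPDATE)) && c == '+'" accepts LITERAL+ from a server whenever the caller passes GXS_MUPDATE, so the remainder of the patch (cut off here) should be checked to confirm that only the mupdate parsing path sets that flag.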

Bug#1076904: [Pkg-javascript-devel] Bug#1076904: pkg-js-tools: FTBFS: help2man: can't get `--version' info from ./tools/debcheck-node-repo

2024-07-26 Thread Yadd

On 7/27/24 07:15, Guillem Jover wrote:

Control: reopen -1
Control: notfixed -1 dpkg/1.22.9
Control: affect -1 = src:pkg-js-tools
Control: retitle -1 dpkg-dev: Make fragments lack internal dpkg_lazy_eval macros
Control: tags -1 =

On Fri, 2024-07-26 at 15:21:16 +0200, Santiago Vila wrote:

unmerge 1076904
thanks



Hi. I can indeed reproduce the error in unstable right now.
(was your chroot uptodate?)

Maybe this is one of the other subtle bugs reported by Michael Tokarev?

In either case, please fix the metadata as necessary.

Sorry, I try to help maintainers to discover the root cause of the bugs I 
report,
when I can, but I don't always succeed.


This FTBFS in pkg-js-tools is caused by that package (and several
others), using the internal dpkg_lazy_eval macro from the dpkg
Makefile fragment files.

I'm going to revert the change that removed those macros, to avoid this
and other breakage, but these packages should ideally not have used
these macros. Although at this point I guess this has kind of become
part of the API for those files. :/ And making them stop using the
macros will require a coordinated transition or similar.

Thanks,
Guillem


Hi,

I pushed a workaround into version 1.15.22:

DEVSCRIPTS_CHECK_DIRNAME_LEVEL=0 PERL5LIB=lib help2man \
  --version-string=$(DEB_VERSION) --no-discard-stderr -n $* -N \
  --help-option=-h ./tools/$* > $*.1


Fixing the version works around the problem with Exporter::import

Best regards,
Xavier



Bug#1076904: [Pkg-javascript-devel] Bug#1076904: pkg-js-tools: FTBFS: help2man: can't get `--version' info from ./tools/debcheck-node-repo

2024-07-26 Thread Yadd

Control: tags -1 + moreinfo

On 7/24/24 14:48, Santiago Vila wrote:

Package: src:pkg-js-tools
Version: 0.15.21
Severity: serious
Tags: ftbfs

Dear maintainer:

During a rebuild of all packages in unstable, your package failed to build:


Hi,

I'm unable to reproduce in a schroot, could you share more info? Also I
can see in your logs some dh_auto_test logs inside the dh_auto_install
step, which looks to be launched before the manpage build, which is a
prerequisite of override_sh_auto_install.

Do you use a standard way to build?



[...]
  debian/rules binary
dh binary
    dh_update_autotools_config
    dh_autoreconf
    debian/rules override_dh_auto_configure
make[1]: Entering directory '/<>'
perl -i -pe 's/[\d\.]+/''/' lib/Debian/PkgJs/Version.pm
dh_auto_configure
 /usr/bin/perl Makefile.PL INSTALLDIRS=vendor "OPTIMIZE=-g -O2 
-Werror=implicit-function-declaration 
-ffile-prefix-map=/<>=. -fstack-protector-strong 
-fstack-clash-protection -Wformat -Werror=format-security 
-fcf-protection -Wdate-time -D_FORTIFY_SOURCE=2" 
"LD=x86_64-linux-gnu-gcc -g -O2 -Werror=implicit-function-declaration 
-ffile-prefix-map=/<>=. -fstack-protector-strong 
-fstack-clash-protection -Wformat -Werror=format-security 
-fcf-protection -Wl,-z,relro"

Checking if your kit is complete...
Warning: the following files are missing in your kit:
 mjs2cjs/mjs2cjs.js
 t/dh_gulp2.t
 t/gulp2/debian/changelog

[... snipped ...]


dh_auto_install: warning: ### Missing comp-one/build/config.gypi, skipping

dh_auto_install: warning: ### Missing comp-three/build/config.gypi, 
skipping


dh_auto_install: warning: ### Missing comp-two/build/config.gypi, skipping

t/dh_submodules.t ..
1..24
Link node_modules/comp-four -> ../comp-four
Link node_modules/comp-three -> ../comp-three
Link node_modules/comp_two -> ../comp-two
Link comp-three/node_modules/comp_two -> ../../comp-two
ok 1 - comp-one/nolink
ok 2 - Main link
ok 3 -  good link
ok 4 - Main link
ok 5 - component_links
ok 6 -  good link
No build command found, searching known files
Found debian/nodejs/comp-one/build
 cd ./comp-one && sh -ex ../debian/nodejs/comp-one/build
No build command found, searching known files
No build command found, searching known files
No build command found, searching known files
ok 7 - build creates comp-one/a
 ln -s ../. node_modules/foo
 cd ./comp-one && sh -ex ../debian/nodejs/comp-one/test
 /bin/sh -ex debian/tests/pkg-js/test
test launched
Removing node_modules/foo
ok 8 - File "foo" created
Found "files" field in ./package.json, using it
 mkdir -p 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/
 install -m 644 ./index.js 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo//
 install -m 644 ./package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo//
 install -m 644 ./package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo//

Found "files" field in comp-four/package.json, using it
 mkdir -p 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four/
 install -m 644 comp-four/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four//
 install -m 644 comp-four/index.js 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four//
 install -m 644 comp-four/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-four//

No "files" field in comp-one/package.json, install all files
Files to install: comp-one, !comp-one/build/config.gypi
 mkdir -p 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one/
 install -m 644 comp-one/index.js 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one//
 install -m 644 comp-one/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one//
 install -m 644 comp-one/bar 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one//
 install -m 644 comp-one/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-one//

Found "files" field in comp-three/package.json, using it
 mkdir -p 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three/
 install -m 644 comp-three/index.js 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three//
 install -m 644 comp-three/test.js 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three//
 install -m 644 comp-three/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three//
 install -m 644 comp-three/package.json 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp-three//

Found "files" field in comp-two/package.json, using it
 mkdir -p 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node_modules/comp_two/
 install -m 644 comp-two/index.js 
/<>/t/submodules/debian/foo//usr/share/nodejs/foo/node

Bug#1076378: [Pkg-javascript-devel] Bug#1076378: node-xterm: Unable to build package node-xterm from sources in Debian Bookworm because of error TS2769

2024-07-15 Thread Yadd

Control: fixed -1 5.3.0-1

On 7/15/24 15:57, Sergei Semin wrote:

Source: node-xterm
Version: 3.8.1+~cs0.9.0-1
Severity: serious
Tags: ftbfs
Justification: fails to build from source
X-Debbugs-Cc: syominser...@gmail.com

Dear Maintainer,

I tried to build node-xterm from sources in Debian Bookworm.
I created new VM from official Debian vagrant image:
https://app.vagrantup.com/debian/boxes/bookworm64/versions/12.20240503.1

Then I upgraded OS in VM using "apt update" and "apt upgrade", rebooted VM.

Then I installed build deps for package node-xterm with "apt build-dep 
node-xterm".
Then I downloaded sources of package node-xterm using command "apt source 
node-xterm".
Version "3.8.1+~cs0.9.0-1" was downloaded.
Then I entered into directory with sources and ran "dpkg-buildpackage". You can 
see log of dpkg-buildpackage here:


This is due to Node.js update. Will fix that in next point release



Bug#1071632: Mark as done in 3.0.3

2024-06-16 Thread Yadd

Hi,

upstream marked this issue "done" in 3.0.3



Bug#1060772: [Debian-pan-maintainers] Unifying jupyterlab and node-jupyterlab

2024-06-02 Thread Yadd

On 6/2/24 12:53, Yadd wrote:

On 6/2/24 10:38, Yadd wrote:

In my last commit, I added also a fix for #1060772:
  - jupyter-lab uses yarnpkg by default
  - in Debian build context, this can be overridden using
    YARN_COMMAND=pkgjs-install-minimal


Better hook with "YARN_COMMAND=pkgjs" which uses the adapted pkgjs-* 
command


And this produces the final bundle without Internet access
 => fixes #1060772 :-D


then I reimported your hook executed after dh_install to launch
`jupyter-lab build`. This seems to work but must be verified (and also 
python install looks bad).


Best regards,
Xavier

On 6/2/24 07:40, Yadd wrote:

Hi Roland,

I merged Python and Node.js package into branch 
"merge-python-and-node", but I didn't yet import the "build" part you
entered into dh_auto_install in Python package.


Build works but has to be cleaned for the Python part.

Hope this will help you.

Best regards,
Xavier

On 6/1/24 17:33, Yadd wrote:

On 5/31/24 17:10, Roland Mas wrote:
Since I haven't managed to get 4.1 to build yet, I'm thinking of 
starting from a known-working version (4.0.10+ds1+~cs11.25.27-1). I 
expect that porting to 4.1 or later afterwards won't add extra work 
compared to doing both jobs at once.


Roland.


OK, I just pushed 4.0.11 into node-jupyterlab repo (reverting your 
upgrade to 4.1.6)




On 30/05/2024 at 05:36, Yadd wrote:

On 5/29/24 17:06, Yadd wrote:

On 5/29/24 17:04, Roland Mas wrote:

Hi Yadd and others,

I'd like to go forward with the jupyterlab/node-jupyterlab 
merger, because I'm facing more and more problems with 
jupyterlab/ipywidgets not being up-to-date. I'm going to start 
from node-jupyterlab (whose build is more complex), create a 
merge-jupyterlab-and-node-jupyterlab branch in it, and add the 
Python parts in there, starting from the current working state 
of the package (and not the current state of the master branch, 
which doesn't build since I tried to import a new upstream 
release). I'll ask for review before merging into master, but 
any help or advice in the meantime will be welcome. I'll try to 
be present on IRC more often than usual during the operation.


Hopefully upgrading one source package will be easier after the 
merger, and I'll work on ipywidgets after that.


Roland.


hi,

OK, let's do that ;-)


From which version of jupyterlab do you want to start? 4.0.11 or 
later?


Bug#1060772: [Debian-pan-maintainers] Unifying jupyterlab and node-jupyterlab

2024-06-02 Thread Yadd

On 6/2/24 10:38, Yadd wrote:

In my last commit, I added also a fix for #1060772:
  - jupyter-lab uses yarnpkg by default
  - in Debian build context, this can be overridden using
    YARN_COMMAND=pkgjs-install-minimal


Better hook with "YARN_COMMAND=pkgjs" which uses the adapted pkgjs-* command


then I reimported your hook executed after dh_install to launch
`jupyter-lab build`. This seems to work but must be verified (and also 
python install looks bad).


Best regards,
Xavier

On 6/2/24 07:40, Yadd wrote:

Hi Roland,

I merged Python and Node.js package into branch 
"merge-python-and-node", but I didn't yet import the "build" part you
entered into dh_auto_install in Python package.


Build works but has to be cleaned for the Python part.

Hope this will help you.

Best regards,
Xavier

On 6/1/24 17:33, Yadd wrote:

On 5/31/24 17:10, Roland Mas wrote:
Since I haven't managed to get 4.1 to build yet, I'm thinking of 
starting from a known-working version (4.0.10+ds1+~cs11.25.27-1). I 
expect that porting to 4.1 or later afterwards won't add extra work 
compared to doing both jobs at once.


Roland.


OK, I just pushed 4.0.11 into node-jupyterlab repo (reverting your 
upgrade to 4.1.6)




On 30/05/2024 at 05:36, Yadd wrote:

On 5/29/24 17:06, Yadd wrote:

On 5/29/24 17:04, Roland Mas wrote:

Hi Yadd and others,

I'd like to go forward with the jupyterlab/node-jupyterlab 
merger, because I'm facing more and more problems with 
jupyterlab/ipywidgets not being up-to-date. I'm going to start 
from node-jupyterlab (whose build is more complex), create a 
merge-jupyterlab-and-node-jupyterlab branch in it, and add the 
Python parts in there, starting from the current working state of 
the package (and not the current state of the master branch, 
which doesn't build since I tried to import a new upstream 
release). I'll ask for review before merging into master, but any 
help or advice in the meantime will be welcome. I'll try to be 
present on IRC more often than usual during the operation.


Hopefully upgrading one source package will be easier after the 
merger, and I'll work on ipywidgets after that.


Roland.


hi,

OK, let's do that ;-)


From which version of jupyterlab do you want to start? 4.0.11 or 
later?


Bug#1060772: [Debian-pan-maintainers] Unifying jupyterlab and node-jupyterlab

2024-06-01 Thread Yadd

In my last commit, I added also a fix for #1060772:
 - jupyter-lab uses yarnpkg by default
 - in Debian build context, this can be overridden using
   YARN_COMMAND=pkgjs-install-minimal

then I reimported your hook executed after dh_install to launch
`jupyter-lab build`. This seems to work but must be verified (and also 
python install looks bad).


Best regards,
Xavier

On 6/2/24 07:40, Yadd wrote:

Hi Roland,

I merged Python and Node.js package into branch "merge-python-and-node", 
but I didn't yet import the "build" part you entered into dh_auto_install
in Python package.


Build works but has to be cleaned for the Python part.

Hope this will help you.

Best regards,
Xavier

On 6/1/24 17:33, Yadd wrote:

On 5/31/24 17:10, Roland Mas wrote:
Since I haven't managed to get 4.1 to build yet, I'm thinking of 
starting from a known-working version (4.0.10+ds1+~cs11.25.27-1). I 
expect that porting to 4.1 or later afterwards won't add extra work 
compared to doing both jobs at once.


Roland.


OK, I just pushed 4.0.11 into node-jupyterlab repo (reverting your 
upgrade to 4.1.6)




On 30/05/2024 at 05:36, Yadd wrote:

On 5/29/24 17:06, Yadd wrote:

On 5/29/24 17:04, Roland Mas wrote:

Hi Yadd and others,

I'd like to go forward with the jupyterlab/node-jupyterlab merger, 
because I'm facing more and more problems with 
jupyterlab/ipywidgets not being up-to-date. I'm going to start 
from node-jupyterlab (whose build is more complex), create a 
merge-jupyterlab-and-node-jupyterlab branch in it, and add the 
Python parts in there, starting from the current working state of 
the package (and not the current state of the master branch, which 
doesn't build since I tried to import a new upstream release). 
I'll ask for review before merging into master, but any help or 
advice in the meantime will be welcome. I'll try to be present on 
IRC more often than usual during the operation.


Hopefully upgrading one source package will be easier after the 
merger, and I'll work on ipywidgets after that.


Roland.


hi,

OK, let's do that ;-)


From which version of jupyterlab do you want to start? 4.0.11 or later?











Bug#1060772: [Python-modules-team] Bug#1060772: python3-jupyterlab: Using node-corepack downloads yarnpkg from Internet

2024-05-29 Thread Yadd

Hi,

depending on the use of "jupyterlab build":
 - when used manually, may prefer to launch yarnpkg
 - when used under Debian build/test, may prefer to use
   pkgjs-install-minimal

So proposition:
 - drop the patch 0003-Use-system-provided-yarn.js.patch
 - build a custom yarn.js that calls yarnpkg or pkgjs-install-minimal
   depending on an environment variable



Bug#1072121: [Pkg-javascript-devel] Bug#1072121: node-ip: CVE-2024-29415

2024-05-29 Thread Yadd

On 5/29/24 00:40, Moritz Mühlenhoff wrote:

Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2024-29415[0]:
| The ip package through 2.0.1 for Node.js might allow SSRF because
| some IP addresses (such as 127.1, 01200034567, 012.1.2.3,
| 000:0:::01, and ::fFFf:127.0.0.1) are improperly categorized as
| globally routable via isPublic. NOTE: this issue exists because of
| an incomplete fix for CVE-2023-42282.

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/pull/143


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29415
 https://www.cve.org/CVERecord?id=CVE-2024-29415

Please adjust the affected versions in the BTS as needed.


The proposed patch changes node-ip behavior and needs a recent nodejs. I 
just pushed it to experimental to get more testing.
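
The loose address forms quoted in the CVE text above, run through a fail-closed classifier. This is an added example, not node-ip's code and not the proposed patch; the function names (`parseIPv4Loose`, `parseIPv6Strict`, `isPublicStrict`) are hypothetical, and it assumes the component that finally connects reads IPv4 text with inet_aton() rules.

```javascript
// Added example, not node-ip code. Assumption: whatever finally connects may
// read IPv4 text like inet_aton(): 1-4 parts, decimal, 0-octal or 0x-hex.
const quad = (a, b, c, d) => ((a * 256 + b) * 256 + c) * 256 + d;

// Non-public IPv4 blocks as [base, prefix length].
const RESERVED_V4 = [
  [quad(0, 0, 0, 0), 8], [quad(10, 0, 0, 0), 8], [quad(100, 64, 0, 0), 10],
  [quad(127, 0, 0, 0), 8], [quad(169, 254, 0, 0), 16], [quad(172, 16, 0, 0), 12],
  [quad(192, 0, 0, 0), 24], [quad(192, 0, 2, 0), 24], [quad(192, 168, 0, 0), 16],
  [quad(198, 18, 0, 0), 15], [quad(198, 51, 100, 0), 24], [quad(203, 0, 113, 0), 24],
  [quad(224, 0, 0, 0), 3], // multicast, reserved, broadcast (224.0.0.0 and up)
];

function parseIPv4Loose(text) {
  const nums = [];
  for (const p of text.split('.')) {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) nums.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8)); // leading 0: octal
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  if (nums.length > 4) return null;
  const last = nums.pop();
  // Leading parts are single bytes; the last part fills the remaining bytes.
  if (nums.some((n) => n > 255) || last >= 2 ** (8 * (4 - nums.length))) return null;
  return nums.reduce((sum, n, i) => sum + n * 2 ** (8 * (3 - i)), last);
}

function canonicalV4(value) {
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join('.');
}

function isReservedV4(value) {
  return RESERVED_V4.some(([base, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(value / size) === Math.floor(base / size);
  });
}

// Strict IPv6 text parser: returns eight 16-bit groups, or null if malformed.
function parseIPv6Strict(text) {
  let s = text;
  const tail = [];
  if (s.includes('.')) {
    // An embedded dotted quad must be plain decimal without leading zeros.
    const cut = s.lastIndexOf(':') + 1;
    const b = s.slice(cut).split('.');
    if (b.length !== 4 || !b.every((x) => /^(0|[1-9]\d{0,2})$/.test(x) && +x < 256)) {
      return null;
    }
    tail.push(+b[0] * 256 + +b[1], +b[2] * 256 + +b[3]);
    s = s.slice(0, cut);
    if (!s.endsWith('::')) s = s.slice(0, -1);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const groups = (h) => (h === '' ? [] : h.split(':'));
  const head = groups(halves[0]);
  const rest = halves.length === 2 ? groups(halves[1]) : [];
  if (![...head, ...rest].every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  const known = head.length + rest.length + tail.length;
  if (halves.length === 2 ? known > 7 : known !== 8) return null;
  const hex = (g) => parseInt(g, 16);
  return [...head.map(hex), ...new Array(8 - known).fill(0), ...rest.map(hex), ...tail];
}

function isPublicStrict(text) {
  if (typeof text !== 'string') return false;
  if (!text.includes(':')) {
    const v4 = parseIPv4Loose(text);
    return v4 !== null && !isReservedV4(v4);
  }
  const g = parseIPv6Strict(text);
  if (g === null) return false; // malformed text (e.g. ":::") is never public
  if (g.slice(0, 5).every((x) => x === 0)) {
    // ::ffff:a.b.c.d carries an IPv4 address; the rest of ::/80 (including
    // :: and ::1) is treated as non-public here.
    return g[5] === 0xffff && !isReservedV4(g[6] * 65536 + g[7]);
  }
  return !((g[0] & 0xfe00) === 0xfc00 // fc00::/7 unique local
    || (g[0] & 0xffc0) === 0xfe80 // fe80::/10 link local
    || (g[0] & 0xff00) === 0xff00 // ff00::/8 multicast
    || (g[0] === 0x2001 && g[1] === 0x0db8)); // 2001:db8::/32 documentation
}

// Constructed sample input: the five forms quoted in the CVE text, plus two
// ordinary public addresses for contrast.
const SAMPLES = ['127.1', '01200034567', '012.1.2.3', '000:0:::01',
  '::fFFf:127.0.0.1', '8.8.8.8', '2606:4700:4700::1111'];

for (const s of SAMPLES) {
  const v4 = s.includes(':') ? null : parseIPv4Loose(s);
  const seenAs = v4 === null ? '' : ` (connects to ${canonicalV4(v4)})`;
  console.log(`${s}${seenAs}: ${isPublicStrict(s) ? 'public' : 'blocked'}`);
}
```

Logging the canonical form next to the raw input makes it visible when a filter and the connecting client disagree about the same string.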




Bug#1071213: [Pkg-javascript-devel] Bug#1071213: pkg-js-tools: nodepath fails with nodejs 20 because it passes non-integer to process.exit

2024-05-16 Thread Yadd

On 5/16/24 13:16, Jérémy Lal wrote:

Package: pkg-js-tools
Version: 0.15.19
Severity: important

Hi,

this makes all automatic autopkgtest fail:

$ nodepath after
node:internal/errors:541
   throw error;
TypeError [ERR_INVALID_ARG_TYPE]: The "code" argument must be of type number. 
Received type boolean (true)

Since this is somewhat urgent, please tell me if I should do the fix.

Jérémy


Hi,

I just pushed your fix

Thanks!



Bug#1065722: FTBFS: /usr/lib/python3/dist-packages/torch/include/c10/util/C++17.h:27:2: error: #error You need C++17 to compile PyTorch

2024-05-10 Thread Yadd

Control: tags -1 + patch

Hi,

updating to 0.18 fixes the build issue: see 
https://salsa.debian.org/deeplearning-team/pytorch-vision/-/merge_requests/2


Best regards,
Xavier



Bug#1070831: ITP: python3-nxtomo -- Python API to edit NXtomo application

2024-05-09 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: python3-nxtomo
  Version : 1.2.3
  Upstream Contact:  , Pierre Paleo 
 , Alessandro Mirone  , Jérôme Lesaint 

* URL : https://gitlab.esrf.fr/tomotools/nxtomo
* License : Expat
  Programming Lang: Python
  Description : Python API to edit NXtomo application

NXtomo is an application definition for x-ray or neutron tomography raw data.
See https://manual.nexusformat.org/classes/applications/NXtomo.html

python3-nxtomo provides a friendly API to create and edit NXtomo application.

This package will be maintained under Debian PAN Team.


Bug#1070408: ITP: python3-tabnet -- Attentive Interpretable Tabular Learning

2024-05-04 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: python3-tabnet
  Version : 4.1.0
  Upstream Contact: DreamQuark <https://github.com/dreamquark-ai/tabnet/issues>
* URL : https://github.com/dreamquark-ai/tabnet
* License : Expat
  Programming Lang: Python
  Description : Attentive Interpretable Tabular Learning

python3-tabnet is a pyTorch implementation of Tabnet (TabNet: Attentive
Interpretable Tabular Learning, https://arxiv.org/pdf/1908.07442.pdf).
Please note that some different choices have been made over time to improve
the library which can differ from the original paper.

This package is needed for jupyterlab. Will be maintained under
Debian Pan Maintainers Team umbrella.



Bug#1068862: ITP: node-microsoft-fast -- FAST monorepo, containing web component packages, tools, examples, and documentation

2024-04-12 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-microsoft-fast
  Version : 0~20240320-1
  Upstream Contact: https://github.com/Microsoft/fast/issues
* URL : https://github.com/Microsoft/fast
* License : Expat
  Programming Lang: JavaScript
  Description : FAST monorepo, containing web component packages, tools, 
examples, and documentation

FAST is a collection of technologies built on Web Components and modern Web
Standards, designed to help you efficiently tackle some of the most common
challenges in website and application design and development.

* Create reusable UI components with `@microsoft/fast-element`, all based on
  W3C Web Component standards.
* Use `@microsoft/fast-foundation` library to rapidly build W3C OpenUI-based
  (https://open-ui.org/) design systems without re-implementing component
  logic.
* Leverage modern, W3C standards-based SSR for Web Components by plugging in
  `@microsoft/fast-ssr`.
* Bring all the pieces together to build SPAs and rich experiences with our
  Web Components router by installing `@microsoft/fast-router`.
* React users can drop in `@microsoft/fast-react-wrapper` to turn any Web
  Component into a native React component.
* Integrate FAST Web Components with any library, framework, or build system.

This monorepository will provide the following packages:
* node-microsoft-fast-colors
* node-microsoft-fast-element
* node-microsoft-fast-foundation
* node-microsoft-fast-react-wrapper
* node-microsoft-fast-router
* node-microsoft-fast-ssr
* node-microsoft-fast-web-utilities

This is required to update node-jupyterlab.



Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-05 Thread Yadd

On 4/5/24 15:58, Moritz Muehlenhoff wrote:

On Fri, Apr 05, 2024 at 08:16:43AM +0400, Yadd wrote:

On 4/4/24 22:51, Moritz Mühlenhoff wrote:

Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
  https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
  https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
  https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.


Hi,

I'm ready to push 2.4.59 into bookworm-security. Note that this includes a
test-framework update


Target distribution needs to be bookworm-security, with that please upload.
Can you also prepare the equivalent change for bullseye-security?

The uploads can already happen, but let's keep the update unreleased until
next week, then we can look for regressions reported in unstable (and check
with Ondrej if we received reports based on his repo)

Cheers,
 Moritz


Both Bullseye and Bookworm uploaded. Bullseye version embeds also a 
copyright fix




Bug#1066749: FTBFS: dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit code 1

2024-03-20 Thread Yadd

Control: tags -1 + moreinfo

Hi,

I'm unable to reproduce this issue. Probably fixed elsewhere during 
time_t transition




Bug#1064558: [Pkg-javascript-devel] Bug#1064558: node-leveldown: FTBFS on mips64el: not ok 1397 Error: batch(array) element must be an object and not `null`

2024-03-02 Thread Yadd

On 2/24/24 13:10, Sebastian Ramacher wrote:

Source: node-leveldown
Version: 5.6.0+dfsg-4
Severity: serious
Tags: ftbfs
Justification: fails to build from source (but built successfully in the past)
X-Debbugs-Cc: sramac...@debian.org

https://buildd.debian.org/status/fetch.php?pkg=node-leveldown&arch=mips64el&ver=5.6.0%2Bdfsg-4%2Bb1&stamp=1708632735&raw=0

not ok 1397 Error: batch(array) element must be an object and not `null`
   ---
 operator: error
 stack: |-
   Error: batch(array) element must be an object and not `null`
   at AbstractLevelDOWN.batch 
(/usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:163:33)
   at /<>/test/iterator-recursion-test.js:48:8
   at /usr/share/nodejs/abstract-leveldown/abstract-leveldown.js:41:5
   ...

Cheers


Hi Jérémy,

when trying to build on mips64el porterbox, I got this:

make[1]: Entering directory '/home/yadd/node-leveldown'
node-gyp clean
node: error while loading shared libraries: libnode.so.108: cannot open 
shared object file: No such file or directory

make[1]: *** [debian/rules:18: override_dh_auto_clean] Error 127
make[1]: Leaving directory '/home/yadd/node-leveldown'




Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-02-15 Thread Yadd

I closed this issue because:
 - I dropped all bad .h files from install
 - I added ABI flags to build
 - cyrus-dev has no reverse dependencies

If I'm wrong, please reopen this issue

Cheers,
Yadd



Bug#1063908: [Debian-pan-maintainers] Bug#1063908: node-jupyter-widgets-{base, base-manager, control}: ships files already in python3-widgetsnbextension

2024-02-14 Thread Yadd

On 2/14/24 20:26, Andreas Beckmann via Debian-pan-maintainers wrote:

Package: 
node-jupyter-widgets-base,node-jupyter-widgets-base-manager,node-jupyter-widgets-controls
Version: 6.0.7+~cs14.23.94-1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed to install
because it tries to overwrite other packages files without declaring a
Breaks+Replaces relation.

See policy 7.6 at
https://www.debian.org/doc/debian-policy/ch-relationships.html#overwriting-files-and-replacing-packages-replaces

 From the attached log (scroll to the bottom...):

   Preparing to unpack 
.../node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb ...
   Unpacking node-jupyter-widgets-base (6.0.7+~cs14.23.94-1) ...
   dpkg: error processing archive 
/var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb 
(--unpack):
trying to overwrite 
'/usr/share/nodejs/@jupyter-widgets/base/css/index.css', which is also in 
package python3-widgetsnbextension 8.1.1-2
   Errors were encountered while processing:

/var/cache/apt/archives/node-jupyter-widgets-base_6.0.7+~cs14.23.94-1_all.deb


Hi,

why does python3-widgetsnbextension install an unusable node.js module 
into a nodejs directory ?




Bug#1063824: zenmap should depends on python3-gi-cairo

2024-02-12 Thread Yadd
Package: zenmap
Version: 7.94+git20230807.3be01efb1+dfsg-3
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

when using zenmap, the "port" tab is broken unless python3-gi-cairo is
installed:

  TypeError: Couldn't find foreign struct converter for 'cairo.Context'

Cheers,
Yadd



Bug#1061341: Fwd: Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-02-06 Thread Yadd

On 2/7/24 06:31, ellie timoney wrote:

Hi Xavier,

On Mon, 29 Jan 2024, at 9:59 AM, ellie timoney wrote:

On Thu, 25 Jan 2024, at 3:53 PM, Yadd wrote:

yes there are other errors because some .h require unavailable .h like
config.h


Ooh interesting, I'll have a look


I'm still working on this, but the more I work on it, the more of it turns out 
to need fixing...

I think for now, it makes sense for you to proceed with the packaging changes 
assuming that 32 bit Cyrus will _not_ be ABI compatible when recompiled with 64 
bit time_t.  From the original email, I think that means you'll need to set up 
strict version dependencies between the cyrus-common, cyrus-admin and 
cyrus-clients packages, so that people can't partially upgrade and wind up with 
conflicts.

Cheers,

ellie


Hi,

dependencies are already strict (= ${binary:Version}).
To be able to render cyrus-dev headers compatible with ABI test, I'll 
have to remove the following (missing config.h,...):


/usr/include/cyrus/bufarray.h
/usr/include/cyrus/charset.h
/usr/include/cyrus/command.h
/usr/include/cyrus/crc32.h
/usr/include/cyrus/cyr_qsort_r.h
/usr/include/cyrus/glob.h
/usr/include/cyrus/imapurl.h
/usr/include/cyrus/mappedfile.h
/usr/include/cyrus/procinfo.h
/usr/include/cyrus/rfc822tok.h
/usr/include/cyrus/sieve/sieve_err.h
/usr/include/cyrus/sieve/sieve_interface.h
/usr/include/cyrus/sqldb.h
/usr/include/cyrus/tok.h
/usr/include/cyrus/vparse.h
/usr/include/cyrus/wildmat.h



Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-02-02 Thread Yadd

On 1/28/24 20:21, Steve Langasek wrote:

On Tue, Jan 23, 2024 at 08:32:18AM +0400, Yadd wrote:

Control: tags -1 + moreinfo



On 1/23/24 00:43, Steve Langasek wrote:

Package: cyrus-common
Version: 3.8.1-1
Severity: serious
User: debian-...@lists.debian.org
Usertags: time-t



Dear maintainers,



Analysis of the archive for the 64-bit time_t transition[0][1] identifies
cyrus-common as an affected package, on the basis that the headers could not
be compiled and analyzed out of the box using abi-compliance-checker[2], so
we have to assume it's affected.



However, cyrus-commons's shlibs file declares a dependency on a library
package name that contains no ABI information:



according to 
https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt
, this issue looks like a false-positive: test failed because of C error,
not bad report



Am I right here ?


We do not *know* that it's a false positive; we only know that we were
unable to analyze the header files under a-c-c to prove that the ABI is not
affected.

Patches to the check-armhf-time_t script at
https://salsa.debian.org/vorlon/armhf-time_t/-/blob/main/check-armhf-time_t?ref_type=heads
to quirk this package and allow its headers to be analyzed, or changes to
the source package to not ship uncompilable headers ("apt-file search
lib/strarray.h" returns no results), would both be welcome.

Thanks,


Hi,

is it possible to build a salsa-ci job to test this on i386 ?

Best regards,
Yadd



Bug#1061341: cyrus-common: identified for time_t transition but no ABI in shlibs

2024-01-22 Thread Yadd

Control: tags -1 + moreinfo

On 1/23/24 00:43, Steve Langasek wrote:

Package: cyrus-common
Version: 3.8.1-1
Severity: serious
User: debian-...@lists.debian.org
Usertags: time-t

Dear maintainers,

Analysis of the archive for the 64-bit time_t transition[0][1] identifies
cyrus-common as an affected package, on the basis that the headers could not
be compiled and analyzed out of the box using abi-compliance-checker[2], so
we have to assume it's affected.

However, cyrus-commons's shlibs file declares a dependency on a library
package name that contains no ABI information:


Hi,

according to 
https://adrien.dcln.fr/misc/armhf-time_t/2024-01-17/logs/cyrus-dev/base/log.txt 
, this issue looks like a false-positive: test failed because of C 
error, not bad report


Am I right here ?

Best regards,
Xavier



Bug#1027859: Fwd: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED

2024-01-17 Thread Yadd

Control: tags -1 + wontfix

>  Forwarded Message 
> Subject: pkg-js-tools_0.15.17~bpo11+1_sourceonly.changes REJECTED
> Date: Wed, 17 Jan 2024 09:17:48 +
> From: Debian FTP Masters 
> To: Yadd , Debian Javascript Maintainers  javascript-de...@lists.alioth.debian.org>
>
>
> not in stable - belongs to sloppy

Update refused, so bug won't be fixed

Regards,
Yadd



Bug#1059829: Thank you

2024-01-16 Thread Yadd

On 1/16/24 20:36, Georges Khaznadar wrote:

Hello,

Javascript/Npm are not my cup of tea; so, please receive many thanks
about the help you provided to my poor packaging efforts.

If node-html5-qrcode happens to be dfsg-free, which should be the right
umbrella to host it on salsa.d.o? https://salsa.debian.org/js-team or
https://salsa.debian.org/georgesk ?


Hi,

yes I already pushed it on js-team/node-html5-qrcode. It is fixed now in 
it and ready to be pushed. Do you want me to push it?



I saw that you managed to let salsa's automaton pass 53 of the upstream
tests, and I would like to learn such magics. Please have you some
useful links about them?


Most JS Team packages use dh-sequence-nodejs. To start with it: 
https://wiki.debian.org/Javascript/Tutorial and then pkg-js-tools(7)


However, the changes I did here need a minimum knowledge of npm because 
the package doesn't follow exactly the common way (see dh_auto_install hook)



Best regards,   Georges.


Cheers,
Yadd



Bug#1060772: python3-jupyterlab: Using node-corepack downloads yarnpkg from Internet

2024-01-13 Thread Yadd
Package: python3-jupyterlab
Version: 4.0.9+ds1-1
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

the patch 0003-Use-system-provided-yarn.js.patch replaces missing
yarn.js by node-corepack. Please keep in mind that
node-corepack/../yarn.js is a wrapper that downloads yarnpkg from
Internet instead of using Debian's one.

Cheers,
Yadd



Bug#1060312: ITP: node-yarn-plugin-apt -- Yarn plugin to resolve dependencies from packages installed in apt

2024-01-09 Thread Yadd

On 1/9/24 16:09, Uche wrote:

Package: wnpp
Severity: wishlist
Owner: Robinson Uchechukwu <mailto:estherchidinma...@gmail.com>>
X-Debbugs-CC: debian-de...@lists.debian.org 
<mailto:debian-de...@lists.debian.org>


* Package name    : node-yarn-plugin-apt
   Version         : 1.0.0
   Upstream Author : Debian JavaScript Team
* URL             : https://salsa.debian.org/js-team/yarn-plugin-apt 
<https://salsa.debian.org/js-team/yarn-plugin-apt>

* License         : Expat
   Programming Lang: JavaScript
   Description     : Yarn plugin to resolve dependencies from packages 
installed in apt


  This yarn plugin allows apt installed packages satisfy a nodejs
  project's dependencies.

  The package is a valuable addition to Debian because it facilitates
  the management of nodejs projects dependencies by leveraging locally
  available apt-installed packages

  .
  Node.js is an event-based server-side JavaScript engine.


Hi,

take a look also at pkgjs-install and pkgjs-install-minimal

Best regards,
Yadd



Bug#1060152: python3-jupyterlab should provide jupyterlab

2024-01-06 Thread Yadd
Package: python3-jupyterlab
Severity: normal
X-Debbugs-Cc: y...@debian.org

Hi,

python3-jupyterlab provides bin/jupyterlab, then it should
"Provides: jupyterlab (= ${binary:Version})"



Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build

2024-01-01 Thread Yadd

On 1/2/24 09:50, Yadd wrote:

Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install" which downloads libraries
from Internet. This is totally out of DFSG.


For now, --omit-dev avoids downloading anything until this package 
has dependencies, but npm still accesses the Internet for "audit".


Easy to fix: use "pkgjs-run build" instead of npm (and drop build 
dependency to npm)


second bug: package is unusable because not installed correctly (that's 
probably why autopkgtest was disabled...), also third_party/ is missing 
in install


A fixed version of this package is available at
https://salsa.debian.org/js-team/node-html5-qrcode



Bug#1059829: node-html5-qrcode: Build using libraries downloaded from Internet during build

2024-01-01 Thread Yadd
Package: node-html5-qrcode
Version: 2.3.8+repack-3
Severity: serious
Justification: not-dfsg
X-Debbugs-Cc: y...@debian.org

node-html5-qrcode is built using "npm install" which downloads libraries
from Internet. This is totally out of DFSG.



Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’

2023-12-29 Thread Yadd

On 12/30/23 00:58, Gudjon I. Gudjonsson wrote:

Hi Yadd

I did try to build Ovito with qwt 6.2 and it works with minor fixes to ovito.
Ovito is compiled with Qt6 so you need to change your dependencies to qwt-qt6.

I suggest that you build against the experimental version of libqwt-qt6-dev
and I will try to get it into unstable as soon as possible.

Regards
Gudjon


Hi Gudjon,

thanks a lot, I'll try to build Ovito with qwt 6.2. Can you share the 
fix you wrote ?


Best regards,
Yadd



Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’

2023-12-27 Thread Yadd

Hi Gudjon,

yes I'm trying to build ovito. you can find my temporary repository on 
g...@salsa.debian.org:yadd/ovito.git


Best regards,
Yadd



Bug#1059469: ITP: node-ipydatagrid -- Fast Datagrid widget for the Jupyter Notebook and JupyterLab

2023-12-26 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-ipydatagrid
  Version : 1.2.0
  Upstream Contact: https://github.com/Bloomberg/ipydatagrid/issues
* URL : https://github.com/Bloomberg/ipydatagrid
* License : BSD-3-Clause
  Programming Lang: JavaScript
  Description : Fast Datagrid widget for the Jupyter Notebook and JupyterLab

node-ipydatagrid provides a fast Datagrid widget for the Jupyter Notebook and
JupyterLab.

This package will be maintained under Debian PAN Maintainers Team



Bug#1059336: ITP: node-html5-qrcode -- qr-code and bar-code scanning library for the web

2023-12-22 Thread Yadd

On 12/22/23 22:58, Georges Khaznadar wrote:

Package: wnpp
Severity: wishlist
Owner: Georges Khaznadar 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html5-qrcode
   Version : 2.3.8
   Upstream Contact: https://github.com/mebjas/html5-qrcode/issues
* URL : https://github.com/mebjas/html5-qrcode
* License : Apache-2.0, GPL2
   Programming Lang: nodejs, typescript
   Description : qr-code and bar-code scanning library for the web

  Use this lightweight library to easily / quickly integrate QR code,
  bar code, and other common code scanning capabilities to your web
  application.

So far, debian is missing a package to scan qrcodes and barcodes from
a web page. I intend to maintain this package as a dependency for a
future package SLM, school library management, which I am developing
actively. This latter package allows students to find and recognize
books inside a library by scanning a few qr-codes.

The package node-html5-qrcode is uploaded to
https://salsa.debian.org/georgesk/node-html5-qrcode.git


Hi,

your debian/rules uses npm to build instead of launching direct commands 
but the worst is that you call "npm install" which imports files from 
Internet, this is not compliant with policy.


Cheers,
Yadd



Bug#1058868: [Debichem-devel] Bug#1058868: gemmi: Please build shared library

2023-12-19 Thread Yadd

Control: tags -1 + wontfix

On 12/19/23 12:43, Andrius Merkys wrote:

Hi,

On 2023-12-17 11:31, Yadd wrote:

currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit to
build any software using gemmi-dev without static linking.

The proposed patch adds package libgemmi1 which contains the shared
library.


I looked into the shared library provided by gemmi v0.6.4 (newer 
upstream release than in your patch). This version of gemmi builds the 
shared library by default. However, the produced shared library does not 
carry a soversion, thus according to Debian principles it is not 
suitable to be packaged as public shared library, alas. Thus static 
linking is the only option for now.


Best wishes,
Andrius


Noted, thank you very much for your time!

Cheers,
Yadd



Bug#1058868: gemmi: Please build shared library

2023-12-17 Thread Yadd

> I appreciate the idea and your patch, thanks for giving gemmi a look.
> However, I am hesitant to package gemmi shared library for Debian for
> now. The previous two releases had breaking API changes each. If
> upstream handles this properly and bumps the soversion, then this is
> fine, although having to undergo a transition twice a year is still
> quite some work. However, if the upstream does not maintain ABI
> stability inside the same soversion, then I would say the shared
> library is not yet ready for Debian.
>
> You have marked this bug as severity:important. Does this mean you
>  need gemmi's shared library for some package?

Hi,

yes I'm going to package ovito which depends on it. If shared library 
isn't provided, cmake automatically uses libgemmi_cpp.a which then embed 
gemmi into ovito :-(


> I never had the need to manually trigger the ldconfig before. The
> issue might be the lack of 'Section: libs' in binary package
> description.

Maybe it's the issue

Best regards,
Yadd



Bug#1058868: gemmi: Please build shared library

2023-12-17 Thread Yadd
Source: gemmi
Version: 0.6.3+ds-1
Severity: important
Tags: patch
X-Debbugs-Cc: y...@debian.org

Hi,

currently src:gemmi builds gemmi and gemmi-dev. This doesn't permit to
build any software using gemmi-dev without static linking.

The proposed patch adds package libgemmi1 which contains the shared
library.

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- no debconf information
diff --git a/debian/control b/debian/control
index 9f5e3d6..0490b00 100644
--- a/debian/control
+++ b/debian/control
@@ -28,6 +28,7 @@ Architecture: any
 Depends:
  ${misc:Depends},
  ${shlibs:Depends},
+ libgemmi1 (= ${binary:Version})
 Description: library for structural biology - executable
  Library for macromolecular crystallography and structural bioinformatics. For
  working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
@@ -38,11 +39,27 @@ Description: library for structural biology - executable
  .
  This package contains main gemmi executable.
 
+Package: libgemmi1
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Description: sharred library for structural biology
+ Library for macromolecular crystallography and structural bioinformatics. For
+ working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
+ (monomer library), electron density maps (CCP4), and crystallographic
+ reflection data (MTZ, SF-mmCIF). It understands crystallographic symmetries,
+ it knows how to switch between the real and reciprocal space and it can do a
+ few other things.
+ .
+ This package contains main gemmi shared library.
+
 Package: gemmi-dev
 Architecture: any
 Section: libdevel
 Depends:
  ${misc:Depends},
+ libgemmi1 (= ${binary:Version})
 Description: library for structural biology
  Library for macromolecular crystallography and structural bioinformatics. For
  working with coordinate files (mmCIF, PDB, mmJSON), refinement restraints
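Review bot: the new libgemmi1 stanza in this hunk has no Section: libs and no Multi-Arch: same field, although the package installs into usr/lib/${DEB_HOST_MULTIARCH}; add both. The short description also has a typo ("sharred library"), and the long description ends with "contains main gemmi shared library", which reads better as "contains the gemmi shared library".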
diff --git a/debian/gemmi-dev.install b/debian/gemmi-dev.install
index 91a7942..7de1c21 100644
--- a/debian/gemmi-dev.install
+++ b/debian/gemmi-dev.install
@@ -1,2 +1,2 @@
 usr/include/gemmi
-usr/lib/${DEB_HOST_MULTIARCH}
+usr/lib/${DEB_HOST_MULTIARCH}/cmake
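Review bot: after narrowing the entry from usr/lib/${DEB_HOST_MULTIARCH} to its cmake subdirectory, gemmi-dev no longer ships any library file to link against; the unversioned `.so` that a linker looks for is installed by libgemmi1 instead. If upstream produces a versioned library, keep the unversioned `.so` symlink in gemmi-dev and put only the versioned file in the runtime package.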
diff --git a/debian/libgemmi1.install b/debian/libgemmi1.install
new file mode 100644
index 000..65440b7
--- /dev/null
+++ b/debian/libgemmi1.install
@@ -0,0 +1 @@
+usr/lib/${DEB_HOST_MULTIARCH}/*.so
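Review bot: the package name libgemmi1 promises SONAME version 1, but the only pattern installed is `usr/lib/${DEB_HOST_MULTIARCH}/*.so`, which matches an unversioned file. Check the SONAME of the built library (for example with `objdump -p`) and either install `*.so.*` under a package name that matches it, or do not use a versioned library package name.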
diff --git a/debian/libgemmi1.postinst b/debian/libgemmi1.postinst
new file mode 100644
index 000..fb2c2d8
--- /dev/null
+++ b/debian/libgemmi1.postinst
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$1" = "triggered" ] || [ "$1" = "configure" ]; then
+  ldconfig -r "$DPKG_ROOT/" || ldconfig --verbose -r "$DPKG_ROOT/"
+  exit 0
+fi
+
+exit 0
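Review bot: this postinst has no `set -e` and no `#DEBHELPER#` token, so a failing ldconfig is hidden by the unconditional `exit 0` and any debhelper-generated maintainer script snippets are dropped. debhelper already registers the ldconfig trigger for packages that install shared libraries into the multiarch library directory, so prefer fixing the library install over calling ldconfig by hand; if the script stays, add both lines.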
diff --git a/debian/rules b/debian/rules
index 8228c67..b3e31be 100755
--- a/debian/rules
+++ b/debian/rules
@@ -11,7 +11,7 @@ export DEB_CXXFLAGS_MAINT_APPEND = -fexcess-precision=fast # 
See #1042379
dh $@ --buildsystem cmake --with python3
 
 override_dh_auto_configure:
-   dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF
+   dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF 
-DBUILD_SHARED_LIBS=ON
 
 override_dh_auto_test:
dh_auto_build -- check
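Review bot: in the debian/rules hunk the added `-DBUILD_SHARED_LIBS=ON` has been wrapped onto its own line, where a leading `-` reads as a removed line, and the recipe lines have lost their leading tab, so the patch as posted will not apply. Resend it as an attachment, with the flag on the same line as `dh_auto_configure -- -DUSE_PYTHON=1 -DINSTALL_EGG_INFO=OFF`.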


Bug#1058864: ITP: ovito -- scientific data visualization and analysis software for particle-based simulations

2023-12-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: ovito
  Version : 3.9.4
  Upstream Contact: https://gitlab.com/stuko/ovito/-/issues
* URL : https://www.ovito.org
* License : GPL-3 or Expat
  Programming Lang: C++
  Description : scientific data visualization and analysis software for 
particle-based simulations

OVITO is a scientific data visualization and analysis software for atomistic,
molecular and other particle-based simulations.

This package is part of Jupyterlab ecosystem.



Bug#1058863: libqwt-qt5-dev: invalid conversion from ‘int’ to ‘QwtPlotLayout::Option’

2023-12-16 Thread Yadd
Package: libqwt-qt5-dev
Version: 6.1.4-2
Severity: important
X-Debbugs-Cc: y...@debian.org

Hi,

when trying to compile ovito, I got the following error (with a simple
#include ):


/usr/include/qwt/qwt_plot_layout.h:84:51: error: invalid conversion from ‘int’ 
to ‘QwtPlotLayout::Option’ [-fpermissive]
   84 | const QRectF &plotRect, Options options = 0x00 );
  |   ^~~~
  |   |
  |   int
In file included from /usr/include/x86_64-linux-gnu/qt6/QtCore/qglobal.h:1401,
 from 
/usr/include/x86_64-linux-gnu/qt6/QtCore/qcoreapplication.h:7,
 from 
/usr/include/x86_64-linux-gnu/qt6/QtCore/QCoreApplication:1,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/core/Core.h:61,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/base/GUIBase.h:30,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/gui/desktop/GUI.h:30,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/src/ovito/stdobj/gui/StdObjGui.h:30,
 from 
/home/yadd/dev/debian/src/other/tmp/ovito-3.9.4/obj-x86_64-linux-gnu/src/ovito/stdobj/gui/CMakeFiles/StdObjGui.dir/cmake_pch.hxx:5,
 from :


Best regards,
Yadd

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-5-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libqwt-qt5-dev depends on:
ii  libc62.37-12
ii  libgcc-s113.2.0-7
ii  libqt5core5a 5.15.10+dfsg-5
ii  libqt5designer5  5.15.10-5
ii  libqt5gui5   5.15.10+dfsg-5
ii  libqt5widgets5   5.15.10+dfsg-5
ii  libqwt-qt5-6 6.1.4-2
ii  libstdc++6   13.2.0-7

libqwt-qt5-dev recommends no packages.

libqwt-qt5-dev suggests no packages.

-- no debconf information


Bug#1058784: esbuild: [armel] install @esbuild/arm

2023-12-16 Thread Yadd
Package: esbuild
Version: 0.19.8-1
Severity: serious
Tags: ftbfs patch
Justification: node-esbuild-unusable-on-armel
X-Debbugs-Cc: y...@debian.org

Hi,

my armel patch was wrong: armel build uses @esbuild/arm, not
@esbuild/armel.

I fixed this in a merge request [MR4]

[MR4]: 
https://salsa.debian.org/go-team/packages/golang-github-evanw-esbuild/-/merge_requests/4



Bug#1058596: [Pkg-javascript-devel] Bug#1058596: yarnpkg broken on bookworm - yarnpkg --help fails with TypeError: commander.on is not a function

2023-12-13 Thread Yadd

On 12/13/23 19:17, Praveen Arimbrathodiyil wrote:

Control: fixed -1 1.22.19+~cs24.27.18-4

On Wed, 13 Dec 2023 20:39:39 +0530 Pirate Praveen  
wrote:

We should backport the patches in unstable to bookworm as well.


Updating the fixed info.


Hi,

since severity is grave, please prepare an update for stable also

Cheers,
Yadd



Bug#1058513: [Pkg-javascript-devel] Bug#1058513: node-signal-exit: FTBFS: SyntaxError: Cannot use import statement outside a module

2023-12-13 Thread Yadd

Control: tags -1 + moreinfo

On 12/13/23 00:52, Lucas Nussbaum wrote:

Source: node-signal-exit
Version: 4.1.0-6
Severity: serious
Justification: FTBFS
Tags: trixie sid ftbfs
User: lu...@debian.org
Usertags: ftbfs-20231212 ftbfs-trixie

Hi,

During a rebuild of all packages in sid, your package failed to build
on amd64.


Relevant part (hopefully):

make[1]: Entering directory '/<>'
tsc -p tsconfig.json
tsc -p tsconfig-esm.json
sh ./scripts/fixup.sh
#cp debian/index.cjs dist/cjs/
make[1]: Leaving directory '/<>'
dh_auto_test --buildsystem=nodejs
ln -s ../. node_modules/signal-exit
/bin/sh -ex debian/tests/pkg-js/test
+ tap -T -R spec test/all-integration-test.ts test/signal-exit-test.ts

/<>/test/all-integration-test.ts:1
import assert from 'assert'
^^



Hi,

I'm unable to reproduce this issue.



Bug#1058078: [Pkg-javascript-devel] Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from

2023-12-11 Thread Yadd

Control: tags -1 + patch

On 12/12/23 09:59, Yadd wrote:

Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce node-eslint-plugin-eslint-plugin build, sbuild
fails. Below relevant logs:

eslint --format tap Xcomposer
TAP version 13
1..2
ok 1 - /<>/Xcomposer/lib/rule-composer.js
ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js

eslint --format tap . --ignore-pattern '!.*'

Oops! Something went wrong! :(

ESLint: 6.4.0.

ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please 
check that the name of the config is correct.

The config "not-an-aardvark/node" was referenced from the config file in 
"/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

If you still have problems, please stop by https://gitter.im/eslint/eslint to 
chat with the team.

make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2


Hi Jonas,

this patch seems to fix the problem:

--- a/debian/rules
+++ b/debian/rules
@@ -35,7 +35,7 @@ override_dh_auto_build: $(DOCS) $(CHANGELOGS)

 override_dh_auto_test:
$(ESLINT) Xcomposer
-   $(ESLINT) . --ignore-pattern '!.*'
+   $(ESLINT) . --ignore-pattern .pc
$(MOCHA) --recursive Xcomposer/tests
$(MOCHA) --recursive tests
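
Review bot: the replacement on the `$(ESLINT) .` line drops the `'!.*'` negation altogether, so this run stops linting every dot-path, not only `.pc`. If dotfile coverage was the reason for `'!.*'`, keep it and add `--ignore-pattern .pc` alongside it; if it was not, record the narrower lint scope in the changelog so it is a visible decision.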



Bug#1058080: node-eslint-plugin-eslint-plugin: Please add this patch for node-ajv >= 8

2023-12-11 Thread Yadd
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-3
Severity: important
Tags: ftbfs patch upstream
X-Debbugs-Cc: y...@debian.org

Hi,

here is a patch that updates AJV schemas. It is compatible with current
node-ajv 6 and node-ajv >= 8

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index e799068..317e5a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-4) UNRELEASED; urgency=medium
+
+  * Team upload
+
+ -- Yadd   Tue, 12 Dec 2023 09:38:42 +0400
+
 node-eslint-plugin-eslint-plugin (2.3.0+~0.3.0-3) unstable; urgency=medium
 
   * add patch cherry-picked upstream
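
Review bot: the new changelog entry lists only `* Team upload`, while the same diff adds `2006_prepare-for-ajv-8.patch` to the series. Add a line describing the patch and a `Closes:` for this bug so the upload can be traced to the change it carries.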
diff --git a/debian/patches/2006_prepare-for-ajv-8.patch 
b/debian/patches/2006_prepare-for-ajv-8.patch
new file mode 100644
index 000..669
--- /dev/null
+++ b/debian/patches/2006_prepare-for-ajv-8.patch
@@ -0,0 +1,27 @@
+Description: prepare for ajv 8
+Author: Yadd 
+Forwarded: no
+Last-Update: 2023-12-12
+
+--- a/lib/rules/meta-property-ordering.js
 b/lib/rules/meta-property-ordering.js
+@@ -21,7 +21,7 @@
+ fixable: 'code',
+ schema: [{
+   type: 'array',
+-  elements: { type: 'string' },
++  items: { type: 'string' },
+ }],
+   },
+ 
+--- a/lib/rules/test-case-property-ordering.js
 b/lib/rules/test-case-property-ordering.js
+@@ -22,7 +22,7 @@
+ fixable: 'code',
+ schema: [{
+   type: 'array',
+-  elements: { type: 'string' },
++  items: { type: 'string' },
+ }],
+   },
+ 
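
Review bot: the header says `Forwarded: no`, yet the `elements` to `items` change in both rule schemas is not Debian-specific and the report is tagged `upstream`; forward it or state in the header why not. Also note that `items` starts enforcing `type: 'string'` on each array entry, which the unrecognised `elements` keyword never did, so a test with a non-string entry is worth adding to confirm the new rejection is intended.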
diff --git a/debian/patches/series b/debian/patches/series
index 5eb779a..1de9aa5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
 2003_avoid_eslint-config-not-an-aardvark.patch
 2004_avoid_eslint-config-airbnb-base.patch
 2005_no-require-jsdoc.patch
+2006_prepare-for-ajv-8.patch


Bug#1058078: FTBFS: ESLint couldn't find the config "not-an-aardvark/node" to extend from

2023-12-11 Thread Yadd
Package: node-eslint-plugin-eslint-plugin
Version: 2.3.0+~0.3.0-4
Severity: serious
Tags: ftbfs
Justification: ftbfs

Hi,

when trying to reproduce node-eslint-plugin-eslint-plugin build, sbuild
fails. Below relevant logs:

eslint --format tap Xcomposer
TAP version 13
1..2
ok 1 - /<>/Xcomposer/lib/rule-composer.js
ok 2 - /<>/Xcomposer/tests/lib/rule-composer.js

eslint --format tap . --ignore-pattern '!.*'

Oops! Something went wrong! :(

ESLint: 6.4.0.

ESLint couldn't find the config "not-an-aardvark/node" to extend from. Please 
check that the name of the config is correct.

The config "not-an-aardvark/node" was referenced from the config file in 
"/<>/.pc/2002_avoid_eslint-plugin-self.patch/.eslintrc.yml".

If you still have problems, please stop by https://gitter.im/eslint/eslint to 
chat with the team.

make[1]: *** [debian/rules:38: override_dh_auto_test] Error 2



Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd

On 12/8/23 03:59, Jonas Smedegaard wrote:

Quoting Yadd (2023-12-07 14:37:31)

Control: tags -1 + patch

On 12/7/23 15:52, Jérémy Lal wrote:



On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote:

 Package: eslint
 Version: 6.4.0~dfsg+~6.1.9-7
 Severity: important
 Tags: ftbfs upstream

 Hi,

 eslint depends on node-ajv 6 and is incompatible with node-ajv 8
 (available in experimental branch). All is in lib/shared/ajv.js:

   - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no
     more available
   - eslint tries to set `ajv._opts.defaultMeta` which is
     `ajv.opts.defaultMeta` in node-ajv 8.

 Changing "ajv/lib/refs/json-schema-draft-04.json" to
 "ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
 patch which looks to work but 27 tests fail (not the good error string).
 It uses default ajv schemas.

 Help needed here ;-)


I suppose you tried
https://github.com/eslint/eslint/pull/13911/commits
?


Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch.

@Jonas, do you agree if I push this to experimental ?


If it succeeds the testsuite then by all means, go for it.


Hi,

sure, all tests passed now. Only error strings had to be updated

Cheers,
Yadd



Bug#1057707: [Pkg-javascript-devel] Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd

Control: tags -1 + patch

On 12/7/23 15:52, Jérémy Lal wrote:



On Thu, 7 Dec 2023 at 12:45, Yadd <y...@debian.org> wrote:


Package: eslint
Version: 6.4.0~dfsg+~6.1.9-7
Severity: important
Tags: ftbfs upstream

Hi,

eslint depends on node-ajv 6 and is incompatible with node-ajv 8
(available in experimental branch). All is in lib/shared/ajv.js:

  - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no
    more available
  - eslint tries to set `ajv._opts.defaultMeta` which is
    `ajv.opts.defaultMeta` in node-ajv 8.

Changing "ajv/lib/refs/json-schema-draft-04.json" to
"ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
patch which looks to work but 27 tests fail (not the good error string).
It uses default ajv schemas.

Help needed here ;-)


I suppose you tried
https://github.com/eslint/eslint/pull/13911/commits 

?


Thanks a lot Jérémy! Based on your suggestion, I succeeded in building a patch.

@Jonas, do you agree if I push this to experimental ?

Best regards,
Yadd
diff --git a/debian/control b/debian/control
index 10b6f6fc..35786a59 100644
--- a/debian/control
+++ b/debian/control
@@ -10,7 +10,7 @@ Build-Depends:
  help2man ,
  jq,
  mocha ,
- node-ajv  ,
+ node-ajv (>= 8)  ,
  node-babel-core (>= 7) ,
  node-babel-loader (>= 7) ,
  node-babel-preset-env (>= 7) ,
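
Review bot: `node-ajv (>= 8)` is added to Build-Depends only in this hunk, but the patched code further down (`strictSchema`, `error.instancePath`) needs ajv 8 at run time as well. Check that the binary package's Depends carries the same bound, otherwise an installed eslint can still be paired with node-ajv 6.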
diff --git a/debian/patches/2012_fix-for-ajv-8.patch b/debian/patches/2012_fix-for-ajv-8.patch
new file mode 100644
index ..f0a2d132
--- /dev/null
+++ b/debian/patches/2012_fix-for-ajv-8.patch
@@ -0,0 +1,351 @@
+Description: fix for node-ajv >= 8
+Author: Evgeny Poberezkin <https://github.com/epoberezkin>
+Origin: upstream, https://github.com/eslint/eslint/pull/13911/files
+Bug: https://github.com/eslint/eslint/issues/13888
+Bug-Debian: https://bugs.debian.org/1057707
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2023-12-07
+
+--- a/conf/config-schema.js
 b/conf/config-schema.js
+@@ -11,8 +11,7 @@
+ globals: { type: "object" },
+ overrides: {
+ type: "array",
+-items: { $ref: "#/definitions/overrideConfig" },
+-additionalItems: false
++items: { $ref: "#/definitions/overrideConfig" }
+ },
+ parser: { type: ["string", "null"] },
+ parserOptions: { type: "object" },
+@@ -33,8 +32,7 @@
+ { type: "string" },
+ {
+ type: "array",
+-items: { type: "string" },
+-additionalItems: false
++items: { type: "string" }
+ }
+ ]
+ },
+@@ -44,7 +42,6 @@
+ {
+ type: "array",
+ items: { type: "string" },
+-additionalItems: false,
+ minItems: 1
+ }
+ ]
+--- a/lib/rule-tester/rule-tester.js
 b/lib/rule-tester/rule-tester.js
+@@ -48,7 +48,7 @@
+ { getRuleOptionsSchema, validate } = require("../shared/config-validator"),
+ { Linter, SourceCodeFixer, interpolate } = require("../linter");
+ 
+-const ajv = require("../shared/ajv")({ strictDefaults: true });
++const ajv = require("../shared/ajv")({ strictSchema: true });
+ 
+ const { SourceCode } = require("../source-code");
+ 
+@@ -398,7 +398,7 @@
+ 
+ if (ajv.errors) {
+ const errors = ajv.errors.map(error => {
+-const field = error.dataPath[0] === "." ? error.dataPath.slice(1) : error.dataPath;
++const field = error.instancePath[0] === "." ? error.instancePath.slice(1) : error.instancePath;
+ 
+ return `\t${field}: ${error.message}`;
+ }).join("\n");
+--- a/lib/rules/array-element-newline.js
 b/lib/rules/array-element-newline.js
+@@ -23,7 +23,6 @@
+ },
+ 
+ fixable: "whitespace",
+-
+ schema: [
+ {
+ oneOf: [
+--- a/lib/rules/eqeqeq.js
 b/lib/rules/eqeqeq.js
+@@ -43,8 +43,7 @@
+ },
+ additionalProperties: false
+ }
+-],
+-additionalItems: false
++]
+ },
+ {
+ type: "array",
+@@ -52,8 +51,7 @@
+ {
+ enum: ["smart", "allow-null"]
+ }
+-],
+-additionalItems: false
++  
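
Review bot: in the `lib/rule-tester/rule-tester.js` part, `error.instancePath[0] === "."` carries the ajv 6 `dataPath` test over unchanged, but ajv 8 reports `instancePath` as a JSON Pointer that begins with `/`, so the branch that strips the leading character never runs. Strip a leading `/` instead, or drop the conditional, and compare the resulting `field` text with what the rule-tester expectations contain.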

Bug#1057707: eslint is incompatible with node-ajv >= 8

2023-12-07 Thread Yadd
Package: eslint
Version: 6.4.0~dfsg+~6.1.9-7
Severity: important
Tags: ftbfs upstream

Hi,

eslint depends on node-ajv 6 and is incompatible with node-ajv 8
(available in experimental branch). All is in lib/shared/ajv.js:

 - eslint requires 'ajv/lib/refs/json-schema-draft-04.json' which is no
   more available
 - eslint tries to set `ajv._opts.defaultMeta` which is
   `ajv.opts.defaultMeta` in node-ajv 8.

Changing "ajv/lib/refs/json-schema-draft-04.json" to
"ajv/lib/refs/json-schema-draft-06.json" doesn't work. I tried this
patch which looks to work but 27 tests fail (not the good error string).
It uses default ajv schemas.

Help needed here ;-)

--- a/lib/shared/ajv.js
+++ b/lib/shared/ajv.js
@@ -8,8 +8,7 @@
 // Requirements
 
//--

-const Ajv = require("ajv"),
-metaSchema = require("ajv/lib/refs/json-schema-draft-04.json");
+const Ajv = require("ajv");

 
//--
 // Public Interface
@@ -17,6 +16,7 @@

 module.exports = (additionalOptions = {}) => {
 const ajv = new Ajv({
+strict: false,
 meta: false,
 useDefaults: true,
 validateSchema: false,
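
Review bot: `strict: false` in the `new Ajv({...})` options switches off every ajv 8 strict-mode check for all callers, on top of the `validateSchema: false` already in the context lines, so a rule schema with an unknown or misspelled keyword is accepted silently. Prefer leaving strict mode on and fixing the schemas that trip it, or relax only the specific strict option that fails.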
@@ -26,9 +26,5 @@
 ...additionalOptions
 });

-ajv.addMetaSchema(metaSchema);
-// eslint-disable-next-line no-underscore-dangle
-ajv._opts.defaultMeta = metaSchema.id;
-
 return ajv;
 };
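
Review bot: with `ajv.addMetaSchema(metaSchema)` and the `defaultMeta` assignment removed while `meta: false` stays in the constructor options, this instance ends up with no meta-schema registered at all. The report says the intent is to use the default ajv schemas; for that `meta: false` has to go as well, and schemas that declare a draft-04 `$schema` should be tested against the result.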



Bug#1056705: node-mqtt: Missing dependency to node-lru-cache

2023-11-24 Thread Yadd
Package: node-mqtt
Version: 4.3.7-2
Severity: serious
Tags: patch
Justification: Failure
X-Debbugs-Cc: y...@debian.org

Hi,

node-mqtt autopkgtest shows that this package requires node-lru-cache,
however it is not listed in debian/control and then starts to fail when
one of its dependencies no longer depends on node-lru-cache.

Best regards,
Yadd

Ref: 
https://ci.debian.net/data/autopkgtest/testing/amd64/n/node-mqtt/40126282/log.gz



Bug#1056334: [Pkg-javascript-devel] Bug#1056334: node-ast-types: autopkgtest failure

2023-11-21 Thread Yadd

Control: tags -1 + moreinfo

On 11/21/23 12:28, Gianfranco Costamagna wrote:

Source: node-ast-types
Version: 0.16.1-2
Severity: serious


Hello, according to ci, the package autopkgtests looks failing.
https://ci.debian.net/packages/n/node-ast-types/unstable/amd64/39617621/


  66s autopkgtest [20:34:26]: test pkg-js-autopkgtest: 
[---

  66s # Using ./package.(json|yaml)
  66s # Node module name is ast-types
  66s # Build files found: tsconfig.json
  66s # Test files found:
  66s # Found debian/tests/pkg-js/files, let's use it
  66s # Files/dir to be installed from source: src
  66s test
  66s tsconfig*
  66s ls: cannot access 'test': No such file or directory


This is strange: it seems that the test isn't launched from source 
directory (which has a test subdir)



  66s # Copy debian/tests/pkg-js content
  66s 'debian/tests/pkg-js' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js'
  66s 'debian/tests/pkg-js/test' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/test'
  66s 'debian/tests/pkg-js/files' -> 
'/tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp/smokeXkrxbl/debian/tests/pkg-js/files'

  66s Found debian/tests/test_modules
  66s # let's copy it
  66s Found debian/nodejs/extlinks
  67s @babel/parser linked into node_modules
  67s @babel/types linked into node_modules
  68s tslib linked into node_modules
  68s @types/esprima linked into node_modules
  69s @types/estree linked into node_modules
  69s @types/glob linked into node_modules
  70s @types/mocha linked into node_modules
  70s # Searching module in /usr/lib/nodejs/ast-types
  70s # Searching module in /usr/lib/*/nodejs/ast-types
  70s # Searching module in /usr/share/nodejs/ast-types
  70s # Found /usr/share/nodejs/ast-types
  70s # Searching files to link in /usr/share/nodejs/ast-types
  70s # Launch debian/tests/pkg-js/test with sh -ex
  70s + test /tmp/autopkgtest-lxc.2rswz7np/downtmp/autopkgtest_tmp !=
  70s + rm -rf lib
  70s + tsc
  70s Version 4.8.4
  70s tsc: The TypeScript Compiler - Version 4.8.4
  70s
  70s COMMON COMMANDS


The "copy" part of pkg-js-autopkgtest failed, then "tsconfig.json" is 
missing then tsc display this.




Bug#1055525: cryptojs: CVE-2023-46233

2023-11-15 Thread Yadd

Hi,

this bug is still unfixed even if patch is trivial. Here is a template 
for an update
diff --git a/debian/changelog b/debian/changelog
index 558cbac..849d0f4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+cryptojs (3.1.2+dfsg-3+deb12u1) bookworm-security; urgency=medium
+
+  * Change default hash algorithm and iteration's for PBKDF2
+(Closes: #1055525)
+
+ -- Yadd   Thu, 16 Nov 2023 10:53:45 +0400
+
 cryptojs (3.1.2+dfsg-3) unstable; urgency=medium
 
   * Add upstream metadata.
diff --git a/debian/patches/CVE-2023-46233.patch 
b/debian/patches/CVE-2023-46233.patch
new file mode 100644
index 000..c321f49
--- /dev/null
+++ b/debian/patches/CVE-2023-46233.patch
@@ -0,0 +1,38 @@
+Description: Change default hash algorithm and iteration's for PBKDF2
+ to prevent weak security by using the default configuration
+Author: evanvosberg 
+Origin: upstream, https://github.com/brix/crypto-js/commit/421dd538
+Bug: https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
+Bug-Debian: https://bugs.debian.org/1055525
+Forwarded: not-needed
+Reviewed-By: Yadd 
+Last-Update: 2023-11-16
+
+--- a/components/pbkdf2.js
 b/components/pbkdf2.js
+@@ -11,7 +11,7 @@
+ var Base = C_lib.Base;
+ var WordArray = C_lib.WordArray;
+ var C_algo = C.algo;
+-var SHA1 = C_algo.SHA1;
++var SHA256 = C_algo.SHA256;
+ var HMAC = C_algo.HMAC;
+ 
+ /**
+@@ -22,13 +22,13 @@
+  * Configuration options.
+  *
+  * @property {number} keySize The key size in words to generate. 
Default: 4 (128 bits)
+- * @property {Hasher} hasher The hasher to use. Default: SHA1
++ * @property {Hasher} hasher The hasher to use. Default: SHA256
+  * @property {number} iterations The number of iterations to perform. 
Default: 1
+  */
+ cfg: Base.extend({
+ keySize: 128/32,
+-hasher: SHA1,
+-iterations: 1
++hasher: SHA256,
++iterations: 25
+ }),
+ 
+ /**
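
Review bot: `iterations: 25`, as the `cfg` default reads here, is still a negligible PBKDF2 work factor and does not match the stated aim of preventing weak security in the default configuration; verify the value against the Origin commit before upload. The docblock context line still says `Default: 1` for iterations and should state whatever value is actually applied.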
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..4fdeacb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2023-46233.patch


Bug#1056014: cryptojs: Library no more maintained, please keep out of next Debian stable

2023-11-15 Thread Yadd
Source: cryptojs
Severity: serious
Tags: security upstream
Justification: security
X-Debbugs-Cc: y...@debian.org, Debian Security Team 

Hi,

according to https://github.com/brix/crypto-js#readme it seems that
cryptojs is no more maintained. I just dropped the only one reverse
dependency so cryptojs can be safely removed from Debian.



Bug#1054853: node-katex: FTBFS: TypeError: Cannot read properties of undefined (reading '.cjs')

2023-11-07 Thread Yadd

Control: reassign -1 node-postcss-loader
Control: affects -1 node-katex
Control: found -1 7.3.3-1

It seems that node-postcss-loader 7.3.3 needs node-cosmiconfig 8 and "jiti".



Bug#1055480: ITP: libwebservice-s3-tiny-perl -- Perl module for using S3 or compatible APIs

2023-11-06 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org, y...@debian.org

* Package name: libwebservice-s3-tiny-perl
  Version : 0.003
  Upstream Contact: James Raspass 
* URL : https://metacpan.org/release/WebService-S3-Tiny
* License : Artistic or GPL-1+ (and part under Apache-2.0)
  Programming Lang: Perl
  Description : Perl module for using S3 or compatible APIs

WebService::S3::Tiny is a little Perl module for using any S3 or compatible
APIs.

It will be maintained under Perl Team umbrella.



Bug#1054432: Not a bug

2023-10-31 Thread Yadd

Control: severity -1 wishlist

Files are readable



Bug#1054667: [Pkg-javascript-devel] Bug#1054667: node-browserify-sign: CVE-2023-46234

2023-10-28 Thread Yadd

On 10/27/23 20:20, Moritz Mühlenhoff wrote:

Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
 https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.


Hi,

please find attached the debdiff for Bookworm

Kind regards,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 5e3404f..c421503 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-browserify-sign (4.2.1-3+deb12u1) bookworm-security; urgency=high
+
+  * Team upload
+  * Properly check the upper bound for DSA signatures (Closes: #1054667, 
CVE-2023-46234)
+
+ -- Yadd   Sat, 28 Oct 2023 12:03:04 +0400
+
 node-browserify-sign (4.2.1-3) unstable; urgency=medium
 
   * Team upload
diff --git a/debian/patches/CVE-2023-46234.patch 
b/debian/patches/CVE-2023-46234.patch
new file mode 100644
index 000..152fd72
--- /dev/null
+++ b/debian/patches/CVE-2023-46234.patch
@@ -0,0 +1,68 @@
+Description: properly check the upper bound for DSA signatures
+Author: roadicing 
+Origin: upstream, https://github.com/browserify/browserify-sign/commit/85994cd6
+Bug: 
https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
+Bug-Debian: https://bugs.debian.org/1054667
+Forwarded: not-needed
+Applied-Upstream: 4.2.2, commit: 85994cd6
+Reviewed-By: Yadd 
+Last-Update: 2023-10-28
+
+--- a/browser/verify.js
 b/browser/verify.js
+@@ -78,7 +78,7 @@
+ 
+ function checkValue (b, q) {
+   if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+-  if (b.cmp(q) >= q) throw new Error('invalid sig')
++  if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+ 
+ module.exports = verify
+--- a/test/index.js
 b/test/index.js
+@@ -4,6 +4,8 @@
+ var nCrypto = require('crypto')
+ var bCrypto = require('../browser')
+ var fixtures = require('./fixtures')
++var BN = require('bn.js')
++var parseKeys = require('parse-asn1')
+ 
+ function isNode10 () {
+   return parseInt(process.version.split('.')[1], 10) <= 10
+@@ -100,6 +102,35 @@
+   t.end()
+ })
+   }
++
++  var s = parseKeys(pub).data.q;
++  test(
++f.message + ' against a fake signature',
++{ skip: !s || '(this test only applies to DSA signatures and not EC 
signatures, this is ' + f.scheme + ')' },
++function (t) {
++  var messageBase64 = Buffer.from(f.message, 'base64');
++
++  // forge a fake signature
++  var r = new BN('1');
++
++  try {
++var fakeSig = asn1.signature.encode({ r: r, s: s }, 'der');
++  } catch (e) {
++t.ifError(e);
++t.end();
++return;
++  }
++
++  var bVer = bCrypto.createVerify(f.scheme);
++  t['throws'](
++function () { bVer.update(messageBase64).verify(pub, fakeSig); },
++Error,
++'fake signature is invalid'
++  );
++
++  t.end();
++}
++  );
+ })
+ 
+ fixtures.valid.kvectors.forEach(function (f) {
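
Review bot: in the added test, `skip: !s || '(...)'` is truthy on both paths (`true` when `s` is undefined, the message string when it is set), so the fake-signature test is skipped for every fixture and never exercises the `b.cmp(q) >= 0` fix. `!s && '(...)'` would skip only the non-DSA fixtures. Once it runs, a second case with `r` set to `q` would cover the bound on `r` as well as the one on `s`.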
diff --git a/debian/patches/series b/debian/patches/series
index 8aafdeb..86ff972 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 drop-rmd160-support.patch
+CVE-2023-46234.patch
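
The upper-bound bug described in the advisory above, as an added example that is not part of the original messages or of browserify-sign. `MiniBN` is a hypothetical stand-in for the two bn.js methods `checkValue` calls, and `Q` is a constructed value, not a real key parameter.

```javascript
// Added illustration, not browserify-sign code. MiniBN is a hypothetical
// stand-in that mirrors only the bn.js behaviour checkValue relies on.
class MiniBN {
  constructor(v) { this.v = BigInt(v); }
  // Three-way compare, like bn.js: the result is only ever -1, 0 or 1.
  cmp(other) { return this.v < other.v ? -1 : this.v > other.v ? 1 : 0; }
  cmpn(n) { return this.cmp(new MiniBN(n)); }
  // bn.js objects stringify to decimal digits; relational operators
  // fall back to this when one operand is an object.
  toString() { return this.v.toString(10); }
}

// The check as it stood before the fix.
function checkValueBefore(b, q) {
  if (b.cmpn(0) <= 0) throw new Error('invalid sig');
  // The three-way result (-1, 0 or 1) is compared with the object q, which
  // JavaScript coerces to a number through toString(). For any realistic q
  // that number dwarfs 1, so this line never throws: no upper bound at all.
  if (b.cmp(q) >= q) throw new Error('invalid sig');
}

// The check after the fix: compare the three-way result with 0.
function checkValueAfter(b, q) {
  if (b.cmpn(0) <= 0) throw new Error('invalid sig');
  if (b.cmp(q) >= 0) throw new Error('invalid sig');
}

// True when the given check lets the value through.
function accepts(check, b, q) {
  try { check(b, q); return true; } catch (e) { return false; }
}

// Constructed 160-bit value standing in for the DSA subgroup order q.
const Q = new MiniBN((1n << 159n) + 12345n);

// Candidate r or s values at the edges of the valid range 0 < x < q.
const SAMPLES = {
  'zero': new MiniBN(0n),
  'one': new MiniBN(1n),
  'q - 1': new MiniBN(Q.v - 1n),
  'q': new MiniBN(Q.v),
  'q + 1': new MiniBN(Q.v + 1n),
};

// For each sample, report whether the old and the new check accept it.
function rangeCheckTable() {
  const rows = {};
  for (const [name, b] of Object.entries(SAMPLES)) {
    rows[name] = {
      before: accepts(checkValueBefore, b, Q),
      after: accepts(checkValueAfter, b, Q),
    };
  }
  return rows;
}

console.table(rangeCheckTable());
```

The rows for `q` and `q + 1` are the ones that differ between the two checks; `s = q` is the value the upstream regression test in the patch uses.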


Bug#1054175: Closing: not a bug

2023-10-27 Thread Yadd

Control: close -1
Control: notfound -1 2.0.0-2

Closing: unable to reproduce



Bug#1054443: node-graphql: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:21, Bastien Roucariès wrote:

Source:  node-graphql
Version: 16.8.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory
https://sources.debian.org/src/node-graphql/16.8.1-1/website/src/pages/index.jsx/?hl=2#L2

You should repack or package docusaurus and rebuild

Bastien


No unreadable files here



Bug#1054435: [Pkg-javascript-devel] Bug#1054435: node-react-redux: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:08, Bastien Roucariès wrote:

Source:  node-react-redux
Version: 8.1.2+dfsg1+~cs1.2.3-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



Bug#1054439: [Pkg-javascript-devel] Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:15, Bastien Roucariès wrote:

Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien


No unreadable files here



Bug#1054439: node-rjsf: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:15, Bastien Roucariès wrote:

Source:  node-rjsf
Version: 5.6.2+~5.0.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory
https://sources.debian.org/src/node-rjsf/5.6.2+~5.0.1-1/packages/docs/docusaurus.config.js/?hl=54#L54

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



Bug#1054441: node-ts-jest: website is build with Docusaurus not packaged for debian

2023-10-25 Thread Yadd

Control: severity -1 wishlist

On 10/23/23 23:18, Bastien Roucariès wrote:

Source:  node-ts-jest
Version: 29.1.1+~cs0.2.6-2
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory
https://sources.debian.org/data/main/n/node-ts-jest/29.1.1%2B~cs0.2.6-2/website/

You should repack or package docusaurus and rebuild

Bastien


No unreadable file here



Bug#1054434: [Pkg-javascript-devel] Bug#1054434: Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian

2023-10-23 Thread Yadd

On 10/24/23 06:25, Yadd wrote:

Control: tags -1 + moreinfo

On 10/23/23 23:07, Bastien Roucariès wrote:

Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


Hello,

directory docs contains only .md files, totally readable. What is the 
serious bug here ?


Also website/ directory, no unreadable file, no serialized files,... Do 
we have to consider html files as no source because they were written 
with a non free tool ?




Bug#1054434: [Pkg-javascript-devel] Bug#1054434: node-redux: website is build with Docusaurus not packaged for debian

2023-10-23 Thread Yadd

Control: tags -1 + moreinfo

On 10/23/23 23:07, Bastien Roucariès wrote:

Source:  node-redux
Version: 4.2.1-1
Severity: serious
Tags: ftbfs
Justification: FTBFS
Control: block -1 by 1054426

Dear Maintainer,

The documentation is build with docusaurus.

See website directory

You should repack or package docusaurus and rebuild

Bastien


Hello,

directory docs contains only .md files, totally readable. What is the 
serious bug here ?




Bug#1054167: [Pkg-javascript-devel] Bug#1054167: ftbfs: AssertionError in tests

2023-10-19 Thread Yadd

Control: severity -1 important

Hi,

not really a serious-bug since it exists only when using a color term. 
Fixed anyway in version 2.0.0-4


Cheers,
Yadd



Bug#1054175: [Pkg-javascript-devel] Bug#1054175: node-require-main-filename: failing dh_auto_test

2023-10-19 Thread Yadd

Control: tags -1 + moreinfo

On 10/18/23 20:27, Tianyu Chen wrote:

Source: node-require-main-filename
Version: 2.0.0-2
Severity: serious
Tags: ftbfs
Justification: fails to build from source
X-Debbugs-Cc: sweetyf...@deepin.org

Hi,

During a rebuild of your package in unstable, your package fails to
build from source.

Full log can be accessed at:


https://build.opensuse.org/package/live_build_log/home:utsweetyfish:node-202309/node-require-main-filename/Debian_Unstable/aarch64

Tail of log for your package:

# Subtest: should default to process.cwd() if require.main is 
undefined
not ok 1 - expected '/usr/src/packages/BUILD' to match 
/(?:.*autopkgtest.*|require-main-filename)/
  ---
[...]

1..1
# failed 1 test
# time=95.325ms
not ok 1 - test.js # time=95.325ms
  ---
  env: {}
  file: test.js
  timeout: 3
  command: /usr/bin/node
  args:
- test.js
  stdio:
- 0
- pipe
- 2
  cwd: /usr/src/packages/BUILD
  exitCode: 1
  ...

1..1
# failed 1 test
# time=1113.041ms
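----------|---------|----------|---------|---------|-------------------
File      | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s
----------|---------|----------|---------|---------|-------------------
All files |     100 |      100 |     100 |     100 |
 index.js |     100 |      100 |     100 |     100 |
----------|---------|----------|---------|---------|-------------------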
dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test returned exit 
code 1
make: *** [debian/rules:8: binary] Error 25
dpkg-buildpackage: error: debian/rules binary subprocess returned exit 
status 2

Thanks!
Tianyu Chen @ deepin


Hi,

I'm not able to reproduce this issue



Bug#1053895: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2

2023-10-13 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici doesn't clear Cookie and Host headers on cross-origin
redirect.

[ Impact ]
Medium security issue

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Drop headers Host/Cookie unless same-origin

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 92c0de8..168ee34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium
+
+  * Delete cookie and host headers on cross-origin redirect
+(Closes: #1053879, CVE-2023-45143)
+
+ -- Yadd   Fri, 13 Oct 2023 22:14:45 +0400
+
 node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
 
   * Fix security issues (Closes: #1031418):
diff --git a/debian/patches/CVE-2023-45143.patch 
b/debian/patches/CVE-2023-45143.patch
new file mode 100644
index 000..c196bd2
--- /dev/null
+++ b/debian/patches/CVE-2023-45143.patch
@@ -0,0 +1,24 @@
+Description: delete 'cookie' and 'host' headers on cross-origin redirect
+Author: Khafra 
+Origin: upstream, https://github.com/nodejs/undici/commit/e041de35
+Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
+ https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
+Bug-Debian: https://bugs.debian.org/1053879
+Forwarded: not-needed
+Applied-Upstream: 5.26.2, commit:e041de35
+Reviewed-By: Yadd 
+Last-Update: 2023-10-13
+
+--- a/lib/fetch/index.js
 b/lib/fetch/index.js
+@@ -1204,6 +1204,10 @@
+   if (!sameOrigin(requestCurrentURL(request), locationURL)) {
+ // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
+ request.headersList.delete('authorization')
++
++// "Cookie" and "Host" are forbidden request-headers, which undici 
doesn't implement.
++request.headersList.delete('cookie')
++request.headersList.delete('host')
+   }
+ 
+   // 14. If request’s body is non-null, then set request’s body to the first 
return
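Review bot: the fix in lib/fetch/index.js ships without a test, and the request itself says "No new test here". The two added `request.headersList.delete(...)` calls only run inside `if (!sameOrigin(requestCurrentURL(request), locationURL))`, so a regression test that follows a cross-origin redirect and asserts that `cookie` and `host` are absent on the second request (and still present after a same-origin redirect) would guard this backport against later patch refreshes.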
diff --git a/debian/patches/series b/debian/patches/series
index ce1440a..297000a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -8,3 +8,4 @@ drop-ssl-tests.patch
 CVE-2023-23936.patch
 CVE-2023-24807.patch
 update-httpbin.org-test-timeout.patch
+CVE-2023-45143.patch


Bug#1053782: RFP: node-vite -- Next Generation Frontend Tooling

2023-10-10 Thread Yadd

On 10/11/23 10:30, Andrius Merkys wrote:

Package: wnpp
Severity: wishlist
X-Debbugs-Cc: debian-de...@lists.debian.org
Control: block 1042095 by -1

* Package name    : node-vite
   Version : 4.4.11
   Upstream Author : Evan You
* URL : https://github.com/vitejs/vite
* License : Expat
   Programming Lang: JavaScript
   Description : Next Generation Frontend Tooling

Vite is a frontend build tool, including development server and build 
command bundling code with Rollup, pre-configured to output optimized 
static assets for production.


Vite is needed to produce CSS and JS files for sphinx-press-theme.

An estimate of work needed to package Vite:

$ npm2deb depends vite
Dependencies:
NPM                                           Debian
vite (4.4.11)                                 None
├─ esbuild (^0.18.10)                         None
├─ fsevents (~2.3.2)                          None
├─ postcss (^8.4.27)                          node-postcss (8.4.20+~cs8.0.23-1)
└─ rollup (^3.27.1)                           node-rollup (3.28.0-2)

Build dependencies:
NPM                                           Debian
@ampproject/remapping (^2.2.1)                node-ampproject-remapping (2.2.0+~cs5.15.37-1)
@babel/parser (^7.22.7)                       None
@babel/types (^7.22.5)                        node-babel (6.26.0+repack-3~bpo10+1)
@jridgewell/trace-mapping (^0.3.18)           None
@rollup/plugin-alias (^4.0.4)                 node-rollup-plugin-alias (5.0.0~ds-1)
@rollup/plugin-commonjs (^25.0.3)             node-rollup-plugin-commonjs (25.0.4+ds1-1)
@rollup/plugin-dynamic-import-vars (^2.0.4)   None
@rollup/plugin-json (^6.0.0)                  node-rollup-plugin-json (6.0.0+ds1-2)
@rollup/plugin-node-resolve (15.1.0)          node-rollup-plugin-node-resolve (15.1.0+ds-1)
@rollup/plugin-typescript (^11.1.2)           node-rollup-plugin-typescript (11.1.2~ds+~1.0.1-1)
@rollup/pluginutils (^5.0.2)                  node-rollup-pluginutils (5.0.2~ds+~2.8.2-1)
@types/escape-html (^1.0.2)                   None
@types/pnpapi (^0.0.2)                        None
acorn (^8.10.0)                               acorn (8.8.1+ds+~cs25.17.7-2)
acorn-walk (^8.2.0)                           None
cac (^6.7.14)                                 None
chokidar (^3.5.3)                             node-chokidar (3.5.3-2)
connect (^3.7.0)                              node-connect (3.7.0+~3.4.35-1)
connect-history-api-fallback (^2.0.0)         None
convert-source-map (^2.0.0)                   node-convert-source-map (1.9.0+~1.5.2-1)
cors (^2.8.5)                                 node-cors (2.8.5-1)
cross-spawn (^7.0.3)                          node-cross-spawn (5.1.0-2)
debug (^4.3.4)                                node-debug (4.3.4+~cs4.1.7-1)
dep-types (link:./src/types)                  None
dotenv (^16.3.1)                              None
dotenv-expand (^9.0.0)                        None
es-module-lexer (^1.3.0)                      node-es-module-lexer (1.1.0+dfsg-2)
escape-html (^1.0.3)                          node-escape-html (1.0.3+~1.0.2-2)
estree-walker (^3.0.3)                        node-estree-walker (2.0.2-5)
etag (^1.8.1)                                 node-etag (1.8.1-3)
fast-glob (^3.3.1)                            None
http-proxy (^1.18.1)                          node-http-proxy (1.18.1-8)
json-stable-stringify (^1.0.2)                node-json-stable-stringify (1.0.2+repack1+~cs1.0.34-2)
launch-editor-middleware (^2.6.0)             None
lightningcss (^1.21.5)                        None
magic-string (^0.30.2)                        node-magic-string (0.30.1-1)
micromatch (^4.0.5)                           node-micromatch (4.0.5+~4.0.2-1)
mlly (^1.4.0)                                 None
mrmime (^1.0.1)                               None
okie (^1.0.1)                                 None
open (^8.4.2)                                 node-open (8.4.0-6)
parse5 (^7.1.2)                               node-parse5 (7.1.2+dfsg-2)
periscopic (^3.1.0)                           None
picocolors (^1.0.0)                           node-picocolors (1.0.0-4)
picomatch (^2.3.1)                            node-anymatch (3.1.3+~cs4.6.1-2)
postcss-import (^15.1.0)                      None
postcss-load-config (^4.0.1)                  node-postcss-load-config (2.1.2+~cs6.0.0-1)
postcss-modules (^6.0.0)                      node-postcss-modules (6.0.0+~cs5.1.3-2)
resolve.exports (^2.0.2)                      None
rollup-plugin-license (^3.0.1)                None
sirv (^2.0.3)                                 None
source-map-support (^0.5.21)                  node-source-map-support (0.5.21+ds+~0.5.4-1)
strip-ansi (^7.1.0)                           node-strip-ansi (6.0.1-2)
strip-literal (^1.3.0)                        None
tsconfck (^2.1.2)                             None
tslib (^2.6.1)

Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1

2023-10-08 Thread Yadd

On 10/8/23 16:10, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-10-08 Thread Yadd

On 10/8/23 16:04, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2

2023-10-08 Thread Yadd

On 10/8/23 16:03, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1

2023-10-08 Thread Yadd

On 10/8/23 15:55, Jonathan Wiltshire wrote:

Hi,

This request was approved but not uploaded in time for the previous point
release (11.8). Should it be included in 11.9, or should this request be
abandoned and closed?


Sorry, I was travelling. I just pushed the update

Thanks!



Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5

2023-09-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
 - an open redirection due to incorrect escape handling
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-known feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
Two low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each
  redirection
- OIDC open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers,
Yadd
diff --git a/debian/NEWS b/debian/NEWS
index c4d7ee951..ba4a14a12 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:38:51 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   AuthBasic now enforces 2FA activation (CVE-2023-28862):
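Review bot: the NEWS text points admins to "Relying-Party security option to fill this field" without naming the option. The documentation added by the patch labels it "Allowed URLs for fetching Request Object"; quoting that label here would let an admin find it. It would also help to say whether relying parties that already use request_uri must be added to the list after the upgrade, and "little-know" should read "little-known".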
diff --git a/debian/changelog b/debian/changelog
index 5d2c62ac0..35d5599a4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix open redirection due to incorrect escape handling
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 16:35:14 +0400
+
 lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium
 
   * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862)
@@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium
 
 lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium
 
-  * Fix auth process in password-testing plugins (Closes: CVE-2021-20874)
+  * Fix auth process in password-testing plugins (Closes: #1005302, 
CVE-2021-40874)
 
  -- Yadd   Thu, 24 Feb 2022 15:16:09 +0100
 
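Review bot: the edit to the already released deb11u1 entry (CVE-2021-20874 becomes CVE-2021-40874 and #1005302 is added) is not recorded in the new deb11u5 entry, although the checklist states that all changes are documented in d/changelog. Suggest adding a line for it to the deb11u5 entry, and keeping the CVE id outside the Closes list, where only bug numbers have any effect.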
diff --git a/debian/clean b/debian/clean
index 73f167814..cdb4a5ae4 100644
--- a/debian/clean
+++ b/debian/clean
@@ -1,3 +1,4 @@
+doc/pages/documentation/current/.buildinfo
 lemonldap-ng-manager/site/htdocs/static/js/conftree.js
 lemonldap-ng-manager/site/htdocs/static/struct.json
 lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
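Review bot: the new `doc/pages/documentation/current/.buildinfo` line in debian/clean has no matching line in the deb11u5 changelog entry. For a stable update, either mention it there or drop it from this upload if it is unrelated to the three fixes.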
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..dce756430
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,627 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd 
+Last-Update: 2023-09-23
+
+--- a/doc/sources/admin/idpopenidconnect.rst
 b/doc/sources/admin/idpopenidconnect.rst
+@@ -278,6 +278,11 @@
+   the Session Browser.
+- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the 
use of the :ref:`Resource Owner Password Credentials Grant 
` by this client. This feature only works if you 
have configured a form-based authentication module.
+- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): 
Allow the use of the :ref:`Resource Owner Password Credentials Grant 
` by this client.
++   - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``):
++ which URLs may be called by the portal to fetch the request object (see
++ `request_uri
++ 
<https://openid.net/specs/openid-connect-core-1_0.
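Review bot: the added documentation bullet says "(since version ``2.17.1``)", but this patch is applied to 2.0.11+ds-4+deb11u5, so bullseye users reading the shipped docs will conclude the option is not available to them. Suggest adjusting the backported text to name the Debian version that introduces it, or dropping the version remark in this backport.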

Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-29 Thread Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
 - an open redirection only when configuration is edited by hand and
   doesn't follow OIDC specifications
 - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
   A little-known feature of OIDC allows the OpenID Provider to fetch the
   Authorization request parameters itself by indicating a request_uri
   parameter. This feature is now restricted to a white list using this
   patch

[ Impact ]
One low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers,
Xavier
diff --git a/debian/NEWS b/debian/NEWS
index b8955920b..5295a3cbb 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,13 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium
+
+  A little-know feature of OIDC allows the OpenID Provider to fetch the
+  Authorization request parameters itself by indicating a request_uri
+  parameter.
+  By default, this feature is now restricted to a white list. See
+  Relying-Party security option to fill this field.
+
+ -- Yadd   Fri, 29 Sep 2023 17:15:03 +0400
+
 lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium
 
   CVE-2020-24660
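Review bot: the header of the new NEWS entry reads `lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium`, while the matching debian/changelog entry for the same version targets bookworm. The distribution in NEWS should be `bookworm` as well.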
diff --git a/debian/changelog b/debian/changelog
index cd4c8a023..148164a94 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium
+
+  * Fix open redirection when OIDC RP has no redirect uris
+  * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469)
+
+ -- Yadd   Fri, 29 Sep 2023 17:18:12 +0400
+
 lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium
 
   * Apply login control to auth-slave requests
diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch
new file mode 100644
index 0..3c6ca8b51
--- /dev/null
+++ b/debian/patches/SSRF-issue.patch
@@ -0,0 +1,795 @@
+Description: fix SSRF vulnerability
+ Issue described here: 
https://security.lauritz-holtmann.de/post/sso-security-ssrf/
+Author: Maxime Besson 
+Origin: upstream, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
+Forwarded: not-needed
+Applied-Upstream: 2.17.1, 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs
+Reviewed-By: Yadd 
+Last-Update: 2023-09-22
+
+--- a/doc/sources/admin/idpopenidconnect.rst
 b/doc/sources/admin/idpopenidconnect.rst
+@@ -247,6 +247,11 @@
+   This feature only works if you have configured a form-based 
authentication module.
+-  **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): 
Allow the use of the
+   :ref:`Client Credentials Grant ` by this 
client.
++   -  **Allowed URLs for fetching Request Object**: (since version 
``2.17.1``):
++  which URLs may be called by the portal to fetch the request object (see
++  `request_uri
++  
<https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter>`__
++  in OIDC specifications). These URLs may use wildcards 
(``https://app.example.com/*``).
+-  **Authentication level**: Required authentication level to access this 
application
+-  **Access rule**: Lets you specify a :doc:`Perl rule` to 
restrict access to this client
+ 
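Review bot: the added bullet says the allowed URLs "may use wildcards (``https://app.example.com/*``)" but does not say what `*` can match. Since this list is the control that limits which URLs the portal will fetch, the text should state whether a wildcard is accepted only at the end of the path or also in the host part, so admins do not write entries broader than they intend.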
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
 b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
+@@ -4656,6 +4656,7 @@
+ oidcRPMetaDataOptionsComment  => { type => 'longtext' 
},
+ oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' },
+ oidcRPMetaDataOptionsRedirectUris => { type => 'text', },
++oidcRPMetaDataOptionsRequestUris  => { type => 'text', },
+ oidcRPMetaDataOptionsExtraClaims  => {
+ type=> 'keyTextContainer',
+ keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/,
+--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manage
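
The SSRF fix described in the two lemonldap-ng requests above restricts `request_uri` to an allow-list whose entries may end in a wildcard. As an added example (not LemonLDAP::NG's code, whose matching rules are not shown on this page), one way to implement such a check in JavaScript; the function names, the https-only rule, the trailing-`*` prefix semantics and the sample entries are assumptions.

```javascript
// Added example; not LemonLDAP::NG's algorithm. Assumed rules: https only,
// no userinfo, "*" allowed only as the last character of an entry.

// Turn one allow-list entry into origin + path (+ query) to compare against.
function compilePattern(pattern) {
  const wildcard = pattern.endsWith('*');
  const base = new URL(wildcard ? pattern.slice(0, -1) : pattern);
  if (base.protocol !== 'https:' || base.username || base.password) {
    throw new Error(`unsupported allow-list entry: ${pattern}`);
  }
  // A "*" anywhere else (host, middle of the path) is refused, not guessed at.
  if (base.href.includes('*') || (wildcard && (base.search || base.hash))) {
    throw new Error(`wildcard only allowed at end of path: ${pattern}`);
  }
  return { origin: base.origin, path: base.pathname, search: base.search, wildcard };
}

// True only if the parsed request_uri matches an entry. Comparing parsed
// components (not raw strings) means lookalike hosts, userinfo and "../"
// segments are judged after URL normalisation.
function isAllowedRequestUri(requestUri, patterns) {
  let u;
  try {
    u = new URL(requestUri);
  } catch {
    return false; // unparsable input is never fetched
  }
  if (u.protocol !== 'https:' || u.username || u.password) return false;
  return patterns.map(compilePattern).some((p) => {
    if (u.origin !== p.origin) return false; // scheme, host and port must match
    return p.wildcard
      ? u.pathname.startsWith(p.path)
      : u.pathname === p.path && u.search === p.search;
  });
}

// Constructed allow-list for one relying party.
const ALLOWED = [
  'https://app.example.com/oidc/*',
  'https://rp.example.org/oidc/request.jwt',
];
```

A misconfigured entry makes the check throw instead of silently matching more than intended, so the fetch fails closed.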

Bug#1052428: node-minimatch: please update to 9.x

2023-09-21 Thread Yadd

On 9/22/23 00:10, Jérémy Lal wrote:

Package: node-minimatch
Version: 5.1.1+~5.1.2-1
Severity: normal

Hi,

nodejs 18.18.0 depends on node-minimatch 9.0.3.

It'd be nice if someone could update that module.

Regards,
Jérémy


Hi,

I'm going to push version 9.0.3 to experimental (breaking changes)

Cheers,
Yadd



Bug#1052301: ITP: node-stdlib -- Standard library for JavaScript and Node.js

2023-09-19 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-stdlib
  Version : 0.0.96
  Upstream Contact: The Stdlib Authors
  <https://github.com/stdlib-js/stdlib/graphs/contributors>
* URL : https://github.com/stdlib-js/stdlib
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : Standard library for JavaScript and Node.js

node-stdlib is a standard library for JavaScript and Node.js, with an
emphasis on numerical and scientific computing applications. The library
provides a collection of robust, high performance libraries for mathematics,
statistics, data processing, streams, and more and includes many utilities
expected from a standard library.

node-stdlib is a build dependency of node-jupyterlab. Will be maintained
under JS Team umbrella.



Bug#1052246: ITP: node-vdom-to-html -- Node.js library to turn virtual-dom nodes into HTML

2023-09-19 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-vdom-to-html
  Version : 2.3.1
  Upstream Contact: Nathan Tran 
* URL : https://github.com/nthtran/vdom-to-html
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to turn virtual-dom nodes into HTML

node-vdom-to-html turns virtual-dom nodes into HTML. virtual-dom is a
collection of modules designed to provide a declarative way of
representing the DOM.

This is a dependency of node-stdlib which is needed to build
node-jupyterlab. Will be maintained under JS Team umbrella.



Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation

2023-09-18 Thread Yadd

On 9/18/23 21:26, Jérémy Lal wrote:



On Mon, 18 Sept 2023 at 19:15, Yadd <y...@debian.org> wrote:


Package: wnpp
Severity: wishlist
Owner: Yadd <y...@debian.org>
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name    : node-playwright
   Version         : 1.38.0
   Upstream Contact: Microsoft Corporation
   <https://github.com/Microsoft/playwright/issues>
* URL             : https://github.com/Microsoft/playwright
* License         : Apache-2.0
   Programming Lang: JavaScript
   Description     : JavaScript framework for Web Testing and Automation

node-playwright is a framework for Web Testing and Automation. It allows
testing Chromium, Firefox and WebKit with a single API. Playwright is
built to enable cross-browser web automation that is ever-green, capable,
reliable and fast.


Hi, I am a heavy user of node-playwright, so this interests me.
Note that latest version of playwright stopped downloading automatically
the needed browser, which is a good thing.
Playwright is also able to use system-installed chromium, but maybe not firefox,
and I'm pretty sure it won't work out of the box with webkitgtk.

Cheers,
Jérémy


Hi,

Happy to help you! You can test my work, available on salsa.

Best regards,
Yadd



Bug#1052170: ITP: node-playwright -- JavaScript framework for Web Testing and Automation

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-playwright
  Version : 1.38.0
  Upstream Contact: Microsoft Corporation
  <https://github.com/Microsoft/playwright/issues>
* URL : https://github.com/Microsoft/playwright
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : JavaScript framework for Web Testing and Automation

node-playwright is a framework for Web Testing and Automation. It allows
testing Chromium, Firefox and WebKit with a single API. Playwright is
built to enable cross-browser web automation that is ever-green, capable,
reliable and fast.

Another node-jupyterlab dependency, will be maintained under JS Team
umbrella.



Bug#1052147: ITP: node-source-map-loader -- Node.js library to extract source maps

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-source-map-loader
  Version : 4.0.1
  Upstream Contact: JS Foundation
  <https://github.com/webpack-contrib/source-map-loader/issues>
* URL : https://github.com/webpack-contrib/source-map-loader
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to extract source maps

node-source-map-loader is a JS library to extract source maps from
existing source files. Can be used in a node-webpack rule.

It's a build dependency of node-jupyterlab, will be maintained under JS
Team umbrella.



Bug#1052143: ITP: node-html-loader -- Node module that exports HTML as string

2023-09-18 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html-loader
  Version : 4.2.0
  Upstream Contact: JS Foundation
  <https://github.com/webpack-contrib/html-loader/issues>
* URL : https://github.com/webpack-contrib/html-loader
* License : Expat
  Programming Lang: JavaScript
  Description : Node module that exports HTML as string

node-html-loader exports HTML as string. HTML is minimized when the
compiler demands. It is typically used as node-webpack plugin.

node-html-loader is a dependency of node-jupyterlab and will be
maintained under JS Team umbrella



Bug#1052140: ITP: node-html-webpack-plugin -- node-webpack plugin to create HTML files

2023-09-17 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-html-webpack-plugin
  Version : 5.5.3
  Upstream Contact: JS Foundation
  <https://github.com/jantimon/html-webpack-plugin/issues>
* URL : https://github.com/jantimon/html-webpack-plugin
* License : JavaScript
  Programming Lang: Expat
  Description : node-webpack plugin to create HTML files

node-html-webpack-plugin is a node-webpack plugin that simplifies
creation of HTML files to serve a node-webpack bundle. This is
especially useful for bundles that include a hash in the filename
which changes every compilation

It's a build dependency of node-jupyterlab. Will be maintained under JS
Team umbrella.



Bug#1052076: ITP: node-mathjax-full -- JavaScript library to display math in browsers

2023-09-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-mathjax-full
  Version : 3.2.2
  Upstream Contact: The MathJax Consortium
  <https://github.com/mathjax/Mathjax-src/issues>
* URL : https://github.com/mathjax/Mathjax-src
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : JavaScript library to display math in browsers

MathJax is an open-source JavaScript display engine for LaTeX, MathML,
and AsciiMath notation that works in all modern browsers. It was
designed with the goal of consolidating the recent advances in web
technologies into a single, definitive, math-on-the-web platform
supporting the major browsers and operating systems.  It requires no
setup on the part of the user (no plugins to download or software to
install), so the page author can write web documents that include
mathematics and be confident that users will be able to view it
naturally and easily.  Simply include MathJax and some mathematics in
a web page, and MathJax does the rest.

node-mathjax-full is a dependency of node-jupyterlab. It will be
maintained under JS Team umbrella.



Bug#1052075: ITP: node-speech-rule-engine -- NodeJS version of the ChromeVox speech rule engine

2023-09-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-speech-rule-engine
  Version : 3.2.2
  Upstream Contact: Volker Sorge 
* URL : https://github.com/zorkow/speech-rule-engine
* License : Apache-2.0
  Programming Lang: JavaScript
  Description : NodeJS version of the ChromeVox speech rule engine

node-speech-rule-engine (SRE) can translate XML expressions into speech
strings according to rules that can be specified in a syntax using Xpath
expressions.

It's a dependency of node-mathjax-full, needed to build node-jupyterlab.
Will be maintained under JS Team umbrella.



Bug#1052054: ITP: node-sort-package-json -- Node.js library to sort package.json

2023-09-16 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sort-package-json
  Version : 2.5.1
  Upstream Contact: Keith Cirkel 
* URL : https://github.com/fisker/git-hooks-list
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to sort package.json

node-sort-package-json is a small library useful to sort package.json files
of Node.js modules, not in alphabetic order but in logical order (starting
by name and version).

It's a dependency of node-jupyterlab and will be maintained under JS
Team umbrella.



Bug#1051991: ITP: node-sixel -- Node.js library to manage Sixel images

2023-09-15 Thread Yadd
Package: wnpp
Severity: wishlist
Owner: Yadd 
X-Debbugs-Cc: debian-de...@lists.debian.org

* Package name: node-sixel
  Version : 0.16.0
  Upstream Contact: Joerg Breitbart 
* URL : https://github.com/jerch/node-sixel/
* License : Expat
  Programming Lang: JavaScript
  Description : Node.js library to manage Sixel images

node-sixel is an image decoding / encoding library for node and the browser.

It is a build dependency of node-xterm 5 which is required for
node-jupyterlab. Will be maintained under JS Team umbrella.


