Control: severity -1 important

Hi Mikel,

Quoting Mikel Pérez (2021-11-26 23:57:36)
> Severity: serious
> Justification: Policy 2.2.1

Justification cannot be § 2.2.1 which is about what can go into Debian
or instead can only be part of the "contrib" or "non-free": the npm
package complies with all requirements in § 2.2.1 to be in "main" and all
of its dependencies and recommendations are permitted in "main" as well.

This issue seems instead to be related to Policy § 7.2 - the rules about
declaring package dependencies, recommendations, and suggestions:
https://www.debian.org/doc/debian-policy/ch-relationships.html#binary-dependencies-depends-recommends-suggests-enhances-pre-depends

I consider the severity of this issue inflated: Severity "serious" means
the issue is so severe that it is better to completely remove npm from
Debian if the issue is not resolved. That's certainly not the case here,
so I've taken the liberty to lower severity to "important" - even though
I am not the maintainer of npm.

> I was installing npm on my headless raspberry pi when I noticed it
> pulls unnecessary libx11 packages and xserver-utils. Since they're not
> listed on the package dependencies, I assume one of the dependencies
> is that which includes it. Still, I find it doubtful that anything
> that depends on X is actually needed to run npm.
>
> I believe the dependency list needs to be revised.
> I tried with the debian docker image too so it is not a raspbian bug.

npm depends on node-opener, which depends on xdg-utils, which recommends
xserver-utils, which depends on libx11.

Seems sensible to me that npm wants the ability to open things in a web
browser and thus via node-opener uses XDG calls for that.

Since the X11 libraries and tools are only recommended, you have the
option to suppress installing it - e.g. with this command:

    apt install npm libx11-data-

Personally I consider this a non-issue: I would prefer if npm would
consider it an exotic thing to rely on graphical tools, but by its
dependency on node-opener the authors of npm clearly consider
integration with graphical tools a part of its user experience, and we
should appreciate that it is _possible_ to suppress that.

Only if npm gracefully handles node-opener being unavailable does it
(maybe) make sense to relax to only suggesting node-opener.

I leave it to npm package maintainers how to proceed further here...

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private