[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

Jérémy Lal kapouer at melix.org
Wed Dec 27 14:03:20 GMT 2023


On Wed, 27 Dec 2023 at 14:43, Moritz Mühlenhoff <jmm at inutil.org> wrote:

> On Thu, Dec 21, 2023 at 11:26:27PM +0100, Jérémy Lal wrote:
> > On Thu, 21 Dec 2023 at 20:34, Moritz Mühlenhoff <jmm at inutil.org> wrote:
> >
> > > On Thu, Dec 21, 2023 at 11:29:12AM +0100, Jérémy Lal wrote:
> > > > On Thu, 21 Dec 2023 at 10:54, Moritz Muehlenhoff <jmm at inutil.org> wrote:
> > > >
> > > > > On Thu, Dec 21, 2023 at 06:43:35AM +0100, Salvatore Bonaccorso wrote:
> > > > > > Hi,
> > > > > >
> > > > > > [CC'ing node-undici uploader]
> > > > >
> > > >
> > > > [CC-ing the good email address for node-undici uploader]
> > > >
> > > > Attached is a debdiff for a node-undici update (which backports what has
> > > > been done in testing).
> > >
> > > Looks good to me, please build with -sa (since it's the first upload
> > > to bookworm-security) and upload to security-master.
> > >
> >
> > Note that nodejs 18.19.0 doesn't need this node-undici version to be built,
> > only typescript consumers need it (when rebuilding packages in bookworm,
> > or when simply using a typescript compiler in bookworm).
>
> I checked the autopkgtest results for 18.19 on bookworm (it's running
> on security-master and isn't public at this point) and there are
> five packages marked as regressing, for which I'm attaching the logs.
>
> Two have explicit references to the node-undici (but since the new
> node-undici isn't installed into the archive yet, these will only
> recover when it's out).
>
> Could you please do a quick pass over these if the other three are also
> related or whether we potentially also need to update other packages
> in bookworm?


I don't think so, they are all either node-undici-related, or just test
suite regressions.
Here are the details:

node-zx is a regression in the test suite only, fixed there:
https://salsa.debian.org/js-team/node-zx/-/commit/a7d2861413480261890db147ea367a252192c9f2

node-yaml is caused by missing node-undici

node-v8-compile-cache is a regression in the test suite only, fixed there:
https://salsa.debian.org/js-team/node-v8-compile-cache/-/commit/df42bdbfe84811e4da11d8c3d8ef3148d8a77bcc

node-babel7 is a regression in the test suite, fixed there:
https://salsa.debian.org/js-team/node-babel/-/commit/e5c88f4d765e4d64b60c9cf333dedb89abba39c5

node-re2 is caused by missing node-undici

Jérémy