<div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 17 Mar 2020, 23:52 Jonas Smedegaard, <<a href="mailto:jonas@jones.dk">jonas@jones.dk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Quoting Nilesh Patra (2020-02-02 18:51:01)<br>
> On Sun, 2 Feb 2020 at 22:48, Jonas Smedegaard <<a href="mailto:jonas@jones.dk" target="_blank" rel="noreferrer">jonas@jones.dk</a>> wrote:<br>
> <br>
> > Quoting Nilesh Patra (2020-02-02 16:01:57)<br>
> > > I fixed node-jsonld to build with Node.js >= 12. It builds fine in <br>
> > > a clean chroot, and autopkgtests pass.<br>
[...]<br>
> > I reduced your module resolving patch to only add /usr/share/nodejs <br>
> > - if the two relative paths ('.' and 'node_modules') are really <br>
> > needed then please explain why (again, I may very well have missed <br>
> > something, but it looks to me like a dirty hack which might cause <br>
> > trouble at least on non-clean build environments).<br>
> ><br>
> <br>
> I have faced issues with webpack failing to resolve modules when they <br>
> are embedded.<br>
> I added that in to avoid webpack failing to recognize those, if in <br>
> case modules are embedded in future.<br>
<br>
I have now identified that webpack.config.js needs the following:<br>
<br>
+ resolve: {<br>
+ modules: ['/usr/lib/nodejs','/usr/share/nodejs','/usr/share/nodejs/babel-runtime/node_modules'],<br>
+ },<br>
+ resolveLoader: {<br>
+ modules: ['/usr/lib/nodejs','/usr/share/nodejs'],<br>
+ },<br>
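Review bot: the third entry of resolve.modules, '/usr/share/nodejs/babel-runtime/node_modules', hard-codes a directory inside another package's install tree, so this config depends on that package's internal layout. A comment beside that entry marking it as a workaround would let it be dropped once resolution works without it. The remaining entries are absolute system directories and need no such note.<br>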
<br>
To me that smells of an error in node-babel-runtime.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">Seems like; and it looks apparent in yadd's commit which they pointed out in with new babel</div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
I strongly recommend to *revert* any and all packages where resolve <br>
paths have been patched to include '.' and/or './node_modules' as I <br>
suspect that to not only be wrong but also be a security risk similar to <br>
shell PATH or perl/python/ruby/whatever module-loaders including ".".</blockquote></div></div><div dir="auto"><br></div><div dir="auto">Sounds good, I'll see if I can do that with a workaround for other node modules which I have worked on with this particular change.</div><div dir="auto"><br></div><div dir="auto">I appreciate that you reviewed and let me know the correct fixes.</div><div dir="auto"><br></div><div dir="auto">That said, could you also review my changes for node-terser here [1]?</div><div dir="auto">I had replied on the bug [2] too, and since it has been approximately a month, I would really appreciate it if you could review the changes.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">[1]: <a href="https://salsa.debian.org/gi-boi-guest/node-terser/">https://salsa.debian.org/gi-boi-guest/node-terser/</a></div><div dir="auto">[2]: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=950666#19">https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=950666#19</a></div><div dir="auto"><br></div><div dir="auto">Thanks and regards,</div><div dir="auto">Nilesh</div><div dir="auto"></div></div>
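An added example, not part of the original thread or of any Debian package: a check that flags relative entries in a webpack config's `resolve.modules` and `resolveLoader.modules` and lists the directories each one causes to be searched, since webpack looks up a relative entry in the importing file's directory and every ancestor of it. The function names, the build directory and the second config are constructed for illustration; POSIX paths are assumed.

```javascript
// Added example. POSIX paths assumed (Debian build hosts).
const isAbsolute = (p) => p.startsWith('/');

// Directories searched for one relative entry when a file in `fromDir`
// imports a module: fromDir itself, then each ancestor up to '/'.
function expandRelative(entry, fromDir) {
  const name = entry.replace(/^\.\//, '') || '.';
  const parts = fromDir.split('/').filter(Boolean);
  const dirs = [];
  for (let i = parts.length; i >= 0; i--) {
    const base = '/' + parts.slice(0, i).join('/');
    if (name === '.') dirs.push(base);
    else dirs.push((base === '/' ? '' : base) + '/' + name);
  }
  return dirs;
}

// Report every explicitly listed non-absolute entry. A section with no
// `modules` key is skipped; webpack's built-in default is not audited here.
function auditResolvePaths(config, fromDir) {
  const findings = [];
  for (const section of ['resolve', 'resolveLoader']) {
    const modules = (config[section] && config[section].modules) || [];
    for (const entry of modules) {
      if (!isAbsolute(entry)) {
        findings.push({ section, entry, searched: expandRelative(entry, fromDir) });
      }
    }
  }
  return findings;
}

const BUILD_DIR = '/build/node-jsonld'; // constructed build location

// The configuration quoted in the thread: absolute system paths only.
const fromThread = {
  resolve: { modules: ['/usr/lib/nodejs', '/usr/share/nodejs',
    '/usr/share/nodejs/babel-runtime/node_modules'] },
  resolveLoader: { modules: ['/usr/lib/nodejs', '/usr/share/nodejs'] },
};

// Constructed config with the relative entries the thread asks to revert.
const withRelative = {
  resolve: { modules: ['.', 'node_modules', '/usr/share/nodejs'] },
};

for (const f of auditResolvePaths(withRelative, BUILD_DIR)) {
  console.log(`${f.section}.modules '${f.entry}' searches: ${f.searched.join(', ')}`);
}
```
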