<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>To whom it may concern,</p>
<p>NPM, the package manager for the NodeJS ecosystem, has not been
updated since 2022 and as a result is missing many bug fixes and
security updates such as: </p>
<ul>
<li>Security
<ul>
<li>http-cache-semantics vulnerable to Regular Expression Denial of Service</li>
<li>NPM IP package incorrectly identifies some private IP addresses as public</li>
<li>semver vulnerable to Regular Expression Denial of Service</li>
</ul>
</li>
<li>Bugs
<ul>
<li><a href="https://github.com/npm/cli/commit/cf175fb2a7faffa6664874a9e8bea52dbbb1b0e2">default auth-type to legacy if otp is configured</a></li>
<li><a href="https://github.com/npm/cli/commit/8d9d7351f5f9cfd7028a9f47cde520ca393218dd">unpublish: bubble up all errors parsing local package.json</a></li>
<li><a href="https://github.com/npm/cli/commit/939a188bc3ab9c2bfa49ccb4837fe4ad844131ed">ignore node prereleases in npm engines check</a></li>
</ul>
</li>
</ul>
<p>Also, the version of NPM in Trixie/Testing and Unstable has not
been updated since Bookworm. I think NPM should be packaged
similarly to how it's packaged on Fedora, where all of the node
modules are packaged with NPM. This way, when NPM is installed, all
of its dependencies don't pollute the global environment with
random commands like "webpack" and "acorn". Plus, it eases the
burden of packaging NPM because there won't be all of these tiny
sub-packages to manage. Of course, I don't know the inner details
of why this package hasn't been updated, and it could be that no
one has had the time to package it. In this case, I am more than
happy to help with the efforts of packaging NPM.</p>
<p>Chris</p>
</body>
</html>