[Pkg-javascript-devel] Bug#920749: Bug#920749: popper.js: contains generated code uncertain if fully included as source
Xavier
yadd at debian.org
Tue Jan 29 06:41:40 GMT 2019
Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit :
> Source: popper.js
> Version: 1.14.6+ds-1
> Severity: serious
> Justification: Policy 2.1
>
> Source package contains several files (seemingly all of them) below
> <dist/> which does not exist in upstream version tracking and therefore
> are not in the form preferred upstream, and more importantly may include
> other code than the actual source below <packages/>.
>
> - Jonas
Upstream author does provide dist/* files in release commits (example:
https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1)
and remove them from master at next commit. This generated files are
readable javascript files, unminified and well commented (a sort of
webpack of packages/* files).
To reproduce build, many dependencies are needed. So the choices are:
- doing nothing, twitter-bootstrap4 will be removed from buster with
all its reverse dependencies
- package many new modules (I've no time to do this)
- decrease this severity issue
NB: upstream build can be reproduce only using yarnpkg, failed with npm:
$ yarnpkg install
$ yarnpkg build
Cheers,
Xavier
More information about the Pkg-javascript-devel
mailing list