[Pkg-javascript-devel] Bug#935845: Bug#935845: not an RC bug; fix is easy: upgrade embedded lodash.cli

Jonas Smedegaard jonas at jones.dk
Wed Oct 23 21:07:55 BST 2019 

Quoting Paolo Greppi (2019-10-23 21:18:37)
> First, I tripped on this one while testing yarnpkg 1.19.1 from experimental.
> For the record, this is how I found that node-lodash was the culprit:
> 
> node --trace-deprecation /usr/bin/yarnpkg install
> yarn install v1.19.1
> [1/4] Resolving packages...
> (node:29081) [DEP0016] DeprecationWarning: 'root' is deprecated, use 'global'
>     at Object.<anonymous> (/usr/share/nodejs/lodash/_createRound.js:6:22)
>     at Module._compile (internal/modules/cjs/loader.js:778:30)
>     at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
>     at Module.load (internal/modules/cjs/loader.js:653:32)
>     at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
>     at Function.Module._load (internal/modules/cjs/loader.js:585:3)
>     at Module.require (internal/modules/cjs/loader.js:692:17)
>     at require (internal/modules/cjs/helpers.js:25:18)
>     at Object.<anonymous> (/usr/share/nodejs/lodash/ceil.js:1:19)
>     at Module._compile (internal/modules/cjs/loader.js:778:30)
> ...
> 
> Second, this should not be an RC bug.
> It's a deprecation **warning**.
> And it could be easily patched out by allowing stderr in the autopkgtest.
> 
> But (and that's the third point) there's no need of that hack, because the actual fix is easier.
> 
> The upstream commit that Jonas pointed to is on a branch (4.17.15-npm) where upstream stores built artifacts ("binaries").
> You can rebuild those binaries locally in this package sources dir with:
> NODE_PATH=. node lodash-cli/bin/lodash modularize exports=node -o modules
> only to find that the generated modules/_createRound.js lacks the root = require statement
> 
> The reason is that the bundled version of lodash-cli is out of date:
> grep version lodash-cli/package.json 
>   "version": "4.17.5",
> 
> if you replace the lodash-cli dir with the current version (which is in sync with lodash itself, 4.17.15) you get the correct file generated.
> 
> So in the future we should keep the bundled lodash-cli in sync with lodash itself.

More importantly: We should track versions!!!

lodash embeds lodash-cli with "ignore" in its watch file.

How many JavaScript packages are packaged that way?


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20191023/d79cb040/attachment.sig>

More information about the Pkg-javascript-devel mailing list