[Pkg-javascript-devel] Bug#935845: not an RC bug; fix is easy: upgrade embedded lodash.cli

Paolo Greppi paolo.greppi at libpf.com
Wed Oct 23 21:31:16 BST 2019


Bringing this over to the mailing list ...

On 23/10/19 22:07, Jonas Smedegaard wrote:
> Quoting Paolo Greppi (2019-10-23 21:18:37)
>> ...
>> The reason is that the bundled version of lodash-cli is out of date:
>> grep version lodash-cli/package.json 
>>   "version": "4.17.5",
>>
>> if you replace the lodash-cli dir with the current version (which is in sync with lodash itself, 4.17.15) you get the correct file generated.
>>
>> So in the future we should keep the bundled lodash-cli in sync with lodash itself.
> 
> More importantly: We should track versions!!!
> 
> lodash embeds lodash-cli with "ignore" in its watch file.
> 
> How many JavaScript packages are packaged that way?
> 
> 
>  - Jonas

To find packages with ignore in d/watch:
https://codesearch.debian.net/search?q=ignore+path%3Adebian%2Fwatch

But this check is not enough to tell that something is wrong.
It can still be fine provided that upstream has a yarn.lock or a package-lock.json AND all components pulled in are at the same version as required by the lock files.
It seems that we need tooling to automatically verify that. Any volunteer?

For lodash the build-dep on lodash.cli is not in the devDependencies key of the package.json nor in the lockfiles (the only hint that you need that is in .travis.yml file).
Anyway common sense requires that lodash.cli should be at the same version as lodash itself.
It does not make sense to hack the version to node-lodash_4.17.15+4.17.15+dfsg-1; people have already been making fun of that: http://joeyh.name/blog/entry/turing_complete_version_numbers/
For this one I propose that we add a test in d/rules override_dh_test target that `grep version lodash-cli/package.json` == `grep version package.json` (sorry pseudocode but you get the idea)

Paolo
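The version-comparison check proposed above, written out as a POSIX shell script. This is an added example, not code from the node-lodash package or from anyone on this thread; the function names, the fixture directory built with mktemp and the package.json contents are constructed for the illustration. It extracts the "version" field from the top-level package.json and from a bundled component's package.json and fails when they differ or when either field is missing, which is the situation the bug report describes (lodash at 4.17.15 shipping lodash-cli at 4.17.5).

```shell
#!/bin/sh
# Added example: build-time check that a bundled component's package.json
# carries the same "version" as the top-level package.json.
# Function names and the fixture tree are constructed for this illustration.

set -u

# Print the "version" field of a package.json; fail if it is absent.
# Matches lines of the form:   "version": "4.17.15",
pkg_version() {
    v=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$v" ] || { echo "no version field in $1" >&2; return 1; }
    printf '%s\n' "$v"
}

# Usage: check_bundled_version <source root> <bundled dir relative to root>
# Returns 0 when both versions match, 1 otherwise (reason on stderr).
check_bundled_version() {
    root=$1
    sub=$2
    top=$(pkg_version "$root/package.json") || return 1
    bundled=$(pkg_version "$root/$sub/package.json") || return 1
    if [ "$top" != "$bundled" ]; then
        echo "version mismatch: $root/package.json is $top but $sub is $bundled" >&2
        return 1
    fi
    echo "ok: $sub matches top-level version $top"
}

# Create a constructed source tree with the given top-level and bundled
# versions (hypothetical fixture, not real upstream files). Prints its path.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/lodash-cli"
    printf '{\n  "name": "lodash",\n  "version": "%s"\n}\n' "$1" > "$d/package.json"
    printf '{\n  "name": "lodash-cli",\n  "version": "%s"\n}\n' "$2" > "$d/lodash-cli/package.json"
    printf '%s\n' "$d"
}

# Stand-alone demo: first the stale bundle from the bug report, then a tree
# where the bundled copy has been refreshed to match.
if [ "${1:-}" = "--demo" ]; then
    stale=$(make_fixture 4.17.15 4.17.5)
    check_bundled_version "$stale" lodash-cli || echo "check failed as expected"
    fresh=$(make_fixture 4.17.15 4.17.15)
    check_bundled_version "$fresh" lodash-cli
    rm -rf "$stale" "$fresh"
fi
```

In a packaging context the two functions would be sourced from a helper script and `check_bundled_version . lodash-cli` called from the `override_dh_auto_test` target so that dh fails the build on a mismatch; the sed-based extraction only reads the first "version" key it finds, so it is deliberate that each bundled directory is checked against its own package.json rather than via a recursive grep.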
