[Pkg-javascript-devel] Bug#935845: not an RC bug; fix is easy: upgrade embedded lodash.cli

Pirate Praveen praveen at onenetbeyond.org
Thu Oct 24 07:00:44 BST 2019



On Wed, Oct 23, 2019 at 22:31, Paolo Greppi <paolo.greppi at libpf.com> 
wrote:
> Bringing this over to the mailing list ...
> 
> On 23/10/19 22:07, Jonas Smedegaard wrote:
>>  Quoting Paolo Greppi (2019-10-23 21:18:37)
>>>  ...
>>>  The reason is that the bundled version of lodash-cli is out of 
>>> date:
>>>  grep version lodash-cli/package.json
>>>    "version": "4.17.5",
>>> 
>>>  if you replace the lodash-cli dir with the current version (which 
>>> is in sync with lodash itself, 4.17.15) you get the correct file 
>>> generated.
>>> 
>>>  So in the future we should keep the bundled lodash-cli in sync 
>>> with lodash itself.
>> 
>>  More importantly: We should track versions!!!
>> 
>>  lodash embeds lodash-cli with "ignore" in its watch file.
>> 
>>  How many JavaScript packages are packaged that way?
>> 
>> 
>>   - Jonas
> 
> To find packages with ignore in d/watch:
> <https://codesearch.debian.net/search?q=ignore+path%3Adebian%2Fwatch>
> 
> But this check is not enough to tell that something is wrong.
> It can still be fine provided that upstream has a yarn.lock or a 
> package-lock.json AND all components pulled in are at the same 
> version as required by the lock files.
> It seems that we need tooling to automatically verify that. Any 
> volunteer ?
> 
> For lodash the build-dep on lodash.cli is not in the devDependencies 
> key of the package.json nor in the lockfiles (the only hint that you 
> need that is in .travis.yml file).
> Anyway common sense requires that lodash.cli should be at the same 
> version as lodash itself.
> It does not make sense to hack the version to 
> node-lodash_4.17.15+4.17.15+dfsg-1, people have already been making fun 
> of that: <http://joeyh.name/blog/entry/turing_complete_version_numbers/>
> For this one I propose that we add a test in d/rules override_dh_test 
> target that `grep version lodash-cli/package.json` == `grep version 
> package.json` (sorry pseudocode but you get the idea)

Agreed, this will be sufficient and thanks for finding the root cause. 
Since we have the ignore option in watch, we will have to add a patch to 
update the lodash-cli version. I remember seeing a checksum option 
mentioned somewhere that will generate a sane version string instead of 
concatenating all versions, though I am not sure if uscan supports it 
already. Hope yadd will know the status.

It's likely lodash-cli was updated later, as our watch file is checking 
only the 4.x version and uscan should have downloaded the latest version anyway.
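The check Paolo sketches in pseudocode above, written out as a shell snippet so it can be dropped into a d/rules override_dh_auto_test target. This is an added example, not code from the thread or from the Debian lodash packaging; it extracts the "version" field from two package.json files with sed (no jq, so it works in a minimal build chroot, but it assumes the field sits on its own line the way npm writes it) and fails the build when the bundled lodash-cli disagrees with lodash itself. The two source trees it builds are constructed for the demonstration, reproducing the 4.17.5 versus 4.17.15 mismatch from the bug.

```shell
#!/bin/sh
# Added example: verify that a bundled lodash-cli declares the same
# "version" as the top-level lodash package.json.

# Print the "version" field of a package.json. Uses sed, not jq, so it
# runs in a bare build chroot; assumes npm's one-field-per-line layout.
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Compare the versions of two package.json files.
# Returns 0 when they match, 1 on mismatch, 2 when a version field is missing.
check_version_sync() {
    top=$(pkg_version "$1")
    bundled=$(pkg_version "$2")
    if [ -z "$top" ] || [ -z "$bundled" ]; then
        echo "cannot read a version field from $1 or $2" >&2
        return 2
    fi
    if [ "$top" != "$bundled" ]; then
        echo "version mismatch: $1 is $top but $2 is $bundled" >&2
        return 1
    fi
    echo "versions in sync: $top"
    return 0
}

# Build a constructed source tree with a given lodash and lodash-cli
# version, for exercising the check. Not real upstream files.
make_tree() {
    # $1 = directory, $2 = lodash version, $3 = bundled lodash-cli version
    mkdir -p "$1/lodash-cli"
    printf '{\n  "name": "lodash",\n  "version": "%s"\n}\n' "$2" > "$1/package.json"
    printf '{\n  "name": "lodash-cli",\n  "version": "%s"\n}\n' "$3" > "$1/lodash-cli/package.json"
}

# Demonstration: the stale tree is the situation from the bug report.
demo_dir=$(mktemp -d)
make_tree "$demo_dir/stale" 4.17.15 4.17.5
make_tree "$demo_dir/synced" 4.17.15 4.17.15

check_version_sync "$demo_dir/stale/package.json" "$demo_dir/stale/lodash-cli/package.json" \
    || echo "stale tree rejected, as the build should be"
check_version_sync "$demo_dir/synced/package.json" "$demo_dir/synced/lodash-cli/package.json"
```

In d/rules the call would be `check_version_sync package.json lodash-cli/package.json` from the override target, so dh aborts the build on a non-zero return; the sed-based extraction is deliberately strict about the field name so a "version" key nested under some other object (for example inside a dependency entry) is not picked up unless it is the first one in the file.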
