[Pkg-javascript-devel] Bug#940708: Bug#935845: Bug#935845: not an RC bug; fix is easy: upgrade embedded lodash.cli

Jonas Smedegaard jonas at jones.dk
Thu Oct 24 09:05:22 BST 2019


Quoting Xavier (2019-10-24 09:18:38)
> 
> 
> On 23 October 2019 22:07:55 GMT+02:00, Jonas Smedegaard <jonas at jones.dk> wrote:
> >Quoting Paolo Greppi (2019-10-23 21:18:37)
> >> First, I tripped on this one while testing yarnpkg 1.19.1 from experimental.
> >> For the record, this is how I found that node-lodash was the culprit:
> >> 
> >> node --trace-deprecation /usr/bin/yarnpkg install
> >> yarn install v1.19.1
> >> [1/4] Resolving packages...
> >> (node:29081) [DEP0016] DeprecationWarning: 'root' is deprecated, use 'global'
> >>     at Object.<anonymous> (/usr/share/nodejs/lodash/_createRound.js:6:22)
> >>     at Module._compile (internal/modules/cjs/loader.js:778:30)
> >>     at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
> >>     at Module.load (internal/modules/cjs/loader.js:653:32)
> >>     at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
> >>     at Function.Module._load (internal/modules/cjs/loader.js:585:3)
> >>     at Module.require (internal/modules/cjs/loader.js:692:17)
> >>     at require (internal/modules/cjs/helpers.js:25:18)
> >>     at Object.<anonymous> (/usr/share/nodejs/lodash/ceil.js:1:19)
> >>     at Module._compile (internal/modules/cjs/loader.js:778:30)
> >> ...
> >> 
> >> Second, this should not be an RC bug.
> >> It's a deprecation **warning**.
> >> And it could be easily patched out by allowing stderr in the autopkgtest.
> >> 
> >> But (and that's the third point) there's no need of that hack, because the actual fix is easier.
> >> 
> >> The upstream commit that Jonas pointed to is on a branch (4.17.15-npm) where upstream stores built artifacts ("binaries").
> >> You can rebuild those binaries locally in this package sources dir with:
> >> NODE_PATH=. node lodash-cli/bin/lodash modularize exports=node -o modules
> >> only to find that the generated modules/_createRound.js lacks the root = require statement
> >> 
> >> The reason is that the bundled version of lodash-cli is out of date:
> >> grep version lodash-cli/package.json 
> >>   "version": "4.17.5",
> >> 
> >> if you replace the lodash-cli dir with the current version (which is in sync with lodash itself, 4.17.15) you get the correct file generated.
> >> 
> >> So in the future we should keep the bundled lodash-cli in sync with lodash itself.
> >
> >More importantly: We should track versions!!!
> >
> >lodash embeds lodash-cli with "ignore" in its watch file.
> >
> >How many JavaScript packages are packaged that way?
> 
> Then what to answer to https://bugs.debian.org/940708 ?

I agree with Jonathan Dowland that tracking an upstream project by use 
of a version string like 
6.2.1+ds+~0.4.0+~4.0.0+really4.0.0+~1.0.0+~5.0.1+ds+~1.7.0+ds+~0.1.1+~0.3.1+~0.2.0+~0.1.0+~0.3.0+~0.3.0-5 
is painful and should be replaced.

I do not volunteer to implement an alternative, but imagine that a 
sensible alternative could look like 6.2.1+ds+~20191003+d4e91ce where 
the latter part would indicate day of bundling and tiny hash of bundle, 
and if there was ever a need to issue another bundle on same day then 
the scheme would support adding a serial: 6.2.1+ds+~20191003.1+d08d819

I find it less painful to use the current bundling scheme to track 
_bundles_ of a _limited_ set of relatively stale upstreams, like 
src:jsbundle-web-interfaces 4.0.2~1.1.0+~2.0.1~ds+~4.0.2+~0~20180821-2

What I criticise is *zero* indication of bundling for the package lodash:

  src:lodash 4.17.15+dfsg-1

I would strongly prefer using current bundling scheme for that:

  src:lodash 4.17.15+dfsg+~4.17.5-1

If lodash had had such a version, I would not have wasted *hours* of 
trying to figure out why the heck our 4.17.15 did not include what 
upstream released in 4.17.13.

I consider the watch file a helper tool, not part of the mandatory 
skeleton of a source package, and expect to have adequate information 
about what constitutes "the source" without needing to extrapolate hints 
from the watch file.

Oh, and please in future don't cross-post.  And when you do anyway then 
say so explicitly and state your plan for how to untangle it - e.g. 
"please follow up only at foobar at baz".


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
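
The bundling scheme discussed in the message above, as an added example that is not part of the original mail or of any Debian tool: a small parser that splits a version string on the `+~` component separator seen in the quoted versions and flags embedded components that lag the main upstream version. The function names are hypothetical, and the lag check assumes the embedded component is released in lockstep with the main project, as the thread says of lodash-cli and lodash.

```python
import re

# Repack markers seen in the versions quoted in the message (+ds, +dfsg, ~ds).
_REPACK = re.compile(r"[+~](?:ds|dfsg)(?:\.?\d+)?$")


def split_bundle_version(version):
    """Split 'main+~comp1+~comp2-rev' into (main, [components], revision)."""
    if ":" in version:                      # drop an epoch if present
        version = version.split(":", 1)[1]
    upstream, sep, revision = version.rpartition("-")
    if not sep:                             # no Debian revision in the string
        upstream, revision = version, None
    main, *components = upstream.split("+~")
    return main, components, revision


def bare(version):
    """Strip repack markers and honour '+reallyX' to get the upstream version."""
    version = _REPACK.sub("", version)
    if "+really" in version:
        version = version.split("+really", 1)[1]
    return version


def numeric_key(version):
    """Numeric fields only; enough to order dotted release numbers."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def lagging_components(version):
    """Components older than the main upstream version.

    Assumption: the embedded component is versioned in lockstep with the
    main project (true of lodash-cli and lodash per the thread, not in general).
    """
    main, components, _ = split_bundle_version(version)
    main_key = numeric_key(bare(main))
    return [c for c in components if numeric_key(bare(c)) < main_key]


if __name__ == "__main__":
    # Both version strings are taken from the message above.
    for v in ("4.17.15+dfsg-1", "4.17.15+dfsg+~4.17.5-1"):
        main, comps, rev = split_bundle_version(v)
        print(v, "->", bare(main), comps, "lagging:", lagging_components(v))
```

With the version that carries no bundling indication the check has nothing to inspect; with the `+~4.17.5` form the stale lodash-cli is visible from the version string alone.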