[Pkg-javascript-devel] Bug#976331: Bug#976331: Bug#976331: Bug#976331: node-compression-webpack-plugin, node-copy-webpack-plugin, node-uglifyjs-webpack-plugin: contains hidden embedded nodejs module serialize-javascript

Jonas Smedegaard jonas at jones.dk
Thu Dec 3 14:12:44 GMT 2020 

Quoting Xavier (2020-12-03 14:35:25)
> Le 03/12/2020 à 14:24, Xavier a écrit :
> > Le 03/12/2020 à 12:44, Jonas Smedegaard a écrit :
> >> These source packages embed nodejs module serialize-javascript 
> >> without offering it as virtual binary package:
> >>
> >>  node-compression-webpack-plugin
> >>  node-copy-webpack-plugin
> >>  node-uglifyjs-webpack-plugin
> >>
> >> Please embed in only one source package provided as versioned 
> >> virtual package, and drop in other source packages instead 
> >> depending on the virtual package.
> >>
> >> Severity raised since the lack of virtual package blocks upgrading 
> >> node-terser.

[...]

> > for now, dh-sequence-nodejs adds a "Provides" item for modules 
> > installed in root nodejs directories. Do we want to declare a 
> > "node-foo" for submodules (installed in a <package>/node_modules 
> > directory) ?

Whatever that tool does, the resulting package should declare Provides: 
for each embedded Nodejs module, properly versioned with the module's 
own version as first segment then "~" then source package version.

I cannot see a reason for *any* embedded Nodejs module to stay hidden, 
but if someone comes up with some exceptional cases for that, then the 
reasoning should be explicitly documented in either README.source or 
README.Debian (and possibly in long description too).


> Note that the future lintian database (classification tags) will 
> permit to see node modules everywhere.

Everywhere?

I should be able to declare this in some other package:

   Build-Depend: node-serialize-javascript (>= 5)

That is not possible today, because no packages provide that name 
(despite 3 packages containing some version of it).

That will be possible if tommorrow one of those packages adds this:

  Provides: node-serialize-javascript (= 5.0.1)

That will *not* be possible, however, if tommorrow dh-sequence-nodejs 
automatically adds this for all three packages:

  Provides: $embeddedmodule (= ${embeddedmodule:Version})

...because then it is not deterministic which of them has priority.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20201203/47a4f774/attachment.sig>

More information about the Pkg-javascript-devel mailing list