[Pkg-javascript-devel] Bug#976331: Bug#976331: Bug#976331: Bug#976331: node-compression-webpack-plugin, node-copy-webpack-plugin, node-uglifyjs-webpack-plugin: contains hidden embedded nodejs module serialize-javascript

Xavier yadd at debian.org
Thu Dec 3 14:44:48 GMT 2020


On 03/12/2020 at 15:12, Jonas Smedegaard wrote:
> Quoting Xavier (2020-12-03 14:35:25)
>> On 03/12/2020 at 14:24, Xavier wrote:
>>> On 03/12/2020 at 12:44, Jonas Smedegaard wrote:
>>>> These source packages embed nodejs module serialize-javascript 
>>>> without offering it as virtual binary package:
>>>>
>>>>  node-compression-webpack-plugin
>>>>  node-copy-webpack-plugin
>>>>  node-uglifyjs-webpack-plugin
>>>>
>>>> Please embed in only one source package provided as versioned 
>>>> virtual package, and drop in other source packages instead 
>>>> depending on the virtual package.
>>>>
>>>> Severity raised since the lack of virtual package blocks upgrading 
>>>> node-terser.
> 
> [...]
> 
>>> for now, dh-sequence-nodejs adds a "Provides" item for modules 
>>> installed in root nodejs directories. Do we want to declare a 
>>> "node-foo" for submodules (installed in a <package>/node_modules 
>>> directory) ?
> 
> Whatever that tool does, the resulting package should declare Provides: 
> for each embedded Nodejs module, properly versioned with the module's 
> own version as first segment then "~" then source package version.
> 
> I cannot see a reason for *any* embedded Nodejs module to stay hidden, 
> but if someone comes up with some exceptional cases for that, then the 
> reasoning should be explicitly documented in either README.source or 
> README.Debian (and possibly in long description too).

I chose that because such modules are not directly usable using a
`require("foo")`, but I can change

>> Note that the future lintian database (classification tags) will 
>> make it possible to see node modules everywhere.
> 
> Everywhere?

Sorry, I missed some explanations: lintian parses all files and emits a tag
each time it finds a node_module/foo/package.json or
<main nodejs>/foo/package.json or <main nodejs>/foo.js. Then we will be
able to see embedded nodejs modules in all Debian packages.

NB2, you can also take a look at
https://lintian.debian.org/tags/nodejs-module-not-declared.html : it
shows node modules installed in nodejs main dirs (not in node_modules/
for now).

If we decide to change this ~policy, nodejs-module-not-declared should
also be updated.

But in this case, we will have some not-directly-usable node-* virtual
packages.

> I should be able to declare this in some other package:
> 
>    Build-Depends: node-serialize-javascript (>= 5)
> 
> That is not possible today, because no packages provide that name 
> (despite 3 packages containing some version of it).
> 
> That will be possible if tomorrow one of those packages adds this:
> 
>   Provides: node-serialize-javascript (= 5.0.1)
> 
> That will *not* be possible, however, if tomorrow dh-sequence-nodejs 
> automatically adds this for all three packages:
> 
>   Provides: $embeddedmodule (= ${embeddedmodule:Version})

It does (see our discussion about acorn) but only for main installed
modules (and if DD didn't omit ${nodejs:Provides} of course)

> ...because then it is not deterministic which of them has priority.
> 
>  - Jonas

Cheers,
Xavier

NB: maybe I misunderstood part of your explanations and then my
explanations are perhaps off topic
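
[Added example, not part of the original mail and not code from lintian or dh-sequence-nodejs.] The thread describes scanning for `node_modules/<module>/package.json` files and versioning each `Provides:` as module version, then "~", then source package version. The Python below does both over unpacked package trees and reports modules embedded by more than one package, which is the ambiguity Jonas raises. The `node-<scope>-<name>` naming rule, the sample versions and the directory layout are assumptions made for the illustration.

```python
import json
import os
import tempfile
from collections import defaultdict

def embedded_modules(pkg_root):
    """Return sorted (name, version) pairs for module roots under any node_modules/."""
    found = []
    for dirpath, _dirs, files in os.walk(pkg_root):
        rel = os.path.relpath(dirpath, pkg_root).split(os.sep)
        plain = len(rel) >= 2 and rel[-2] == "node_modules"
        scoped = len(rel) >= 3 and rel[-3] == "node_modules" and rel[-2].startswith("@")
        if "package.json" in files and (plain or scoped):
            with open(os.path.join(dirpath, "package.json")) as fh:
                meta = json.load(fh)
            if "name" in meta and "version" in meta:
                found.append((meta["name"], meta["version"]))
    return sorted(found)

def debian_name(module):
    # Assumed naming convention: "@scope/name" -> "node-scope-name"
    return "node-" + module.lstrip("@").replace("/", "-").lower()

def provides_line(modules, source_version):
    # Module's own version first, then "~", then the source package version
    return ", ".join(f"{debian_name(n)} (= {v}~{source_version})" for n, v in modules)

def duplicated(per_package):
    """Map module name -> packages embedding it, for modules embedded more than once."""
    owners = defaultdict(list)
    for pkg, modules in per_package.items():
        for name, _version in modules:
            owners[name].append(pkg)
    return {n: sorted(p) for n, p in owners.items() if len(p) > 1}

def demo():
    # Constructed trees: the embedded versions are illustrative, not real package contents
    sample = {"node-copy-webpack-plugin": "5.0.1", "node-compression-webpack-plugin": "4.0.0"}
    per_package = {}
    with tempfile.TemporaryDirectory() as tmp:
        for pkg, ver in sample.items():
            mod = os.path.join(tmp, pkg, pkg[5:], "node_modules", "serialize-javascript")
            os.makedirs(mod)
            with open(os.path.join(mod, "package.json"), "w") as fh:
                json.dump({"name": "serialize-javascript", "version": ver}, fh)
            per_package[pkg] = embedded_modules(os.path.join(tmp, pkg))
    return per_package

if __name__ == "__main__":
    print(duplicated(demo()))
```

A module listed by `duplicated()` is one that a security update would have to patch in every embedding package, which is why an inventory of hidden copies matters.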


