[Pkg-javascript-devel] Bug#963764: Bug#963764: node-node-sass: uses embedded old security-buggy libsass
Jonas Smedegaard
jonas at jones.dk
Wed Jul 8 14:56:58 BST 2020
Quoting merkys at debian.org (2020-07-08 15:13:06)
> The upstream has updated the libsass support to 3.6.3 [1], it's just
> not released yet. I have successfully used head of their git
> repository to build node-node-sass without the embedded libsass copy
> (there were a couple of failing mocha tests, however).
Thanks for looking into this issue!
Please strongly consider not only making the package link with
system-shared libsass, but also repackaging the upstream tarball with the
embedded code copy removed, to ensure that code is not accidentally used
(and to lighten the size of what gets distributed in Debian, simplify
copyright tracking and ease security tracking).
For an example of such repackaging, see e.g. ruby-sassc.
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
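The point of the repack Jonas recommends is that a vendored libsass copy should not even be present in the source the package builds from, so there is nothing for a build to pick up by accident. The script below is an added example, not code from the bug report, the node-node-sass package or ruby-sassc: a small build-time guard that reports any embedded libsass copy left in an unpacked source tree, plus a helper that removes it (the same effect a `Files-Excluded` repack has at tarball creation time). The directory names it checks (`src/libsass`, `libsass`) and the marker header (`sass.h`) are assumptions about how libsass is vendored; the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example, not part of the bug report or any Debian package.
# Assumptions: a vendored libsass lives at src/libsass or libsass, and a
# copy that was moved elsewhere can still be spotted by its public header sass.h.

# embedded_copies DIR: print each known vendored-copy directory found under DIR.
# Returns 0 when none is present, 1 when at least one is (suitable for a
# dh override or a pre-build check).
embedded_copies() {
    dir=$1
    found=0
    for rel in src/libsass libsass; do
        if [ -d "$dir/$rel" ]; then
            echo "$rel"
            found=1
        fi
    done
    return $found
}

# stray_sass_headers DIR: list any sass.h under DIR, relative to DIR, to catch
# a copy that does not sit at one of the expected paths.
stray_sass_headers() {
    dir=$1
    find "$dir" -type f -name sass.h 2>/dev/null | while read -r hdr; do
        echo "${hdr#"$dir"/}"
    done
}

# strip_embedded DIR: delete the vendored copies so the build can only link
# against the system libsass (what a Files-Excluded repack does up front).
strip_embedded() {
    dir=$1
    for rel in src/libsass libsass; do
        rm -rf "${dir:?}/$rel"
    done
}

# make_sample_tree: build a constructed source tree in a temp dir, with an
# embedded libsass copy, and print its path. Sample data, not real node-sass.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/src/libsass/include" "$tmp/lib"
    echo "/* constructed sample header */" > "$tmp/src/libsass/include/sass.h"
    echo "module.exports = {};" > "$tmp/lib/index.js"
    echo "$tmp"
}
```

Usage: after unpacking the (repacked) orig tarball, run `embedded_copies .` and `stray_sass_headers .`; both should print nothing, and `embedded_copies` should exit 0. In Debian the removal itself is normally declared once, as a `Files-Excluded` field in `debian/copyright` that uscan honours when it creates the `+dfsg` tarball, so the check here is a belt-and-braces guard rather than a replacement for that declaration.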