[Pkg-javascript-devel] Bug#963764: Bug#963764: Bug#963764: node-node-sass: uses embedded old security-buggy libsass
Nilesh Patra
npatra974 at gmail.com
Wed Jul 8 15:26:34 BST 2020
Hi,
On Wed, 8 Jul 2020, 19:30 Jonas Smedegaard, <jonas at jones.dk> wrote:
> Quoting merkys at debian.org (2020-07-08 15:13:06)
> > The upstream has updated the libsass support to 3.6.3 [1], it's just
> > not released yet. I have successfully used head of their git
> > repository to build node-node-sass without the embedded libsass copy
> > (there were a couple of failing mocha tests, however).
>
@Andrius: Thanks a lot for your work on this :-)
> Thanks for looking into this issue!
>
> Please strongly consider to not only make the package link with
> system-shared libsass, but also repackage upstream tarball with embedded
> code copy removed, to ensure not accidentally using that code (and to
> lighten the size of what gets distributed in Debian and simplify
> copyright tracking and ease security tracking).
@Jonas:
I considered the same approach after the first source-only-upload was done.
However, it might so happen that going forward the version of sass is
updated to a newer upstream, and Debian adapts to that particular release,
but the node-sass upstream might only have support for libsass 3.6.3 -
considering that upstream of node-node-sass is slower to adapt to changes.
This would cause node-node-sass to FTBFS.
Hence, I wish to keep the embedded copy of libsass if such a situation
arises.
The package built with the libsass in the archive earlier - when it started
to FTBFS, a flag was appended for it to build with the embedded version of
libsass.
On reverting the commit[1], it'd again start building with the libsass in
the archive.
I'd wish to keep the same approach.
_Please let me know_ if this doesn't sound good to you and if you'd prefer
embedded libsass to be stripped entirely.
[1]:
https://salsa.debian.org/js-team/node-node-sass/-/commit/bb9e5ede14253ecc02140f9a5e946b580afed3d4
Kind Regards,
Nilesh
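The risk Jonas raises above is that a build silently falls back to the embedded libsass copy while everyone assumes the system library is in use. A post-build check for that, written for this reply as an added example (it is not code from this thread, from the node-node-sass package or from libsass), looks at the native binding with `nm -D` and `ldd`: if libsass's C API symbols are only referenced (undefined) and `libsass.so` appears as a shared dependency, the binding uses the archive's libsass; if those symbols are defined inside the binding, an embedded copy was compiled in. It assumes libsass's public API uses the `sass_` symbol prefix and that the binding is the usual `binding.node`; the `nm` and `ldd` listings in the block are constructed samples, not real tool output.

```shell
#!/bin/sh
# Added example: decide whether a node-sass binding.node links the system
# libsass or carries an embedded copy. Assumption: libsass exports its C API
# with a "sass_" prefix (e.g. sass_make_data_context).

# classify_libsass_linkage "<nm -D output>"
#   prints "embedded" if any sass_* symbol is *defined* in the binding,
#          "system"   if sass_* symbols are only referenced (U),
#          "none"     if no sass_* symbol appears at all.
classify_libsass_linkage() {
    nm_out=$1
    # nm lines are "<addr> <type> <name>" or "<type> <name>" for undefined
    # symbols, so the type is always the second-to-last field.
    defined=$(printf '%s\n' "$nm_out" | awk '
        NF >= 2 && $(NF-1) ~ /^[TtWwDd]$/ && $NF ~ /^sass_/ { n++ }
        END { print n + 0 }')
    undefined=$(printf '%s\n' "$nm_out" | awk '
        NF >= 2 && $(NF-1) == "U" && $NF ~ /^sass_/ { n++ }
        END { print n + 0 }')
    if [ "$defined" -gt 0 ]; then
        echo embedded
    elif [ "$undefined" -gt 0 ]; then
        echo system
    else
        echo none
    fi
}

# needs_shared_libsass "<ldd output>": succeeds if libsass.so is a dependency.
needs_shared_libsass() {
    printf '%s\n' "$1" | grep -q 'libsass\.so'
}

# check_binding "<nm -D output>" "<ldd output>": succeeds only when both
# signals agree that the system libsass is used.
check_binding() {
    linkage=$(classify_libsass_linkage "$1")
    if [ "$linkage" = "system" ] && needs_shared_libsass "$2"; then
        echo "OK: binding uses system libsass"
        return 0
    fi
    echo "FAIL: linkage=$linkage (embedded copy or no libsass dependency)"
    return 1
}

# Constructed sample listings (not real tool output).
NM_SYSTEM='                 U sass_make_data_context
                 U sass_compile_data_context
0000000000004a10 T _ZN4sass7bindingE
                 U napi_create_object'
NM_EMBEDDED='0000000000012340 T sass_make_data_context
0000000000012400 T sass_compile_data_context
0000000000004a10 T _ZN4sass7bindingE'
LDD_SYSTEM='    linux-vdso.so.1 (0x00007ffd00000000)
    libsass.so.1 => /usr/lib/x86_64-linux-gnu/libsass.so.1 (0x00007f0100000000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f0200000000)'
LDD_EMBEDDED='    linux-vdso.so.1 (0x00007ffd00000000)
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f0200000000)'

if [ $# -eq 1 ]; then
    # Real use: ./check.sh path/to/binding.node
    check_binding "$(nm -D "$1" 2>/dev/null)" "$(ldd "$1" 2>/dev/null)"
else
    # Demo on the constructed samples.
    check_binding "$NM_SYSTEM" "$LDD_SYSTEM"
    check_binding "$NM_EMBEDDED" "$LDD_EMBEDDED" || true
fi
```

`nm -D` only shows the dynamic symbol table, so an embedded copy built with hidden visibility can hide its `sass_*` definitions; that is why the check also requires `libsass.so` in the `ldd` output, and on an unstripped build `nm` without `-D` gives the fuller picture. Running it from `debian/rules` after the build fails the package when the fallback to the embedded copy happens unnoticed.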