[Pkg-javascript-devel] [RFS] node-jsonld

Nilesh Patra npatra974 at gmail.com
Tue Mar 17 19:20:08 GMT 2020 

On Tue, 17 Mar 2020, 23:52 Jonas Smedegaard, <jonas at jones.dk> wrote:

> Quoting Nilesh Patra (2020-02-02 18:51:01)
> > On Sun, 2 Feb 2020 at 22:48, Jonas Smedegaard <jonas at jones.dk> wrote:
> >
> > > Quoting Nilesh Patra (2020-02-02 16:01:57)
> > > > I fixed node-jsonld to build with Node.js >= 12. It builds fine in
> > > > a clean chroot, and autopkgtests pass.
> [...]
> > > I reduced your module resolving patch to only add /usr/share/nodejs
> > > - if the two relative paths ('.' and 'node_modules') are really
> > > needed then please explain why (again, I may very well have missed
> > > something, but it looks to me like a dirty hack which might cause
> > > trouble at least on non-clean build environments).
> > >
> >
> > I have faced issues with webpack failing to resolve modules when they
> > are embedded.
> > I added that in to avoid webpack failing to recognize those, if in
> > case modules are embedded in future.
>
> I have now identified that webpack.config.js needs the following:
>
> +    resolve: {
> +      modules:
> ['/usr/lib/nodejs','/usr/share/nodejs','/usr/share/nodejs/babel-runtime/node_modules'],
> +    },
> +    resolveLoader: {
> +      modules: ['/usr/lib/nodejs','/usr/share/nodejs'],
> +    },
>
> To me that smells of an error in node-babel-runtime.
>

Seems like; and it looks apparent in yadd's commit which they pointed out
in with new babel


> I strongly recommend to *revert* any and all packages where resolve
> paths have been patched to include '.' and/or './node_modules' as I
> suspect that to not only be wrong but also be a security risk similar to
> shell PATH or perl/python/ruby/whatever module-loaders including ".".


Sounds good, I'll see if I can do that with a workaround for other node
modules which I have worked on with this particular change.

I appreciate that you reviewed and let me know the correct fixes.

That said, could you as well review my changes for node-terser here[1].
I had replied on the bug[2] too, and since it's approximately been a month,
I would really appreciate if you could review the changes.


[1]: https://salsa.debian.org/gi-boi-guest/node-terser/
[2]: https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=950666#19

Thanks and regards,
Nilesh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20200318/e93b8b9f/attachment.html>

More information about the Pkg-javascript-devel mailing list