[Pkg-javascript-devel] Embedded modules more than once
Jonas Smedegaard
jonas at jones.dk
Thu Sep 3 15:16:13 BST 2020
Quoting Xavier (2020-09-03 16:06:01)
> On 03/09/2020 at 16:02, Jonas Smedegaard wrote:
> > Quoting Xavier (2020-09-03 15:43:24)
> >> On 03/09/2020 at 15:36, Xavier wrote:
> >>> On 03/09/2020 at 14:59, Andrius Merkys wrote:
> >>>> Hi Xavier,
> >>>>
> >>>> On 2020-09-03 15:54, Xavier wrote:
> >>>>> buffer-equal:
> >>>>> - node-buffer-equal (1.0.0)
> >>>>> - node-vinyl-fs (1.0.0)
> >>>>
> >>>> Does this (and the like) mean that <module> is now packaged as
> >>>> node-<module>? If so, such embedded modules might be removed.
> >>>
> >>> Hi,
> >>>
> >>> You're right, buffer-equal should be removed from node-vinyl-fs. Another
> >>> example, node-parse-json, is bad: it embeds some outdated @babel/*
> >>> modules while node-babel7 has been released.
> >>>
> >>> I built this inventory to detect such cases.
> >>
> >> Another (good) example: node-lolex embeds a slightly outdated
> >> @sinonjs/commons to avoid a complex circular dependency with node-sinon.
> >> In this case no bug, just a known problem.
> >
> > "known" to whom? It does not seem known to Debian nor to the JavaScript
> > team - i.e. I fail to see any mention of the reason for that code
> > embedding in debian/README or debian/TODO.
> >
> > What did I miss?
>
> I forgot to insert a Debian/README, this is just mentioned in
> d/changelog. Let's do that.
Thanks.
Please also report it for the security team - see
https://wiki.debian.org/EmbeddedCopies
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
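
An added example, not part of the thread and not Xavier's inventory tool: a parser for the inventory layout quoted above that flags modules shipped by more than one package, so each embedded copy can be removed or documented and reported. The `@scope/name` to `node-scope-name` mapping is an assumption, and every sample entry except `buffer-equal` is constructed.

```python
import re

# Constructed sample in the layout quoted in the thread; only the buffer-equal
# entry comes from the thread, the other entries are made up for illustration.
SAMPLE = """\
buffer-equal:
- node-buffer-equal (1.0.0)
- node-vinyl-fs (1.0.0)
@example/commons:
- node-example-a (1.7.0)
- node-example-b (1.8.3)
left-alone:
- node-example-c (2.0.0)
"""

ENTRY = re.compile(r"^-\s+(\S+)\s+\(([^)]+)\)$")

def parse_inventory(text):
    """Return {module: [(package, version), ...]} from the inventory text."""
    inventory, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m and current is not None:
            inventory[current].append((m.group(1), m.group(2)))
        elif line.endswith(":"):
            current = line[:-1]
            inventory.setdefault(current, [])
        elif line:  # an entry before any header, or an unknown line
            raise ValueError(f"unrecognised inventory line: {raw!r}")
    return inventory

def debian_name(module):
    # Assumption: "@scope/name" is packaged in Debian as "node-scope-name".
    return "node-" + module.lstrip("@").replace("/", "-").lower()

def findings(inventory):
    """Return (module, kind, embedding packages) for every duplicated module."""
    out = []
    for module, entries in sorted(inventory.items()):
        packages = {pkg for pkg, _ in entries}
        if len(packages) < 2:
            continue  # shipped by one package only: nothing to reconcile
        own = debian_name(module)
        if own in packages:  # standalone package exists: embedded copies can go
            kind = "remove-embedded-copy"
        elif len({ver for _, ver in entries}) > 1:
            kind = "version-drift"  # copies differ, at least one is outdated
        else:
            kind = "duplicate"
        out.append((module, kind, sorted(packages - {own})))
    return out
```
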