[Pkg-javascript-devel] Bug#972570: Bug#972570: node-lightgallery is built using minified files

Daniel Ring dring at wolfishly.me
Sun Apr 25 00:12:06 BST 2021


It looks like this RC bug also caused the next version of Rainloop to be 
removed from bullseye before the freeze. That version contains a 
relatively important security fix (bug #962629), so both Rainloop and 
node-lightgallery will need to be uploaded to bullseye-backports (when 
available) as well as unstable.

Sincerely,
Daniel Ring

On 4/23/2021 9:35 PM, Daniel Ring wrote:
> The warnings are already overridden in the current version on Salsa, 
> since the Youtube/Vimeo/etc. embeds are only loaded when Lightgallery is 
> used to display a video from that source (e.g. by passing it a Youtube 
> link).
> 
> Sincerely,
> Daniel Ring
> 
> On 4/23/2021 12:31 PM, Yadd wrote:
>> On 23/04/2021 at 19:03, Jonas Smedegaard wrote:
>>> Quoting Yadd (2021-04-23 17:47:23)
>>>> Control: tags -1 + pending
>>>>
>>>> On 23/04/2021 at 09:44, Daniel Ring wrote:
>>>>> Hello Xavier,
>>>>>
>>>>> It looks like the build process was minifying the source files to the
>>>>> destination *.js files and copying the pre-minified files to *.min.js.
>>>>> I corrected it to copy the unminified files directly and minify them to
>>>>> *.min.js.
>>>>>
>>>>> I also updated the package on Salsa to exclude the minified
>>>>> modules/*.min.js files via Files-Excluded in d/copyright, so they're
>>>>> no longer in the source package at all.
>>>>>
>>>>> Sincerely,
>>>>> Daniel Ring
>>>>
>>>> Hi,
>>>>
>>>> looks good to me, thanks! Could you also ignore these warnings in a
>>>> debian/lintian-overrides? It looks like a false positive
>>>>
>>>> Cheers,
>>>> Yadd
>>>>
>>>>   W: node-lightgallery: privacy-breach-generic
>>>> usr/share/nodejs/lightgallery/dist/js/lg-video.min.min.js [<iframe
>>>> class="lg-video-object lg-dailymotion '+o+'" '+l+' width="560"
>>>> height="315"
>>> [...]
>>> Those warnings look real to me.
>>>
>>> What makes you consider them false positives, Xavier?
>>
>> Hi Jonas,
>>
>> yes but the relevant lines are in if/then/else blocks:
>>
>>    if (isVideo.youtube) {
>>      ...  video = '<iframe ...  src="//www.youtube.com/embed/' + .../>
>>
>> so it looks like an admin choice. Daniel, maybe I'm wrong here?
>>


