[Pkg-javascript-devel] RFS: node-dompurify

Yadd yadd at debian.org
Fri Nov 5 11:57:57 GMT 2021


On 05/11/2021 at 12:22, Caleb O.A. wrote:
> Hi there,
> 
> I just updated the node-dompurify package from 2.3.0 to 2.3.3. I would
> like you to confirm if it's safe for sponsorship and uploading
> https://salsa.debian.org/calebpitan/node-dompurify
> 
> Thank you!
> 
> Caleb Adepitan.
> 
> (Outreachy Internship Applicant)

Hi,

done with changes. Detailed explanations:

 * The `lintian-brush` tool automatically fixes some little things. It's
   good practice to run it. Here:
    * trailing whitespaces
    * some debian/upstream/metadata fixes

 * `lintian` can display more things with the --info option. I added some
   missing unimportant overrides (see my changes)

 * the dependency on nodejs is bad (Multi-Arch). Two solutions:
   + if there is a node script (bin/foo.js), replace it with "nodejs:any"
   + else prefer to drop this dependency: there are some other JS
     engines
     Note that if you drop nodejs but it is required, lintian will show
     it with an error. So you can safely drop it and wait for lintian to
     see if it was required; if so, use "nodejs:any"

 * always take a look at tracker.debian.org, you will see:
   * if there is a bug to fix
   * if Multi-Arch reports a problem

 * the `cme check dpkg` command shows some other problems:
   + debian/copyright didn't follow
     https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
     (bad license entry)
   + [Pedantic, really not required] the patch didn't follow the format
     provided by `dpkg-source --commit`. It can be useful for other team
     members to know
     + if the patch has been submitted to upstream; if yes, where
     + if the patch refers to a known bug (upstream and/or Debian and/or
       Ubuntu)
     + if the patch comes from (or is inspired by) upstream or another
       source; if yes, set the link
     + who the author is
     + who reviewed it (used when the patch is changed later by another
       team member, ...)
    When you submit a patch to fix a security issue, it is really useful
    to use this format

 * the `duck` tool can show some other problems (dead upstream, ...)

 * `debcheck-nodejs` shows if there is a difference between npmjs.com
   and the source given in debian/watch. Don't apply its recommendations
   without analysis (sometimes, just report to upstream that there is
   a missing tag, ...)

 * other:
   + prefer to use "dh-sequence-nodejs" instead of "pkg-js-tools +
     dh --with nodejs"
   + I fixed debian/watch because the next version of uscan will raise
     an error when filenamemangle fails (don't worry about that for now)

Thanks for your contribution!

Cheers,
Yadd
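The patch header format mentioned above (the DEP-3 template that `dpkg-source --commit` prompts for) is easier to see than to describe. What follows is an added example, not part of the message above or of the node-dompurify package: a shell script that writes a constructed patch with a DEP-3 header and then checks that the fields DEP-3 makes mandatory are present. The author and reviewer names, the hypothetical `example.js` hunk and the file name are all made up for illustration; for a real security fix you would also fill in `Bug:` (upstream tracker URL) and `Bug-Debian:` (https://bugs.debian.org/<number>) so the next team member can find the advisory.

```shell
#!/bin/sh
# Added example, not from the mailing-list message or from node-dompurify.
# Shows a DEP-3 patch header (the format dpkg-source --commit asks for)
# and a small check for the fields DEP-3 requires.
set -eu

# Write a constructed sample patch to the path given as $1.
# Header fields are the DEP-3 ones the message lists: where it was
# forwarded, who wrote it, who reviewed it, and where it comes from.
# "Origin: vendor" means the change was written for Debian itself.
# A security fix would also carry "Bug:" and "Bug-Debian:" lines
# pointing at the upstream issue and the Debian bug (placeholders only,
# no real bug numbers are used here).
write_sample_patch() {
    cat > "$1" <<'EOF'
Description: Hypothetical change: make an optional require() conditional
 Second line of the long description is indented by one space, as DEP-3
 requires. The hunk below is constructed for this example.
Author: Jane Doe <jane@example.org>
Origin: vendor
Forwarded: not-needed
Reviewed-By: John Smith <john@example.org>
Last-Update: 2021-11-05
---
--- a/example.js
+++ b/example.js
@@ -1,3 +1,3 @@
-const extra = require('optional-module');
+const extra = null; /* optional-module is not packaged */
 module.exports = extra;
EOF
}

# dep3_check PATCH: return 0 when the header (everything above the first
# "---" line) contains a Description or Subject and an Origin or Author
# (DEP-3 requires Origin unless Author/From is present); otherwise print
# what is missing and return 1.
dep3_check() {
    header=$(sed '/^---$/q' "$1")
    if ! printf '%s\n' "$header" | grep -Eq '^(Description|Subject):'; then
        echo "$1: missing Description/Subject" >&2
        return 1
    fi
    if ! printf '%s\n' "$header" | grep -Eq '^(Origin|Author|From):'; then
        echo "$1: missing Origin/Author" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: write the sample and check it.
sample=$(mktemp)
write_sample_patch "$sample"
dep3_check "$sample" && echo "DEP-3 header OK"
rm -f "$sample"
```

The check is deliberately narrow: it only enforces the two things DEP-3 calls mandatory, so a header that omits `Forwarded:` or `Reviewed-By:` still passes, which matches the "pedantic, not required" status the message gives the format.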



More information about the Pkg-javascript-devel mailing list