[Pkg-javascript-devel] Bug#1000673: Bug#1000673: reportbug: npm package depends on too many packages, including X11

Jonas Smedegaard jonas at jones.dk
Fri Nov 26 23:58:25 GMT 2021


Control: severity -1 important

Hi Mikel,

Quoting Mikel Pérez (2021-11-26 23:57:36)
> Severity: serious
> Justification: Policy 2.2.1

Justification cannot be § 2.2.1 which is about what can go into Debian 
or instead can only be part of the "contrib" or "non-free": the npm 
package complies with all requirements in § 2.2.1 to be in "main" and all 
of its dependencies and recommendations are permitted in "main" as well.

This issue seems instead to be related to Policy § 7.2 - the rules about 
declaring package dependencies, recommendations, and suggestions: 
https://www.debian.org/doc/debian-policy/ch-relationships.html#binary-dependencies-depends-recommends-suggests-enhances-pre-depends

I consider the severity of this issue inflated: Severity 
"serious" means the issue is so severe that it is better to completely 
remove npm from Debian if the issue is not resolved.  That's certainly 
not the case here, so I've taken the liberty to lower severity to 
"important" - even though I am not the maintainer of npm.


> I was installing npm on my headless raspberry pi when I noticed it 
> pulls unnecessary libx11 packages and xserver-utils. Since they're not 
> listed on the package dependencies, I assume one of the dependencies 
> is that which includes it. Still, I find it doubtful that anything 
> that depends on X is actually needed to run npm.
> 
> I believe the dependency list needs to be revised.
> I tried with the debian docker image too so it is not a raspbian bug.

npm depends on node-opener, which depends on xdg-utils, which recommends 
xserver-utils, which depends on libx11.

Seems sensible to me that npm wants the ability to open things in a web 
browser and thus via node-opener uses XDG calls for that.

Since the X11 libraries and tools are only recommended, you have the 
option to suppress installing it - e.g. with this command:

  apt install npm libx11-data-


Personally I consider this a non-issue: I would prefer if npm would 
consider it an exotic thing to rely on graphical tools, but by its 
dependency on node-opener the authors of npm clearly consider 
integration with graphical tools a part of its user experience, and we 
should appreciate that it is _possible_ to suppress that.

Only if npm gracefully handles node-opener being unavailable does it 
(maybe) make sense to relax to only suggesting node-opener.

I leave it to npm package maintainers how to proceed further here...


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
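
The dependency chain described in the mail above, as an added example that is not part of the original message or of any Debian tool: it finds why a package is pulled in and whether the chain survives when Recommends are not followed. The stanzas are constructed from the package names as written in the mail, and the function names `parse` and `why` are hypothetical.

```python
import re
from collections import deque

# Constructed control stanzas: only the relationships named in the mail,
# with package names as written there (not real archive metadata).
SAMPLE = """\
Package: npm
Depends: node-opener

Package: node-opener
Depends: xdg-utils

Package: xdg-utils
Recommends: xserver-utils

Package: xserver-utils
Depends: libx11
"""

def parse(text):
    """Return {package: [(field, dependency), ...]} from single-line fields."""
    graph = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        edges = []
        for field in ("Depends", "Recommends"):
            for item in fields.get(field, "").split(","):
                # Keep the first alternative and drop any version constraint.
                name = re.sub(r"\(.*?\)", "", item.split("|")[0]).strip()
                if name:
                    edges.append((field, name))
        graph[fields["Package"]] = edges
    return graph

def why(graph, root, target, fields=("Depends", "Recommends")):
    """Shortest chain root -> target over the given relationship fields."""
    queue, seen = deque([(root, [])]), {root}
    while queue:
        pkg, path = queue.popleft()
        if pkg == target:
            return path
        for field, dep in graph.get(pkg, []):
            if field in fields and dep not in seen:
                seen.add(dep)
                queue.append((dep, path + [(pkg, field, dep)]))
    return None  # target is not reachable over these fields
```

Calling `why` with `fields=("Depends",)` answers whether the target is a hard requirement; a `None` result means every chain to it passes through a Recommends link and can be left out at install time.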