[Pkg-javascript-devel] dh-sequence-nodejs improvements
Yadd <yadd at debian.org>
Fri Feb  4 09:27:02 GMT 2022

Hi all,
when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a 
"maybe-bundled-package" (i.e. webpack/browserify/rollup), it:
  * generates some pkgjs-lock.json files
  * generates a ${nodejs:BuiltUsing} variable usable in debian/control
    (see [1])
The goal here is to be able to launch a transition in case of a CVE in a 
source of a bundled package.
To use ${nodejs:BuiltUsing}, simply add:
   Package: node-foo
   Built-Using: ${nodejs:BuiltUsing}
pkgjs-lock files are also used by pkgjs-audit: this tool launches an 
`npm audit` using Debian dependencies, not dependencies found in package.json.
   $ pkgjs-audit @babel/core
   found 0 vulnerabilities
Notes:
  * pkgjs-lock.json contains all module+version used, including those
    existing in a node_modules dir (and declared in package.json)
  * there is one pkgjs-lock.json in each installed module
  * ${nodejs:BuiltUsing} contains only Debian packages + versions.
Cheers,
Yadd
[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using
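Added example (not part of the mail above or of dh-sequence-nodejs): the transition case the mail describes needs the list of binaries whose Built-Using names the affected source. The script parses Packages-style stanzas (constructed sample below) and the Built-Using `source (= version)` syntax from Debian Policy; it matches versions against an explicit set rather than implementing dpkg version ordering, which is an assumption made for brevity.

```python
"""Find binaries whose Built-Using embeds a given source at vulnerable versions.

Illustrative only: the stanza parser is written here, and the Packages
text is a constructed sample, not the Debian archive.
"""
import re

# Built-Using entries look like "node-bar (= 2.1.0-1)" per Debian Policy.
BUILT_USING_RE = re.compile(r"\s*([a-z0-9][a-z0-9+.-]*)\s*\(=\s*([^)]+)\)\s*")


def parse_stanzas(text):
    """Split RFC822-style stanzas (blank-line separated) into dicts,
    folding indented continuation lines into the previous field."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and key:
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def parse_built_using(value):
    """Map each embedded source package to the version that was built in."""
    result = {}
    for item in value.split(","):
        m = BUILT_USING_RE.fullmatch(item)
        if not m:
            raise ValueError(f"malformed Built-Using entry: {item!r}")
        result[m.group(1)] = m.group(2).strip()
    return result


def packages_built_using(text, source, vulnerable_versions):
    """Return (binary, embedded version) for every stanza whose Built-Using
    lists `source` at a version in `vulnerable_versions` (a set of strings)."""
    hits = []
    for st in parse_stanzas(text):
        embedded = parse_built_using(st.get("Built-Using", "") or "") if st.get("Built-Using") else {}
        if source in embedded and embedded[source] in vulnerable_versions:
            hits.append((st["Package"], embedded[source]))
    return hits


SAMPLE_PACKAGES = """\
Package: node-foo
Version: 1.0.0-1
Built-Using: node-bar (= 2.1.0-1),
 node-baz (= 0.5.0-2)

Package: node-qux
Version: 3.0.0-1
Built-Using: node-bar (= 2.2.0-1)

Package: node-plain
Version: 1.0.0-1
"""

if __name__ == "__main__":
    # Constructed advisory: node-bar 2.1.0-1 is affected, 2.2.0-1 is not.
    print(packages_built_using(SAMPLE_PACKAGES, "node-bar", {"2.1.0-1"}))
```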