[Pkg-javascript-devel] dh-sequence-nodejs improvements

Jonas Smedegaard jonas at jones.dk
Fri Feb 4 09:43:04 GMT 2022


Quoting Yadd (2022-02-04 10:27:02)
> when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a 
> "maybe-bundled-package" (i.e. webpack/browserify/rollup), it:
>   * generates some pkgjs-lock.json files
>   * generates a ${nodejs:BuiltUsing} variable usable in debian/control
>     (see [1])
> 
> The goal here is to be able to launch a transition in case of a CVE in a 
> source of a bundled package.
> 
> To use ${nodejs:BuiltUsing}, simply add:
> 
>    Package: node-foo
>    Built-Using: ${nodejs:BuiltUsing}
> 
> pkgjs-lock files are also used by pkgjs-audit: this tool launches a `npm 
> audit` using Debian dependencies, not dependencies found in package.json.
> 
>    $ pkgjs-audit @babel/core
>    found 0 vulnerabilities
> 
> Notes:
>   * pkgjs-lock.json contains all module+version used, including those
>     existing in a node_modules dir (and declared in package.json)
>   * there is one pkgjs-lock.json in each installed module
>   * ${nodejs:BuiltUsing} contains only Debian packages + versions.

That's really cool!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
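The point of recording ${nodejs:BuiltUsing} in debian/control, as quoted above, is that a CVE in a bundled source can later be traced to every binary package that embeds it. The script below, an added example that is not part of dh-sequence-nodejs, pkgjs-lock or pkgjs-audit, shows that query end to end: it parses Built-Using fields in the standard Debian Policy form "source (= version)" out of a constructed Packages excerpt, compares the embedded versions against the fixed version with a reimplementation of dpkg's version ordering (epoch, upstream, revision; "~" sorting before the end of a string), and lists the binaries that need a rebuild. The Packages stanzas and package names are constructed for the example; on a real system the comparison would normally be delegated to `dpkg --compare-versions`.

```python
"""List binary packages whose Built-Using records a vulnerable bundled source.

Added example, not code from dh-sequence-nodejs or the pkgjs tools.  The
Packages stanzas below are constructed; the Built-Using syntax is the one
Debian Policy defines ("source (= version)", comma separated)."""
import re

# Constructed Packages excerpt: node-foo embeds an older node-lodash,
# node-bar embeds the fixed one, node-baz bundles nothing.
SAMPLE_PACKAGES = """\
Package: node-foo
Version: 1.0.0-1
Built-Using: node-lodash (= 4.17.20+dfsg-1), node-babel-core (= 7.16.8+~cs9.4.3-1)

Package: node-bar
Version: 2.3.1-2
Built-Using: node-lodash (= 4.17.21+dfsg-1)

Package: node-baz
Version: 0.1.0-1
"""


def _order(c):
    """Character weight as in dpkg: '~' < end of string < digits/letters < others."""
    if c == "~":
        return -1
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream-version or revision string the way dpkg does:
    alternate non-digit runs (character weights) and digit runs (numeric)."""
    def at(s, i):
        return s[i] if i < len(s) else ""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (at(a, ia) and not at(a, ia).isdigit()) or (at(b, ib) and not at(b, ib).isdigit()):
            ac, bc = _order(at(a, ia)), _order(at(b, ib))
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while at(a, ia) == "0":
            ia += 1
        while at(b, ib) == "0":
            ib += 1
        while at(a, ia).isdigit() and at(b, ib).isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if at(a, ia).isdigit():
            return 1
        if at(b, ib).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 like 'dpkg --compare-versions a lt/eq/gt b'."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_built_using(field):
    """'src (= ver), src2 (= ver2)' -> {'src': 'ver', 'src2': 'ver2'}."""
    out = {}
    for entry in field.split(","):
        m = re.fullmatch(r"\s*(\S+)\s*\(=\s*([^)\s]+)\s*\)\s*", entry)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_stanzas(text):
    """Minimal RFC822-style parser for single-line Packages fields."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas


def affected_packages(packages_text, source, fixed_version):
    """Binaries whose Built-Using embeds `source` at a version below the fix.
    Returns (binary, binary version, embedded source version) triples."""
    hits = []
    for st in parse_stanzas(packages_text):
        bundled = parse_built_using(st.get("Built-Using", ""))
        if source in bundled and compare_versions(bundled[source], fixed_version) < 0:
            hits.append((st["Package"], st["Version"], bundled[source]))
    return hits


if __name__ == "__main__":
    for pkg, ver, embedded in affected_packages(SAMPLE_PACKAGES, "node-lodash", "4.17.21+dfsg-1"):
        print(f"{pkg} {ver} needs a rebuild: embeds node-lodash {embedded}")
```

Run against the constructed excerpt, only node-foo is reported: node-bar already embeds the fixed version and node-baz has no Built-Using at all. Because Built-Using names the source package and version, the same query works whether the fix came from the bundled source itself or from a no-change rebuild.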