[Pkg-javascript-devel] dh-sequence-nodejs improvements

Yadd yadd at debian.org
Fri Feb 4 16:42:10 GMT 2022


On 04/02/2022 10:27, Yadd wrote:
> Hi all,
> 
> when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a 
> "maybe-bundled-package" (ie webpack/browserify/rollup), it:
>   * generates some pkgjs-lock.json files
>   * generates a ${nodejs:BuiltUsing} variable usable in debian/control
>     (see [1])
> 
> The goal here is to be able to launch a transition in case of CVE in a 
> source of a bundled package.
> 
> To use ${nodejs:BuiltUsing}, simply add:
> 
>    Package: node-foo
>    Built-Using: ${nodejs:BuiltUsing}
> 
> pkgjs-lock files are also used by pkgjs-audit: this tool launches a `npm 
> audit` using Debian dependencies, not dependencies found in package.json.
> 
>    $ pkgjs-audit @babel/core
>    found 0 vulnerabilities
> 
> Notes:
>   * pkgjs-lock.json contains all module+version used, including those
>     existing in a node_modules dir (and declared in package.json)
>   * there is one pkgjs-lock.json in each installed module
>   * ${nodejs:BuiltUsing} contains only Debian packages + versions.
> 
> Cheers,
> Yadd
> 
> [1]: https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using

pkgjs-audit found this (maybe false positive since it doesn't read 
debian/patches). I'm going to build a new check in lintian pkg-js-extra 
profile.

eslint-config-eslint  5.0.1
Severity: critical
Malicious Package in eslint-scope - 
https://github.com/advisories/GHSA-hxxf-q3w9-4xgw

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an 
Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - 
https://github.com/advisories/GHSA-7p7h-4mm5-852v

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - 
https://github.com/advisories/GHSA-rp65-9cf3-cjxr
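The check sketched in this thread, crossing the module+version list from a pkgjs-lock.json with an advisory list and flagging the ones whose installed version falls in the vulnerable range, can be illustrated with a small script. This is an added example, not code from pkgjs-utils, dh-sequence-nodejs or lintian. It assumes a simplified lock-file shape (a flat module-name to version map under `dependencies`) and an advisory shape with `module`, `range`, `severity` and `id` fields; the lock contents are constructed, and the advisory ranges and GHSA identifiers are the ones quoted in the audit output above. The optional `patchedIds` set is an assumed hook for the false-positive case Yadd raises: advisories already addressed by debian/patches are reported separately instead of as findings.

```javascript
// Added example, not part of pkgjs-utils, dh-sequence-nodejs or lintian.
// Assumed lock-file shape: a flat module -> version map (a simplification of
// what pkgjs-lock.json stores). All lock contents below are constructed.
const CONSTRUCTED_LOCK = {
  name: 'node-foo',
  dependencies: {
    'eslint-config-eslint': '5.0.1',
    'node-fetch': '2.6.1',
    'trim-newlines': '3.0.1',
    'nth-check': '1.0.2',
  },
};

// Constructed advisory list using the ranges and ids quoted in the mail.
const CONSTRUCTED_ADVISORIES = [
  { module: 'eslint-config-eslint', range: '5.0.1', severity: 'critical', id: 'GHSA-hxxf-q3w9-4xgw' },
  { module: 'node-fetch', range: '<2.6.7', severity: 'high', id: 'GHSA-r683-j2x4-v87g' },
  { module: 'trim-newlines', range: '<3.0.1', severity: 'high', id: 'GHSA-7p7h-4mm5-852v' },
  { module: 'nth-check', range: '<2.0.1', severity: 'moderate', id: 'GHSA-rp65-9cf3-cjxr' },
];

// Split "1.2.3" into numeric components, dropping a Debian-style suffix such
// as "+dfsg" or "~rc1"; missing components compare as 0.
function parseVersion(v) {
  return v.replace(/[+~-].*$/, '').split('.').map((n) => parseInt(n, 10) || 0);
}

// Component-wise comparison: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Does `version` fall inside `range`? Supports the operators seen in audit
// output (<, <=, >, >=, exact) and conjunctions such as ">=1.0.0 <2.0.0".
function satisfiesRange(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    if (!m) throw new Error(`unparseable range clause: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return cmp < 0;
      case '<=': return cmp <= 0;
      case '>': return cmp > 0;
      case '>=': return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Cross the lock file with the advisories. `patchedIds` (assumed hook) lists
// advisory ids already fixed via debian/patches; matches on those go to
// `suppressed` so a reviewer can still see them without a false positive.
function auditLock(lock, advisories, patchedIds = new Set()) {
  const findings = [];
  const suppressed = [];
  for (const adv of advisories) {
    const installed = lock.dependencies[adv.module];
    if (installed === undefined) continue;              // module not bundled
    if (!satisfiesRange(installed, adv.range)) continue; // version outside range
    (patchedIds.has(adv.id) ? suppressed : findings).push({ ...adv, installed });
  }
  return { findings, suppressed };
}

// Render findings in the three-line style pkgjs-audit prints.
function formatFindings(findings) {
  return findings
    .map((f) => `${f.module}  ${f.range} (installed ${f.installed})\nSeverity: ${f.severity}\nhttps://github.com/advisories/${f.id}`)
    .join('\n\n');
}

// Stand-alone run: pretend node-fetch is already patched in Debian.
const exampleReport = auditLock(CONSTRUCTED_LOCK, CONSTRUCTED_ADVISORIES, new Set(['GHSA-r683-j2x4-v87g']));
console.log(formatFindings(exampleReport.findings));
console.log(`\n${exampleReport.findings.length} finding(s), ${exampleReport.suppressed.length} covered by debian/patches`);
```

On the constructed lock, trim-newlines 3.0.1 is not reported because `<3.0.1` excludes the fixed version, while nth-check 1.0.2 and eslint-config-eslint 5.0.1 are; node-fetch 2.6.1 matches `<2.6.7` but lands in `suppressed` because its advisory id is in the patched set. Version comparison here is a deliberately plain numeric one; a real check inside lintian would want to use the versions recorded for the Debian packages (the `${nodejs:BuiltUsing}` list) and a full version comparator.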
