[Pkg-javascript-devel] Bug#1033927: unblock: node-sinon/14.0.2+ds+~cs74.13.25-2

Yadd yadd at debian.org
Tue Apr 4 08:06:58 BST 2023


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-sinon at packages.debian.org
Control: affects -1 + src:node-sinon

Please unblock package node-sinon

[ Reason ]
node-sinon is a package used during JS tests. In the Debian JS Team we
choose to launch autopkgtest with `--disable-proto=throw` to ensure
that JS packages don't use this old way to access the prototype, for
security reasons.
This change started in September 2022 (pkg-js-autopkgtest 0.15.x).

node-sinon currently parses all object properties without avoiding
__proto__. This breaks (at least) node-nock autopkgtest.

[ Impact ]
No change, the patch just avoids parsing __proto__

[ Tests ]
No change in tests, they still pass (autopkgtest + build). This also
fixed the node-nock test.

[ Risks ]
No risk here, patch is trivial

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
This debdiff also adds some tips from lintian-brush (lintian tags and
metadata update)

Cheers,
Yadd

unblock node-sinon/14.0.2+ds+~cs74.13.25-2
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index aaace48..111c526 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-sinon (14.0.2+ds+~cs74.13.25-2) unstable; urgency=medium
+
+  * Team upload
+  * Update lintian override info format in d/source/lintian-overrides
+    on line 2-3
+  * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
+  * Update standards version to 4.6.2, no changes needed
+  * Drop calls to __proto__ (Closes: #1033818)
+
+ -- Yadd <yadd at debian.org>  Mon, 03 Apr 2023 07:26:51 +0400
+
 node-sinon (14.0.2+ds+~cs74.13.25-1) unstable; urgency=medium
 
   * Team upload
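Review bot: the entry `* Drop calls to __proto__ (Closes: #1033818)` does not name the new patch or the file it touches. Naming `dont-try-to-access-to-__proto__.patch` here would let someone reading only d/changelog find the one functional change among the three housekeeping entries listed above it.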
diff --git a/debian/control b/debian/control
index 1a73a29..c60cd62 100644
--- a/debian/control
+++ b/debian/control
@@ -27,7 +27,7 @@ Build-Depends:
  , node-supports-color
  , node-type-detect
  , node-util <!nocheck>
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Browser: https://salsa.debian.org/js-team/node-sinon
 Vcs-Git: https://salsa.debian.org/js-team/node-sinon.git
 Homepage: https://sinonjs.org/
diff --git a/debian/patches/dont-try-to-access-to-__proto__.patch b/debian/patches/dont-try-to-access-to-__proto__.patch
new file mode 100644
index 0000000..5973750
--- /dev/null
+++ b/debian/patches/dont-try-to-access-to-__proto__.patch
@@ -0,0 +1,16 @@
+Description: don't try to access to __proto__
+Author: Yadd <yadd at debian.org>
+Forwarded: no
+Last-Update: 2023-04-03
+
+--- a/lib/sinon/util/core/walk.js
++++ b/lib/sinon/util/core/walk.js
+@@ -17,7 +17,7 @@
+     }
+ 
+     forEach(Object.getOwnPropertyNames(obj), function (k) {
+-        if (seen[k] !== true) {
++        if (k !== '__proto__' && seen[k] !== true) {
+             seen[k] = true;
+             var target =
+                 typeof Object.getOwnPropertyDescriptor(obj, k).get ===
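Review bot: the header says `Forwarded: no`, but the guard in `if (k !== '__proto__' && seen[k] !== true)` is not Debian-specific, so consider forwarding it upstream and recording the URL in the `Forwarded:` field. The one-line `Description:` also does not say that the key is now skipped entirely by the walk, nor that the `k !== '__proto__'` comparison has to stay on the left of `seen[k]` (if `seen` is a plain object, evaluating `seen[k]` for that key is itself a `__proto__` access). A sentence on both points would help whoever refreshes this patch on the next upstream version.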
diff --git a/debian/patches/series b/debian/patches/series
index ffb3e1f..b2b7689 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ fix-sinonjsreferee-sinon-test.diff
 reproducible.patch
 fix-for-path-to-regexp-6.patch
 drop-unstable-test.patch
+dont-try-to-access-to-__proto__.patch
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 3f4d9d6..05b110e 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,6 +1,6 @@
 # False positive: data
-source-is-missing *sinonjstext-encoding/lib/encoding-indexes.js*
-source-contains-prebuilt-javascript-object *sinonjstext-encoding/lib/encoding-indexes.js*
+source-is-missing [*sinonjstext-encoding/lib/encoding-indexes.js*]
+source-contains-prebuilt-javascript-object [*sinonjstext-encoding/lib/encoding-indexes.js*]
 very-long-line-length-in-source-file *sinonjsfake-timers/LICENSE*
 very-long-line-length-in-source-file *sinonjstext-encoding/lib/encoding-indexes.js*
 very-long-line-length-in-source-file *.md*
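Review bot: only the `source-is-missing` and `source-contains-prebuilt-javascript-object` overrides were moved to the bracketed `[...]` form; the three `very-long-line-length-in-source-file` lines below them keep the old unbracketed pattern. Please confirm with a lintian run that those three still match, or convert them in the same upload so the file uses one format.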
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
index 6d85d64..c5adee0 100644
--- a/debian/upstream/metadata
+++ b/debian/upstream/metadata
@@ -1,6 +1,6 @@
 ---
 Archive: GitHub
-Bug-Database: https://github.com/cjohansen/Sinon.JS/issues
-Bug-Submit: https://github.com/cjohansen/Sinon.JS/issues/new
+Bug-Database: https://github.com/sinonjs/sinon/issues
+Bug-Submit: https://github.com/sinonjs/sinon/issues/new
 Repository: https://github.com/cjohansen/Sinon.JS.git
-Repository-Browse: https://github.com/cjohansen/Sinon.JS
+Repository-Browse: https://github.com/sinonjs/sinon
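Review bot: `Repository: https://github.com/cjohansen/Sinon.JS.git` is left unchanged while `Bug-Database`, `Bug-Submit` and `Repository-Browse` now point at `sinonjs/sinon`. Updating `Repository` in the same hunk would keep the four fields consistent.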
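The failure described in the [ Reason ] section, as an added example that is not part of the original message or of sinon's code: a prototype-chain walk that de-duplicates names in a plain object throws once the `__proto__` accessor is disabled, while an early key check or a `Set` does not. The helper names are hypothetical, the plain-object `seen` map is an assumption, and the flag is simulated in-process rather than passed to node.

```javascript
// Added illustration, not sinon's code. Simulates `node --disable-proto=throw`
// for the duration of fn() by making the Object.prototype.__proto__ accessor throw.
function withProtoDisabled(fn) {
    const original = Object.getOwnPropertyDescriptor(Object.prototype, "__proto__");
    const fail = function () {
        throw new TypeError("__proto__ access disabled (simulated)");
    };
    Object.defineProperty(Object.prototype, "__proto__", {
        get: fail, set: fail, configurable: true,
    });
    try {
        return fn();
    } finally {
        Object.defineProperty(Object.prototype, "__proto__", original); // restore
    }
}

// Collects property names along the prototype chain, de-duplicating them in a
// plain object (assumed here). seen["__proto__"] then hits the inherited accessor.
function walkWithObject(obj, skipProto) {
    const seen = {};
    const names = [];
    for (let o = obj; o; o = Object.getPrototypeOf(o)) {
        for (const k of Object.getOwnPropertyNames(o)) {
            // With skipProto the key is rejected before seen[k] is evaluated.
            if (!(skipProto && k === "__proto__") && seen[k] !== true) {
                seen[k] = true;
                names.push(k);
            }
        }
    }
    return names;
}

// Same walk with a Set: key names are never used as property lookups.
function walkWithSet(obj) {
    const seen = new Set();
    const names = [];
    for (let o = obj; o; o = Object.getPrototypeOf(o)) {
        for (const k of Object.getOwnPropertyNames(o)) {
            if (!seen.has(k)) {
                seen.add(k);
                names.push(k);
            }
        }
    }
    return names;
}
```

The `Set` variant still reports `__proto__` as a name without ever dereferencing it, whereas the early key check leaves it out of the result.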