[Pkg-javascript-devel] Bug#1103615: Bug#1103615: node-dompurify: please update to latest version

[Jérémy Lal]

Le dim. 20 avr. 2025 à 09:09, Paul Gevers <elbrus at debian.org> a écrit :

> Hi,
>
> On Sat, 19 Apr 2025 19:28:11 +0200 Paul Gevers <elbrus at debian.org> wrote:
> > I was struggling to package the latest version of `liferea` because I
> > didn't want to use the upstream vendored purify (and handlebars). It
> > turns out that the Debian version of node-dompurify is too old. Is it
> > reasonable to upgrade?
>
> For the purpose of liferea, it might be relevant to say that apparently
> it's using an ESM version of dompurify (and handlebars). As I'm all new
> to this, upstream pointed me at [1] which explains a bit. I have no idea
> if it's reasonably feasible for the Debian node ecosystem to provide
> both flavors (by means of a ESM wrapper around the CJS flavor if I
> understand correctly).
>

Good question ! The answer is that it's not needed:
nodejs 20.19.0 can "require(esm)" [1] so a CJS module is no longer locked
out using ESM modules.
The other way around (import a CJS module form an ES module) has always
been possible.
All nodejs modules will switch to ESM, and in a far future "require" will
be a thing of the past.

For browsers, it's a little bit different:
"require" is not supported in browsers, but "import" is supported.
However, 99.99% if not 100% of modules for browsers are bundled, and the
bundler is supposed to behave
like nodejs above, so we're back to the first situation.



[1]
file:///usr/share/doc/nodejs/api/modules.html#loading-ecmascript-modules-using-require





> I guess for now I need to consider my options for liferea and I'm nearly
> convinced the best is to not try to ship the latest upstream version at
> this stage of trixie and leave that to forky.


Yes, "soft freeze".
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-javascript-devel/attachments/20250420/cd95786f/attachment.htm>