[Pkg-javascript-devel] Bug#1103615: Bug#1103615: Bug#1103615: node-dompurify: please update to latest version
Yadd
yadd at debian.org
Mon Apr 21 07:10:08 BST 2025
Control: tags -1 + pending
On 4/20/25 13:21, Jérémy Lal wrote:
>
>
> On Sun, 20 Apr 2025 at 09:09, Paul Gevers <elbrus at debian.org
> <mailto:elbrus at debian.org>> wrote:
>
> Hi,
>
> On Sat, 19 Apr 2025 19:28:11 +0200 Paul Gevers <elbrus at debian.org
> <mailto:elbrus at debian.org>> wrote:
> > I was struggling to package the latest version of `liferea` because I
> > didn't want to use the upstream vendored purify (and handlebars). It
> > turns out that the Debian version of node-dompurify is too old. Is it
> > reasonable to upgrade?
>
> For the purpose of liferea, it might be relevant to say that apparently
> it's using an ESM version of dompurify (and handlebars). As I'm all new
> to this, upstream pointed me at [1] which explains a bit. I have no idea
> if it's reasonably feasible for the Debian node ecosystem to provide
> both flavors (by means of an ESM wrapper around the CJS flavor if I
> understand correctly).
>
>
> Good question! The answer is that it's not needed:
> nodejs 20.19.0 can "require(esm)" [1] so a CJS module is no longer
> locked out using ESM modules.
> The other way around (import a CJS module from an ES module) has always
> been possible.
> All nodejs modules will switch to ESM, and in a far future "require"
> will be a thing of the past.
>
> For browsers, it's a little bit different:
> "require" is not supported in browsers, but "import" is supported.
> However, 99.99% if not 100% of modules for browsers are bundled, and the
> bundler is supposed to behave like nodejs above, so we're back to the
> first situation.
>
>
>
> [1] file:///usr/share/doc/nodejs/api/modules.html#loading-ecmascript-modules-using-require
>
>
>
> I guess for now I need to consider my options for liferea and I'm nearly
> convinced the best is to not try to ship the latest upstream version at
> this stage of trixie and leave that to forky.
>
>
> Yes, "soft freeze".
Hi,
I just pushed the last version into experimental.
Best regards,
Xavier