[Pkg-javascript-devel] Bug#1103615: Bug#1103615: node-dompurify: please update to latest version
Paul Gevers
elbrus at debian.org
Mon Apr 21 09:09:18 BST 2025
Hi Jérémy,
Thanks for the reply.
On 20-04-2025 13:21, Jérémy Lal wrote:
> Good question! The answer is that it's not needed:
> nodejs 20.19.0 can "require(esm)" [1] so a CJS module is no longer
> locked out using ESM modules.
> The other way around (import a CJS module from an ES module) has always
> been possible.
As I understand it, liferea is already ESM and my problem is that the
code apparently assumes that node-dompurify (and handlebars) is ESM too.
So far, I have never needed to fix JavaScript in a more than trivial
manner, so I don't know where to start here. My fundamental question is
what do I have to do to build liferea with the Debian shipped
node-dompurify (and handlebars) instead of the vendored version? liferea
uses the file during the build and embeds it in the executable, but as
can be seen from my discussion in the upstream bug tracker [1], using
the current versions in Debian doesn't work and upstream suggested that
node-dompurify needs the change. I understand you say it should be
trivial to fix on the liferea side? (The include happens here [2], for
handlebars it's here [3]. I tried commenting them out and adding a
<script> here [4] but that seems to be too simple.)
Paul
[1] https://github.com/lwindolf/liferea/issues/1414#issuecomment-2816632636
[2] https://salsa.debian.org/debian/liferea/-/blob/116bb3e537eabc4f1cabda275822e1cb8fd05ace/js/htmlview.js#L23
[3] https://salsa.debian.org/debian/liferea/-/blob/116bb3e537eabc4f1cabda275822e1cb8fd05ace/js/helpers/render.js#L3
[4] https://salsa.debian.org/debian/liferea/-/blob/116bb3e537eabc4f1cabda275822e1cb8fd05ace/js/node.xml.in#L4