[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository

Jérémy Lal kapouer at melix.org
Fri Feb 7 11:00:50 GMT 2025


Also note that debian/trixie will have a version of nodejs that uses even
more external dependencies,
with a source tarball excluding the externalized dependencies, which will
make the process of doing security uploads easier for everyone.

On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapouer at melix.org> wrote:

> Security uploads take a lot of work to ensure all reverse
> (build-)dependencies of a package build and pass their test suite
> successfully.
> For that last upload, I, in particular, lost track of time.
> To help me, one can redo those verifications, and then, once several
> packages failing to rebuild have been identified,
> they must be fixed, proposed to bookworm, and once they are all accepted,
> that version of nodejs can be proposed to bookworm too.
>
>
> On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta <
> syedashagufta.naaz at siemens.com> wrote:
>
>> Package: nodejs
>> Version: 18.19.0+dfsg-6~deb12u2
>> Severity: critical
>>
>> Dear Debian Community,
>>
>> We are currently working with the Debian Bookworm
>> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
>> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>>
>> However, upon reviewing the salsa-debian/bookworm
>> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
>> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available,
>> which includes fixes for multiple CVE issues, such as:
>>
>>    - CVE-2024-27983 <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2 HIGH*)
>>    - CVE-2024-21892 <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5 HIGH*)
>>    - CVE-2024-22019 <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5 HIGH*)
>>
>> These fixes are not included in the current Bookworm release. Given that
>> the severity of some of these vulnerabilities is High, we are eager for these
>> fixes to be available.
>>
>> Could you please help clarify why there is a discrepancy between the
>> version in the Bookworm release and the one on salsa? Is there any
>> specific reason for the delay, and is there any fixed timeline for
>> resolving this?
>>
>> I appreciate your time and guidance on this matter.
>>
>> Best Regards,
>>
>> Syeda Shagufta Naaz
>> Senior Software Developer
>> *SIEMENS* *FT FDS (Foundational Services)*
>
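Deciding whether an installed nodejs carries the fixes discussed above means comparing Debian version strings, where `~` sorts before the empty string (so a `~deb12u1` backport revision ranks below the plain revision it was built from). The following is an added Python re-implementation of dpkg's ordering, example code that is not from this thread or from dpkg itself, used here to confirm that the archive version is older than the one on the salsa branch:

```python
def _order(c: str) -> int:
    # dpkg order for non-digit chars: '~' < end of string < letters < others.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare one upstream or revision fragment as dpkg does: alternate
    # non-digit runs (ordered by _order) and numeric runs (compared as ints).
    i = j = 0
    ca = lambda: a[i] if i < len(a) else ""  # current char, '' past the end
    cb = lambda: b[j] if j < len(b) else ""
    while i < len(a) or j < len(b):
        while (ca() and not ca().isdigit()) or (cb() and not cb().isdigit()):
            d = _order(ca()) - _order(cb())
            if d:
                return d
            i, j = i + 1, j + 1
        while ca() == "0":  # leading zeros are insignificant
            i += 1
        while cb() == "0":
            j += 1
        first_diff = 0
        while ca().isdigit() and cb().isdigit():
            first_diff = first_diff or ord(ca()) - ord(cb())
            i, j = i + 1, j + 1
        if ca().isdigit():  # the longer digit run is the larger number
            return 1
        if cb().isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    # '[epoch:]upstream[-revision]'; epoch defaults to 0, revision to ''.
    epoch, _, rest = version.partition(":") if ":" in version else ("0", "", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    # Returns -1, 0 or 1 as Debian version a is older, equal or newer than b.
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    d = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (d > 0) - (d < 0)

# The two versions named in the thread (bookworm archive vs. salsa branch).
ARCHIVE_VERSION, SALSA_VERSION = "18.19.0+dfsg-6~deb12u2", "18.20.4+dfsg-1~deb12u1"
```

`compare_versions(ARCHIVE_VERSION, SALSA_VERSION)` returns -1, i.e. the archive package is older than the salsa branch; `dpkg --compare-versions` gives the same ordering on a Debian host.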