[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository

Jérémy Lal kapouer at melix.org
Mon Feb 17 11:04:20 GMT 2025


Thank you for this helpful work.

Yes, since the latest nodejs update to bookworm has been somewhat
catastrophic, it is our duty to ensure the next one goes very smoothly
for it to be accepted.

To sum up, we have this:

These packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and
nodejs_18.20.4+dfsg-1~deb12u1:
node-rollup_3.15.0-1
node-redis_4.5.1+~1.1.2-1
node-minipass_3.3.6+~cs9.4.19-1
dask.distributed_2022.12.1+ds.1-3
jquery_3.3.1~dfsg-3
node-csstype_3.1.1-1
node-recast_0.21.1-1
node-js-sdsl_4.1.4-2
node-wikibase-cli_15.15.4-4
node-regexpp_3.2.0-4
science.js_1.9.3+dfsg-3
moment-timezone.js_0.5.40+dfsg-1+2023c
node-resolve_1.22.1+~cs5.31.10-1
node-jest_29.3.1~ds1+~cs70.48.25-2
node-jschardet_3.0.0+dfsg+~1.4.0-2
node-lib0_0.2.58-1

1 package builds with nodejs_18.20.4+dfsg-1~deb12u1
PASSED: firefox-esr_128.5.0esr-1~deb12u1

5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
node-node-rsa_1.1.1-4
node-rollup-plugin-sass_1.12.16-1
macaulay2_1.21+ds-3
node-public-encrypt_4.0.3-1
node-mutate-fs_2.1.1-2

The goal is to fix them (ensure they build and their autopkgtest passes
with node 18.20.4), then do a reportbug against release.debian.org for
bookworm-pu for each of them, finishing with a bookworm-pu for nodejs
18.20.4.
Attention: some of them might already have bookworm-pu bugs opened.



On Mon, Feb 17, 2025 at 11:36, Naaz, Syeda Shagufta <
syedashagufta.naaz at siemens.com> wrote:

> Hi Jeremy Lal,
>
> Thank you for your earlier email.
>
> As per your suggestion, I have attached the RATT test results for Node.js
> versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with
> the build logs for the failed packages.
>
> Upon reviewing the results, I noticed the following:
>
>    - Version 18.19.0 has failures in *18* packages.
>       1. firefox-esr_128.5.0esr-1~deb12u1: this package failed in version
>       18.19.0 but passed in version 18.20.4.
>    - Version 18.20.4 has failures in *22* packages, of which 5 are
>    additional compared to v18.19.0:
>       1. node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
>       2. node-node-rsa_1.1.1-4 (failure in dh_auto_test)
>       3. node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
>       4. macaulay2_1.21+ds-3 (failure in dh_auto_build)
>       5. node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
>
> I also noticed that the first two packages are failing due to the OpenSSL
> CVE fix for CVE-2023-46809
> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.
>
> Could the additional failures in version 18.20.4 be the reason the update
> has not yet been implemented?
>
> I would appreciate your insights on this matter. Please let me know your
> thoughts.
>
> Best Regards,
>
> Syeda Shagufta Naaz
> Senior Software Developer
> *SIEMENS* *FT FDS (Foundational Services)*
>
> *From:* Jérémy Lal <kapouer at melix.org>
> *Sent:* 07 February 2025 16:31
> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <
> syedashagufta.naaz at siemens.com>
> *Cc:* pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric
> (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS
> CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS
> CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS
> CES LX PBU 2) <badrikesh.prusty at siemens.com>
> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa
> Debian repository
>
> Also note that debian/trixie will have a version of nodejs that uses even
> more external dependencies, with a source tarball excluding the
> externalized dependencies, which will make the process of doing security
> uploads easier for everyone.
>
> On Fri, Feb 7, 2025 at 11:59, Jérémy Lal <kapouer at melix.org> wrote:
>
> Security uploads take a lot of work to ensure all reverse
> (build-)dependencies of a package build and pass their test suite
> successfully.
>
> For that last upload, I, in particular, lost track of time.
>
> To help me, one can redo those verifications, and then, once several
> packages failing to rebuild have been identified, they must be fixed,
> proposed to bookworm, and once they are all accepted, that version of
> nodejs can be proposed to bookworm too.
>
> On Fri, Feb 7, 2025 at 11:04, Naaz, Syeda Shagufta <
> syedashagufta.naaz at siemens.com> wrote:
>
> Package: nodejs
> Version: 18.19.0+dfsg-6~deb12u2
> Severity: critical
>
> Dear Debian Community,
>
> We are currently working with the Debian Bookworm
> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>
> However, upon reviewing the salsa-debian/bookworm
> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available,
> which includes fixes for multiple CVE issues, such as:
>
>    - CVE-2024-27983
>    <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2 HIGH*)
>    - CVE-2024-21892
>    <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5 HIGH*)
>    - CVE-2024-22019
>    <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5 HIGH*)
>
> These fixes are not included in the current Bookworm release. As the
> severity of some of these vulnerabilities is High, we are eager for these
> fixes to be available.
>
> Could you please help clarify why there is a discrepancy between the
> version in the Bookworm release and the one on salsa? Is there any
> specific reason for the delay and is there any fixed timeline for
> resolving this?
>
> I appreciate your time and guidance on this matter.
>
> Best Regards,
>
> Syeda Shagufta Naaz
> Senior Software Developer
> *SIEMENS* *FT FDS (Foundational Services)*
>
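The thread above sorts reverse-dependency rebuild results into packages that fail with both nodejs candidates, packages that newly break with 18.20.4, and one that starts building again. The script below is an added example (it is neither part of this thread nor of ratt itself) that automates that triage so a regression introduced by a security update is separated from pre-existing breakage. The one-line-per-package "source_version STATUS" summary format is a constructed convention for the example; ratt writes per-package build logs, so a real run would first be condensed into this shape. The package names and versions in the sample data are the ones quoted in the thread, but the PASS/FAIL values are a constructed subset, not the full 1707-package result.

```python
"""Triage two rebuild runs (old vs. candidate nodejs) into persistent
failures, regressions and fixes.  Added example; the summary format is a
constructed convention, not ratt output."""
from __future__ import annotations

from dataclasses import dataclass, field

VALID_STATUS = {"PASS", "FAIL"}

# Constructed sample summaries (subset of the thread's package list).
RESULTS_18_19_0 = """\
firefox-esr_128.5.0esr-1~deb12u1 FAIL
node-rollup_3.15.0-1 FAIL
node-redis_4.5.1+~1.1.2-1 FAIL
node-node-rsa_1.1.1-4 PASS
node-public-encrypt_4.0.3-1 PASS
node-mutate-fs_2.1.1-2 PASS
node-lib0_0.2.58-1 PASS
node-csstype_3.1.1-1 FAIL
"""

RESULTS_18_20_4 = """\
firefox-esr_128.5.0esr-1~deb12u1 PASS
node-rollup_3.15.0-1 FAIL
node-redis_4.5.1+~1.1.2-1 FAIL
node-node-rsa_1.1.1-4 FAIL
node-public-encrypt_4.0.3-1 FAIL
node-mutate-fs_2.1.1-2 FAIL
node-lib0_0.2.58-1 PASS
"""


def parse_summary(text: str) -> dict[str, tuple[str, str]]:
    """Map source package -> (version, status); reject malformed lines.

    Debian source names and versions never contain '_', so the first
    underscore separates them (e.g. 'node-rollup_3.15.0-1').
    """
    results: dict[str, tuple[str, str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            token, status = line.split()
            source, version = token.split("_", 1)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: expected 'source_version STATUS', got {raw!r}") from exc
        status = status.upper()
        if status not in VALID_STATUS:
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        if source in results:
            raise ValueError(f"line {lineno}: duplicate entry for {source}")
        results[source] = (version, status)
    return results


@dataclass
class Comparison:
    still_failing: list[str] = field(default_factory=list)   # FAIL -> FAIL
    regressions: list[str] = field(default_factory=list)     # PASS -> FAIL
    fixed: list[str] = field(default_factory=list)           # FAIL -> PASS
    only_in_one_run: list[str] = field(default_factory=list)
    version_mismatch: list[str] = field(default_factory=list)


def compare(old: dict[str, tuple[str, str]], new: dict[str, tuple[str, str]]) -> Comparison:
    """Classify every package seen in either run."""
    c = Comparison()
    for source in sorted(set(old) | set(new)):
        if source not in old or source not in new:
            c.only_in_one_run.append(source)
            continue
        old_ver, old_status = old[source]
        new_ver, new_status = new[source]
        if old_ver != new_ver:
            # Different source revision rebuilt: not a like-for-like comparison.
            c.version_mismatch.append(source)
        elif old_status == "FAIL" and new_status == "FAIL":
            c.still_failing.append(source)
        elif old_status == "PASS" and new_status == "FAIL":
            c.regressions.append(source)
        elif old_status == "FAIL" and new_status == "PASS":
            c.fixed.append(source)


    return c


def compare_runs(old_text: str, new_text: str) -> Comparison:
    return compare(parse_summary(old_text), parse_summary(new_text))


def report(c: Comparison) -> str:
    """Human-readable summary; regressions are what block the candidate."""
    sections = [
        ("Regressions (block the update)", c.regressions),
        ("Fixed by the candidate", c.fixed),
        ("Failing with both (pre-existing)", c.still_failing),
        ("Present in only one run", c.only_in_one_run),
        ("Source version differs between runs", c.version_mismatch),
    ]
    lines = []
    for title, pkgs in sections:
        lines.append(f"{title}: {len(pkgs)}")
        lines.extend(f"  {p}" for p in pkgs)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(compare_runs(RESULTS_18_19_0, RESULTS_18_20_4)))
```

Only the "Regressions" bucket needs fixing before the candidate nodejs can be proposed to bookworm-pu; packages that already failed with the current version are worth a bug report but do not gate the update, and a package present in only one run (or rebuilt at a different source version) is a hole in the rebuild rather than a verdict.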