[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
Jérémy Lal
kapouer at melix.org
Tue Feb 18 00:02:26 GMT 2025
Update:
Done: node-rollup_3.15.0-1
Done: node-redis_4.5.1+~1.1.2-1
Not a regression of nodejs, but is a pkg-javascript problem so it's Done:
node-minipass_3.3.6+~cs9.4.19-1
Not a regression of nodejs, not my problem at all:
dask.distributed_2022.12.1+ds.1-3
Not part of bookworm - just ignore: jquery_3.3.1~dfsg-3
Done: node-csstype_3.1.1-1
"Done" means there is a FTBFS bug for that package,
and I opened a release.debian.org bug containing a diff that fixes the
FTBFS bug for that package.
On Mon, Feb 17, 2025 at 12:04, Jérémy Lal <kapouer at melix.org> wrote:
> Thank you for this helpful work.
> Yes, since the latest nodejs update to bookworm has been somewhat
> catastrophic,
> it is our duty to ensure the next one goes very smoothly for it to be
> accepted.
>
> To sum up, we have this:
>
> Those packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and
> nodejs_18.20.4+dfsg-1~deb12u1
> node-rollup_3.15.0-1
> node-redis_4.5.1+~1.1.2-1
> node-minipass_3.3.6+~cs9.4.19-1
> dask.distributed_2022.12.1+ds.1-3
> jquery_3.3.1~dfsg-3
> node-csstype_3.1.1-1
> node-recast_0.21.1-1
> node-js-sdsl_4.1.4-2
> node-wikibase-cli_15.15.4-4
> node-regexpp_3.2.0-4
> science.js_1.9.3+dfsg-3
> moment-timezone.js_0.5.40+dfsg-1+2023c
> node-resolve_1.22.1+~cs5.31.10-1
> node-jest_29.3.1~ds1+~cs70.48.25-2
> node-jschardet_3.0.0+dfsg+~1.4.0-2
> node-lib0_0.2.58-1
>
> 1 package builds with nodejs_18.20.4+dfsg-1~deb12u1
> PASSED: firefox-esr_128.5.0esr-1~deb12u1
>
> 5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
> node-node-rsa_1.1.1-4
> node-rollup-plugin-sass_1.12.16-1
> macaulay2_1.21+ds-3
> node-public-encrypt_4.0.3-1
> node-mutate-fs_2.1.1-2
>
> The goal is to fix them (ensure they build, and their autopkgtest pass for
> node 18.20.4), then do a reportbug release.debian.org
> to bookworm-pu for each of them, finishing with a bookworm-pu for nodejs
> 18.20.4.
> Attention: some of them might already have bookworm-pu bugs opened.
>
> On Mon, Feb 17, 2025 at 11:36, Naaz, Syeda Shagufta <
> syedashagufta.naaz at siemens.com> wrote:
>
>> Hi Jeremy Lal,
>>
>> Thank you for your earlier email.
>>
>> As per your suggestion, I have attached the RATT test results for Node.js
>> versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with
>> the build logs for the failed packages.
>>
>> Upon reviewing the results, I noticed the following:
>>
>> - Version 18.19.0 has failures in *18* packages.
>> 1. firefox-esr_128.5.0esr-1~deb12u1: this package failed in
>> version 18.19.0 but passed in version 18.20.4.
>> - Version 18.20.4 has failures in *22* packages, of which 5 are
>> additional compared to v18.19.0:
>> 1. node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
>> 2. node-node-rsa_1.1.1-4 (failure in dh_auto_test)
>> 3. node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
>> 4. macaulay2_1.21+ds-3 (failure in dh_auto_build)
>> 5. node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
>>
>> I also noticed that the first two packages are failing due to the Openssl
>> CVE fix for CVE-2023-46809
>> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.
>>
>> Could the additional failures in version 18.20.4 be the reason the update
>> has not yet been implemented?
>>
>> I would appreciate your insights on this matter. Please let me know your
>> thoughts.
>>
>> Best Regards,
>>
>> Syeda Shagufta Naaz
>>
>> Senior Software Developer
>>
>> *SIEMENS* *FT FDS (Foundational Services)*
>>
>> *From:* Jérémy Lal <kapouer at melix.org>
>> *Sent:* 07 February 2025 16:31
>> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <
>> syedashagufta.naaz at siemens.com>
>> *Cc:* pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric
>> (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS
>> CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS
>> CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS
>> CES LX PBU 2) <badrikesh.prusty at siemens.com>
>> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs.
>> Salsa Debian repository
>>
>> Also note that debian/trixie will have a version of nodejs that uses even
>> more external dependencies,
>>
>> with a source tarball excluding the externalized dependencies, which will
>> make the process of doing security uploads easier for everyone.
>>
>> On Fri, Feb 7, 2025 at 11:59, Jérémy Lal <kapouer at melix.org> wrote:
>>
>> Security uploads take a lot of work to ensure all reverse
>> (build-)dependencies of a package build and pass their test suite
>> successfully.
>>
>> For that last upload, I, in particular, lost track of time.
>>
>> To help me, one can redo those verifications, and then, once several
>> packages failing to rebuild have been identified,
>>
>> they must be fixed, proposed to bookworm, and once they are all accepted,
>> that version of nodejs can be proposed to bookworm too.
>>
>> On Fri, Feb 7, 2025 at 11:04, Naaz, Syeda Shagufta <
>> syedashagufta.naaz at siemens.com> wrote:
>>
>> Package: nodejs
>>
>> Version: 18.19.0+dfsg-6~deb12u2
>>
>> Severity: critical
>>
>> Dear Debian Community,
>>
>> We are currently working with the Debian Bookworm
>> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
>> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>>
>> However, upon reviewing the salsa-debian/bookworm
>> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
>> branch, we noticed that version *18.20.4+dfsg-1~deb12u1 *is available,
>> which includes fixes for multiple CVE issues, such as:
>>
>> - CVE-2024-27983
>> <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2
>> HIGH*)
>> - CVE-2024-21892
>> <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5
>> HIGH*)
>> - CVE-2024-22019
>> <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5
>> HIGH*)
>>
>> These fixes are not included in the current Bookworm release. Having the
>> severity of some of these vulnerabilities as High, we are eager for these
>> fixes to be available.
>>
>> Could you please help clarify why there is a discrepancy between the
>> version in the Bookworm release and the one on salsa? Is there any
>> specific reason for the delay, and is there any fixed timeline for
>> resolving this?
>>
>> I appreciate your time and guidance on this matter.
>>
>> Best Regards,
>>
>> Syeda Shagufta Naaz
>>
>> Senior Software Developer
>>
>> *SIEMENS* *FT FDS (Foundational Services)*
>>
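The triage the thread performs by hand (failures with both nodejs versions are pre-existing FTBFS, failures only with the candidate are regressions to fix before the bookworm-pu, and the failing debhelper step is read off the build log) can be scripted. This is an added example, not code from the thread or from RATT; the tab-separated result format and the build-log tail are constructed samples.

```python
# Added example: triage two RATT-style rebuild result sets for a nodejs update.
# Result lines and the build log below are constructed, not real RATT output.
import re

# Constructed: "source_version<TAB>status", one set per nodejs candidate.
RESULTS_OLD = """\
firefox-esr_128.5.0esr-1~deb12u1\tFAIL
node-rollup_3.15.0-1\tFAIL
node-node-rsa_1.1.1-4\tPASS
"""
RESULTS_NEW = """\
firefox-esr_128.5.0esr-1~deb12u1\tPASS
node-rollup_3.15.0-1\tFAIL
node-node-rsa_1.1.1-4\tFAIL
"""

def parse_results(text):
    """Return {source_version: status} from tab-separated result lines."""
    out = {}
    for line in text.splitlines():
        if line.strip():
            pkg, status = line.split("\t", 1)
            out[pkg] = status.strip()
    return out

def triage(old, new):
    """both_fail: FTBFS with both versions (not a regression of the new nodejs);
    regression: fails only with the new version (must be fixed before the pu);
    newly_passing: fixed by the new version."""
    cats = {"both_fail": [], "regression": [], "newly_passing": []}
    for pkg in sorted(set(old) | set(new)):
        o, n = old.get(pkg), new.get(pkg)
        if o == "FAIL" and n == "FAIL":
            cats["both_fail"].append(pkg)
        elif n == "FAIL":  # no old result or old PASS: treat as a regression
            cats["regression"].append(pkg)
        elif o == "FAIL" and n == "PASS":
            cats["newly_passing"].append(pkg)
    return cats

# debhelper reports the failing step as "<dh_step>: error: ..." at line start.
DH_ERROR = re.compile(r"^(dh_auto_(?:configure|build|test|install)): error:", re.M)

def failing_step(build_log):
    """Return the first debhelper step that reported an error, or None."""
    m = DH_ERROR.search(build_log)
    return m.group(1) if m else None

# Constructed tail of a failed build log (dh_auto_test failure, as in the thread).
SAMPLE_LOG = """\
   dh_auto_test --buildsystem=nodejs
        mocha test
  1 failing
dh_auto_test: error: mocha test returned exit code 1
"""
```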