[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository

Jérémy Lal kapouer at melix.org
Thu Feb 20 09:52:54 GMT 2025


I intend to fix them as much as possible, then propose nodejs to stable.
There will be a (possibly long) delay in the bookworm-proposed-updates
queue, because it depends on a team that has a lot to do already, but
eventually it will get into stable.

On Thu, 20 Feb 2025 at 06:58, Naaz, Syeda Shagufta <
syedashagufta.naaz at siemens.com> wrote:

> Hi Jeremy Lal,
>
> If I have understood your previous communication correctly, it appears that
>
>    1. The tests for the following two packages are failing due to the
>    OpenSSL CVE-2023-46809
>    <https://security-tracker.debian.org/tracker/CVE-2023-46809> fix.
>    However, upon reviewing the patch changes, it seems that this behaviour is
>    expected. The error encountered is a warning to the user about the
>    deprecation of RSA_PKCS1_PADDING for private decryption, with an option to
>    revert the fix if necessary:
>
>    - node-node-rsa_1.1.1-4
>    - node-public-encrypt_4.0.3-1
>
>    Will it be appropriate to comment out this test?
>
>    2. This is part of the Math Team's work, as seen here: Macaulay2
>    <https://salsa.debian.org/math-team/macaulay2>. Considering this, do
>    we really need to address this issue, like how you mentioned the case of
>    *dask.distributed_2022.12.1+ds.1-3*?
>
>    - macaulay2_1.21+ds-3
>
>    3. These two packages are failing due to issues with pkg-javascript,
>    as mentioned for *node-minipass_3.3.6+~cs9.4.19-1*.
>
>    - node-rollup-plugin-sass_1.12.16-1 (dh_auto_test: error: /bin/sh -ex
>    debian/tests/pkg-js/test)
>    - node-mutate-fs_2.1.1-2 (dh_auto_test: error: /bin/sh -ex
>    debian/tests/pkg-js/test)
>
> Your input will be valuable in helping clarify the next steps for these
> issues.
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
>
> *SIEMENS* *FT FDS (Foundational Services)*
>
> *From:* Jérémy Lal <kapouer at melix.org>
> *Sent:* 18 February 2025 05:32
> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <
> syedashagufta.naaz at siemens.com>
> *Cc:* pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric
> (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS
> CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS
> CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS
> CES LX PBU 2) <badrikesh.prusty at siemens.com>
> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa
> Debian repository
>
> Update:
>
> Done: node-rollup_3.15.0-1
> Done: node-redis_4.5.1+~1.1.2-1
> Not a regression of nodejs, but is a pkg-javascript problem so it's Done:
> node-minipass_3.3.6+~cs9.4.19-1
> Not a regression of nodejs, not my problem at all:
> dask.distributed_2022.12.1+ds.1-3
> Not part of bookworm - just ignore: jquery_3.3.1~dfsg-3
> Done: node-csstype_3.1.1-1
>
> "Done" means there is a FTBFS bug for that package,
> and I opened a release.debian.org bug containing a diff that fixes the
> FTBFS bug for that package.
>
> On Mon, 17 Feb 2025 at 12:04, Jérémy Lal <kapouer at melix.org> wrote:
>
> Thank you for this helpful work.
>
> Yes, since the latest nodejs update to bookworm has been somewhat
> catastrophic, it is our duty to ensure the next one goes very smoothly for
> it to be accepted.
>
> To sum up, we have this:
>
> Those packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and
> nodejs_18.20.4+dfsg-1~deb12u1:
> node-rollup_3.15.0-1
> node-redis_4.5.1+~1.1.2-1
> node-minipass_3.3.6+~cs9.4.19-1
> dask.distributed_2022.12.1+ds.1-3
> jquery_3.3.1~dfsg-3
> node-csstype_3.1.1-1
> node-recast_0.21.1-1
> node-js-sdsl_4.1.4-2
> node-wikibase-cli_15.15.4-4
> node-regexpp_3.2.0-4
> science.js_1.9.3+dfsg-3
> moment-timezone.js_0.5.40+dfsg-1+2023c
> node-resolve_1.22.1+~cs5.31.10-1
> node-jest_29.3.1~ds1+~cs70.48.25-2
> node-jschardet_3.0.0+dfsg+~1.4.0-2
> node-lib0_0.2.58-1
>
> 1 package builds with nodejs_18.20.4+dfsg-1~deb12u1:
> PASSED: firefox-esr_128.5.0esr-1~deb12u1
>
> 5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
> node-node-rsa_1.1.1-4
> node-rollup-plugin-sass_1.12.16-1
> macaulay2_1.21+ds-3
> node-public-encrypt_4.0.3-1
> node-mutate-fs_2.1.1-2
>
> The goal is to fix them (ensure they build, and their autopkgtest pass for
> node 18.20.4), then do a reportbug release.debian.org to bookworm-pu for
> each of them, finishing with a bookworm-pu for nodejs 18.20.4.
>
> Attention: some of them might already have bookworm-pu bugs opened.
>
> On Mon, 17 Feb 2025 at 11:36, Naaz, Syeda Shagufta <
> syedashagufta.naaz at siemens.com> wrote:
>
> Hi Jeremy Lal,
>
> Thank you for your earlier email.
>
> As per your suggestion, I have attached the RATT test results for Node.js
> versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with
> the build logs for the failed packages.
>
> Upon reviewing the results, I noticed the following:
>
>    - Version 18.19.0 has failures in *18* packages.
>
>       1. firefox-esr_128.5.0esr-1~deb12u1: this package failed in version
>       18.19.0 but passed in version 18.20.4.
>
>    - Version 18.20.4 has failures in *22* packages, of which 5 are
>    additional compared to v18.19.0:
>
>       1. node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
>       2. node-node-rsa_1.1.1-4 (failure in dh_auto_test)
>       3. node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
>       4. macaulay2_1.21+ds-3 (failure in dh_auto_build)
>       5. node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
>
> I also noticed that the first two packages are failing due to the OpenSSL
> CVE fix for CVE-2023-46809
> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.
>
> Could the additional failures in version 18.20.4 be the reason the update
> has not yet been implemented?
>
> I would appreciate your insights on this matter. Please let me know your
> thoughts.
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
>
> *SIEMENS* *FT FDS (Foundational Services)*
>
> *From:* Jérémy Lal <kapouer at melix.org>
> *Sent:* 07 February 2025 16:31
> *To:* Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <
> syedashagufta.naaz at siemens.com>
> *Cc:* pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric
> (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS
> CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS
> CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS
> CES LX PBU 2) <badrikesh.prusty at siemens.com>
> *Subject:* Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa
> Debian repository
>
> Also note that debian/trixie will have a version of nodejs that uses even
> more external dependencies, with a source tarball excluding the
> externalized dependencies, which will make the process of doing security
> uploads easier for everyone.
>
> On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapouer at melix.org> wrote:
>
> Security uploads take a lot of work to ensure all reverse
> (build-)dependencies of a package build and pass their test suite
> successfully.
>
> For that last upload, I, in particular, lost track of time.
>
> To help me, one can redo those verifications, and then, once several
> packages failing to rebuild have been identified, they must be fixed,
> proposed to bookworm, and once they are all accepted, that version of
> nodejs can be proposed to bookworm too.
>
> On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta <
> syedashagufta.naaz at siemens.com> wrote:
>
> Package: nodejs
> Version: 18.19.0+dfsg-6~deb12u2
> Severity: critical
>
> Dear Debian Community,
>
> We are currently working with the Debian Bookworm
> <https://packages.debian.org/bookworm/nodejs> 12.9 release for our
> project and observed that the nodejs version is *18.19.0+dfsg-6~deb12u2*.
>
> However, upon reviewing the salsa-debian/bookworm
> <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
> branch, we noticed that version *18.20.4+dfsg-1~deb12u1* is available,
> which includes fixes for multiple CVE issues, such as:
>
>    - CVE-2024-27983
>    <https://security-tracker.debian.org/tracker/CVE-2024-27983> (*8.2
>    HIGH*)
>    - CVE-2024-21892
>    <https://security-tracker.debian.org/tracker/CVE-2024-21892> (*7.5
>    HIGH*)
>    - CVE-2024-22019
>    <https://security-tracker.debian.org/tracker/CVE-2024-22019> (*7.5
>    HIGH*)
>
> These fixes are not included in the current Bookworm release. As the
> severity of some of these vulnerabilities is High, we are eager for these
> fixes to be available.
>
> Could you please help clarify why there is a discrepancy between the
> version in the Bookworm release and the one on salsa? Is there any
> specific reason for the delay, and is there any fixed timeline for
> resolving this?
>
> I appreciate your time and guidance on this matter.
>
> Best Regards,
>
> Syeda Shagufta Naaz
>
> Senior Software Developer
>
> *SIEMENS* *FT FDS (Foundational Services)*
>
>