[Pkg-javascript-devel] NPM has not received updates

shift16 shift16 at protonmail.com
Sat Jan 25 16:33:19 GMT 2025


To whom it may concern,

NPM, the package manager for the NodeJS ecosystem, has not been updated since 2022 and as a result is missing many bug fixes and security updates such as:

- Security
  - http-cache-semantics vulnerable to Regular Expression Denial of Service
  - NPM IP package incorrectly identifies some private IP addresses as public
  - semver vulnerable to Regular Expression Denial of Service
- Bugs
  - [default auth-type to legacy if otp is configured](https://github.com/npm/cli/commit/cf175fb2a7faffa6664874a9e8bea52dbbb1b0e2)
  - [unpublish: bubble up all errors parsing local package.json](https://github.com/npm/cli/commit/8d9d7351f5f9cfd7028a9f47cde520ca393218dd)
  - [ignore node prereleases in npm engines check](https://github.com/npm/cli/commit/939a188bc3ab9c2bfa49ccb4837fe4ad844131ed)

Also, the version of NPM in Trixie/Testing and Unstable has not been updated since Bookworm. I think NPM should be packaged similarly to how it's packaged on Fedora where all of the node modules are packaged with NPM. This way when NPM is installed all of its dependencies don't pollute the global environment with random commands like "webpack" and "acorn". Plus, it eases the burden of packaging NPM because there won't be all of these tiny sub packages to manage. Of course, I don't know the inner details for why this package hasn't been updated, and it could be that no one has had the time to package it. In this case, I am more than happy to help with the efforts of packaging NPM.

Chris,

