[Pkg-javascript-devel] Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
Naaz, Syeda Shagufta
syedashagufta.naaz at siemens.com
Tue Mar 11 10:30:54 GMT 2025
From: Jérémy Lal <kapouer at melix.org>
Sent: 20 February 2025 15:23
To: Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.naaz at siemens.com>
Cc: Jérémy Lal <kapouer at melix.org>; pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) <badrikesh.prusty at siemens.com>
Subject: Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
I intend to fix them as much as possible, then propose nodejs to stable.
There will be a (possibly long) delay in the bookworm-proposed-updates queue, because it depends on a team that has a lot to do already, but eventually it will get into stable.
Update on the recent package fixes,
We have reported bugs to Debian for both node-node-rsa_1.1.1-4 and node-public-encrypt_4.0.3-1 packages, and merge requests addressing these issues have been raised in their respective repositories.
Autopkgtests have been verified with these fixes and pass successfully on both the older (18.19.0+dfsg-6~deb12u2) and newer (18.20.4+dfsg-1~deb12u1) versions of Nodejs.
Please review the following,
node-node-rsa: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099640
node-public-encrypt: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100088
Regarding node-rollup-plugin-sass_1.12.16-1 and node-mutate-fs_2.1.1-2, after re-running the ratt tests, the previously observed issues are no longer present, indicating that these packages are now functioning as expected.
The only remaining issue will be with macaulay2_1.21+ds-3 package.
Please let me know if you have any questions or require further information.
Thanks,
Syeda
On Thu, 20 Feb 2025 at 06:58, Naaz, Syeda Shagufta <syedashagufta.naaz at siemens.com> wrote:
Hi Jeremy Lal,
If I have understood your previous communication correctly, it appears that
1. The tests for the following two packages are failing due to the OpenSSL CVE-2023-46809 <https://security-tracker.debian.org/tracker/CVE-2023-46809> fix. However, upon reviewing the patch changes, it seems that this behaviour is expected. The error encountered is a warning to the user about the deprecation of RSA_PKCS1_PADDING for private decryption, with an option to revert the fix if necessary:
   * node-node-rsa_1.1.1-4
   * node-public-encrypt_4.0.3-1
   Will it be appropriate to comment out this test?
2. This is part of the Math Team's work, as seen here: Macaulay2 <https://salsa.debian.org/math-team/macaulay2>. Considering this, do we really need to address this issue, as in the case of dask.distributed_2022.12.1+ds.1-3 that you mentioned?
   * macaulay2_1.21+ds-3
3. These two packages are failing due to issues with pkg-javascript, as mentioned for node-minipass_3.3.6+~cs9.4.19-1.
   * node-rollup-plugin-sass_1.12.16-1 (dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test)
   * node-mutate-fs_2.1.1-2 (dh_auto_test: error: /bin/sh -ex debian/tests/pkg-js/test)
Your input will be valuable in helping clarify the next steps for these issues.
Best Regards,
Syeda Shagufta Naaz
Senior Software Developer
SIEMENS FT FDS (Foundational Services)
From: Jérémy Lal <kapouer at melix.org>
Sent: 18 February 2025 05:32
To: Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.naaz at siemens.com>
Cc: pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) <badrikesh.prusty at siemens.com>
Subject: Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
Update:
Done: node-rollup_3.15.0-1
Done: node-redis_4.5.1+~1.1.2-1
Not a regression of nodejs, but it is a pkg-javascript problem, so it's Done: node-minipass_3.3.6+~cs9.4.19-1
Not a regression of nodejs, not my problem at all: dask.distributed_2022.12.1+ds.1-3
Not part of bookworm - just ignore: jquery_3.3.1~dfsg-3
Done: node-csstype_3.1.1-1
"Done" means there is a FTBFS bug for that package,
and I opened a release.debian.org bug containing a diff that fixes the FTBFS bug for that package.
On Mon, 17 Feb 2025 at 12:04, Jérémy Lal <kapouer at melix.org> wrote:
Thank you for this helpful work.
Yes, since the latest nodejs update to bookworm has been somewhat catastrophic,
it is our duty to ensure the next one goes very smoothly for it to be accepted.
To sum up, we have this:
Those packages fail with nodejs_18.19.0+dfsg-6~deb12u1 and nodejs_18.20.4+dfsg-1~deb12u1
node-rollup_3.15.0-1
node-redis_4.5.1+~1.1.2-1
node-minipass_3.3.6+~cs9.4.19-1
dask.distributed_2022.12.1+ds.1-3
jquery_3.3.1~dfsg-3
node-csstype_3.1.1-1
node-recast_0.21.1-1
node-js-sdsl_4.1.4-2
node-wikibase-cli_15.15.4-4
node-regexpp_3.2.0-4
science.js_1.9.3+dfsg-3
moment-timezone.js_0.5.40+dfsg-1+2023c
node-resolve_1.22.1+~cs5.31.10-1
node-jest_29.3.1~ds1+~cs70.48.25-2
node-jschardet_3.0.0+dfsg+~1.4.0-2
node-lib0_0.2.58-1
1 package builds with nodejs_18.20.4+dfsg-1~deb12u1
PASSED: firefox-esr_128.5.0esr-1~deb12u1
5 new failures with nodejs_18.20.4+dfsg-1~deb12u1:
node-node-rsa_1.1.1-4
node-rollup-plugin-sass_1.12.16-1
macaulay2_1.21+ds-3
node-public-encrypt_4.0.3-1
node-mutate-fs_2.1.1-2
The goal is to fix them (ensure they build, and their autopkgtest pass for node 18.20.4), then do a reportbug release.debian.org
to bookworm-pu for each of them, finishing with a bookworm-pu for nodejs 18.20.4.
Attention: some of them might already have bookworm-pu bugs opened.
On Mon, 17 Feb 2025 at 11:36, Naaz, Syeda Shagufta <syedashagufta.naaz at siemens.com> wrote:
Hi Jeremy Lal,
Thank you for your earlier email.
As per your suggestion, I have attached the RATT test results for Node.js versions 18.19.0 and 18.20.4, covering a total of 1707 packages, along with the build logs for the failed packages.
Upon reviewing the results, I noticed the following:
* Version 18.19.0 has failures in 18 packages.
* firefox-esr_128.5.0esr-1~deb12u1: this package failed in version 18.19.0 but passed in version 18.20.4.
* Version 18.20.4 has failures in 22 packages, of which 5 are additional compared to v18.19.0:
  * node-public-encrypt_4.0.3-1 (failure in dh_auto_test)
  * node-node-rsa_1.1.1-4 (failure in dh_auto_test)
  * node-rollup-plugin-sass_1.12.16-1 (failure in dh_auto_test)
  * macaulay2_1.21+ds-3 (failure in dh_auto_build)
  * node-mutate-fs_2.1.1-2 (failure in dh_auto_test)
I also noticed that the first two packages are failing due to the OpenSSL CVE fix for CVE-2023-46809 <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads#L20>.
Could the additional failures in version 18.20.4 be the reason the update has not yet been implemented?
I would appreciate your insights on this matter. Please let me know your thoughts.
Best Regards,
Syeda Shagufta Naaz
Senior Software Developer
SIEMENS FT FDS (Foundational Services)
From: Jérémy Lal <kapouer at melix.org>
Sent: 07 February 2025 16:31
To: Naaz, Syeda Shagufta (FT FDS CES LX PBU 1) <syedashagufta.naaz at siemens.com>
Cc: pkg-javascript-devel at alioth-lists.debian.net; Hombourger, Cedric (FT FDS CES LX) <cedric.hombourger at siemens.com>; Kumar, Ritesh (FT FDS CES LX PBU RSOL) <ritesh-kumar at siemens.com>; Koturappa, Hemanth (FT FDS CES LX PBU 2) <hemanth.koturappa at siemens.com>; Prusty, Badrikesh (FT FDS CES LX PBU 2) <badrikesh.prusty at siemens.com>
Subject: Re: Discrepancy in nodejs version in Debian Bookworm vs. Salsa Debian repository
Also note that debian/trixie will have a version of nodejs that uses even more external dependencies,
with a source tarball excluding the externalized dependencies, which will make the process of doing security uploads easier for everyone.
On Fri, 7 Feb 2025 at 11:59, Jérémy Lal <kapouer at melix.org> wrote:
Security uploads take a lot of work to ensure all reverse (build-)dependencies of a package build and pass their test suite successfully.
For that last upload, I, in particular, lost track of time.
To help me, one can redo those verifications, and then, once several packages failing to rebuild have been identified,
they must be fixed, proposed to bookworm, and once they are all accepted, that version of nodejs can be proposed to bookworm too.
On Fri, 7 Feb 2025 at 11:04, Naaz, Syeda Shagufta <syedashagufta.naaz at siemens.com> wrote:
Package: nodejs
Version: 18.19.0+dfsg-6~deb12u2
Severity: critical
Dear Debian Community,
We are currently working with the Debian Bookworm <https://packages.debian.org/bookworm/nodejs> 12.9 release for our project and observed that the nodejs version is 18.19.0+dfsg-6~deb12u2.
However, upon reviewing the salsa-debian/bookworm <https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads> branch, we noticed that version 18.20.4+dfsg-1~deb12u1 is available, which includes fixes for multiple CVE issues, such as:
* CVE-2024-27983 <https://security-tracker.debian.org/tracker/CVE-2024-27983> (8.2 HIGH)
* CVE-2024-21892 <https://security-tracker.debian.org/tracker/CVE-2024-21892> (7.5 HIGH)
* CVE-2024-22019 <https://security-tracker.debian.org/tracker/CVE-2024-22019> (7.5 HIGH)
These fixes are not included in the current Bookworm release. Given that the severity of some of these vulnerabilities is High, we are eager for these fixes to be available.
Could you please help clarify why there is a discrepancy between the version in the Bookworm release and the one on salsa? Is there any specific reason for the delay, and is there any fixed timeline for resolving this?
I appreciate your time and guidance on this matter.
Best Regards,
Syeda Shagufta Naaz
Senior Software Developer
SIEMENS FT FDS (Foundational Services)