On Wed, Sep 28, 2016 at 02:26:07AM +0000, Potter, Tim (HPE Linux Support) wrote:
> * Package name    : node-is-extglob
>   Version         : 2.0.0
>   Upstream Author : Jon Schlinkert (https://github.com/jonschlinkert)
> * URL             : https://github.com/jonschlinkert/is-extglob
After reading this ITP, I investigated the package on github. If the intent is to implement a predicate about bash-like extglobs, the package is wrong (and if it is to implement some other standard, for instance a kind of pattern-matching string where "[" is not a special character, the documentation is woefully inadequate, since nowhere is "extglob" specified).

The package author declined to fix the issue I filed, and also declined to incorporate a pull request which showed the bug I feel exists: "it's extremely clear that you're trying to come up with patterns that no one has actually used". By contrast, I feel it's important to correctly handle even malicious or malformed inputs, since in the node ecosystem it's possible that someone several layers up the dependency tree in a piece of end-user software may use the underlying code in a security-sensitive environment. (I don't know what is-extglob is a prospective reverse dependency of, to say whether this is relevant to Debian at this moment.)

https://github.com/jonschlinkert/is-extglob/issues/1
https://github.com/jonschlinkert/is-extglob/pull/2

After two tries with the author, I wash my hands of it. But I thought that you might like to know.

(My interactions on github were weeks ago; I wasn't even planning to write or send this message, but in light of the recent discussion of the shortcomings of node-os-homedir in another thread on debian-devel, I felt I should mention it.)

Jeff