OK, since the package review last weekend, I've been reading documentation, discussion threads, and running various experiments with LLMs.

Among other things, because dependencies installed in node_modules don't necessarily have their own devDependencies installed, I think the only reasonable way to bundle dependencies is to not bundle any module that contains native binaries or Wasm files, and to require those modules to be installed as system modules. ( Ref: https://github.com/orgs/community/discussions/199880 )

To aid future package reviews of all types, I've suggested a change to fedora-review that will scan for native binaries in source archives: https://forge.fedoraproject.org/packaging/FedoraReview/pulls/553

Eventually I found "npm2rpm" which I think could reasonably replace nodejs-packaging-bundler and probably package "source.sh" scripts, if it were able to detect modules with binaries or Wasm and avoid bundling those. They'd need to be provided as system packages. I've offered such a feature to the developers of that project: https://github.com/theforeman/npm2rpm/pull/93

Additionally, I have another branch in my fork that adds more Fedora-specific changes to the spec template: https://github.com/gordonmessmer/npm2rpm/tree/fedora-spec

Finally, I've written a draft update of the packaging guidelines, if npm2rpm replaces nodejs-packaging-bundler: https://forge.fedoraproject.org/packaging/guidelines/pulls/1553


--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to