On Wed, Oct 23, 2019 at 22:31, Paolo Greppi <paolo.gre...@libpf.com>
wrote:
Bringing this over to the mailing list ...
On 23/10/19 22:07, Jonas Smedegaard wrote:
Quoting Paolo Greppi (2019-10-23 21:18:37)
...
The reason is that the bundled version of lodash-cli is out of
date:
grep version lodash-cli/package.json
"version": "4.17.5",
if you replace the lodash-cli dir with the current version (which
is in sync with lodash itself, 4.17.15) you get the correct file
generated.
So in the future we should keep the bundled lodash-cli in sync
with lodash itself.
More importantly: We should track versions!!!
lodash embeds lodash-cli with "ignore" in its watch file.
How many JavaScript packages are packaged that way?
- Jonas
To find packages with ignore in d/watch:
<https://codesearch.debian.net/search?q=ignore+path%3Adebian%2Fwatch>
But this check is not enough to tell that something is wrong.
It can still be fine provided that upstream has a yarn.lock or a
package-lock.json AND all components pulled in are at the same
version as required by the lock files.
It seems that we need tooling to automatically verify that. Any
volunteer?
For lodash the build-dep on lodash.cli is not in the devDependencies
key of the package.json nor in the lockfiles (the only hint that you
need that is in .travis.yml file).
Anyway common sense requires that lodash.cli should be at the same
version as lodash itself.
It does not make sense to hack the version to
node-lodash_4.17.15+4.17.15+dfsg-1, people are already making fun of
that: <http://joeyh.name/blog/entry/turing_complete_version_numbers/>
For this one I propose that we add a test in d/rules override_dh_test
target that `grep version lodash-cli/package.json` == `grep version
package.json` (sorry pseudocode but you get the idea)
Agreed, this will be sufficient and thanks for finding the root cause.
Since we have ignore option in watch, we will have to add a patch to
update lodash-cli version. I remember seeing a checksum option
mentioned somewhere that will generate a sane version string instead of
concatenating all versions, though not sure if uscan supports it
already. Hope yadd will know the status.
It's likely lodash-cli was updated later as our watch file is checking
only 4.x version and uscan should have downloaded latest version anyway.
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
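
The version check proposed in the thread (the bundled lodash-cli must carry the same version as lodash itself), written out as an added example; it is not code from the messages above or from the Debian package. The function names and the temporary sample tree are constructed for illustration, and the sample uses the two versions quoted in the thread.

```shell
#!/bin/sh
# Added example: detect version drift between a package and a component
# embedded in its source tree. Function names are illustrative.

# Print the value of the first "version" key in a package.json.
# Assumption: the file is pretty-printed and the top-level "version" key
# comes before any nested one. A minified file yields an empty string,
# which the caller treats as a failure (fail closed).
pkg_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_embedded_version MAIN_JSON EMBEDDED_JSON
# Returns 0 only when both versions can be read and are identical.
check_embedded_version() {
    main=$(pkg_version "$1")
    embedded=$(pkg_version "$2")
    if [ -z "$main" ] || [ -z "$embedded" ]; then
        echo "cannot read version from $1 or $2" >&2
        return 1
    fi
    if [ "$main" != "$embedded" ]; then
        echo "version mismatch: $1 is $main, $2 is $embedded" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample tree: make_sample MAIN_VERSION EMBEDDED_VERSION
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/lodash-cli"
    printf '{\n  "name": "lodash",\n  "version": "%s"\n}\n' "$1" > "$dir/package.json"
    printf '{\n  "name": "lodash-cli",\n  "version": "%s"\n}\n' "$2" > "$dir/lodash-cli/package.json"
    echo "$dir"
}

# Demo with the versions quoted in the thread (4.17.15 vs. bundled 4.17.5).
sample=$(make_sample 4.17.15 4.17.5)
if check_embedded_version "$sample/package.json" "$sample/lodash-cli/package.json"; then
    echo "bundled component is in sync"
else
    echo "bundled component is out of date: refresh it before building"
fi
rm -rf "$sample"
```

Called from the d/rules test override proposed in the thread, a non-zero return from `check_embedded_version` stops the build before a stale bundled component can produce a wrong artifact.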