Hi all,

when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a "maybe-bundled-package" (i.e. webpack/browserify/rollup), it:
 * generates some pkgjs-lock.json files
 * generates a ${nodejs:BuiltUsing} variable usable in debian/control
   (see [1])

The goal here is to be able to launch a transition in case of a CVE in a source of a bundled package.

To use ${nodejs:BuiltUsing}, simply add:

  Package: node-foo
  Built-Using: ${nodejs:BuiltUsing}
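
As an added example (not part of this post or of the dh-sequence-nodejs tooling) of how that transition goal can be acted on: given Packages-index stanzas that carry Built-Using, list the binaries still built against a version of a source other than the one that fixes the CVE. The stanza text, package names and versions below are constructed for the example.

```python
import re

# Constructed sample Packages-index stanzas (not real archive data):
# binary packages that record bundled Node.js sources via Built-Using.
SAMPLE_PACKAGES = """\
Package: node-foo
Version: 1.2.3-1
Built-Using: node-lodash (= 4.17.20+dfsg-1),
 node-minimist (= 1.2.5-1)

Package: node-bar
Version: 2.0.0-2
Built-Using: node-lodash (= 4.17.21+dfsg-1)

Package: node-baz
Version: 0.1.0-1
"""

# One Built-Using relation: "source (= version)"
BUILT_USING_RE = re.compile(r"\s*([A-Za-z0-9][A-Za-z0-9+.-]*)\s*\(=\s*([^)]+)\)\s*")

def parse_stanzas(text):
    """Split a Packages/control file into dicts of field -> value (continuation lines joined)."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1].isspace() and last:          # continuation line
                fields[last] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                last = key.strip()
                fields[last] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas

def parse_built_using(value):
    """'src (= ver), src2 (= ver2)' -> [(src, ver), (src2, ver2)]."""
    pairs = []
    for item in value.split(","):
        m = BUILT_USING_RE.fullmatch(item)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def needs_rebuild(packages_text, source, fixed_version):
    """Binaries whose Built-Using pins `source` to any version other than the fixed one."""
    affected = []
    for st in parse_stanzas(packages_text):
        for src, ver in parse_built_using(st.get("Built-Using", "")):
            if src == source and ver != fixed_version:
                affected.append((st["Package"], ver))
    return affected

if __name__ == "__main__":
    for pkg, ver in needs_rebuild(SAMPLE_PACKAGES, "node-lodash", "4.17.21+dfsg-1"):
        print(f"{pkg}: built against node-lodash {ver}, needs rebuild")
```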

pkgjs-lock files are also used by pkgjs-audit: this tool launches an `npm audit` using Debian dependencies, not dependencies found in package.json.

  $ pkgjs-audit @babel/core
  found 0 vulnerabilities

Notes:
 * pkgjs-lock.json contains all module+version used, including those
   existing in a node_modules dir (and declared in package.json)
 * there is one pkgjs-lock.json in each installed module
 * ${nodejs:BuiltUsing} contains only Debian packages + versions.

Cheers,
Yadd

[1]: https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel