Quoting Yadd (2022-02-04 10:27:02)
> when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a
> "maybe-bundled-package" (ie webpack/browserify/rollup), it:
>  * generates some pkgjs-lock.json files
>  * generates a ${nodejs:BuiltUsing} variable usable in debian/control
>    (see [1])
>
> The goal here is to be able to launch a transition in case of CVE in a
> source of a bundled package.
>
> To use ${nodejs:BuiltUsing}, simply add:
>
>   Package: node-foo
>   Built-Using: ${nodejs:BuiltUsing}
>
> pkgjs-lock files are also used by pkgjs-audit: this tool launches a `npm
> audit` using Debian dependencies, not dependencies found in package.json.
>
>   $ pkgjs-audit @babel/core
>   found 0 vulnerabilities
>
> Notes:
>  * pkgjs-lock.json contains all module+version used, including those
>    existing in a node_modules dir (and declared in package.json)
>  * there is one pkgjs-lock.json in each installed module
>  * ${nodejs:BuildUsing} contains only Debian packages + versions.
That's really cool!

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
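
The use of Built-Using described in the quoted announcement (finding what to rebuild when a bundled source gets a CVE), as an added example that is not part of the original thread or of dh-sequence-nodejs. The stanzas, version numbers and the function names are constructed for illustration; only exact `(= version)` relations are handled, which is the form Built-Using takes.

```python
import re

# Constructed sample: binary package stanzas carrying an expanded Built-Using field.
SAMPLE = """\
Package: node-foo
Version: 1.2.0-1
Built-Using: node-terser (= 5.10.0-1), webpack (= 5.65.0+dfsg-1)

Package: node-bar
Version: 0.3.1-2
Built-Using: webpack (= 5.65.0+dfsg-1),
 node-lodash (= 4.17.21+dfsg-2)

Package: node-baz
Version: 2.0.0-1
"""

# One Built-Using item: "source (= version)".
REL = re.compile(r"^\s*(\S+)\s*\(=\s*(\S+?)\s*\)\s*$")

def parse_stanzas(text):
    """Yield one dict per blank-line-separated stanza, joining folded lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()   # continuation line
            elif ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        yield fields

def built_using(fields):
    """Return {source: version} from a stanza's Built-Using field."""
    result = {}
    for item in fields.get("Built-Using", "").split(","):
        m = REL.match(item)
        if m:
            result[m.group(1)] = m.group(2)
    return result

def needs_rebuild(text, source, affected_versions):
    """Names of packages built with `source` at one of the affected versions."""
    return sorted(
        f["Package"] for f in parse_stanzas(text)
        if built_using(f).get(source) in affected_versions
    )

if __name__ == "__main__":
    print(needs_rebuild(SAMPLE, "webpack", {"5.65.0+dfsg-1"}))
```

Packages without a Built-Using field (node-baz here) are never reported, which is why the field has to be declared in debian/control for the rebuild list to be complete.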