On 04/02/2022 10:27, Yadd wrote:
Hi all,
when dh-sequence-nodejs (0.11.9, better with 0.11.10) detects a
"maybe-bundled-package" (ie webpack/browserify/rollup), it:
* generates some pkgjs-lock.json files
* generates a ${nodejs:BuiltUsing} variable usable in debian/control
(see [1])
The goal here is to be able to launch a transition is case of CVE in a
source of a bundled package.
To use ${nodejs:BuiltUsing}, simply add:
Package: node-foo
Built-Using: ${nodejs:BuiltUsing}
pkgjs-lock files are also used by pkgjs-audit: this tool launches a `npm
audit` using Debian dependencies, not dependencies found in package.json.
$ pkgjs-audit @babel/core
found 0 vulnerabilities
Notes:
* pkgjs-lock.json contains all module+version used, including those
existing in a node_modules dir (and declared in package.json)
* there is one pkgjs-lock.json in each installed module
* ${nodejs:BuildUsing} contains only Debian packages + versions.
Cheers,
Yadd
[1]:
https://www.debian.org/doc/debian-policy/ch-relationships.html#additional-source-packages-used-to-build-the-binary-built-using)
pkgjs-audit found this (maybe false positive since it doesn't read
debian/patches). I'm going to build a new check in lintian pkg-js-extra
profile.
eslint-config-eslint 5.0.1
Severity: critical
Malicious Package in eslint-scope -
https://github.com/advisories/GHSA-hxxf-q3w9-4xgw
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an
Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
trim-newlines <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines -
https://github.com/advisories/GHSA-7p7h-4mm5-852v
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check -
https://github.com/advisories/GHSA-rp65-9cf3-cjxr
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
