To whom it may concern,
NPM, the package manager for the NodeJS ecosystem, has not been updated since
2022 and as a result is missing many bug fixes and security updates such as:
- Security
  - http-cache-semantics vulnerable to Regular Expression Denial of Service
  - NPM IP package incorrectly identifies some private IP addresses as public
  - semver vulnerable to Regular Expression Denial of Service
- Bugs
  - [default auth-type to legacy if otp is configured](https://github.com/npm/cli/commit/cf175fb2a7faffa6664874a9e8bea52dbbb1b0e2)
  - [unpublish: bubble up all errors parsing local package.json](https://github.com/npm/cli/commit/8d9d7351f5f9cfd7028a9f47cde520ca393218dd)
  - [ignore node prereleases in npm engines check](https://github.com/npm/cli/commit/939a188bc3ab9c2bfa49ccb4837fe4ad844131ed)
Also, the version of NPM in Trixie/Testing and Unstable has not been updated
since Bookworm. I think NPM should be packaged similarly to how it's packaged
on Fedora where all of the node modules are packaged with NPM. This way when
NPM is installed all of its dependencies don't pollute the global environment
with random commands like "webpack" and "acorn". Plus, it eases the burden of
packaging NPM because there won't be all of these tiny sub packages to manage.
Of course, I don't know the inner details for why this package hasn't been
updated, and it could be that no one has had the time to package it. In this
case, I am more than happy to help with the efforts of packaging NPM.
Chris,
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel