
Bug#991707: marked as done (unblock: nodejs/12.22.4~dfsg-1)





On Fri, 30 Jul 2021 at 16:36, Debian Bug Tracking System <owner@bugs.debian.org> wrote:
Your message dated Fri, 30 Jul 2021 16:32:35 +0200
with message-id <CAJxTCxy_20WuHmxObnDmM=7WaB3i9K_CH07WKp6moYPDpiT+9w@mail.gmail.com>
and subject line Re: Bug#991707: Acknowledgement (unblock: nodejs/12.22.4~dfsg-1)
has caused the Debian Bug report #991707,
regarding unblock: nodejs/12.22.4~dfsg-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


--
991707: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991707
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems



---------- Forwarded message ----------
From: "Jérémy Lal" <kapouer@melix.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: 
Bcc: 
Date: Fri, 30 Jul 2021 15:27:24 +0200
Subject: unblock: nodejs/12.22.4~dfsg-1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: security@debian.org

Please unblock package nodejs

[ Reason ]
The Debian security team plans to upload nodejs security updates "as-is",
at least while upstream still maintains nodejs 12.x. This is what was
done in Buster.

Latest security update is 12.22.4 (severity high).
I did not try to get nodejs > 12.21.0 into bullseye until now
because the upstream changes essentially did not concern the Debian package.

However the 12.22.4 release has many v8 fixes, and a security fix (high).


[ Impact ]
If it is not in Bullseye, users will have to download nodejs a second time
just after installation, through security updates.
So it will postpone any issue to post-release.


[ Tests ]
Usual thorough upstream test suite + all dependent packages' tests.

[ Risks ]
Low, but when considering the regressions I saw false positives:
- node-chokidar seems to have a flaky test
- node-esquery, node-caniuse-api, node-browserslist suites fail on their own,
  for an unrelated problem
- node-websocket-driver was already broken, probably for a long time.
  I opened #991700 and will ask its removal from testing.

Also, an undocumented internal API has been deprecated, and old modules trying
to access it will now print a warning (process.binding('http_parser')).
Only node-websocket-driver is actually using it...
A code search shows node-http-signature and node-fastcgi are using it in their
test suites, but it doesn't pose any problem.
https://codesearch.debian.net/search?q=process%5C.binding%5C%28%5B%27%22%5Dhttp_parser%5B%27%22%5D%5C%29&literal=0

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
debdiff is without deps/cares (not used), deps/openssl (not used), test/*, benchmark/*, tools/msvs/*.
Still waiting for armhf test results when writing this request.

unblock nodejs/12.22.4~dfsg-1 

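The unblock request above points at a codesearch.debian.net query for the deprecated internal binding. As an added example (not part of the bug report or of any Debian package), the scanner below applies the same kind of pattern to local source text so a maintainer can check a package's own tree before the warning shows up at runtime. It additionally tolerates whitespace inside the parentheses, which the original codesearch regex does not; the file names and contents are constructed for illustration, not taken from the packages named in the request.

```javascript
// Added example, not code from the Debian bug report or from node-websocket-driver.
// Finds uses of the deprecated internal binding process.binding('http_parser') in
// JavaScript source text, mirroring the codesearch.debian.net query from the unblock
// request, but also tolerating whitespace inside the parentheses.

// Matches process.binding('http_parser') and process.binding("http_parser");
// the backreference forces the closing quote to match the opening one.
const HTTP_PARSER_BINDING = /process\.binding\(\s*(['"])http_parser\1\s*\)/;

// Return the 1-based line numbers in `source` that reference the binding.
function findHttpParserBindingUses(source) {
  const hits = [];
  source.split('\n').forEach((line, idx) => {
    if (HTTP_PARSER_BINDING.test(line)) hits.push(idx + 1);
  });
  return hits;
}

// Scan a map of { filename: source } and report only the files with hits.
function scanSources(files) {
  const report = {};
  for (const [name, src] of Object.entries(files)) {
    const hits = findHttpParserBindingUses(src);
    if (hits.length > 0) report[name] = hits;
  }
  return report;
}

// Constructed sample sources (hypothetical file names and contents).
const SAMPLE_FILES = {
  'lib/driver.js': [
    "'use strict';",
    "const { HTTPParser } = process.binding('http_parser'); // legacy binding",
    'module.exports = HTTPParser;',
  ].join('\n'),
  'test/parser.js': [
    'const binding = process.binding( "http_parser" );', // whitespace variant
    "const http = require('http');",
  ].join('\n'),
  'lib/clean.js': [
    "const http = require('http');",
    "// process.binding('fs') is a different internal binding, not flagged",
    "const fs = process.binding('fs');",
  ].join('\n'),
};

console.log(JSON.stringify(scanSources(SAMPLE_FILES), null, 2));
```

A hit in a test file (as with node-http-signature and node-fastcgi in the request) only means the test suite will print a deprecation warning; a hit in shipped library code means users of the package will see it at runtime.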

---------- Forwarded message ----------
From: "Jérémy Lal" <kapouer@melix.org>
To: 991707-done@bugs.debian.org
Cc: 
Bcc: 
Date: Fri, 30 Jul 2021 16:32:35 +0200
Subject: Re: Bug#991707: Acknowledgement (unblock: nodejs/12.22.4~dfsg-1)
I just double-checked that nodejs 12.22.4 was actually fixing
CVE-2021-22930, supposed to be reproducible with
https://github.com/mdouglass/repro-node-crash

It does not, so I'm closing this bug until I find out what's happening.

What was happening was an incomplete upstream fix, released in nodejs 12.22.5.

I suppose it's too late for an unblock request, so I'll just propose it to security updates.

Jérémy
