From debbugs-submit-bounces@debbugs.gnu.org Sat Nov 16 15:28:42 2019 Received: (at submit) by debbugs.gnu.org; 16 Nov 2019 20:28:42 +0000 Received: from localhost ([127.0.0.1]:39752 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iW4gU-0004mi-JK for submit@debbugs.gnu.org; Sat, 16 Nov 2019 15:28:42 -0500 Received: from lists.gnu.org ([209.51.188.17]:34607) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1iW4gQ-0004mY-6L for submit@debbugs.gnu.org; Sat, 16 Nov 2019 15:28:41 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:52240) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iW4gO-0000BE-7b for bug-guix@gnu.org; Sat, 16 Nov 2019 15:28:38 -0500 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,URIBL_BLOCKED autolearn=disabled version=3.3.2 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iW4gM-0000R9-Tk for bug-guix@gnu.org; Sat, 16 Nov 2019 15:28:36 -0500 Received: from dustycloud.org ([2600:3c02::f03c:91ff:feae:cb51]:41166) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1iW4gM-0000La-8J for bug-guix@gnu.org; Sat, 16 Nov 2019 15:28:34 -0500 Received: from twig (localhost [127.0.0.1]) by dustycloud.org (Postfix) with ESMTPS id 5314126618; Sat, 16 Nov 2019 15:28:31 -0500 (EST) References: <87d0npb1tx.fsf@atufi.org> <877edw6cta.fsf@fsfe.org> <87h8cz20ic.fsf@atufi.org> <877edud0ha.fsf@fsfe.org> <87va1doz0z.fsf@atufi.org> User-agent: mu4e 1.2.0; emacs 26.3 From: Christopher Lemmer Webber To: bug-guix@gnu.org Subject: Re: bug#34526: Updating node.js In-reply-to: <87va1doz0z.fsf@atufi.org> Date: Sat, 16 Nov 2019 15:28:30 -0500 Message-ID: <871ru7h8gh.fsf@dustycloud.org> MIME-Version: 1.0 Content-Type: text/plain X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized. X-Received-From: 2600:3c02::f03c:91ff:feae:cb51 X-Spam-Score: -1.3 (-) X-Debbugs-Envelope-To: submit Cc: Jelle Licht , 34526@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -2.3 (--) Daniel Gerber writes: > Hi, > > 2019-02-20, Jelle Licht: >> Daniel Gerber writes: >> >>> [snip] >>> What about statically linking llhttp's C "sources" included in >>> node? Building v11.10.0 succeeds with this: >> >> You could do this, of course, but afaics this is not acceptable for >> inclusion in Guix proper. >> >> I don't really see any way forward between convincing the fine node >> folks to see the 'error of their ways', or to implement a >> ABI-compatible >> replacement for llhttp that we can actually bootstrap. > > Although I would prefer the convincing-the-fine-node-folks solution, > here are two more ways to avoid dropping node with the EOL of 8.x(LTS) > at the end of 2019. > > - Remove llhttp and keep only the "legacy" http-parser, or > > - Accept to bootstrap it -- I mean use intermediary self-compiling > steps, like ccl, golang, java, or haskell do. > The build-time dependencies are: node@11.x -> llhttp -> ts-node -> > typescript -> self (typescript), plus quite a few npm packages. > It seems that node@8.x or 9.x should be a native-input to later > versions, but I do not know enough of Guile / Guix packaging to do it > myself anytime soon. Hello, Went through the process of trying to update node myself, not having remembered this bug. Ran into the same issue. The bug was closed; I doubt we are going to convince the Node folks. Quite a few high-importance projects rely on Node at this point, and we are running an out of date Node which I suspect probably has quite a few insecurities. Our version of Node: v10.16.0 LTS Node: v12.13.0 Latest Node: v13.1.0 One way or another, we will probably need to update. Both Chromium and Icecat depend on Node at this point. I'm not sure if either of them use Node in any active way that an insecruity could manifest or if it's "just for packaging" but I think there's good reason to be nervous about being so out of date.