Le 28/01/2019 à 18:45, Jonas Smedegaard a écrit : > Source: popper.js > Version: 1.14.6+ds-1 > Severity: serious > Justification: Policy 2.1 > > Source package contains several files (seemingly all of them) below > <dist/> which does not exist in upstream version tracking and therefore > are not in the form preferred upstream, and more importantly may include > other code than the actual source below <packages/>. > > - Jonas
Upstream author does provide dist/* files in release commits (example: https://github.com/FezVrasta/popper.js/commit/b1144cdbcb5b5ab20d281a6083ecdce475a54af1) and remove them from master at next commit. This generated files are readable javascript files, unminified and well commented (a sort of webpack of packages/* files). To reproduce build, many dependencies are needed. So the choices are: - doing nothing, twitter-bootstrap4 will be removed from buster with all its reverse dependencies - package many new modules (I've no time to do this) - decrease this severity issue NB: upstream build can be reproduce only using yarnpkg, failed with npm: $ yarnpkg install $ yarnpkg build Cheers, Xavier
