npm - Debian Package Tracker

general

source: npm (main)
version: 11.16.0+ds2-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Jérémy Lal [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.5.2+ds-2
oldstable: 9.2.0~ds1-1
stable: 9.2.0~ds1-3
testing: 11.16.0+ds2-1
unstable: 11.16.0+ds2-1

versioned links

7.5.2+ds-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.0~ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
9.2.0~ds1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.16.0+ds2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

npm (9 bugs: 0, 7, 2, 0)

action needed

A new upstream version is available: 12.0.0-pre.0.0 high

A new upstream version 12.0.0-pre.0.0 is available, you should consider packaging it.

Created: 2026-06-02 Last update: 2026-06-10 22:32

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2026-9496: Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Created: 2026-06-05 Last update: 2026-06-10 22:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-9496: Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Created: 2026-06-05 Last update: 2026-06-10 22:00

14 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit f151f406819f3e946b1ecc96345bfb971979a87a
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 23:16:59 2026 +0200

    Readd +ds1 suffix

commit b1b647a4c409bacf92b601dd5d0235f6a04c39fd
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 17:01:44 2026 +0200

    New upstream version

commit b16d0b8ebfc0f31976a015b3a5770bbcf2a38ab6
Merge: 7e60f3c fa644fd
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:43:07 2026 +0200

    Update upstream source from tag 'upstream/11.16.0+ds2'
    
    Update to upstream version '11.16.0+ds2'
    with Debian dir 5eab9ae7be87b6a5648e5d74b1cb01b7b13f4a6f

commit fa644fd1dee2387f5ff6e4c5d35bea85f13abaf4
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:42:56 2026 +0200

    New upstream version 11.16.0+ds2

commit 7e60f3cb0206441d51f4a21ca895ff72a0894e72
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:41:31 2026 +0200

    Add path-scurry

commit 3b0cd069f49d35d668a18a74b3be46b9c6d067ff
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:34:45 2026 +0200

    Add changelog

commit cf03b23162a936862b04bbc8efa1f53230b10c83
Merge: 985b9ef c9f72a5
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:38:23 2026 +0200

    Update upstream source from tag 'upstream/11.16.0+ds1'
    
    Update to upstream version '11.16.0+ds1'
    with Debian dir 91f8eedb07c4a7bdf88c64e4daea361d32dbe6e1

commit c9f72a5cf80c1d69e3779fc0a2e4e21d89905a12
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:38:11 2026 +0200

    New upstream version 11.16.0+ds1

commit 985b9ef27ebc4a8e7b0170c7ae9f1fda6d1b8130
Author: Bastien Roucariès <rouca@debian.org>
Date:   Mon Jun 1 16:26:27 2026 +0200

    use +ds in order to have ~pre before

commit bab7d8b40f2201a31b23426b9679681a9a3586ae
Author: Bastien Roucariès <rouca@debian.org>
Date:   Fri May 8 11:24:07 2026 +0200

    Remove walk-up-path packaged elsewhere

commit a064ec82a9c2bdfc8d34f7f19eb62a36508f02f5
Author: Xavier Guimard <yadd@debian.org>
Date:   Sat May 23 08:03:35 2026 +0200

    Update d/ch

commit 09f323386d4732d33d83d629c6bc79dee03060c7
Merge: 7c9436a 117b0b9
Author: Xavier Guimard <yadd@debian.org>
Date:   Sat May 23 08:02:44 2026 +0200

    Update upstream source from tag 'upstream/11.15.0_ds1'
    
    Update to upstream version '11.15.0~ds1'
    with Debian dir 32322777ee3d4532f83f482d7ac47843136b62a3

commit 117b0b923e22ac95b5e043afa84aeae7778f97c9
Author: Xavier Guimard <yadd@debian.org>
Date:   Sat May 23 08:02:22 2026 +0200

    New upstream version 11.15.0~ds1

commit 7c9436aad938fdcf6d30322dd8c3b7ddc3eff8ed
Author: Xavier Guimard <yadd@debian.org>
Date:   Sat May 23 08:01:57 2026 +0200

    Update d/watch

Created: 2026-05-23 Last update: 2026-06-07 09:32

lintian reports 99 warnings normal

Lintian reports 99 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-02 Last update: 2026-06-02 12:00

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-9496: (needs triaging) Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-05 Last update: 2026-06-10 22:00

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2026-9496: (needs triaging) Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-05 Last update: 2026-06-10 22:00

news

[rss feed]

[2026-06-07] npm 11.16.0+ds2-1 MIGRATED to testing (Debian testing watch)
[2026-06-01] Accepted npm 11.16.0+ds2-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-05-23] npm 11.13.0~ds1-1 MIGRATED to testing (Debian testing watch)
[2026-05-04] Accepted npm 11.13.0~ds1-1 (source) into unstable (Xavier Guimard)
[2026-04-20] npm 11.12.1~ds1-4 MIGRATED to testing (Debian testing watch)
[2026-04-12] Accepted npm 11.12.1~ds1-4 (source) into unstable (Xavier Guimard)
[2026-04-08] Accepted npm 11.12.1~ds1-3 (source) into unstable (Xavier Guimard)
[2026-04-07] Accepted npm 11.12.1~ds1-2 (source) into unstable (Xavier Guimard)
[2026-03-30] Accepted npm 11.12.1~ds1-1 (source) into experimental (Xavier Guimard)
[2026-03-04] npm 9.2.0~ds3-1 MIGRATED to testing (Debian testing watch)
[2026-03-01] Accepted npm 9.2.0~ds3-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2026-01-01] npm 9.2.0~ds2-2 MIGRATED to testing (Debian testing watch)
[2025-12-28] Accepted npm 9.2.0~ds2-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-28] npm 9.2.0~ds2-1 MIGRATED to testing (Debian testing watch)
[2025-12-25] Accepted npm 9.2.0~ds2-1 (source) into unstable (Jérémy Lal)
[2025-12-01] npm 9.2.0~ds1-4 MIGRATED to testing (Debian testing watch)
[2025-11-23] Accepted npm 9.2.0~ds1-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
[2024-05-29] npm 9.2.0~ds1-3 MIGRATED to testing (Debian testing watch)
[2024-05-27] Accepted npm 9.2.0~ds1-3 (source) into unstable (Jérémy Lal)
[2023-11-25] npm 9.2.0~ds1-2 MIGRATED to testing (Debian testing watch)
[2023-11-23] Accepted npm 9.2.0~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-14] npm 9.2.0~ds1-1 MIGRATED to testing (Debian testing watch)
[2022-12-11] Accepted npm 9.2.0~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-08] npm 9.1.3~ds1-1 MIGRATED to testing (Debian testing watch)
[2022-12-02] Accepted npm 9.1.3~ds1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-01] npm 9.1.2~ds1-3 MIGRATED to testing (Debian testing watch)
[2022-11-29] Accepted npm 9.1.2~ds1-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-11-21] npm 9.1.2~ds1-2 MIGRATED to testing (Debian testing watch)
[2022-11-18] Accepted npm 9.1.2~ds1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 12
RC: 0
I&N: 10
M&W: 2
F&P: 0
patch: 0

links

homepage
lintian (0, 99)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 9.2.0~ds3-1