Building a package from AUR gives a series of warnings

I’ve built this package from AUR:

https://aur.archlinux.org/packages/touche/

It gives a series of warnings in the terminal. I haven’t installed it yet. Just wondered if it’s still OK.

npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.

added 550 packages, and audited 551 packages in 16s

51 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (6 moderate, 1 high)

To address all issues, run:
  npm audit fix

Particularly the following makes me wonder:

7 vulnerabilities (6 moderate, 1 high)

Should I be doing this:

To address all issues, run:
  npm audit fix

And what does this mean:

added 550 packages, and audited 551 packages in 16s

51 packages are looking for funding
  run `npm fund` for details
Full output of makepkg -s:
$ makepkg -s
==> Making package: touche 1.0.6-5 (Sat 04 Sep 2021 01:12:13 PM CEST)
==> Checking runtime dependencies...
==> Installing missing dependencies...
[sudo] password for pebcak:
resolving dependencies...
looking for conflicting packages...

Package (1)  New Version  Net Change  Download Size

extra/gjs    2:1.68.3-1     1.09 MiB       0.33 MiB

Total Download Size:   0.33 MiB
Total Installed Size:  1.09 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
 gjs-2:1.68.3-1-x86_64                 336.1 KiB  1339 KiB/s 00:00 [------------------------------------] 100%
(1/1) checking keys in keyring                                     [------------------------------------] 100%
(1/1) checking package integrity                                   [------------------------------------] 100%
(1/1) loading package files                                        [------------------------------------] 100%
(1/1) checking for file conflicts                                  [------------------------------------] 100%
(1/1) checking available disk space                                [------------------------------------] 100%
:: Processing package changes...
(1/1) installing gjs                                               [------------------------------------] 100%
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Refreshing PackageKit...
==> Checking buildtime dependencies...
==> Installing missing dependencies...
resolving dependencies...
looking for conflicting packages...

Package (8)            New Version  Net Change  Download Size

extra/c-ares           1.17.2-1       0.44 MiB       0.19 MiB
community/ninja        1.10.2-1       0.30 MiB       0.11 MiB
community/node-gyp     8.1.0-2        4.08 MiB       0.92 MiB
community/nodejs       16.8.0-1      30.78 MiB       8.78 MiB
community/nodejs-nopt  5.0.0-2        0.03 MiB       0.01 MiB
community/semver       7.3.5-2        0.11 MiB       0.04 MiB
extra/meson            0.59.1-1       7.30 MiB       1.24 MiB
community/npm          7.22.0-1       9.16 MiB       1.94 MiB

Total Download Size:   13.23 MiB
Total Installed Size:  52.20 MiB

:: Proceed with installation? [Y/n]
:: Retrieving packages...
 nodejs-nopt-5.0.0-2-any                13.1 KiB  86.7 KiB/s 00:00 [------------------------------------] 100%
 ninja-1.10.2-1-x86_64                 116.8 KiB   541 KiB/s 00:00 [------------------------------------] 100%
 semver-7.3.5-2-any                     36.7 KiB   583 KiB/s 00:00 [------------------------------------] 100%
 c-ares-1.17.2-1-x86_64                196.3 KiB   732 KiB/s 00:00 [------------------------------------] 100%
 meson-0.59.1-1-any                   1269.6 KiB  2.86 MiB/s 00:00 [------------------------------------] 100%
 node-gyp-8.1.0-2-any                  938.2 KiB  1687 KiB/s 00:01 [------------------------------------] 100%
 npm-7.22.0-1-any                     1986.8 KiB  2.41 MiB/s 00:01 [------------------------------------] 100%
 nodejs-16.8.0-1-x86_64                  8.8 MiB  4.48 MiB/s 00:02 [------------------------------------] 100%
 Total (8/8)                            13.2 MiB  6.64 MiB/s 00:02 [------------------------------------] 100%
(8/8) checking keys in keyring                                     [------------------------------------] 100%
(8/8) checking package integrity                                   [------------------------------------] 100%
(8/8) loading package files                                        [------------------------------------] 100%
(8/8) checking for file conflicts                                  [------------------------------------] 100%
(8/8) checking available disk space                                [------------------------------------] 100%
:: Processing package changes...
(1/8) installing ninja                                             [------------------------------------] 100%
(2/8) installing meson                                             [------------------------------------] 100%
(3/8) installing c-ares                                            [------------------------------------] 100%
(4/8) installing nodejs                                            [------------------------------------] 100%
Optional dependencies for nodejs
    npm: nodejs package manager [pending]
(5/8) installing nodejs-nopt                                       [------------------------------------] 100%
(6/8) installing semver                                            [------------------------------------] 100%
(7/8) installing node-gyp                                          [------------------------------------] 100%
(8/8) installing npm                                               [------------------------------------] 100%
:: Running post-transaction hooks...
(1/2) Arming ConditionNeedsUpdate...
(2/2) Refreshing PackageKit...
==> Retrieving sources...
  -> Downloading touche-1.0.6.tar.gz...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   126  100   126    0     0    540      0 --:--:-- --:--:-- --:--:--   543
100  373k    0  373k    0     0   502k      0 --:--:-- --:--:-- --:--:--  913k
==> Validating source files with sha256sums...
    touche-1.0.6.tar.gz ... Passed
==> Extracting sources...
  -> Extracting touche-1.0.6.tar.gz with bsdtar
==> Starting build()...
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.

added 550 packages, and audited 551 packages in 16s

51 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (6 moderate, 1 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
+ exec meson setup --prefix /usr --libexecdir lib --sbindir bin --buildtype plain --auto-features enabled --wrap-mode nodownload -D b_lto=true -D b_pie=true . build -Dtarget-de=gnome
The Meson build system
Version: 0.59.1
Source dir: /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6
Build dir: /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build
Build type: native build
Project name: com.github.joseexposito.touche
Project version: 1.0.6
Host machine cpu family: x86_64
Host machine cpu: x86_64
Program gjs found: YES (/usr/bin/gjs)
Program npm found: YES (/usr/bin/npm)
Program node found: YES (/usr/bin/node)
Program g-ir-scanner found: YES (/usr/bin/g-ir-scanner)
Program desktop-file-validate found: YES (/usr/bin/desktop-file-validate)
Program appstream-util found: YES (/usr/bin/appstream-util)
Program glib-compile-schemas found: YES (/usr/bin/glib-compile-schemas)
Program xgettext found: YES (/usr/bin/xgettext)

Executing subproject libtouche

libtouche| Project name: libtouche
libtouche| Project version: 1.0.0
libtouche| C++ compiler for the host machine: c++ (gcc 11.1.0 "c++ (GCC) 11.1.0")
libtouche| C++ linker for the host machine: c++ ld.bfd 2.36.1
libtouche| Found pkg-config: /usr/bin/pkg-config (1.7.3)
libtouche| Run-time dependency glib-2.0 found: YES 2.68.4
libtouche| Run-time dependency gobject-2.0 found: YES 2.68.4
libtouche| Run-time dependency x11 found: YES 1.7.2
libtouche| Run-time dependency gobject-introspection-1.0 found: YES 1.68.0
libtouche| Dependency gobject-introspection-1.0 found: YES 1.68.0 (cached)
libtouche| Program g-ir-scanner found: YES (/usr/bin/g-ir-scanner)
libtouche| Dependency gobject-introspection-1.0 found: YES 1.68.0 (cached)
libtouche| Program g-ir-compiler found: YES (/usr/bin/g-ir-compiler)
libtouche| Build targets in project: 3
libtouche| Subproject libtouche finished.

Configuring desktop.in using configuration
Configuring app.appdata.xml.in using configuration
WARNING: Project targeting '>= 0.49.0' but tried to use feature introduced in '0.50.0': install arg in configure_file.
Configuring com.github.joseexposito.touche.gschema.xml using configuration
Configuring data.gresource.xml using configuration
Found pkg-config: /usr/bin/pkg-config (1.7.3)
Program glib-compile-resources found: YES (/usr/bin/glib-compile-resources)
Message: Building the application entry point: bin/com.github.joseexposito.touche
Configuring com.github.joseexposito.touche using configuration
Message: Building the application JavaScript bundle with Webpack...
Configuring src.gresource.xml using configuration
Program glib-compile-resources found: YES (/usr/bin/glib-compile-resources)
Program bundle/scripts/postinstall.py found: YES (/home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/bundle/scripts/postinstall.py)
Build targets in project: 11
WARNING: Project specifies a minimum meson_version '>= 0.49.0' but uses features which were added in newer versions:
 * 0.50.0: {'install arg in configure_file'}

com.github.joseexposito.touche 1.0.6

  Subprojects
    libtouche: YES

Found ninja-1.10.2 at /usr/bin/ninja
ninja: Entering directory `build'
[6/9] Generating Touche-1.0.0.gir with a custom command
g-ir-scanner: link: gcc -pthread -o /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/tmp-introspectguud_u80/Touche-1.0.0 -march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=2 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/tmp-introspectguud_u80/Touche-1.0.0.o -L. -Wl,-rpath,. -Wl,--no-as-needed -L/home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/subprojects/libtouche -Wl,-rpath,/home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/subprojects/libtouche -ltouche -lglib-2.0 -lgobject-2.0 -lX11 -lgirepository-1.0 -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -lglib-2.0 -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now
[8/9] Generating build-application-bundle with a custom command
Browserslist: caniuse-lite is outdated. Please run:
npx browserslist@latest --update-db

Why you should do it regularly:
https://github.com/browserslist/browserslist#browsers-data-updating
[9/9] Generating com.github.joseexposito.touche.src_gresource with a custom command
==> Starting check()...
ninja: Entering directory `/home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build'
ninja: no work to do.
1/3 Validate desktop file          OK              0.02s
2/3 Validate schema file           OK              0.00s
3/3 Validate appstream file        OK              0.85s


Ok:                 3
Expected Fail:      0
Fail:               0
Unexpected Pass:    0
Skipped:            0
Timeout:            0

Full log written to /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/meson-logs/testlog.txt
==> Entering fakeroot environment...
==> Starting package()...
ninja: Entering directory `/home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build'
[1/2] Generating build-application-bundle with a custom command
Installing subprojects/libtouche/libtouche.so to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/lib
Installing subprojects/libtouche/Touche-1.0.0.gir to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/gir-1.0
Installing subprojects/libtouche/Touche-1.0.0.typelib to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/lib/girepository-1.0
Installing data/com.github.joseexposito.touche.desktop to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/applications
Installing data/com.github.joseexposito.touche.appdata.xml to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/appdata
Installing data/com.github.joseexposito.touche.data.gresource to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/com.github.joseexposito.touche
Installing bundle/com.github.joseexposito.touche.src.gresource to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/com.github.joseexposito.touche
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/subprojects/libtouche/touche.h to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/include
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/data/com.github.joseexposito.touche.gschema.xml to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/glib-2.0/schemas
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/16/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/16x16/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/16/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/16x16@2/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/24/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/24x24/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/24/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/24x24@2/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/32/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/32x32/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/32/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/32x32@2/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/48/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/48x48/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/48/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/48x48@2/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/64/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/64x64/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/64/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/64x64@2/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/128/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/128x128/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/data/icons/128/app.svg to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/share/icons/hicolor/128x128@2/apps
Installing /home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/build/bundle/com.github.joseexposito.touche to /home/pebcak/Downloads/tmp/touche/pkg/touche/usr/bin
Running custom install script '/usr/bin/meson --internal gettext install --subdir=po --localedir=share/locale --pkgname=com.github.joseexposito.touche'
Running custom install script '/home/pebcak/Downloads/tmp/touche/src/touche-1.0.6/bundle/scripts/postinstall.py'
==> Tidying install...
  -> Removing libtool files...
  -> Purging unwanted files...
  -> Removing static library files...
  -> Stripping unneeded symbols from binaries and libraries...
  -> Compressing man and info pages...
==> Checking for packaging issues...
==> Creating package "touche"...
  -> Generating .PKGINFO file...
  -> Generating .BUILDINFO file...
  -> Generating .MTREE file...
  -> Compressing package...
==> Leaving fakeroot environment.
==> Finished making: touche 1.0.6-5 (Sat 04 Sep 2021 01:13:05 PM CEST)

Short answer, yes. With Node and NPM it’s incredibly rare to get a clean compilation without security issue warnings.

Possibly, though NPM isn’t one of the most robust tools. You can add the line into the prepare() function, just before npm install. However, you might need to also pass the legacy deps flag if it can’t resolve something. Don’t use --force as it will probably end up breaking the application.

1 Like
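To see what a count like "7 vulnerabilities (6 moderate, 1 high)" actually means for a package like this, it helps to join the audit report with the lockfile: npm audit counts devDependencies (webpack, babel, eslint and friends) that only run on the build host and never end up in the shipped bundle, and it marks separately which findings a plain `npm audit fix` can resolve and which would need `--force` (a semver-major bump that can break the application). The script below is an added example, not code from the original post or from the touche project. It assumes the npm 7 report format (`npm audit --json`, auditReportVersion 2) and a lockfileVersion 2 package-lock.json; the package names, advisories and lockfile entries embedded in it are constructed, hypothetical samples.

```python
"""Triage an `npm audit --json` report against the package-lock.json it was run on.

Added example; the report and lockfile are constructed samples in npm 7 formats
(auditReportVersion 2, lockfileVersion 2). All package names are hypothetical.
"""
import json

# Constructed sample of `npm audit --json` (npm 7). `fixAvailable` is either a
# boolean or an object; `isSemVerMajor: true` means the fix needs --force.
AUDIT_JSON = r'''{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "build-helper": {"name": "build-helper", "severity": "high", "isDirect": false,
      "via": [{"source": 1, "name": "build-helper", "title": "ReDoS in pattern matching",
               "url": "https://example.invalid/advisory/1", "severity": "high", "range": "<2.0.0"}],
      "effects": [], "range": "<2.0.0", "nodes": ["node_modules/build-helper"], "fixAvailable": true},
    "runtime-parser": {"name": "runtime-parser", "severity": "moderate", "isDirect": true,
      "via": [{"source": 2, "name": "runtime-parser", "title": "Prototype pollution",
               "url": "https://example.invalid/advisory/2", "severity": "moderate", "range": "<3.0.0"}],
      "effects": [], "range": "<3.0.0", "nodes": ["node_modules/runtime-parser"],
      "fixAvailable": {"name": "runtime-parser", "version": "3.0.0", "isSemVerMajor": true}},
    "old-util": {"name": "old-util", "severity": "moderate", "isDirect": false,
      "via": [{"source": 3, "name": "old-util", "title": "Path traversal",
               "url": "https://example.invalid/advisory/3", "severity": "moderate", "range": "<1.2.0"}],
      "effects": [], "range": "<1.2.0", "nodes": ["node_modules/old-util"], "fixAvailable": false}
  },
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 2, "high": 1, "critical": 0, "total": 3},
    "dependencies": {"prod": 12, "dev": 540, "optional": 0, "peer": 0, "peerOptional": 0, "total": 551}
  }
}'''

# Constructed sample package-lock.json (lockfileVersion 2). Entries with
# "dev": true are only installed for devDependencies.
LOCK_JSON = r'''{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 2, "requires": true,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"runtime-parser": "^2.1.0"},
         "devDependencies": {"build-helper": "^1.4.0"}},
    "node_modules/build-helper": {"version": "1.4.2", "dev": true,
                                  "dependencies": {"old-util": "^1.1.0"}},
    "node_modules/old-util": {"version": "1.1.5", "dev": true},
    "node_modules/runtime-parser": {"version": "2.1.0"}
  }
}'''

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def classify_fix(fix):
    """Map npm's `fixAvailable` field to what it takes to apply the fix."""
    if fix is True:
        return "audit-fix"            # plain `npm audit fix` is enough
    if isinstance(fix, dict):
        # An object means the fix goes through a top-level dependency change;
        # isSemVerMajor marks the ones that need `npm audit fix --force`.
        return "force-major" if fix.get("isSemVerMajor") else "audit-fix"
    return "none"                     # fixAvailable: false


def triage(audit_text=AUDIT_JSON, lock_text=LOCK_JSON):
    """Return one row per vulnerable package, worst severity first."""
    audit = json.loads(audit_text)
    lock = json.loads(lock_text)
    # node_modules path -> True if the lockfile marks the package dev-only
    dev_flags = {p: bool(m.get("dev")) for p, m in lock["packages"].items() if p}
    rows = []
    for name, vuln in audit["vulnerabilities"].items():
        nodes = vuln.get("nodes") or []
        rows.append({
            "name": name,
            "severity": vuln["severity"],
            # dev-only only if every installed copy is a dev dependency
            "dev_only": bool(nodes) and all(dev_flags.get(n, False) for n in nodes),
            "fix": classify_fix(vuln.get("fixAvailable")),
            "titles": [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)],
        })
    return sorted(rows, key=lambda r: (-SEVERITY_RANK[r["severity"]], r["name"]))


def shipped(rows):
    """Findings in packages that are not dev-only, i.e. can reach the runtime bundle."""
    return [r for r in rows if not r["dev_only"]]


def worst_shipped_severity(rows):
    s = shipped(rows)
    return max((r["severity"] for r in s), key=SEVERITY_RANK.get) if s else None


def report(rows):
    lines = []
    for r in rows:
        scope = "dev-only (build host)" if r["dev_only"] else "SHIPPED"
        lines.append(f"{r['severity']:<8} {r['name']:<16} {scope:<22} fix={r['fix']:<11} "
                     + "; ".join(r["titles"]))
    return "\n".join(lines)


if __name__ == "__main__":
    rows = triage()
    print(report(rows))
    print("worst severity in shipped dependencies:", worst_shipped_severity(rows))
```

On the sample data the one "high" finding is in a dev-only build tool, and the only finding in a shipped dependency is moderate and would need `--force` to fix, which is exactly the case where the reply above says not to force it. Two caveats: a dev-only finding is not harmless for the build host itself (devDependencies execute during `npm install` and webpack runs them), and "shipped" here means "installed as a production dependency", which is an upper bound on what webpack actually bundles. `npm audit --omit=dev` restricts the report to production dependencies directly.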

Thanks for the reply!

Like this?

build() {
	export npm_config_cache="$srcdir/npm_cache"

	cd "$pkgname-$pkgver"
	
prepare( ) {
        npm audit fix
}

        npm install

	if [[ "$XDG_CURRENT_DESKTOP" == "Pantheon" ]]; then
		arch-meson . build -Dtarget-de=elementary
	else
		arch-meson . build -Dtarget-de=gnome
	fi

	meson compile -C build
}

Where should I add this?

This is going to break, get rid of the extra }.

It’s a flag e.g. npm audit fix --legacy-resolver (I can’t remember the exact text, and it doesn’t appear in npm audit --help)

1 Like

In the meantime, I ran it again with the changes I made above. It ran through the process and built the package but produced the same output as before.

I had a look as well but didn’t see anything.
I am going to try without the extra }

makepkg -s won’t run if I remove that extra }:

makepkg -s
/home/pebcak/Downloads/tmp/touche.2/PKGBUILD: line 21: syntax error near unexpected token `npm'
/home/pebcak/Downloads/tmp/touche.2/PKGBUILD: line 21: `        npm audit fix --legacy-resolver'
==> ERROR: Failed to source /home/pebcak/Downloads/tmp/touche.2/PKGBUILD

Looks like makepkg -s only goes through and builds the package with both of the curly brackets. I removed each of them in turn and got an error message like the one above. With the following added

prepare( ) {
        npm audit fix --legacy-resolver
}

it will build but with the same output as my op.

Try this in the build() function rather than introducing a new prepare():

build() {
	export npm_config_cache="$srcdir/npm_cache"

	cd "$pkgname-$pkgver"
	npm audit fix
	npm install

	if [[ "$XDG_CURRENT_DESKTOP" == "Pantheon" ]]; then
		arch-meson . build -Dtarget-de=elementary
	else
		arch-meson . build -Dtarget-de=gnome
	fi

	meson compile -C build
}

1 Like

Thanks @jonathon for the help!
I’ll try that a bit later since I am away from that machine now. I’ll get back with the result.

1 Like

Unfortunately it didn’t work. I got:

=> ERROR: A failure occurred in build().
    Aborting...

But interesting thing, this time I get

3 moderate severity vulnerabilities

instead of

7 vulnerabilities (6 moderate, 1 high)

which I had initially.

You said that the resulting package that I first built is OK to install. And since you also said

so perhaps I should install that, not really wanting to take more of your time on this.