From: Antonin Godard <antonin.godard@bootlin.com>
To: docs@lists.yoctoproject.org
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Antonin Godard <antonin.godard@bootlin.com>,
Quentin Schulz <quentin.schulz@cherry.de>
Subject: [PATCH v2 7/8] docs-wide: add warning on disabled NPM fetcher
Date: Fri, 20 Mar 2026 11:46:25 +0100
Message-ID: <20260320-release-notes-6-0-v2-7-1bdb1eb142ae@bootlin.com>
In-Reply-To: <20260320-release-notes-6-0-v2-0-1bdb1eb142ae@bootlin.com>
The NPM fetcher was disabled with 355cd226e072 ("fetch2/npm/npmsw:
Disable npm and npmsw fetchers due to security concerns") in BitBake.
Add warning notes throughout the documentation to let readers know.
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
documentation/dev-manual/devtool.rst | 5 +++++
documentation/dev-manual/packages.rst | 10 +++++++++-
documentation/ref-manual/classes.rst | 5 +++++
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/documentation/dev-manual/devtool.rst b/documentation/dev-manual/devtool.rst
index c82dc9c33..08d4ffa9d 100644
--- a/documentation/dev-manual/devtool.rst
+++ b/documentation/dev-manual/devtool.rst
@@ -1111,6 +1111,11 @@ the following methods when you run ``devtool add``:
Adding Node.js Modules
----------------------
+.. warning::
+
+ The NPM fetcher is currently disabled due to security concerns. See
+ :bitbake_rev:`355cd226e072` for more information.
+
You can use the ``devtool add`` command two different ways to add
Node.js modules: through ``npm`` or from a repository or local source.
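Review bot: the warning added under "Adding Node.js Modules" names only "the NPM fetcher", while the commit subject quoted in the commit message says both the npm and npmsw fetchers were disabled. The unchanged paragraph right below still offers two methods ("through ``npm`` or from a repository or local source") without saying which of them is affected. Suggest naming both fetchers in the warning and stating which of the two ``devtool add`` methods no longer works.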
diff --git a/documentation/dev-manual/packages.rst b/documentation/dev-manual/packages.rst
index 4c94ffd48..b3c9408b0 100644
--- a/documentation/dev-manual/packages.rst
+++ b/documentation/dev-manual/packages.rst
@@ -18,7 +18,7 @@ This section describes a few tasks that involve packages:
- :ref:`Setting up and running package test
(ptest) <test-manual/ptest:testing packages with ptest>`
-- :ref:`dev-manual/packages:creating node package manager (npm) packages`
+- (**disabled**) :ref:`dev-manual/packages:creating node package manager (npm) packages`
- :ref:`dev-manual/packages:adding custom metadata to packages`
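Review bot: in the task list, the "(**disabled**)" marker sits in front of the ``:ref:`` while the neighbouring entries start with their link, and it does not say what is disabled. Suggest moving the qualifier after the link and making it self-explanatory, for example "(NPM fetcher currently disabled)", so the list stays uniform and the entry can be understood without following the link.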
@@ -914,6 +914,14 @@ Yocto Project Test Environment Manual.
Creating Node Package Manager (NPM) Packages
============================================
+.. warning::
+
+ The NPM fetcher is currently disabled due to security concerns. See
+ :bitbake_rev:`355cd226e072` for more information.
+
+ This section is left there if it is re-enabled in the future, but is
+ currently obsolete.
+
:wikipedia:`NPM <Npm_(software)>` is a package manager for the JavaScript
programming language. The Yocto Project supports the NPM
:ref:`fetcher <bitbake-user-manual/bitbake-user-manual-fetching:fetchers>`.
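Review bot: the second paragraph of the warning, "This section is left there if it is re-enabled in the future, but is currently obsolete.", is ambiguous about what "it" refers to (the section or the fetcher), and "left there" reads awkwardly. Suggest something like "This section is kept in case the fetcher is re-enabled in the future; its instructions do not currently apply." The unchanged sentence just below, "The Yocto Project supports the NPM fetcher", now contradicts the warning and would be worth rewording in the same patch.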
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index dc131be9f..053e5dd11 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -1891,6 +1891,11 @@ generation provided by :ref:`ref-classes-create-spdx`.
``npm``
=======
+.. warning::
+
+ The NPM fetcher is currently disabled due to security concerns. See
+ :bitbake_rev:`355cd226e072` for more information.
+
Provides support for building Node.js software fetched using the
:wikipedia:`node package manager (NPM) <Npm_(software)>`.
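Review bot: under the ``npm`` class heading the warning speaks only about the fetcher, so a reader of the class reference cannot tell what this means for recipes that inherit the class. Suggest adding a sentence on the status of the class itself. This is also the third verbatim copy of the same warning in the patch; defining it once and including it in each place would keep the wording and the ``:bitbake_rev:`` reference in sync if the fetcher status changes.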
--
2.53.0