
#1 2026-05-31 21:07:58

daniel_shub
Member
Registered: 2012-06-21
Posts: 99

PKGBUILD review

I would like to package https://github.com/kuznetz/cockpit-port-forward

# Maintainer: daniel.e.shub@gmail.com
pkgname=cockpit-port-forward
pkgver=1.0
pkgrel=1
pkgdesc="Provides a UI within the Cockpit web console for managing firewalld port forwarding rules"
arch=('any')
url="https://github.com/kuznetz/cockpit-port-forward"
license=('MIT')
depends=('cockpit')
makedepends=('nodejs' 'npm')
source=("https://github.com/kuznetz/${pkgname}/archive/refs/tags/v${pkgver}.zip")
sha256sums=('646bbd2d377b216e9bd129ffd074b9c7de40b9a527fa9a88c8661f44a5132da3')

build() {
  cd "${pkgname}-${pkgver}"
  export npm_config_cache="${srcdir}/npm-cache"
  npm ci
  npm run build
}

package() {
  mkdir -p "${pkgdir}"/usr/share/cockpit/
  cp -a "${srcdir}/${pkgname}-${pkgver}/port-forward" "${pkgdir}"/usr/share/cockpit/
}

It nominally builds fine for me and works great. I have never packaged before, so I want to confirm the export, ci, and build steps are reasonable.

My big concern is that during the build I get

76 packages are looking for funding
  run `npm fund` for details

19 vulnerabilities (1 low, 11 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

Are these real issues with the upstream code, or its dependencies, that should prevent me from packaging and using it until they are fixed, or can I "safely" ignore them?


#2 2026-06-01 10:31:36

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 15,048

Re: PKGBUILD review

Not using the user cache is a good idea, but an export is not needed for that.

See https://wiki.archlinux.org/title/Node.j … guidelines for tips how to improve the PKGBUILD.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky


#3 2026-06-01 11:43:24

Nikolai5
Member
From: North West, England, UK
Registered: 2024-01-27
Posts: 274

Re: PKGBUILD review

The NPM vulnerability warnings are an upstream issue rather than a PKGBUILD issue. They may originate from the application itself or any of its dependencies (or deps of deps), and are common when packaging Electron or Node.js applications.

This generally shouldn't prevent you from packaging or using the software, and it is not unusual for npm audit to report vulnerabilities even for actively maintained projects.

So I don't want to just say you can safely ignore them, but you can safely ignore them. NPM audit is very noisy, and the full dependency list can be in the thousands.


Ryzen 7 9850X3D | AMD 7800XT | KDE Plasma
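A way to turn that noisy audit output into a decision, as an added example that is not from the thread or the upstream project: run the audit twice (the full run that `npm ci` reports on, and `npm audit --omit=dev`, which covers only what the built plugin can ship), then separate findings that live purely in build-time tooling from those that reach /usr/share/cockpit. The JSON below is constructed in the npm 7+ `npm audit --json` layout; the package names and advisories are illustrative, not real findings in cockpit-port-forward, and treating `--omit=dev` as "what ships" is an approximation since a bundler decides what actually lands in the output.

```python
"""Triage two `npm audit --json` runs: full vs. --omit=dev."""
import json
from collections import Counter

SEVERITIES = ("critical", "high", "moderate", "low", "info")

# Constructed samples (npm >= 7 layout); not real output from this project.
FULL_AUDIT = """{"vulnerabilities": {
  "minimatch": {"severity": "high", "isDirect": false, "fixAvailable": true,
                "via": [{"title": "ReDoS in minimatch (constructed)"}], "effects": ["glob"]},
  "glob": {"severity": "high", "isDirect": false, "fixAvailable": true,
           "via": ["minimatch"], "effects": []},
  "semver": {"severity": "moderate", "isDirect": false, "fixAvailable": false,
             "via": [{"title": "ReDoS in semver (constructed)"}], "effects": []},
  "ws": {"severity": "low", "isDirect": true, "fixAvailable": true,
         "via": [{"title": "DoS via many headers (constructed)"}], "effects": []}
}}"""
# Same audit with devDependencies omitted: only the runtime-reachable finding remains.
PROD_AUDIT = """{"vulnerabilities": {
  "ws": {"severity": "low", "isDirect": true, "fixAvailable": true,
         "via": [{"title": "DoS via many headers (constructed)"}], "effects": []}
}}"""

def triage(full_json, prod_json):
    """Split findings into those present in the --omit=dev run (they can ship)
    and those that only exist in build tooling; count shipping ones by severity."""
    full = json.loads(full_json)["vulnerabilities"]
    prod = json.loads(prod_json)["vulnerabilities"]
    ships, build_only = {}, {}
    for name, v in full.items():
        # `via` holding only package names means this entry is just downstream of
        # another advisory; root advisories carry objects with a title.
        root = any(isinstance(x, dict) for x in v.get("via", []))
        entry = {"severity": v["severity"], "direct": bool(v.get("isDirect")),
                 "root": root, "fix": bool(v.get("fixAvailable"))}
        (ships if name in prod else build_only)[name] = entry
    return {"ships": ships, "build_only": build_only,
            "shipping_by_severity": Counter(e["severity"] for e in ships.values())}

def worst_shipping(report):
    """Highest severity among findings that actually ship, or None if none do."""
    for sev in SEVERITIES:
        if report["shipping_by_severity"][sev]:
            return sev
    return None

if __name__ == "__main__":
    r = triage(FULL_AUDIT, PROD_AUDIT)
    print("ships:", sorted(r["ships"]), "build-only:", sorted(r["build_only"]))
    print("worst shipping severity:", worst_shipping(r))
```

Only the root advisories in the "ships" set are worth chasing upstream; the build-only ones never leave the chroot.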


#4 2026-06-01 18:41:11

daniel_shub
Member
Registered: 2012-06-21
Posts: 99

Re: PKGBUILD review

Thanks. I think I am going to wait to see if there is a response from upstream. Seems like they got the package up and running, listed as an unofficial plugin for cockpit, and have walked away. While useful to me, it might not be something that anybody will ever use.


#5 2026-06-01 20:04:29

loqs
Member
Registered: 2014-03-06
Posts: 18,887

Re: PKGBUILD review

PKGBUILD (cockpit-port-forward) W: Non-unique source name (v1.0.zip). Use a unique filename.

You can rename the archive locally or have github rename it using:

source=("https://github.com/kuznetz/${pkgname}/archive/v${pkgver}/$pkgname-$pkgver.tar.gz")
cockpit-port-forward E: Uncommon license identifiers such as 'MIT' require license files below /usr/share/licenses/cockpit-port-forward/ or switching to common license identifiers. Found 0/1 required license files.

See PKGBUILD#license
