[7/8] docs-wide: add warning on disabled NPM fetcher

Message ID 20260302-release-notes-6-0-v1-7-9662dee58591@bootlin.com
State New
Series Update the documentation for 6.0 (Wrynose)

Commit Message

Antonin Godard March 2, 2026, 9:37 a.m. UTC
The NPM fetcher was disabled with 355cd226e072 ("fetch2/npm/npmsw:
Disable npm and npmsw fetchers due to security concerns") in BitBake.
Add warning notes throughout the documentation to let readers know.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/dev-manual/devtool.rst  |  5 +++++
 documentation/dev-manual/packages.rst | 10 +++++++++-
 documentation/ref-manual/classes.rst  |  5 +++++
 3 files changed, 19 insertions(+), 1 deletion(-)

Patch

diff --git a/documentation/dev-manual/devtool.rst b/documentation/dev-manual/devtool.rst
index c82dc9c33..08d4ffa9d 100644
--- a/documentation/dev-manual/devtool.rst
+++ b/documentation/dev-manual/devtool.rst
@@ -1111,6 +1111,11 @@  the following methods when you run ``devtool add``:
 Adding Node.js Modules
 ----------------------
 
+.. warning::
+
+   The NPM fetcher is currently disabled due to security concerns. See
+   :bitbake_rev:`355cd226e072` for more information.
+
 You can use the ``devtool add`` command two different ways to add
 Node.js modules: through ``npm`` or from a repository or local source.
 
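Review bot: the warning added under "Adding Node.js Modules" names only the NPM fetcher, while the subject of the referenced commit reads "Disable npm and npmsw fetchers". The paragraph that follows offers two methods (through ``npm``, or from a repository or local source), so the warning should say which fetchers are disabled, for example by naming both ``npm`` and ``npmsw``, and which of the two methods is affected. As written, a reader cannot tell whether the second method still applies.
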
diff --git a/documentation/dev-manual/packages.rst b/documentation/dev-manual/packages.rst
index 4c94ffd48..b3c9408b0 100644
--- a/documentation/dev-manual/packages.rst
+++ b/documentation/dev-manual/packages.rst
@@ -18,7 +18,7 @@  This section describes a few tasks that involve packages:
 -  :ref:`Setting up and running package test
    (ptest) <test-manual/ptest:testing packages with ptest>`
 
--  :ref:`dev-manual/packages:creating node package manager (npm) packages`
+-  (**disabled**) :ref:`dev-manual/packages:creating node package manager (npm) packages`
 
 -  :ref:`dev-manual/packages:adding custom metadata to packages`
 
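Review bot: the ``(**disabled**)`` marker on the npm entry sits before the ``:ref:``, so this bullet starts differently from its neighbours in the list. Putting the marker after the link keeps the list easy to scan. It also repeats state already carried by the warning in the section itself, which makes it one more place to update if the fetcher is re-enabled.
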
@@ -914,6 +914,14 @@  Yocto Project Test Environment Manual.
 Creating Node Package Manager (NPM) Packages
 ============================================
 
+.. warning::
+
+   The NPM fetcher is currently disabled due to security concerns. See
+   :bitbake_rev:`355cd226e072` for more information.
+
+   This section is left there if it is re-enabled in the future, but is
+   currently obsolete.
+
 :wikipedia:`NPM <Npm_(software)>` is a package manager for the JavaScript
 programming language. The Yocto Project supports the NPM
 :ref:`fetcher <bitbake-user-manual/bitbake-user-manual-fetching:fetchers>`.
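Review bot: in the second paragraph of the added warning, "This section is left there if it is re-enabled in the future" is hard to parse, because "it" reads as the section rather than the fetcher. Something like "This section is kept in case the fetcher is re-enabled in the future, but is currently obsolete." would be clearer. Also, the unchanged sentence right below the warning still says "The Yocto Project supports the NPM fetcher", which contradicts the warning above it; consider rewording that line in the same patch.
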
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index dc131be9f..053e5dd11 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -1891,6 +1891,11 @@  generation provided by :ref:`ref-classes-create-spdx`.
 ``npm``
 =======
 
+.. warning::
+
+   The NPM fetcher is currently disabled due to security concerns. See
+   :bitbake_rev:`355cd226e072` for more information.
+
 Provides support for building Node.js software fetched using the
 :wikipedia:`node package manager (NPM) <Npm_(software)>`.
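
Review bot: under the ``npm`` class heading the warning only talks about the fetcher, while this section documents the class ("Provides support for building Node.js software fetched using the node package manager"). Please add a sentence saying what the disabled fetcher means for recipes that inherit this class. Separately, the same three-line warning now appears in three files; a shared include or substitution would keep the wording and the ``:bitbake_rev:`` reference in sync.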