The client-side Javascript to me is not a
relevant issue anymore since JS is an open standard and browsers are
sandboxed these days.
There is an issue:a) if the JavaScript is distributed as minified blobs and we can'trebuild it easily from source,b) if a large application makes heavy use of things like the NPMrepository for its build process
Accepted. I always assume that software like Discourse is compliant with FOSS licenses, where minified JS code is not “the corresponding source code”. That is usually a choice, though - most packages have a minified and a non-minified source URL. Developers tend to ship with links to the minified version because that is the norm and loads faster.
For a Debian packager, this is understandably a problem. We will probably run Discourse out of a container shipped by the project, not a package, so does that still apply to us?