From c91075cee3e51a71562abdc17e7d1c9af5ab310c Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Fri, 20 Oct 2023 10:41:23 +0000
Subject: [PATCH] import CS nodejs-nodemon-2.0.20-2.module_el8+585+aa8457d8
---
.gitignore | 2 +-
.nodejs-nodemon.metadata | 2 +-
...-Resolve-ReDoS-vulnerability-from-CV.patch | 63 +++++++++++++++++++
SPECS/nodejs-nodemon.spec | 54 +++++++++++-----
4 files changed, 102 insertions(+), 19 deletions(-)
create mode 100644 SOURCES/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
diff --git a/.gitignore b/.gitignore
index 0e81494..5023da7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nodemon-v2.0.3-bundled.tar.gz
+SOURCES/nodemon-v2.0.20-bundled.tar.gz
diff --git a/.nodejs-nodemon.metadata b/.nodejs-nodemon.metadata
index 714f000..9abb697 100644
--- a/.nodejs-nodemon.metadata
+++ b/.nodejs-nodemon.metadata
@@ -1 +1 @@
-a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz
+1be1ce910230ecac54d90ff85e3fcf1f3fe87e4d SOURCES/nodemon-v2.0.20-bundled.tar.gz
diff --git a/SOURCES/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch b/SOURCES/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
new file mode 100644
index 0000000..c838a4f
--- /dev/null
+++ b/SOURCES/0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
@@ -0,0 +1,63 @@
+From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
+From: Takayuki Sato
+Date: Tue, 20 Jul 2021 14:46:33 +0900
+Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
+ CVE-2021-35065 (#49)
+
+Signed-off-by: rpm-build
+---
+ node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
+ 1 file changed, 25 insertions(+), 2 deletions(-)
+
+diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
+index 09e257e..b182190 100644
+--- a/node_modules/glob-parent/index.js
++++ b/node_modules/glob-parent/index.js
+@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
+
+ var slash = '/';
+ var backslash = /\\/g;
+-var enclosure = /[\{\[].*[\}\]]$/;
+ var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
+ var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
+
+@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
+ }
+
+ // special case for strings ending in enclosure containing path separator
+- if (enclosure.test(str)) {
++ if (isEnclosure(str)) {
+ str += slash;
+ }
+
+@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
+ // remove escape chars and return result
+ return str.replace(escaped, '$1');
+ };
++
++
++function isEnclosure(str) {
++ var lastChar = str.slice(-1)
++
++ var enclosureStart;
++ switch (lastChar) {
++ case '}':
++ enclosureStart = '{';
++ break;
++ case ']':
++ enclosureStart = '[';
++ break;
++ default:
++ return false;
++ }
++
++ var foundIndex = str.indexOf(enclosureStart);
++ if (foundIndex < 0) {
++ return false;
++ }
++
++ return str.slice(foundIndex + 1, -1).includes(slash);
++}
+--
+2.39.2
+
diff --git a/SPECS/nodejs-nodemon.spec b/SPECS/nodejs-nodemon.spec
index 9db4d6d..2cdfe1e 100644
--- a/SPECS/nodejs-nodemon.spec
+++ b/SPECS/nodejs-nodemon.spec
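Review bot: The backport replaces only `enclosure`; the `globby` pattern kept as context in the first inner hunk still ends in `\([^\)]+$`, which looks like it can backtrack quadratically on long non-matching input, so it is worth confirming against upstream glob-parent whether that pattern was reworked separately before treating the ReDoS exposure as fully closed. In `isEnclosure`, `str.indexOf(enclosureStart)` takes the first opener of the matching kind, and unlike the removed regex the function now requires both a same-kind opener and a `/` inside the enclosure; that behaviour change deserves a comment above the function, e.g. `// Linear-time replacement for the enclosure regex: true only when str ends in } or ] and a '/' follows the first matching opener.` `var lastChar = str.slice(-1)` also lacks the terminating semicolon used on every other statement in the file. The body of globParent lies mostly outside the inner hunks, so how often `globby` is evaluated per call cannot be seen here.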
@@ -5,13 +5,15 @@ %global enable_tests 0 Name: nodejs-%{npm_name} -Version: 2.0.3 -Release: 1%{?dist} +Version: 2.0.20 +Release: 2%{?dist} Summary: Simple monitor script for use during development of a node.js app License: MIT -URL: https://github.com/remy/nodemon +URL: https://www.npmjs.com/package/nodemon Source0: %{npm_name}-v%{version}-bundled.tar.gz +Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch + BuildRequires: nodejs-devel BuildRequires: nodejs-packaging BuildRequires: npm @@ -36,18 +38,18 @@ Simple monitor script for use during development of a node.js app. For use during development of a node.js based application. -nodemon will watch the files in the directory in which nodemon -was started, and if any files change, nodemon will automatically +nodemon will watch the files in the directory in which nodemon +was started, and if any files change, nodemon will automatically restart your node application. -nodemon does not require any changes to your code or method of -development. nodemon simply wraps your node application and keeps -an eye on any files that have changed. Remember that nodemon is a -replacement wrapper for node, think of it as replacing the word "node" +nodemon does not require any changes to your code or method of +development. nodemon simply wraps your node application and keeps +an eye on any files that have changed. Remember that nodemon is a +replacement wrapper for node, think of it as replacing the word "node" on the command line when you run your script. %prep -%setup -q -n %{npm_name}-%{version} +%autosetup -p1 -n package %build 
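Review bot: `Patch1` rewrites only `node_modules/glob-parent/index.js` inside the bundled tree, so the bundled dependency's own `package.json` presumably still reports the pre-fix version, and version-keyed scanners will likely keep flagging CVE-2021-35065 on installed systems. A provenance comment directly above the `Patch1:` line would make the deviation auditable, for example `# Backport of the upstream glob-parent fix for CVE-2021-35065; the bundled glob-parent version string is unchanged`. If the spec carries `Provides: bundled(...)` entries for the vendored modules (not visible in this hunk), the glob-parent entry is the natural place to record that it is patched.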
@@ -56,14 +58,11 @@ on the command line when you run your script. %install mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name} -cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name} +cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name} mkdir -p %{buildroot}%{_bindir} ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon - -#%%nodejs_symlink_deps - %if 0%{?enable_tests} %check %nodejs_symlink_deps --check @@ -71,14 +70,35 @@ npm run test %endif %files -%doc CODE_OF_CONDUCT.md doc faq.md README.md +%doc doc README.md %{nodejs_sitelib}/%{npm_name} %{_bindir}/nodemon %changelog +* Mon Mar 20 2023 Zuzana Svetlikova - 2.0.20-2 +- Patch bundled glob-parent +- Resolves: CVE-2021-35065 + +* Wed Nov 09 2022 Jan Staněk - 2.0.20-1 +- Rebase to 2.0.20 + Resolves: CVE-2022-3517 + +* Tue Jul 19 2022 Jan Staněk - 2.0.19-1 +- Rebase to 2.0.19 + Resolves: CVE-2022-33987 + +* Tue Nov 30 2021 Zuzana Svetlikova - 2.0.15-1 +- Resolves: RHBZ#2005419 +- Resolves CVE-2020-28469 +- Rebase to newest version +- Change source to npmjs.com + +* Tue May 11 2021 Zuzana Svetlikova - 2.0.7-1 +- Resolves: RHBZ#1953991 +- Update to 2.0.7 to resolve CVE-2020-28469 + * Wed May 06 2020 Zuzana Svetlikova - 2.0.3-1 -- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247 -- Rebase to 2.0.3 +- Updated * Mon Aug 13 2018 Zuzana Svetlikova - 1.18.3-1 - Resolves: #1615413
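Review bot: Nothing in the build exercises the patched glob-parent, because `%check` stays wrapped in `%if 0%{?enable_tests}` and the spec sets `enable_tests` to 0 near the top of the file. An unconditional smoke assertion in `%check` would catch a patch that applies cleanly but breaks the module, for example `node -e 'require("assert").strictEqual(require("./node_modules/glob-parent")("path/{foo,bar/baz}"), "path")'`. The expected value follows from the patched code visible in the added patch file (an enclosure containing a separator is stripped back to its parent); adjust it if the bundled module differs from what the patch context shows.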