Compare commits

...

1 Commits

Author SHA1 Message Date
eabdullin
c91075cee3 import CS nodejs-nodemon-2.0.20-2.module_el8+585+aa8457d8 2023-10-20 10:41:23 +00:00
4 changed files with 102 additions and 19 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/nodemon-v2.0.3-bundled.tar.gz
SOURCES/nodemon-v2.0.20-bundled.tar.gz

View File

@ -1 +1 @@
a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz
1be1ce910230ecac54d90ff85e3fcf1f3fe87e4d SOURCES/nodemon-v2.0.20-bundled.tar.gz

View File

@ -0,0 +1,63 @@
From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

View File

@ -5,13 +5,15 @@
%global enable_tests 0
Name: nodejs-%{npm_name}
Version: 2.0.3
Release: 1%{?dist}
Version: 2.0.20
Release: 2%{?dist}
Summary: Simple monitor script for use during development of a node.js app
License: MIT
URL: https://github.com/remy/nodemon
URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging
BuildRequires: npm
@ -36,18 +38,18 @@ Simple monitor script for use during development of a node.js app.
For use during development of a node.js based application.
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
restart your node application.
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script.
%prep
%setup -q -n %{npm_name}-%{version}
%autosetup -p1 -n package
%build
@ -56,14 +58,11 @@ on the command line when you run your script.
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir}
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
#%%nodejs_symlink_deps
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
@ -71,14 +70,35 @@ npm run test
%endif
%files
%doc CODE_OF_CONDUCT.md doc faq.md README.md
%doc doc README.md
%{nodejs_sitelib}/%{npm_name}
%{_bindir}/nodemon
%changelog
* Mon Mar 20 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-2
- Patch bundled glob-parent
- Resolves: CVE-2021-35065
* Wed Nov 09 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Rebase to 2.0.20
Resolves: CVE-2022-3517
* Tue Jul 19 2022 Jan Staněk <jstanek@redhat.com> - 2.0.19-1
- Rebase to 2.0.19
Resolves: CVE-2022-33987
* Tue Nov 30 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.15-1
- Resolves: RHBZ#2005419
- Resolves CVE-2020-28469
- Rebase to newest version
- Change source to npmjs.com
* Tue May 11 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.7-1
- Resolves: RHBZ#1953991
- Update to 2.0.7 to resolve CVE-2020-28469
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.3-1
- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247
- Rebase to 2.0.3
- Updated
* Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1
- Resolves: #1615413