Compare commits

...

No commits in common. "c8-stream-12" and "c8-stream-18" have entirely different histories.

4 changed files with 116 additions and 18 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/nodemon-v2.0.3-bundled.tar.gz
SOURCES/nodemon-v3.0.1-bundled.tar.gz

View File

@ -1 +1 @@
a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz
c100f2de26d7386dcfd7609445d9a01cd23e3a58 SOURCES/nodemon-v3.0.1-bundled.tar.gz

View File

@ -0,0 +1,63 @@
From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

View File

@ -5,13 +5,15 @@
%global enable_tests 0
Name: nodejs-%{npm_name}
Version: 2.0.3
Version: 3.0.1
Release: 1%{?dist}
Summary: Simple monitor script for use during development of a node.js app
License: MIT
URL: https://github.com/remy/nodemon
URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging
BuildRequires: npm
@ -36,18 +38,18 @@ Simple monitor script for use during development of a node.js app.
For use during development of a node.js based application.
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
restart your node application.
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script.
%prep
%setup -q -n %{npm_name}-%{version}
%autosetup -p1 -n package
%build
@ -56,14 +58,11 @@ on the command line when you run your script.
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir}
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
#%%nodejs_symlink_deps
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
@ -71,14 +70,50 @@ npm run test
%endif
%files
%doc CODE_OF_CONDUCT.md doc faq.md README.md
%doc doc README.md
%{nodejs_sitelib}/%{npm_name}
%{_bindir}/nodemon
%changelog
* Fri Aug 18 2023 Dominik Rehák <drehak@redhat.com> - 3.0.1-1
- Rebase to 3.0.1
Resolves: CVE-2022-25883
* Mon Feb 27 2023 Jan Staněk <jstanek@redhat.com> - 2.0.20-3
- Patch bundled glob-parent
Resolves: CVE-2021-35065
* Fri Dec 02 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Record CVE fixed in the current or previous upstream versions
Resolves: CVE-2021-44906
* Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-1
- Rebase to 2.0.20
- Resolves: CVE-2022-3517
- Resolves: #2135491
* Wed Aug 03 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.19-2
- Switched from autosetup
- Removed CODE_OF_CONDUCT.md and faq.md which is not present in npmjs package, might switch to GH sources in the future
- Resolves: RHBZ#2108141
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.19-1
- Rebase to 2.0.19
- Resolves CVE-2022-33987
- Resolves: RHBZ#2108141
* Tue Nov 30 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.15-1
- Resolves: RHBZ#2005419
- Resolves CVE-2020-28469
- Rebase to newest version
- Change source to npmjs.com
* Tue May 11 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.7-1
- Resolves: RHBZ#1953991
- Update to 2.0.7 to resolve CVE-2020-28469
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.3-1
- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247
- Rebase to 2.0.3
- Updated
* Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1
- Resolves: #1615413