Compare commits

...

No commits in common. "c8-stream-12" and "c8s-stream-14" have entirely different histories.

4 changed files with 112 additions and 19 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/nodemon-v2.0.3-bundled.tar.gz
SOURCES/nodemon-v2.0.20-bundled.tar.gz

View File

@ -1 +1 @@
a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz
f558d7dc37c745ca2983daebe6868df6ee46c00a SOURCES/nodemon-v2.0.20-bundled.tar.gz

View File

@ -0,0 +1,63 @@
From 03b97db840718e36aaa091f95a98a0b81764093b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

View File

@ -5,13 +5,15 @@
%global enable_tests 0
Name: nodejs-%{npm_name}
Version: 2.0.3
Release: 1%{?dist}
Version: 2.0.20
Release: 3%{?dist}
Summary: Simple monitor script for use during development of a node.js app
License: MIT
URL: https://github.com/remy/nodemon
URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging
BuildRequires: npm
@ -36,18 +38,18 @@ Simple monitor script for use during development of a node.js app.
For use during development of a node.js based application.
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
restart your node application.
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script.
%prep
%setup -q -n %{npm_name}-%{version}
%autosetup -p1 -n package
%build
@ -56,14 +58,11 @@ on the command line when you run your script.
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir}
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
#%%nodejs_symlink_deps
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
@ -71,14 +70,45 @@ npm run test
%endif
%files
%doc CODE_OF_CONDUCT.md doc faq.md README.md
%doc doc README.md
%{nodejs_sitelib}/%{npm_name}
%{_bindir}/nodemon
%changelog
* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 2.0.20-3
- Backport fix for CVE-2021-35065
Resolves: CVE-2021-35065
* Mon Dec 12 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-2
- Record remaining CVEs fixed by current rebase
Resolves: CVE-2021-44906
* Wed Nov 09 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Rebase to 2.0.20
Resolves: CVE-2022-3517
* Wed Aug 03 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.19-2
- Switched from autosetup
- Removed CODE_OF_CONDUCT.md and faq.md which is not present in npmjs package, might switch to GH sources in the future
- Resolves: RHBZ#2108140
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.19-1
- Rebase to 2.0.19
- Resolves CVE-2022-33987
- Resolves: RHBZ#2108140
* Tue Nov 30 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.15-1
- Resolves: RHBZ#1991322, RHBZ#1948030
- Resolves CVE-2020-28469
- Rebase to newest version
- Change source to npmjs.com
* Tue May 11 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.7-1
- Resolves: RHBZ#1953991
- Update to 2.0.7 to resolve CVE-2020-28469
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.3-1
- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247
- Rebase to 2.0.3
- Updated
* Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1
- Resolves: #1615413