Compare commits

...

No commits in common. "c8-stream-12" and "stream-nodejs-14-rhel-8.9.0" have entirely different histories.

6 changed files with 124 additions and 19 deletions

7
.gitignore vendored
View File

@ -1 +1,6 @@
SOURCES/nodemon-v2.0.3-bundled.tar.gz
/nodemon-v1.18.3-bundled.tar.gz
/nodemon-v2.0.3-bundled.tar.gz
/nodemon-v2.0.7-bundled.tar.gz
/nodemon-v2.0.15-bundled.tar.gz
/nodemon-v2.0.19-bundled.tar.gz
/nodemon-v2.0.20-bundled.tar.gz

View File

@ -1 +0,0 @@
a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz

View File

@ -0,0 +1,63 @@
From 03b97db840718e36aaa091f95a98a0b81764093b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

View File

@ -5,13 +5,15 @@
%global enable_tests 0
Name: nodejs-%{npm_name}
Version: 2.0.3
Release: 1%{?dist}
Version: 2.0.20
Release: 3%{?dist}
Summary: Simple monitor script for use during development of a node.js app
License: MIT
URL: https://github.com/remy/nodemon
URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging
BuildRequires: npm
@ -47,7 +49,7 @@ replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script.
%prep
%setup -q -n %{npm_name}-%{version}
%autosetup -p1 -n package
%build
@ -56,14 +58,11 @@ on the command line when you run your script.
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir}
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
#%%nodejs_symlink_deps
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
@ -71,14 +70,45 @@ npm run test
%endif
%files
%doc CODE_OF_CONDUCT.md doc faq.md README.md
%doc doc README.md
%{nodejs_sitelib}/%{npm_name}
%{_bindir}/nodemon
%changelog
* Mon Mar 06 2023 Jan Staněk <jstanek@redhat.com> - 2.0.20-3
- Backport fix for CVE-2021-35065
Resolves: CVE-2021-35065
* Mon Dec 12 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-2
- Record remaining CVEs fixed by current rebase
Resolves: CVE-2021-44906
* Wed Nov 09 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Rebase to 2.0.20
Resolves: CVE-2022-3517
* Wed Aug 03 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.19-2
- Switched from autosetup
- Removed CODE_OF_CONDUCT.md and faq.md which is not present in npmjs package, might switch to GH sources in the future
- Resolves: RHBZ#2108140
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.19-1
- Rebase to 2.0.19
- Resolves CVE-2022-33987
- Resolves: RHBZ#2108140
* Tue Nov 30 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.15-1
- Resolves: RHBZ#1991322, RHBZ#1948030
- Resolves CVE-2020-28469
- Rebase to newest version
- Change source to npmjs.com
* Tue May 11 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.7-1
- Resolves: RHBZ#1953991
- Update to 2.0.7 to resolve CVE-2020-28469
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.3-1
- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247
- Rebase to 2.0.3
- Updated
* Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1
- Resolves: #1615413

7
nodemon-tarball.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
version=$(rpm -q --specfile --qf='%{version}\n' nodejs-nodemon.spec | head -n1)
wget https://registry.npmjs.org/nodemon/-/nodemon-$version.tgz
tar -zxf nodemon-$version.tgz
cd package
npm install --production && rm -rf Dockerfile && cd .. && tar -zcf nodemon-v$version-bundled.tar.gz package

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (nodemon-v2.0.20-bundled.tar.gz) = 2060e08766fabd0501b1bc43479907fdcb918f6a825d885586c693d6b9a42e07a55f838f310ff2b2537cdec1c0c9bf67044973119e7f37e7d548abc3cb5dbc3c