Compare commits

...

No commits in common. "c8-stream-12" and "stream-nodejs-20-rhel-8.9.0" have entirely different histories.

6 changed files with 118 additions and 29 deletions

8
.gitignore vendored
View File

@ -1 +1,7 @@
SOURCES/nodemon-v2.0.3-bundled.tar.gz
/nodemon-v1.18.3-bundled.tar.gz
/nodemon-v2.0.3-bundled.tar.gz
/nodemon-v2.0.7-bundled.tar.gz
/nodemon-v2.0.15-bundled.tar.gz
/nodemon-v2.0.19-bundled.tar.gz
/nodemon-v2.0.20-bundled.tar.gz
/nodemon-v3.0.1-bundled.tar.gz

View File

@ -1 +0,0 @@
a515df94af26b438ffbf4d914259f16a03cc7c15 SOURCES/nodemon-v2.0.3-bundled.tar.gz

View File

@ -0,0 +1,63 @@
From 62287c7af3aabd73db9bd1057c4c6cfcb5f3f67b Mon Sep 17 00:00:00 2001
From: Takayuki Sato <sttk.xslet@gmail.com>
Date: Tue, 20 Jul 2021 14:46:33 +0900
Subject: [PATCH] deps(glob-parent): Resolve ReDoS vulnerability from
CVE-2021-35065 (#49)
Signed-off-by: rpm-build <rpm-build>
---
node_modules/glob-parent/index.js | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
index 09e257e..b182190 100644
--- a/node_modules/glob-parent/index.js
+++ b/node_modules/glob-parent/index.js
@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
-var enclosure = /[\{\[].*[\}\]]$/;
var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g;
@@ -25,7 +24,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
- if (enclosure.test(str)) {
+ if (isEnclosure(str)) {
str += slash;
}
@@ -40,3 +39,27 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
+
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes(slash);
+}
--
2.39.2

View File

@ -5,13 +5,15 @@
%global enable_tests 0
Name: nodejs-%{npm_name}
Version: 2.0.3
Version: 3.0.1
Release: 1%{?dist}
Summary: Simple monitor script for use during development of a node.js app
License: MIT
URL: https://github.com/remy/nodemon
URL: https://www.npmjs.com/package/nodemon
Source0: %{npm_name}-v%{version}-bundled.tar.gz
Patch1: 0001-deps-glob-parent-Resolve-ReDoS-vulnerability-from-CV.patch
BuildRequires: nodejs-devel
BuildRequires: nodejs-packaging
BuildRequires: npm
@ -19,35 +21,24 @@ BuildRequires: npm
ExclusiveArch: %{nodejs_arches} noarch
BuildArch: noarch
%if 0%{?enable_tests}
BuildRequires: npm(async)
BuildRequires: npm(coffee-script)
BuildRequires: npm(husky)
BuildRequires: npm(istanbul)
BuildRequires: npm(jscs)
BuildRequires: npm(mocha)
BuildRequires: npm(proxyquire)
BuildRequires: npm(semantic-release)
BuildRequires: npm(should)
%endif
%description
Simple monitor script for use during development of a node.js app.
For use during development of a node.js based application.
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
nodemon will watch the files in the directory in which nodemon
was started, and if any files change, nodemon will automatically
restart your node application.
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
nodemon does not require any changes to your code or method of
development. nodemon simply wraps your node application and keeps
an eye on any files that have changed. Remember that nodemon is a
replacement wrapper for node, think of it as replacing the word "node"
on the command line when you run your script.
%prep
%setup -q -n %{npm_name}-%{version}
%autosetup -p1 -n package
%build
@ -56,14 +47,11 @@ on the command line when you run your script.
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json website node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr doc bin lib package.json node_modules %{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir}
ln -sf %{nodejs_sitelib}/%{npm_name}/bin/nodemon.js %{buildroot}%{_bindir}/nodemon
#%%nodejs_symlink_deps
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
@ -71,14 +59,39 @@ npm run test
%endif
%files
%doc CODE_OF_CONDUCT.md doc faq.md README.md
%doc doc README.md
%{nodejs_sitelib}/%{npm_name}
%{_bindir}/nodemon
%changelog
* Wed Aug 23 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 3.0.1-1
- Rebase to 3.0.1
- Resolves: CVE-2022-25883
* Mon Mar 20 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.20-2
- Patch bundled glob-parent
- Resolves: CVE-2021-35065
* Wed Nov 09 2022 Jan Staněk <jstanek@redhat.com> - 2.0.20-1
- Rebase to 2.0.20
Resolves: CVE-2022-3517
* Tue Jul 19 2022 Jan Staněk <jstanek@redhat.com> - 2.0.19-1
- Rebase to 2.0.19
Resolves: CVE-2022-33987
* Tue Nov 30 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.15-1
- Resolves: RHBZ#2005419
- Resolves CVE-2020-28469
- Rebase to newest version
- Change source to npmjs.com
* Tue May 11 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.7-1
- Resolves: RHBZ#1953991
- Update to 2.0.7 to resolve CVE-2020-28469
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 2.0.3-1
- Resolves: RHBZ#1920692, RHBZ#1804236, RHBZ#1803247
- Rebase to 2.0.3
- Updated
* Mon Aug 13 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.18.3-1
- Resolves: #1615413

7
nodemon-tarball.sh Normal file
View File

@ -0,0 +1,7 @@
#!/bin/sh
version=$(rpm -q --specfile --qf='%{version}\n' nodejs-nodemon.spec | head -n1)
wget https://registry.npmjs.org/nodemon/-/nodemon-$version.tgz
tar -zxf nodemon-$version.tgz
cd package
npm install --production && rm -rf Dockerfile && cd .. && tar -zcf nodemon-v$version-bundled.tar.gz package

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (nodemon-v3.0.1-bundled.tar.gz) = 4411c9533cbde380179aa8e3a2bd46e5eee10a607058a075e695f6723d1b12be213eec1d885cb41383adb40fe0ee1dd596ede56c1554a4fea2bb742444a60fd8