nodejs-undici/undici-sources.sh
Jan Staněk 61cbc8f25a
Update to version 6.11.1
Fixes CVE-2024-24750, CVE-2024-30260, and CVE-2024-30261.

Resolves: RHEL-32207 RHEL-31865 RHEL-31864
2024-04-26 14:03:20 +02:00

118 lines
4.0 KiB
Bash
Executable File

#!/bin/sh
set -e
check_deps() {
deps_ec=0
for dep in "$@"; do
command -v "$dep" >/dev/null || {
printf 'Missing dependency: %s\n' "$dep" >&2
deps_ec="$((deps_ec + 1))"
}
done
return "$deps_ec"
}
check_deps curl rpm npm nodejs-packaging-bundler
UNDICI_VERSION="$(rpm --specfile nodejs-undici.spec --qf '%{VERSION}\n')"; readonly UNDICI_VERSION
RPKG=fedpkg
RELEASE=""
OFFLINE=false
usage() {
echo "${0##*/} - download and re-package upstream undici sources."
echo
echo Options:
printf '\t%s\n' '-h, --help: Show this info and exit.'
printf '\t%s\n' '-r<TOOL>, --rpkg=<TOOL>: Use <TOOL> for dist-git interaction [default: fedpkg].'
printf '\t%s\n' '--release=<RELEASE>: Tell <TOOL> to assume working on <RELEASE> [default: detected from current branch].'
printf '\t%s\n' '-n, --offline: Do not upload prepared sources to lookaside cache.'
}
# Construct upstream archive URL
github_archive_url() {
readonly gh_version="${1-${UNDICI_VERSION}}"
printf 'https://github.com/nodejs/undici/archive/v%s/undici-v%s.tar.gz' "${gh_version}" "${gh_version}"
}
# Fetch upstream release
# stdout: name of the original/upstream archive
fetch() {
readonly fetch_version="${1-${UNDICI_VERSION}}"
# npm archive does not contain everything (i.e. build scripts).
# Fetch the github archive instead.
fetch_url="$(github_archive_url "${fetch_version}")"; readonly fetch_url
curl --location --remote-name "${fetch_url}"
printf '%s\n' "${fetch_url##*/}"
}
# Delete any file where a WASM blob is detected
# stdout: relative paths to deleted files
nuke_wasm() {
find "${1-.}" -type f \
-exec grep -q --text -Pe '\x{0}asm|AGFzb' '{}' \; \
-print \
-delete
}
# Remove husky (git hook manager) from prepare scripts
remove_husky() {
cd "${1-undici-v${UNDICI_VERSION}/}" >/dev/null
if grep -q 'husky install' package.json; then
npm pkg delete scripts.prepare
fi
cd - >/dev/null
}
# Package the sources into stripped archive
repackage() {
readonly repackage_version="${1-${UNDICI_VERSION}}"
readonly repackage_rootdir="${2-undici-v${repackage_version}/}"
tar -czf "undici-${repackage_version}-stripped.tar.gz" "${repackage_rootdir}"
echo "undici-${repackage_version}-stripped.tar.gz"
}
# shellcheck disable=SC2046
set -- $(getopt -n "${0##*/}" --unquoted -o hr:n -l help,rpkg:,release:,offline -- "$@")
while test -n "$1"; do
case "$1" in
-h|--help) usage >&2 && exit;;
-r|--rpkg) RPKG="$2"; shift 2;;
-n|--offline) OFFLINE=true; shift 1;;
--release) RELEASE="$2"; shift 2;;
--) break;;
*) printf 'Unknown argument: %s\n' "$1" >&2; exit 2;;
esac
done
printf '=== %s ===\n' 'Fetching and unpacking upstream tarball' >&2
original="$(fetch "${UNDICI_VERSION}")"; readonly original
tar -xzf "${original}"
rootdir="$(ls -d "undici-${UNDICI_VERSION}/")"; readonly rootdir
rm -rf "${original}"
printf '=== %s ===\n' 'Removing following WASM blobs' >&2
nuke_wasm "${rootdir}" >&2
printf '=== %s ===\n' 'Cleaning package scripts' >&2
remove_husky "${rootdir}"
printf '=== %s ===\n' 'Re-packaging clean archive' >&2
repackage "${UNDICI_VERSION}" "${rootdir}"
printf '=== %s ===\n' 'Bundling dependencies' >&2
nodejs-packaging-bundler undici "${UNDICI_VERSION}" "undici-${UNDICI_VERSION}-stripped.tar.gz"
install -p -m0644 -t "${PWD}" "$(rpm -E '%{_sourcedir}')"/undici-"${UNDICI_VERSION}"-*
printf '=== %s ===\n' 'Updating dist-git sources' >&2
# shellcheck disable=SC2086,SC2046
${RPKG} $(test -n "${RELEASE}" && echo --release="${RELEASE}") new-sources $("$OFFLINE" && echo --offline) \
"undici-${UNDICI_VERSION}-stripped.tar.gz" \
"undici-${UNDICI_VERSION}-nm-prod.tgz" \
"undici-${UNDICI_VERSION}-nm-dev.tgz" \
"undici-${UNDICI_VERSION}-bundled-licenses.txt"
printf '=== %s ===\n' 'Detecting bundled versions' >&2
awk '/^#define LLHTTP_VERSION/{print $NF;}' "${rootdir}/deps/llhttp/include/llhttp.h" \
| xargs printf 'llhttp: %d.%d.%d\n'