import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47
parent
99c936df5b
commit
086db5aac8
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,4 @@
|
||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||
SOURCES/icu4c-70_1-src.tgz
|
||||
SOURCES/node-v14.20.0-stripped.tar.gz
|
||||
SOURCES/node-v14.21.1-stripped.tar.gz
|
||||
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||
|
@ -1,2 +1,4 @@
|
||||
6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
|
||||
66dc4b75e2e416d064f12be3450fc7953d72b21b SOURCES/node-v14.20.0-stripped.tar.gz
|
||||
2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
|
||||
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||
|
@ -1,19 +1,18 @@
|
||||
From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
|
||||
From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001
|
||||
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
||||
Date: Fri, 17 Apr 2020 12:59:44 +0200
|
||||
Subject: [PATCH 1/2] Disable running gyp on shared deps
|
||||
Subject: [PATCH] Disable running gyp on shared deps
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
Makefile | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile b/Makefile
|
||||
index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
|
||||
index 82281b5..9e65fc4 100644
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -136,11 +136,11 @@ endif
|
||||
.PHONY: test-code-cache
|
||||
with-code-cache test-code-cache:
|
||||
@@ -143,7 +143,7 @@ with-code-cache test-code-cache:
|
||||
$(warning '$@' target is a noop)
|
||||
|
||||
out/Makefile: config.gypi common.gypi node.gyp \
|
||||
@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
|
||||
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||
$(PYTHON) tools/gyp_node.py -f make
|
||||
|
||||
# node_version.h is listed because the N-API version is taken from there
|
||||
--
|
||||
2.29.2
|
||||
2.38.1
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
|
||||
From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Thu, 9 Dec 2021 15:48:46 +0100
|
||||
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
|
||||
@ -41,6 +41,5 @@ index c254480..9e37ec3 100644
|
||||
].join('|');
|
||||
|
||||
--
|
||||
2.36.1
|
||||
|
||||
2.38.1
|
||||
|
@ -0,0 +1,98 @@
|
||||
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
|
||||
From: Jordan Harband <ljharb@gmail.com>
|
||||
Date: Mon, 27 Dec 2021 19:15:57 -0800
|
||||
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
|
||||
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
deps/npm/node_modules/qs/lib/parse.js | 2 +-
|
||||
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
|
||||
2 files changed, 61 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
|
||||
index 8c9872e..08e623a 100644
|
||||
--- a/deps/npm/node_modules/qs/lib/parse.js
|
||||
+++ b/deps/npm/node_modules/qs/lib/parse.js
|
||||
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
|
||||
) {
|
||||
obj = [];
|
||||
obj[index] = leaf;
|
||||
- } else {
|
||||
+ } else if (cleanRoot !== '__proto__') {
|
||||
obj[cleanRoot] = leaf;
|
||||
}
|
||||
}
|
||||
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
|
||||
index 0f8fe45..3e93784 100644
|
||||
--- a/deps/npm/node_modules/qs/test/parse.js
|
||||
+++ b/deps/npm/node_modules/qs/test/parse.js
|
||||
@@ -515,6 +515,66 @@ test('parse()', function (t) {
|
||||
st.end();
|
||||
});
|
||||
|
||||
+ t.test('dunder proto is ignored', function (st) {
|
||||
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
|
||||
+ var result = qs.parse(payload, { allowPrototypes: true });
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ result,
|
||||
+ {
|
||||
+ categories: {
|
||||
+ length: '42'
|
||||
+ }
|
||||
+ },
|
||||
+ 'silent [[Prototype]] payload'
|
||||
+ );
|
||||
+
|
||||
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ plainResult,
|
||||
+ {
|
||||
+ __proto__: null,
|
||||
+ categories: {
|
||||
+ __proto__: null,
|
||||
+ length: '42'
|
||||
+ }
|
||||
+ },
|
||||
+ 'silent [[Prototype]] payload: plain objects'
|
||||
+ );
|
||||
+
|
||||
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
|
||||
+
|
||||
+ st.notOk(Array.isArray(query.categories), 'is not an array');
|
||||
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
|
||||
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
|
||||
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
|
||||
+ {
|
||||
+ foo: {
|
||||
+ bar: 'stuffs'
|
||||
+ }
|
||||
+ },
|
||||
+ 'hidden values'
|
||||
+ );
|
||||
+
|
||||
+ st.deepEqual(
|
||||
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
|
||||
+ {
|
||||
+ __proto__: null,
|
||||
+ foo: {
|
||||
+ __proto__: null,
|
||||
+ bar: 'stuffs'
|
||||
+ }
|
||||
+ },
|
||||
+ 'hidden values: plain objects'
|
||||
+ );
|
||||
+
|
||||
+ st.end();
|
||||
+ });
|
||||
+
|
||||
t.test('can return null objects', { skip: !Object.create }, function (st) {
|
||||
var expected = Object.create(null);
|
||||
expected.a = Object.create(null);
|
||||
--
|
||||
2.38.1
|
||||
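Review bot: The new `else if (cleanRoot !== '__proto__')` branch in parseObject has no comment explaining why this one key is skipped, and the added tests show it is skipped even when the caller passes `allowPrototypes: true`. I would put a comment above it such as `// never assign '__proto__', even with allowPrototypes: on an ordinary object that assignment replaces the prototype instead of creating an own property`. parseObject starts and ends outside the hunk, so any other write paths in it cannot be judged from here. The patch touches only the copy under deps/npm/node_modules/qs; if the stripped tarball bundles qs elsewhere, that copy would presumably need the same guard.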
|
@ -41,8 +41,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 14
|
||||
%global nodejs_minor 20
|
||||
%global nodejs_patch 0
|
||||
%global nodejs_minor 21
|
||||
%global nodejs_patch 1
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
||||
%global nodejs_release %{baserelease}
|
||||
@ -72,7 +72,7 @@
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_major 2
|
||||
%global llhttp_minor 1
|
||||
%global llhttp_patch 5
|
||||
%global llhttp_patch 6
|
||||
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
@ -168,10 +168,23 @@ Source100: %{name}-tarball.sh
|
||||
# nodejs-packaging SRPM.
|
||||
Source7: nodejs_native.attr
|
||||
|
||||
# These are full sources for dependencies included as WASM blobs in the source of Node itself.
|
||||
# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
|
||||
# Recipes for creating these blobs are included in the sources.
|
||||
|
||||
# Version: jq '.version' deps/cjs-module-lexer/package.json
|
||||
# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
|
||||
# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
|
||||
Source101: cjs-module-lexer-1.2.2.tar.gz
|
||||
# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
|
||||
# Version source: Makefile
|
||||
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
|
||||
|
||||
# Disable running gyp on bundled deps we don't use
|
||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
|
||||
Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
|
||||
# Dependency vulnerabilities
|
||||
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
|
||||
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
@ -352,6 +365,21 @@ The API documentation for the Node.js JavaScript runtime.
|
||||
rm -rf deps/zlib
|
||||
rm -rf deps/brotli
|
||||
|
||||
# check for correct versions of dependencies we are bundling
|
||||
check_wasm_dep() {
|
||||
local -r name="$1" source="$2" packagejson="$3"
|
||||
local -r expected_version="$(jq -r '.version' "${packagejson}")"
|
||||
|
||||
if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
|
||||
printf '%s version matches\n' "${name}" >&2
|
||||
else
|
||||
printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
|
||||
|
||||
# Replace any instances of unversioned python' with python3
|
||||
%if %{with python3_fixup}
|
||||
pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
|
||||
@ -668,26 +696,35 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Aug 02 2022 Zuzana Svetlikova <zsvetlik@redhat.com - 1:14.20.0-2
|
||||
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
|
||||
- Apply upstream fix for CVE-2022-24999
|
||||
Resolves: CVE-2022-24999
|
||||
- Record CVEs fixed by current or previous upstream releases
|
||||
Resolves: CVE-2021-44906
|
||||
|
||||
* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
|
||||
- Rebase to version 14.21.1
|
||||
Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
|
||||
|
||||
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
|
||||
- Record issues fixed in the current version
|
||||
Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
|
||||
|
||||
* Thu Sep 29 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-1
|
||||
- Rebase to version 14.20.1
|
||||
Resolves: CVE-2022-35256
|
||||
|
||||
* Mon Aug 22 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
|
||||
- Rebase to latest release
|
||||
- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139
|
||||
- Remove libs patch
|
||||
- Build without corepack
|
||||
|
||||
* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
|
||||
- Replace with_* macros with RPM confitionals
|
||||
- Unify configure calls into single command
|
||||
- Refactor bootstrap-related parts
|
||||
- Decouple dependency bundling from bootstrapping
|
||||
- Resolves: RHBZ#2111417
|
||||
|
||||
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
|
||||
- Rebase to latest version
|
||||
- Resolves: RHBZ#2106367
|
||||
- CVE fixes for CVE-2022-32212/3/4/5
|
||||
- Resolves: #2109576, #2109579, #2109582, #2109585
|
||||
|
||||
* Tue Jan 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-3
|
||||
- Resolves: RHBZ#2029519
|
||||
- Add missing BZ to changelog
|
||||
|
||||
* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
|
||||
- Add missing fixes
|
||||
- Resolves: RHBZ#2027641, RHBZ#2027634
|
||||
|
||||
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
|
||||
- Resolves: RHBZ#2026325
|
||||
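Review bot: check_wasm_dep in the %prep hunk can report a match without having compared anything. `local -r expected_version="$(jq …)"` hides jq's exit status behind `local`, so if jq is missing or fails the variable is empty, and `grep -q --fixed-strings ""` then matches any file name. Splitting the declaration makes it fail closed: `local expected_version; expected_version="$(jq -r '.version' "${packagejson}")" || return 1`, followed by `[ -n "${expected_version}" ] || return 1`. The comparison is also a substring test, so 1.2.2 would accept a tarball named for 1.2.20. No `BuildRequires: jq` appears in the hunks shown, which is worth confirming against the full spec.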
|