import nodejs-16.14.0-5.el9

2022-09-27 07:54:03 -04:00 · 2022-09-27 07:54:03 -04:00 · 1d149a4dd8
parent 4654365fd8
commit 1d149a4dd8
2 changed files with 445 additions and 51 deletions
--- a/SOURCES/0001-fix-ci-lock-file-validation.patch
+++ b/SOURCES/0001-fix-ci-lock-file-validation.patch
@ -0,0 +1,397 @@
+From 730dd78c897a28c3df0468ed1fc42d5817badefe Mon Sep 17 00:00:00 2001
+From: Ruy Adorno <ruyadorno@hotmail.com>
+Date: Wed, 2 Feb 2022 22:10:22 -0500
+Subject: [PATCH] fix(ci): lock file validation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make sure to validate any lock file (either package-lock.json or
+npm-shrinkwrap.json) against the current install. This will properly
+throw an error in case any of the dependencies being installed don't
+match the dependencies that are currently listed in the lock file.
+
+Fixes: https://github.com/npm/cli/issues/2701
+Fixes: https://github.com/npm/cli/issues/3947
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ deps/npm/lib/commands/ci.js                   | 23 ++++++
+ deps/npm/lib/utils/validate-lockfile.js       | 29 +++++++
+ .../smoke-tests/index.js.test.cjs             | 11 +++
+ .../test/lib/commands/ci.js.test.cjs          | 13 +++
+ .../lib/utils/validate-lockfile.js.test.cjs   | 35 ++++++++
+ deps/npm/test/lib/commands/ci.js              | 82 +++++++++++++++++++
+ deps/npm/test/lib/utils/validate-lockfile.js  | 82 +++++++++++++++++++
+ 7 files changed, 275 insertions(+)
+ create mode 100644 deps/npm/lib/utils/validate-lockfile.js
+ create mode 100644 deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs
+ create mode 100644 deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
+ create mode 100644 deps/npm/test/lib/utils/validate-lockfile.js
+
+diff --git a/deps/npm/lib/commands/ci.js b/deps/npm/lib/commands/ci.js
+index 2c2f8da..376a85d 100644
+--- a/deps/npm/lib/commands/ci.js
+++ b/deps/npm/lib/commands/ci.js
+@@ -6,6 +6,7 @@ const runScript = require('@npmcli/run-script')
+ const fs = require('fs')
+ const readdir = util.promisify(fs.readdir)
+ const log = require('../utils/log-shim.js')
+const validateLockfile = require('../utils/validate-lockfile.js')
+ 
+ const removeNodeModules = async where => {
+   const rimrafOpts = { glob: false }
+@@ -55,6 +56,28 @@ class CI extends ArboristWorkspaceCmd {
+       }),
+       removeNodeModules(where),
+     ])
+
+    // retrieves inventory of packages from loaded virtual tree (lock file)
+    const virtualInventory = new Map(arb.virtualTree.inventory)
+
+    // build ideal tree step needs to come right after retrieving the virtual
+    // inventory since it's going to erase the previous ref to virtualTree
+    await arb.buildIdealTree()
+
+    // verifies that the packages from the ideal tree will match
+    // the same versions that are present in the virtual tree (lock file)
+    // throws a validation error in case of mismatches
+    const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
+    if (errors.length) {
+      throw new Error(
+        '`npm ci` can only install packages when your package.json and ' +
+        'package-lock.json or npm-shrinkwrap.json are in sync. Please ' +
+        'update your lock file with `npm install` ' +
+        'before continuing.\n\n' +
+        errors.join('\n') + '\n'
+      )
+    }
+
+     await arb.reify(opts)
+ 
+     const ignoreScripts = this.npm.config.get('ignore-scripts')
+diff --git a/deps/npm/lib/utils/validate-lockfile.js b/deps/npm/lib/utils/validate-lockfile.js
+new file mode 100644
+index 0000000..29161ec
+--- /dev/null
+++ b/deps/npm/lib/utils/validate-lockfile.js
+@@ -0,0 +1,29 @@
+// compares the inventory of package items in the tree
+// that is about to be installed (idealTree) with the inventory
+// of items stored in the package-lock file (virtualTree)
+//
+// Returns empty array if no errors found or an array populated
+// with an entry for each validation error found.
+function validateLockfile (virtualTree, idealTree) {
+  const errors = []
+
+  // loops through the inventory of packages resulted by ideal tree,
+  // for each package compares the versions with the version stored in the
+  // package-lock and adds an error to the list in case of mismatches
+  for (const [key, entry] of idealTree.entries()) {
+    const lock = virtualTree.get(key)
+
+    if (!lock) {
+      errors.push(`Missing: ${entry.name}@${entry.version} from lock file`)
+      continue
+    }
+
+    if (entry.version !== lock.version) {
+      errors.push(`Invalid: lock file's ${lock.name}@${lock.version} does ` +
+      `not satisfy ${entry.name}@${entry.version}`)
+    }
+  }
+  return errors
+}
+
+module.exports = validateLockfile
+diff --git a/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs b/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs
+index c1316e0..5fa3977 100644
+--- a/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs
+++ b/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs
+@@ -40,6 +40,17 @@ Configuration fields: npm help 7 config
+ 
+ npm {CWD}
+ 
+`
+
+exports[`smoke-tests/index.js TAP npm ci > should throw mismatch deps in lock file error 1`] = `
+npm ERR! \`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing.
+npm ERR! 
+npm ERR! Invalid: lock file's abbrev@1.0.4 does not satisfy abbrev@1.1.1
+npm ERR! 
+
+npm ERR! A complete log of this run can be found in:
+
+
+ `
+ 
+ exports[`smoke-tests/index.js TAP npm diff > should have expected diff output 1`] = `
+diff --git a/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs
+new file mode 100644
+index 0000000..d6a7471
+--- /dev/null
+++ b/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs
+@@ -0,0 +1,13 @@
+/* IMPORTANT
+ * This snapshot file is auto-generated, but designed for humans.
+ * It should be checked into source control and tracked carefully.
+ * Re-generate by setting TAP_SNAPSHOT=1 and running tests.
+ * Make sure to inspect the output below.  Do not ignore changes!
+ */
+'use strict'
+exports[`test/lib/commands/ci.js TAP should throw error when ideal inventory mismatches virtual > must match snapshot 1`] = `
+\`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing.
+
+Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0
+
+`
+diff --git a/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
+new file mode 100644
+index 0000000..98a5126
+--- /dev/null
+++ b/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
+@@ -0,0 +1,35 @@
+/* IMPORTANT
+ * This snapshot file is auto-generated, but designed for humans.
+ * It should be checked into source control and tracked carefully.
+ * Re-generate by setting TAP_SNAPSHOT=1 and running tests.
+ * Make sure to inspect the output below.  Do not ignore changes!
+ */
+'use strict'
+exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on idealTree > should have missing entries error 1`] = `
+Array [
+  "Missing: baz@3.0.0 from lock file",
+]
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on virtualTree > should have no errors if finding virtualTree extra items 1`] = `
+Array []
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP identical inventory for both idealTree and virtualTree > should have no errors on identical inventories 1`] = `
+Array []
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP mismatching versions on inventory > should have errors for each mismatching version 1`] = `
+Array [
+  "Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0",
+  "Invalid: lock file's bar@2.0.0 does not satisfy bar@3.0.0",
+]
+`
+
+exports[`test/lib/utils/validate-lockfile.js TAP missing virtualTree inventory > should have errors for each mismatching version 1`] = `
+Array [
+  "Missing: foo@1.0.0 from lock file",
+  "Missing: bar@2.0.0 from lock file",
+  "Missing: baz@3.0.0 from lock file",
+]
+`
+diff --git a/deps/npm/test/lib/commands/ci.js b/deps/npm/test/lib/commands/ci.js
+index 537d078..e077c99 100644
+--- a/deps/npm/test/lib/commands/ci.js
+++ b/deps/npm/test/lib/commands/ci.js
+@@ -19,6 +19,17 @@ t.test('should ignore scripts with --ignore-scripts', async t => {
+       this.reify = () => {
+         REIFY_CALLED = true
+       }
+      this.buildIdealTree = () => {}
+      this.virtualTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+      this.idealTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+     },
+   })
+ 
+@@ -99,6 +110,17 @@ t.test('should use Arborist and run-script', async t => {
+       this.reify = () => {
+         t.ok(true, 'reify is called')
+       }
+      this.buildIdealTree = () => {}
+      this.virtualTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+      this.idealTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+     },
+     rimraf: (path, ...args) => {
+       actualRimrafs++
+@@ -138,6 +160,17 @@ t.test('should pass flatOptions to Arborist.reify', async t => {
+       this.reify = async (options) => {
+         t.equal(options.production, true, 'should pass flatOptions to Arborist.reify')
+       }
+      this.buildIdealTree = () => {}
+      this.virtualTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+      this.idealTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+     },
+   })
+   const npm = mockNpm({
+@@ -218,6 +251,17 @@ t.test('should remove existing node_modules before installing', async t => {
+         const nodeModules = contents.filter((path) => path.startsWith('node_modules'))
+         t.same(nodeModules, ['node_modules'], 'should only have the node_modules directory')
+       }
+      this.buildIdealTree = () => {}
+      this.virtualTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+      this.idealTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+     },
+   })
+ 
+@@ -231,3 +275,41 @@ t.test('should remove existing node_modules before installing', async t => {
+ 
+   await ci.exec(null)
+ })
+
+t.test('should throw error when ideal inventory mismatches virtual', async t => {
+  const CI = t.mock('../../../lib/commands/ci.js', {
+    '../../../lib/utils/reify-finish.js': async () => {},
+    '@npmcli/run-script': ({ event }) => {},
+    '@npmcli/arborist': function () {
+      this.loadVirtual = async () => {}
+      this.reify = () => {}
+      this.buildIdealTree = () => {}
+      this.virtualTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '1.0.0' }],
+        ]),
+      }
+      this.idealTree = {
+        inventory: new Map([
+          ['foo', { name: 'foo', version: '2.0.0' }],
+        ]),
+      }
+    },
+  })
+
+  const npm = mockNpm({
+    globalDir: 'path/to/node_modules/',
+    prefix: 'foo',
+    config: {
+      global: false,
+      'ignore-scripts': true,
+    },
+  })
+  const ci = new CI(npm)
+
+  try {
+    await ci.exec([])
+  } catch (err) {
+    t.matchSnapshot(err.message)
+  }
+})
+diff --git a/deps/npm/test/lib/utils/validate-lockfile.js b/deps/npm/test/lib/utils/validate-lockfile.js
+new file mode 100644
+index 0000000..25939c5
+--- /dev/null
+++ b/deps/npm/test/lib/utils/validate-lockfile.js
+@@ -0,0 +1,82 @@
+const t = require('tap')
+const validateLockfile = require('../../../lib/utils/validate-lockfile.js')
+
+t.test('identical inventory for both idealTree and virtualTree', async t => {
+  t.matchSnapshot(
+    validateLockfile(
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+      ]),
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+      ])
+    ),
+    'should have no errors on identical inventories'
+  )
+})
+
+t.test('extra inventory items on idealTree', async t => {
+  t.matchSnapshot(
+    validateLockfile(
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+      ]),
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+        ['baz', { name: 'baz', version: '3.0.0' }],
+      ])
+    ),
+    'should have missing entries error'
+  )
+})
+
+t.test('extra inventory items on virtualTree', async t => {
+  t.matchSnapshot(
+    validateLockfile(
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+        ['baz', { name: 'baz', version: '3.0.0' }],
+      ]),
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+      ])
+    ),
+    'should have no errors if finding virtualTree extra items'
+  )
+})
+
+t.test('mismatching versions on inventory', async t => {
+  t.matchSnapshot(
+    validateLockfile(
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+      ]),
+      new Map([
+        ['foo', { name: 'foo', version: '2.0.0' }],
+        ['bar', { name: 'bar', version: '3.0.0' }],
+      ])
+    ),
+    'should have errors for each mismatching version'
+  )
+})
+
+t.test('missing virtualTree inventory', async t => {
+  t.matchSnapshot(
+    validateLockfile(
+      new Map([]),
+      new Map([
+        ['foo', { name: 'foo', version: '1.0.0' }],
+        ['bar', { name: 'bar', version: '2.0.0' }],
+        ['baz', { name: 'baz', version: '3.0.0' }],
+      ])
+    ),
+    'should have errors for each mismatching version'
+  )
+})
+-- 
+2.35.1
+
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -1,6 +1,17 @@
-# bundle dependencies that are not available as Fedora modules
-%bcond_without bootstrap
-%global __bootstrap %{nil}
+# The following macros control the usage of dependencies bundled from upstream.
+#
+# When to use what:
+# - Regular (presumably non-modular) build: use neither (the default in Fedora)
+# - Early bootstrapping build that is not intended to be shipped:
+#     use --with=bootstrap; this will bundle deps and add `~bootstrap` release suffix
+# - Build with some dependencies not avalaible in necessary versions (i.e. module build):
+#     use --with=bundled; will bundle deps, but do not add the suffix
+#
+# create bootstrapping build with bundled deps and extra release suffix
+%bcond_with bootstrap
+# bundle dependencies that are not available in CentOS
+# currently hardcoded to bundle; see Fedora spec on how to make this dependent on bootstrap
+%bcond_without bundled

 %if 0%{?rhel} && 0%{?rhel} < 9
 %bcond_without python3_fixup
@ -19,7 +30,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 3
+%global baserelease 5

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -155,6 +166,9 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 # Patch to install both node and libnode.so, using the correct libdir
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch

+# CVE-2021-43616
+Patch3: 0001-fix-ci-lock-file-validation.patch
+
 BuildRequires: make
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
@ -175,19 +189,18 @@ BuildRequires: chrpath
 BuildRequires: libatomic
 BuildRequires: systemtap-sdt-devel

-%if %{with bootstrap}
-Provides: bundled(libuv) = %{libuv_version}
-Provides: bundled(nghttp2) = %{nghttp2_version}
+%if %{with bundled}
+Provides:      bundled(libuv) = %{libuv_version}
 %else
-BuildRequires: libuv-devel >= 1:%{libuv_version}
-Requires: libuv >= 1:%{libuv_version}
-%if 0%{?fedora} || 0%{?rhel} >= 9
-BuildRequires: libnghttp2-devel >= %{nghttp2_version}
-Requires: libnghttp2 >= %{nghttp2_version}
-%else
-%define nghttp2_configure %{nil}
-Provides: bundled(nghttp2) = %{nghttp2_version}
+BuildRequires:  libuv-devel >= 1:%{libuv_version}
+Requires:       libuv-devel >= 1:%{libuv_version}
 %endif
+
+%if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9)
+Provides:      bundled(nghttp2) = %{nghttp2_version}
+%else
+BuildRequires:  libnghttp2-devel >= %{nghttp2_version}
+Requires:       libnghttp2-devel >= %{nghttp2_version}
 %endif

 # Temporarily bundle llhttp because the upstream doesn't
@ -282,9 +295,7 @@ Requires: zlib-devel%{?_isa}
 Requires: brotli-devel%{?_isa}
 Requires: nodejs-packaging

-%if %{with bootstrap}
-# deps are bundled
-%else
+%if %{without bundled}
 Requires: libuv-devel%{?_isa}
 %endif

@ -412,49 +423,28 @@ export CXX='%{__cxx}'
 # build with debugging symbols and add defines from libuv (#892601)
 # Node's v8 breaks with GCC 6 because of incorrect usage of methods on
 # NULL objects. We need to pass -fno-delete-null-pointer-checks
-export CFLAGS='%{optflags} \
-               -D_LARGEFILE_SOURCE \
-               -D_FILE_OFFSET_BITS=64 \
-               -DZLIB_CONST \
-               -fno-delete-null-pointer-checks'
-export CXXFLAGS='%{optflags} \
-                 -D_LARGEFILE_SOURCE \
-                 -D_FILE_OFFSET_BITS=64 \
-                 -DZLIB_CONST \
-                 -fno-delete-null-pointer-checks'
-
-# Explicit new lines in C(XX)FLAGS can break naive build scripts
-export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' '  ')"
-export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' '  ')"
-
+extra_cflags=(
+    -D_LARGEFILE_SOURCE
+    -D_FILE_OFFSET_BITS=64
+    -DZLIB_CONST
+    -fno-delete-null-pointer-checks
+)
+export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}"
 export LDFLAGS="%{build_ldflags}"

-%if %{with bootstrap}
 %{__python3} configure.py --prefix=%{_prefix} \
           --shared \
           --libdir=%{_lib} \
           --shared-openssl \
           --shared-zlib \
           --shared-brotli \
-           --with-dtrace \
-           --with-intl=small-icu \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
-%else
-%{__python3} configure.py --prefix=%{_prefix} \
-           --shared \
-           --libdir=%{_lib} \
-           --shared-openssl \
-           --shared-zlib \
-           --shared-brotli \
-           --shared-libuv \
-           --shared-nghttp2 \
+           %{!?with_bundled:--shared-libuv} \
+           %{!?with_bundled:--shared-nghttp2} \
           --with-dtrace \
           --with-intl=small-icu \
           --with-icu-default-data-dir=%{icudatadir} \
           --openssl-use-def-ca-store \
           --openssl-default-cipher-list=PROFILE=SYSTEM
-%endif

 make BUILDTYPE=Release %{?_smp_mflags}

@ -705,9 +695,16 @@ end


 %changelog
-* Mon Mar 07 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-3
- Resolves: #2059949
- Make Brew not append ~bootstrap when the macro is used
+* Thu Apr 21 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-5
+- Decouple dependency bundling from bootstrapping
+
+* Tue Apr 05 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-4
+- Apply lock file validation fixes
+  Resolves: CVE-2021-43616
+
+* Thu Mar 31 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-3
+- Refactor bootstap handling and configure script invocation
+  Resolves: rhbz#2056969

 * Sun Feb 13 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-2
 - Build with bootstrap by default due to old versions of dependencies available