Apply lock file validation fixes
Resolves: CVE-2021-43616 Resolves: RHBZ#2070013
This commit is contained in:
parent
252867830e
commit
285790d63c
2
.gitignore
vendored
2
.gitignore
vendored
@ -21,3 +21,5 @@
|
|||||||
/node-v16.7.0-stripped.tar.gz
|
/node-v16.7.0-stripped.tar.gz
|
||||||
/node-v16.8.0-stripped.tar.gz
|
/node-v16.8.0-stripped.tar.gz
|
||||||
/node-v16.13.1-stripped.tar.gz
|
/node-v16.13.1-stripped.tar.gz
|
||||||
|
/node-v16.14.0-stripped.tar.gz
|
||||||
|
/icu4c-70_1-src.tgz
|
||||||
|
397
0001-fix-ci-lock-file-validation.patch
Normal file
397
0001-fix-ci-lock-file-validation.patch
Normal file
@ -0,0 +1,397 @@
|
|||||||
|
From 730dd78c897a28c3df0468ed1fc42d5817badefe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ruy Adorno <ruyadorno@hotmail.com>
|
||||||
|
Date: Wed, 2 Feb 2022 22:10:22 -0500
|
||||||
|
Subject: [PATCH] fix(ci): lock file validation
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Make sure to validate any lock file (either package-lock.json or
|
||||||
|
npm-shrinkwrap.json) against the current install. This will properly
|
||||||
|
throw an error in case any of the dependencies being installed don't
|
||||||
|
match the dependencies that are currently listed in the lock file.
|
||||||
|
|
||||||
|
Fixes: https://github.com/npm/cli/issues/2701
|
||||||
|
Fixes: https://github.com/npm/cli/issues/3947
|
||||||
|
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
||||||
|
---
|
||||||
|
deps/npm/lib/commands/ci.js | 23 ++++++
|
||||||
|
deps/npm/lib/utils/validate-lockfile.js | 29 +++++++
|
||||||
|
.../smoke-tests/index.js.test.cjs | 11 +++
|
||||||
|
.../test/lib/commands/ci.js.test.cjs | 13 +++
|
||||||
|
.../lib/utils/validate-lockfile.js.test.cjs | 35 ++++++++
|
||||||
|
deps/npm/test/lib/commands/ci.js | 82 +++++++++++++++++++
|
||||||
|
deps/npm/test/lib/utils/validate-lockfile.js | 82 +++++++++++++++++++
|
||||||
|
7 files changed, 275 insertions(+)
|
||||||
|
create mode 100644 deps/npm/lib/utils/validate-lockfile.js
|
||||||
|
create mode 100644 deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs
|
||||||
|
create mode 100644 deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
|
||||||
|
create mode 100644 deps/npm/test/lib/utils/validate-lockfile.js
|
||||||
|
|
||||||
|
diff --git a/deps/npm/lib/commands/ci.js b/deps/npm/lib/commands/ci.js
|
||||||
|
index 2c2f8da..376a85d 100644
|
||||||
|
--- a/deps/npm/lib/commands/ci.js
|
||||||
|
+++ b/deps/npm/lib/commands/ci.js
|
||||||
|
@@ -6,6 +6,7 @@ const runScript = require('@npmcli/run-script')
|
||||||
|
const fs = require('fs')
|
||||||
|
const readdir = util.promisify(fs.readdir)
|
||||||
|
const log = require('../utils/log-shim.js')
|
||||||
|
+const validateLockfile = require('../utils/validate-lockfile.js')
|
||||||
|
|
||||||
|
const removeNodeModules = async where => {
|
||||||
|
const rimrafOpts = { glob: false }
|
||||||
|
@@ -55,6 +56,28 @@ class CI extends ArboristWorkspaceCmd {
|
||||||
|
}),
|
||||||
|
removeNodeModules(where),
|
||||||
|
])
|
||||||
|
+
|
||||||
|
+ // retrieves inventory of packages from loaded virtual tree (lock file)
|
||||||
|
+ const virtualInventory = new Map(arb.virtualTree.inventory)
|
||||||
|
+
|
||||||
|
+ // build ideal tree step needs to come right after retrieving the virtual
|
||||||
|
+ // inventory since it's going to erase the previous ref to virtualTree
|
||||||
|
+ await arb.buildIdealTree()
|
||||||
|
+
|
||||||
|
+ // verifies that the packages from the ideal tree will match
|
||||||
|
+ // the same versions that are present in the virtual tree (lock file)
|
||||||
|
+ // throws a validation error in case of mismatches
|
||||||
|
+ const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
|
||||||
|
+ if (errors.length) {
|
||||||
|
+ throw new Error(
|
||||||
|
+ '`npm ci` can only install packages when your package.json and ' +
|
||||||
|
+ 'package-lock.json or npm-shrinkwrap.json are in sync. Please ' +
|
||||||
|
+ 'update your lock file with `npm install` ' +
|
||||||
|
+ 'before continuing.\n\n' +
|
||||||
|
+ errors.join('\n') + '\n'
|
||||||
|
+ )
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
await arb.reify(opts)
|
||||||
|
|
||||||
|
const ignoreScripts = this.npm.config.get('ignore-scripts')
|
||||||
|
diff --git a/deps/npm/lib/utils/validate-lockfile.js b/deps/npm/lib/utils/validate-lockfile.js
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..29161ec
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/deps/npm/lib/utils/validate-lockfile.js
|
||||||
|
@@ -0,0 +1,29 @@
|
||||||
|
+// compares the inventory of package items in the tree
|
||||||
|
+// that is about to be installed (idealTree) with the inventory
|
||||||
|
+// of items stored in the package-lock file (virtualTree)
|
||||||
|
+//
|
||||||
|
+// Returns empty array if no errors found or an array populated
|
||||||
|
+// with an entry for each validation error found.
|
||||||
|
+function validateLockfile (virtualTree, idealTree) {
|
||||||
|
+ const errors = []
|
||||||
|
+
|
||||||
|
+ // loops through the inventory of packages resulted by ideal tree,
|
||||||
|
+ // for each package compares the versions with the version stored in the
|
||||||
|
+ // package-lock and adds an error to the list in case of mismatches
|
||||||
|
+ for (const [key, entry] of idealTree.entries()) {
|
||||||
|
+ const lock = virtualTree.get(key)
|
||||||
|
+
|
||||||
|
+ if (!lock) {
|
||||||
|
+ errors.push(`Missing: ${entry.name}@${entry.version} from lock file`)
|
||||||
|
+ continue
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (entry.version !== lock.version) {
|
||||||
|
+ errors.push(`Invalid: lock file's ${lock.name}@${lock.version} does ` +
|
||||||
|
+ `not satisfy ${entry.name}@${entry.version}`)
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ return errors
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+module.exports = validateLockfile
|
||||||
|
diff --git a/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs b/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs
|
||||||
|
index c1316e0..5fa3977 100644
|
||||||
|
--- a/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs
|
||||||
|
+++ b/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs
|
||||||
|
@@ -40,6 +40,17 @@ Configuration fields: npm help 7 config
|
||||||
|
|
||||||
|
npm {CWD}
|
||||||
|
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+exports[`smoke-tests/index.js TAP npm ci > should throw mismatch deps in lock file error 1`] = `
|
||||||
|
+npm ERR! \`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing.
|
||||||
|
+npm ERR!
|
||||||
|
+npm ERR! Invalid: lock file's abbrev@1.0.4 does not satisfy abbrev@1.1.1
|
||||||
|
+npm ERR!
|
||||||
|
+
|
||||||
|
+npm ERR! A complete log of this run can be found in:
|
||||||
|
+
|
||||||
|
+
|
||||||
|
`
|
||||||
|
|
||||||
|
exports[`smoke-tests/index.js TAP npm diff > should have expected diff output 1`] = `
|
||||||
|
diff --git a/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..d6a7471
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs
|
||||||
|
@@ -0,0 +1,13 @@
|
||||||
|
+/* IMPORTANT
|
||||||
|
+ * This snapshot file is auto-generated, but designed for humans.
|
||||||
|
+ * It should be checked into source control and tracked carefully.
|
||||||
|
+ * Re-generate by setting TAP_SNAPSHOT=1 and running tests.
|
||||||
|
+ * Make sure to inspect the output below. Do not ignore changes!
|
||||||
|
+ */
|
||||||
|
+'use strict'
|
||||||
|
+exports[`test/lib/commands/ci.js TAP should throw error when ideal inventory mismatches virtual > must match snapshot 1`] = `
|
||||||
|
+\`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing.
|
||||||
|
+
|
||||||
|
+Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0
|
||||||
|
+
|
||||||
|
+`
|
||||||
|
diff --git a/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..98a5126
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs
|
||||||
|
@@ -0,0 +1,35 @@
|
||||||
|
+/* IMPORTANT
|
||||||
|
+ * This snapshot file is auto-generated, but designed for humans.
|
||||||
|
+ * It should be checked into source control and tracked carefully.
|
||||||
|
+ * Re-generate by setting TAP_SNAPSHOT=1 and running tests.
|
||||||
|
+ * Make sure to inspect the output below. Do not ignore changes!
|
||||||
|
+ */
|
||||||
|
+'use strict'
|
||||||
|
+exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on idealTree > should have missing entries error 1`] = `
|
||||||
|
+Array [
|
||||||
|
+ "Missing: baz@3.0.0 from lock file",
|
||||||
|
+]
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on virtualTree > should have no errors if finding virtualTree extra items 1`] = `
|
||||||
|
+Array []
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+exports[`test/lib/utils/validate-lockfile.js TAP identical inventory for both idealTree and virtualTree > should have no errors on identical inventories 1`] = `
|
||||||
|
+Array []
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+exports[`test/lib/utils/validate-lockfile.js TAP mismatching versions on inventory > should have errors for each mismatching version 1`] = `
|
||||||
|
+Array [
|
||||||
|
+ "Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0",
|
||||||
|
+ "Invalid: lock file's bar@2.0.0 does not satisfy bar@3.0.0",
|
||||||
|
+]
|
||||||
|
+`
|
||||||
|
+
|
||||||
|
+exports[`test/lib/utils/validate-lockfile.js TAP missing virtualTree inventory > should have errors for each mismatching version 1`] = `
|
||||||
|
+Array [
|
||||||
|
+ "Missing: foo@1.0.0 from lock file",
|
||||||
|
+ "Missing: bar@2.0.0 from lock file",
|
||||||
|
+ "Missing: baz@3.0.0 from lock file",
|
||||||
|
+]
|
||||||
|
+`
|
||||||
|
diff --git a/deps/npm/test/lib/commands/ci.js b/deps/npm/test/lib/commands/ci.js
|
||||||
|
index 537d078..e077c99 100644
|
||||||
|
--- a/deps/npm/test/lib/commands/ci.js
|
||||||
|
+++ b/deps/npm/test/lib/commands/ci.js
|
||||||
|
@@ -19,6 +19,17 @@ t.test('should ignore scripts with --ignore-scripts', async t => {
|
||||||
|
this.reify = () => {
|
||||||
|
REIFY_CALLED = true
|
||||||
|
}
|
||||||
|
+ this.buildIdealTree = () => {}
|
||||||
|
+ this.virtualTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
+ this.idealTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
},
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -99,6 +110,17 @@ t.test('should use Arborist and run-script', async t => {
|
||||||
|
this.reify = () => {
|
||||||
|
t.ok(true, 'reify is called')
|
||||||
|
}
|
||||||
|
+ this.buildIdealTree = () => {}
|
||||||
|
+ this.virtualTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
+ this.idealTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
},
|
||||||
|
rimraf: (path, ...args) => {
|
||||||
|
actualRimrafs++
|
||||||
|
@@ -138,6 +160,17 @@ t.test('should pass flatOptions to Arborist.reify', async t => {
|
||||||
|
this.reify = async (options) => {
|
||||||
|
t.equal(options.production, true, 'should pass flatOptions to Arborist.reify')
|
||||||
|
}
|
||||||
|
+ this.buildIdealTree = () => {}
|
||||||
|
+ this.virtualTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
+ this.idealTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
},
|
||||||
|
})
|
||||||
|
const npm = mockNpm({
|
||||||
|
@@ -218,6 +251,17 @@ t.test('should remove existing node_modules before installing', async t => {
|
||||||
|
const nodeModules = contents.filter((path) => path.startsWith('node_modules'))
|
||||||
|
t.same(nodeModules, ['node_modules'], 'should only have the node_modules directory')
|
||||||
|
}
|
||||||
|
+ this.buildIdealTree = () => {}
|
||||||
|
+ this.virtualTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
+ this.idealTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
},
|
||||||
|
})
|
||||||
|
|
||||||
|
@@ -231,3 +275,41 @@ t.test('should remove existing node_modules before installing', async t => {
|
||||||
|
|
||||||
|
await ci.exec(null)
|
||||||
|
})
|
||||||
|
+
|
||||||
|
+t.test('should throw error when ideal inventory mismatches virtual', async t => {
|
||||||
|
+ const CI = t.mock('../../../lib/commands/ci.js', {
|
||||||
|
+ '../../../lib/utils/reify-finish.js': async () => {},
|
||||||
|
+ '@npmcli/run-script': ({ event }) => {},
|
||||||
|
+ '@npmcli/arborist': function () {
|
||||||
|
+ this.loadVirtual = async () => {}
|
||||||
|
+ this.reify = () => {}
|
||||||
|
+ this.buildIdealTree = () => {}
|
||||||
|
+ this.virtualTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
+ this.idealTree = {
|
||||||
|
+ inventory: new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '2.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ }
|
||||||
|
+ },
|
||||||
|
+ })
|
||||||
|
+
|
||||||
|
+ const npm = mockNpm({
|
||||||
|
+ globalDir: 'path/to/node_modules/',
|
||||||
|
+ prefix: 'foo',
|
||||||
|
+ config: {
|
||||||
|
+ global: false,
|
||||||
|
+ 'ignore-scripts': true,
|
||||||
|
+ },
|
||||||
|
+ })
|
||||||
|
+ const ci = new CI(npm)
|
||||||
|
+
|
||||||
|
+ try {
|
||||||
|
+ await ci.exec([])
|
||||||
|
+ } catch (err) {
|
||||||
|
+ t.matchSnapshot(err.message)
|
||||||
|
+ }
|
||||||
|
+})
|
||||||
|
diff --git a/deps/npm/test/lib/utils/validate-lockfile.js b/deps/npm/test/lib/utils/validate-lockfile.js
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..25939c5
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/deps/npm/test/lib/utils/validate-lockfile.js
|
||||||
|
@@ -0,0 +1,82 @@
|
||||||
|
+const t = require('tap')
|
||||||
|
+const validateLockfile = require('../../../lib/utils/validate-lockfile.js')
|
||||||
|
+
|
||||||
|
+t.test('identical inventory for both idealTree and virtualTree', async t => {
|
||||||
|
+ t.matchSnapshot(
|
||||||
|
+ validateLockfile(
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ])
|
||||||
|
+ ),
|
||||||
|
+ 'should have no errors on identical inventories'
|
||||||
|
+ )
|
||||||
|
+})
|
||||||
|
+
|
||||||
|
+t.test('extra inventory items on idealTree', async t => {
|
||||||
|
+ t.matchSnapshot(
|
||||||
|
+ validateLockfile(
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ['baz', { name: 'baz', version: '3.0.0' }],
|
||||||
|
+ ])
|
||||||
|
+ ),
|
||||||
|
+ 'should have missing entries error'
|
||||||
|
+ )
|
||||||
|
+})
|
||||||
|
+
|
||||||
|
+t.test('extra inventory items on virtualTree', async t => {
|
||||||
|
+ t.matchSnapshot(
|
||||||
|
+ validateLockfile(
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ['baz', { name: 'baz', version: '3.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ])
|
||||||
|
+ ),
|
||||||
|
+ 'should have no errors if finding virtualTree extra items'
|
||||||
|
+ )
|
||||||
|
+})
|
||||||
|
+
|
||||||
|
+t.test('mismatching versions on inventory', async t => {
|
||||||
|
+ t.matchSnapshot(
|
||||||
|
+ validateLockfile(
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ]),
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '2.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '3.0.0' }],
|
||||||
|
+ ])
|
||||||
|
+ ),
|
||||||
|
+ 'should have errors for each mismatching version'
|
||||||
|
+ )
|
||||||
|
+})
|
||||||
|
+
|
||||||
|
+t.test('missing virtualTree inventory', async t => {
|
||||||
|
+ t.matchSnapshot(
|
||||||
|
+ validateLockfile(
|
||||||
|
+ new Map([]),
|
||||||
|
+ new Map([
|
||||||
|
+ ['foo', { name: 'foo', version: '1.0.0' }],
|
||||||
|
+ ['bar', { name: 'bar', version: '2.0.0' }],
|
||||||
|
+ ['baz', { name: 'baz', version: '3.0.0' }],
|
||||||
|
+ ])
|
||||||
|
+ ),
|
||||||
|
+ 'should have errors for each mismatching version'
|
||||||
|
+ )
|
||||||
|
+})
|
||||||
|
--
|
||||||
|
2.35.1
|
||||||
|
|
@ -48,7 +48,7 @@ index 39f5ec6c66e..b56ebc03d58 100644
|
|||||||
@@ -192,7 +192,12 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
|
@@ -192,7 +192,12 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
|
||||||
IncrementObjectCounters();
|
IncrementObjectCounters();
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
- bool large_object = size_in_bytes > kMaxRegularHeapObjectSize;
|
- bool large_object = size_in_bytes > kMaxRegularHeapObjectSize;
|
||||||
+ size_t large_object_threshold =
|
+ size_t large_object_threshold =
|
||||||
+ AllocationType::kCode == type
|
+ AllocationType::kCode == type
|
||||||
@ -56,7 +56,7 @@ index 39f5ec6c66e..b56ebc03d58 100644
|
|||||||
+ : kMaxRegularHeapObjectSize;
|
+ : kMaxRegularHeapObjectSize;
|
||||||
+ bool large_object =
|
+ bool large_object =
|
||||||
+ static_cast<size_t>(size_in_bytes) > large_object_threshold;
|
+ static_cast<size_t>(size_in_bytes) > large_object_threshold;
|
||||||
|
|
||||||
HeapObject object;
|
HeapObject object;
|
||||||
AllocationResult allocation;
|
AllocationResult allocation;
|
||||||
@@ -225,10 +230,10 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
|
@@ -225,10 +230,10 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
|
||||||
@ -80,7 +80,7 @@ index 888d174c02f..0165fa6970f 100644
|
|||||||
@@ -1404,8 +1404,10 @@ class Heap {
|
@@ -1404,8 +1404,10 @@ class Heap {
|
||||||
// Heap object allocation tracking. ==========================================
|
// Heap object allocation tracking. ==========================================
|
||||||
// ===========================================================================
|
// ===========================================================================
|
||||||
|
|
||||||
- void AddHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
|
- void AddHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
|
||||||
- void RemoveHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
|
- void RemoveHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
|
||||||
+ V8_EXPORT_PRIVATE void AddHeapObjectAllocationTracker(
|
+ V8_EXPORT_PRIVATE void AddHeapObjectAllocationTracker(
|
||||||
|
@ -128,7 +128,7 @@ echo "$ICUMD5 $ICUTARBALL" > icu.md5
|
|||||||
md5sum -c icu.md5
|
md5sum -c icu.md5
|
||||||
rm -f icu.md5 SHASUMS256.txt
|
rm -f icu.md5 SHASUMS256.txt
|
||||||
|
|
||||||
rhpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
|
#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
|
||||||
|
|
||||||
rm -f node-v${version}.tar.gz
|
rm -f node-v${version}.tar.gz
|
||||||
|
|
||||||
|
31
nodejs.spec
31
nodejs.spec
@ -11,10 +11,10 @@
|
|||||||
%bcond_without python3_fixup
|
%bcond_without python3_fixup
|
||||||
|
|
||||||
# == Master Relase ==
|
# == Master Relase ==
|
||||||
# This is used by both the nodejs package and the npm subpackage thar
|
# This is used by both the nodejs package and the npm subpackage that
|
||||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||||
# will bump this rather than adding .1 to the end.
|
# will bump this rather than adding .1 to the end.
|
||||||
%global baserelease 3
|
%global baserelease 4
|
||||||
|
|
||||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||||
|
|
||||||
@ -25,8 +25,8 @@
|
|||||||
# than a Fedora release lifecycle.
|
# than a Fedora release lifecycle.
|
||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 16
|
%global nodejs_major 16
|
||||||
%global nodejs_minor 13
|
%global nodejs_minor 14
|
||||||
%global nodejs_patch 1
|
%global nodejs_patch 0
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||||
%global nodejs_soversion 93
|
%global nodejs_soversion 93
|
||||||
@ -63,7 +63,7 @@
|
|||||||
|
|
||||||
# libuv - from deps/uv/include/uv/version.h
|
# libuv - from deps/uv/include/uv/version.h
|
||||||
%global libuv_major 1
|
%global libuv_major 1
|
||||||
%global libuv_minor 42
|
%global libuv_minor 43
|
||||||
%global libuv_patch 0
|
%global libuv_patch 0
|
||||||
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
|
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
|
||||||
|
|
||||||
@ -86,7 +86,7 @@
|
|||||||
%global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
|
%global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
|
||||||
|
|
||||||
# ICU - from tools/icu/current_ver.dep
|
# ICU - from tools/icu/current_ver.dep
|
||||||
%global icu_major 69
|
%global icu_major 70
|
||||||
%global icu_minor 1
|
%global icu_minor 1
|
||||||
%global icu_version %{icu_major}.%{icu_minor}
|
%global icu_version %{icu_major}.%{icu_minor}
|
||||||
|
|
||||||
@ -118,14 +118,14 @@
|
|||||||
# npm - from deps/npm/package.json
|
# npm - from deps/npm/package.json
|
||||||
%global npm_epoch 1
|
%global npm_epoch 1
|
||||||
%global npm_major 8
|
%global npm_major 8
|
||||||
%global npm_minor 1
|
%global npm_minor 3
|
||||||
%global npm_patch 2
|
%global npm_patch 1
|
||||||
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
|
||||||
|
|
||||||
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
# uvwasi - from deps/uvwasi/include/uvwasi.h
|
||||||
%global uvwasi_major 0
|
%global uvwasi_major 0
|
||||||
%global uvwasi_minor 0
|
%global uvwasi_minor 0
|
||||||
%global uvwasi_patch 11
|
%global uvwasi_patch 12
|
||||||
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
|
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
|
||||||
|
|
||||||
# histogram_c - assumed from timestamps
|
# histogram_c - assumed from timestamps
|
||||||
@ -171,6 +171,9 @@ Source7: nodejs_native.attr
|
|||||||
# Disable running gyp on bundled deps we don't use
|
# Disable running gyp on bundled deps we don't use
|
||||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||||
|
|
||||||
|
# CVE-2021-43616
|
||||||
|
Patch2: 0001-fix-ci-lock-file-validation.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
@ -500,7 +503,7 @@ cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
|
|||||||
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
|
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
|
||||||
ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man
|
ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man
|
||||||
|
|
||||||
# Install Gatsby HTML documentation to %{_pkgdocdir}
|
# Install Gatsby HTML documentation to %%{_pkgdocdir}
|
||||||
cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
|
cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
|
||||||
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
|
rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
|
||||||
|
|
||||||
@ -521,7 +524,7 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
|
|||||||
-exec chmod -x {} \;
|
-exec chmod -x {} \;
|
||||||
|
|
||||||
# The above command is a little overzealous. Add a few permissions back.
|
# The above command is a little overzealous. Add a few permissions back.
|
||||||
chmod 0775 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
|
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
|
||||||
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
|
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
|
||||||
|
|
||||||
# Corepack contains a number of executable"shims", including some for Windows
|
# Corepack contains a number of executable"shims", including some for Windows
|
||||||
@ -677,6 +680,7 @@ end
|
|||||||
%doc %{_mandir}/man7/config.7*
|
%doc %{_mandir}/man7/config.7*
|
||||||
%doc %{_mandir}/man7/developers.7*
|
%doc %{_mandir}/man7/developers.7*
|
||||||
%doc %{_mandir}/man7/orgs.7*
|
%doc %{_mandir}/man7/orgs.7*
|
||||||
|
%doc %{_mandir}/man7/logging.7*
|
||||||
%doc %{_mandir}/man7/registry.7*
|
%doc %{_mandir}/man7/registry.7*
|
||||||
%doc %{_mandir}/man7/removal.7*
|
%doc %{_mandir}/man7/removal.7*
|
||||||
%doc %{_mandir}/man7/scope.7*
|
%doc %{_mandir}/man7/scope.7*
|
||||||
@ -692,6 +696,11 @@ end
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-4
|
||||||
|
- Apply lock file validation fixes
|
||||||
|
- Resolves: CVE-2021-43616
|
||||||
|
- Resolves: RHBZ#2070013
|
||||||
|
|
||||||
* Mon Dec 06 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.13.1-3
|
* Mon Dec 06 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.13.1-3
|
||||||
- Resolves: RHBZ#2026329
|
- Resolves: RHBZ#2026329
|
||||||
- Add corepack to spec
|
- Add corepack to spec
|
||||||
|
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (node-v16.13.1-stripped.tar.gz) = 7db815043054605b923eba720df0181512d8a042b01465f82c0b39f0ab991a9b48e6832e303d1ab6fee70be54da00880b2c31b0a02c2282b8750edceda63916c
|
SHA512 (node-v16.14.0-stripped.tar.gz) = 5227f488e703b458ab299fce87821810f4b6f08192d7985c6643b5d6ab9457619b29847ff17a5cc31ffa3bdf48cc8baa4c88f2641327ba1b1f58cfc3c7336031
|
||||||
SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
|
SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
|
||||||
|
Loading…
Reference in New Issue
Block a user