import UBI nodejs-16.20.1-1.module+el8.8.0+19440+ee8dbee5

2023-08-08 13:49:05 +00:00 · 2023-08-08 13:49:05 +00:00 · 81f29cb90c
parent 8cea0c713f
commit 81f29cb90c
6 changed files with 36 additions and 16838 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-71_1-src.tgz
-SOURCES/node-v16.19.1-stripped.tar.gz
-SOURCES/undici-5.19.1.tar.gz
+SOURCES/node-v16.20.1-stripped.tar.gz
+SOURCES/undici-5.20.0.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,6 +1,6 @@
 b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
-bd54c70441a0d8933e6e78378e47501ef5639038 SOURCES/node-v16.19.1-stripped.tar.gz
-4ba08daec56f2571fc8af493b3a2628d290f9390 SOURCES/undici-5.19.1.tar.gz
+dd58f4942a016f232a06e36fae6cc43c387e2f66 SOURCES/node-v16.20.1-stripped.tar.gz
+a96c780a67c578c31e9c8d291e357b2ae98a0ce5 SOURCES/undici-5.20.0.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
--- a/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
+++ b/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
@ -1,45 +0,0 @@
-From abe534dda44a10e1b80a206c996f2e0e42298f7f Mon Sep 17 00:00:00 2001
-From: Kornel <kornel@geekhood.net>
-Date: Fri, 27 Jan 2023 01:20:38 +0000
-Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
- whitespace
-
-Signed-off-by: rpm-build <rpm-build>
---
- deps/npm/node_modules/http-cache-semantics/index.js     | 6 +++---
- deps/npm/node_modules/http-cache-semantics/package.json | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js
-index 4f6c2f3..39d58a7 100644
--- a/deps/npm/node_modules/http-cache-semantics/index.js
-+++ b/deps/npm/node_modules/http-cache-semantics/index.js
-@@ -79,10 +79,10 @@ function parseCacheControl(header) {
- 
-     // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
-     // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
-    const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
-+    const parts = header.trim().split(/,/);
-     for (const part of parts) {
-        const [k, v] = part.split(/\s*=\s*/, 2);
-        cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
-+        const [k, v] = part.split(/=/, 2);
-+        cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
-     }
- 
-     return cc;
-diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json
-index 897798d..79c020a 100644
--- a/deps/npm/node_modules/http-cache-semantics/package.json
-+++ b/deps/npm/node_modules/http-cache-semantics/package.json
-@@ -1,6 +1,6 @@
- {
-     "name": "http-cache-semantics",
-    "version": "4.1.0",
-+    "version": "4.1.1",
-     "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies",
-     "repository": "https://github.com/kornelski/http-cache-semantics.git",
-     "main": "index.js",
-- 
-2.40.1
-
--- a/SOURCES/0003-deps-update-c-ares-to-1.19.1.patch
+++ b/SOURCES/0003-deps-update-c-ares-to-1.19.1.patch
--- a/SOURCES/npmrc.builtin.in
+++ b/SOURCES/npmrc.builtin.in
@ -0,0 +1,5 @@
+# This is the distibution-level configuration file for npm.
+# To configure NPM on a system level, use the globalconfig below (defaults to @SYSCONFDIR@/npmrc).
+# vim:set filetype=dosini:
+
+globalconfig=@SYSCONFDIR@/npmrc
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -35,7 +35,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -46,7 +46,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 19
+%global nodejs_minor 20
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -74,10 +74,7 @@
 %global c_ares_version 1.19.1

 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 10
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.11

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
@ -135,10 +132,13 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 8
-%global npm_minor 19
-%global npm_patch 3
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
+%global npm_version 8.19.4
+
+# In order to avoid needing to keep incrementing the release version for the
+# main package forever, we will just construct one for npm that is guaranteed
+# to increment safely. Changing this can only be done during an update when the
+# base npm version number is increasing.
+%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
@ -152,12 +152,6 @@
 %global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}

-# In order to avoid needing to keep incrementing the release version for the
-# main package forever, we will just construct one for npm that is guaranteed
-# to increment safely. Changing this can only be done during an update when the
-# base npm version number is increasing.
-%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
-

 Name: nodejs
 Epoch: %{nodejs_epoch}
@ -184,6 +178,9 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr

+# Configure npm to look into /etc for configuration
+Source8: npmrc.builtin.in
+
 # These are full sources for dependencies included as WASM blobs in the source of Node itself.
 # Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
 # Recipes for creating these blobs are included in the sources.
@ -197,18 +194,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz

 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz
-# Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.19.1.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
+# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.20.0.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz

 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-# CVE-2022-25881
-Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
-Patch3: 0003-deps-update-c-ares-to-1.19.1.patch

 BuildRequires: make
 BuildRequires: python3-devel
@ -566,15 +560,14 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js

+# Drop the NPM builtin configuration in place
+sed -e 's#@SYSCONFDIR@#%{_sysconfdir}#g' \
+    %{SOURCE8} > %{buildroot}%{_prefix}/lib/node_modules/npm/npmrc
+
 # Drop the NPM default configuration in place
 mkdir -p %{buildroot}%{_sysconfdir}
 cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc

-# NPM upstream expects it to be in /usr/etc/npmrc, so we'll put a symlink here
-# This is done in the interests of keeping /usr read-only.
-mkdir -p %{buildroot}%{_prefix}/etc
-ln -s %{_sysconfdir}/npmrc %{buildroot}%{_prefix}/etc/npmrc
-
 # Install the full-icu data files
 install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*

@ -696,7 +689,6 @@ end
 %{_bindir}/npx
 %{_prefix}/lib/node_modules/npm
 %config(noreplace) %{_sysconfdir}/npmrc
-%{_prefix}/etc/npmrc
 %ghost %{_sysconfdir}/npmignore
 %doc %{_mandir}/man1/npm*.1*
 %doc %{_mandir}/man1/npx.1*
@ -729,6 +721,13 @@ end


 %changelog
+* Thu Jul 13 2023 Jan Staněk <jstanek@redhat.com> - 1:16.20.1-1
+- Rebase to 16.20.1
+  Resolves: rhbz#2188289
+  Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
+- Replace /usr/etc/npmrc symlink with builtin configuration
+  Resolves: rhbz#2222288
+
 * Wed May 31 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-2
 - Update bundled c-ares to 1.19.1
  Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067