From b553ca163d7508a65866ef934fc7bb153aa85413 Mon Sep 17 00:00:00 2001
From: zsvetlik
Date: Mon, 14 Feb 2022 08:29:39 +0000
Subject: [PATCH] Update to 16.14.0

Resolves: #2042995, #2042970, #2042981, #2042989
Resolves: #2029936, #2024890, #2014499, #2014135
Resolves: #2013834, #1945299
---
 nodejs.spec | 109 +++++++++++++++++++++++++++++----------------------
 sources | 4 +-
 2 files changed, 63 insertions(+), 50 deletions(-)

diff --git a/nodejs.spec b/nodejs.spec
index 194c743..e73a708 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -1,15 +1,24 @@
 # bundle dependencies that are not available as Fedora modules
-%bcond_with bootstrap
+%bcond_without bootstrap
+
+%if 0%{?rhel} && 0%{?rhel} < 9
 %bcond_without python3_fixup
+%else
+%bcond_with python3_fixup
+%endif
 
 # LTO is currently broken on Node.js builds
 %define _lto_cflags %{nil}
 
+# Heavy-handed approach to avoiding issues with python
+# bytecompiling files in the node_modules/ directory
+%global __python %{__python3}
+
 # == Master Relase ==
-# This is used by both the nodejs package and the npm subpackage thar
+# This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -20,7 +29,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 10
+%global nodejs_minor 14
 %global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
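Review bot: The switch to `%bcond_without bootstrap` at the top of nodejs.spec makes the bundled copies of the dependencies the default, yet the comment above it still reads as if bundling were the exception and gives no reason or exit condition. Libraries built into the package this way do not pick up the distribution's own security updates, so a fix in any of them needs a new nodejs build; that is worth stating where the switch is made. I would put the changelog's reason next to it, for example `# Bootstrap by default: the packaged dependencies are older than this release needs; go back to %%bcond_with once they are updated`. Which libraries are affected is decided by `%if` blocks outside this hunk.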
@@ -35,9 +44,9 @@
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 2
 %global v8_major 9
-%global v8_minor 3
-%global v8_build 345
-%global v8_patch 19
+%global v8_minor 4
+%global v8_build 146
+%global v8_patch 24
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@@ -45,28 +54,16 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
-%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
+%global c_ares_version 1.18.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 2
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.4
 
 # libuv - from deps/uv/include/uv/version.h
-%global libuv_major 1
-%global libuv_minor 41
-%global libuv_patch 0
-%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
+%global libuv_version 1.43.0
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_major 1
-%global nghttp2_minor 42
-%global nghttp2_patch 0
-%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
+%global nghttp2_version 1.45.1
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@@ -81,7 +78,7 @@
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 69
+%global icu_major 70
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}
 
@@ -105,29 +102,11 @@
 # punycode - from lib/punycode.js
 # Note: this was merged into the mainline since 0.6.x
 # Note: this will be unmerged in an upcoming major release
-%global punycode_major 2
-%global punycode_minor 1
-%global punycode_patch 0
-%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
+%global punycode_version 2.1.0
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 7
-%global npm_minor 24
-%global npm_patch 0
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
-
-# uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_major 0
-%global uvwasi_minor 0
-%global uvwasi_patch 11
-%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
-
-# histogram_c - assumed from timestamps
-%global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
-%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
+%global npm_version 8.3.1
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -135,8 +114,14 @@
 # base npm version number is increasing.
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
+# uvwasi - from deps/uvwasi/include/uvwasi.h
+%global uvwasi_version 0.0.12
+
+# histogram_c - assumed from timestamps
+%global histogram_version 0.9.7
+
 # Node.js 16.9.1 and later comes with an experimental package management tool
-%global corepack_version 0.9.0
+%global corepack_version 0.10.0
 
 Name: nodejs
 Epoch: %{nodejs_epoch}
@@ -172,10 +157,15 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 BuildRequires: make
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
+BuildRequires: python3-jinja2
+%if !%{with python3_fixup}
+BuildRequires: python-unversioned-command
+%endif
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
 BuildRequires: gcc >= 8.3.0
 BuildRequires: gcc-c++ >= 8.3.0
+BuildRequires: jq
 # needed to generate bundled provides for npm dependencies
 # https://src.fedoraproject.org/rpms/nodejs/pull-request/2
 # https://pagure.io/nodejs-packaging/pull-request/10
@@ -190,8 +180,13 @@ Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
+%if 0%{?fedora} || 0%{?rhel} >= 9
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
 Requires: libnghttp2 >= %{nghttp2_version}
+%else
+%define nghttp2_configure %{nil}
+Provides: bundled(nghttp2) = %{nghttp2_version}
+%endif
 %endif
 
 # Temporarily bundle llhttp because the upstream doesn't
@@ -383,6 +378,8 @@ The API documentation for the Node.js JavaScript runtime.
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
 rm -rf deps/brotli
+rm -rf deps/v8/third_party/jinja2
+rm -rf tools/inspector_protocol/jinja2
 
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
@@ -546,7 +543,7 @@ cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
 ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man
 
-# Install Gatsby HTML documentation to %{_pkgdocdir}
+# Install Gatsby HTML documentation to %%{_pkgdocdir}
 cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
 
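Review bot: `%if !%{with python3_fixup}` in the BuildRequires block is easier to read as `%if %{without python3_fixup}`, which is the form rpm provides for testing a disabled bcond. The new build dependencies also arrive without comments: `jq` lands directly above the existing "needed to generate bundled provides" comment, which describes the lines after it, so a one-line `# jq: used by the npm version test further down` would keep the two apart. The hunk is a slice of the preamble, so the rest of the BuildRequires list is not visible here.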
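Review bot: `%define nghttp2_configure %{nil}` is set only in the new `%else` branch, and nothing visible here defines the macro when the system libnghttp2 is used, so the configure call that consumes it has to cope with both cases. That call is outside the hunk; confirm it expands `%{?nghttp2_configure}` or that a default is defined earlier, and prefer `%global` as the file does for its version macros. The branch also keeps a bundled nghttp2 on anything that is neither Fedora nor RHEL 9+ even in a non-bootstrap build, so HTTP/2 security fixes there depend on rebuilding nodejs rather than on the libnghttp2 package; a comment saying so next to the new `Provides: bundled(nghttp2)` line would help whoever triages the next advisory. The enclosing `%if`/`%else` starts before the hunk.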
@@ -567,7 +564,7 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
 -exec chmod -x {} \;
 
 # The above command is a little overzealous. Add a few permissions back.
-chmod 0775 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
+chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
 
 # Corepack contains a number of executable"shims", including some for Windows
@@ -598,7 +595,7 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
 
 # Ensure we have npm and that the version matches
-NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}%{_bindir}/node %{buildroot}%{_bindir}/npm version --json |jq -e '.npm == "%{npm_version}"'
 
 # Make sure i18n support is working
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
@@ -691,6 +688,7 @@ end
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/orgs.7*
+%doc %{_mandir}/man7/logging.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
 %doc %{_mandir}/man7/scope.7*
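Review bot: Nothing around the corrected `chmod 0755` on `node-gyp-bin/node-gyp` checks the modes that end up in the buildroot, so a typo like the earlier 0775 is caught only by reading the spec. A guard after the two chmod calls, for example `test -z "$(find %{buildroot}%{_prefix}/lib/node_modules/npm -type f -perm /022)"`, would fail the build if any file under the npm tree is left group- or world-writable. The find command that these lines correct begins before the hunk.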
@@ -706,6 +704,21 @@ end
 
 
 %changelog
+* Sun Feb 13 2022 Zuzana Svetlikova - 1:16.14.0-2
+- Build with bootstrap by default due to old versions of dependencies available
+- Resolves: #2042995, #2042970, #2042981, #2042989
+- Resolves: #2029936, #2024890, #2014499, #2014135
+- Resolves: #2013834, #1945299
+
+* Fri Feb 11 2022 Zuzana Svetlikova - 1:16.14.0-1
+- Update to latest version
+- Use jinja and jq
+- Don't fix python3
+- Resolves: CVE-2022-21824, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533
+- Resolves CVE-2020-15095
+- Resolves: CVE-2021-3918, CVE-2021-22959, CVE-2021-22960
+- Resolves: CVE-2021-3807, CVE-2021-27290
+
 * Wed Sep 29 2021 Zuzana Svetlikova - 1:16.10.0-1
 - Rebase to 16.10.0, add corepack, fix PowerShell dependency
 - Resolves: RHBZ#2000539, #2000548, #2000549, #2002177
diff --git a/sources b/sources
index e3a21c6..6387de0 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (node-v16.10.0-stripped.tar.gz) = 3be9583eca3eeee6f277e6c12f4371fddc05b72adfdfdf08e1276b25b5f51927d4c1925c95898988e17eef631910049769858693032bb2ca398e2745d8e67726
-SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
+SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
+SHA512 (node-v16.14.0-stripped.tar.gz) = 14f146a04e7ce8dded189b52053d71f927c154498d9b2f4b1f4f61547effcebc33e81f99a0a92c08347dc6179f42b98e3cd0f5b6e5160b01a7dfc3721c875642