diff --git a/.gitignore b/.gitignore index 8692d82..0b6d40a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,6 @@ -SOURCES/icu4c-70_1-src.tgz -SOURCES/node-v16.16.0-stripped.tar.gz +SOURCES/cjs-module-lexer-1.2.2.tar.gz +SOURCES/icu4c-71_1-src.tgz +SOURCES/node-v16.17.1-stripped.tar.gz +SOURCES/undici-5.8.0.tar.gz +SOURCES/wasi-sdk-wasi-sdk-11.tar.gz +SOURCES/wasi-sdk-wasi-sdk-14.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index a651982..9e157c7 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,6 @@ -f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz -03ce6ba30288cf950d91146cb7ae8f30fc6a30aa SOURCES/node-v16.16.0-stripped.tar.gz +6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz +406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz +34ffd79dbdcb5aecebbb117d28023cac56414b80 SOURCES/node-v16.17.1-stripped.tar.gz +ef225709142c4bd9fbb37598ff42a1228951e48b SOURCES/undici-5.8.0.tar.gz +8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz +900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 361ea08..48202ba 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,19 +1,18 @@ -From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001 +From 61fd3e74ff223cd59476ef8a69880c57e3312af7 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +Subject: [PATCH] Disable running gyp on shared deps +Signed-off-by: rpm-build --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644 +index dc6f08b..c865e72 100644 --- a/Makefile +++ b/Makefile -@@ -136,11 +136,11 @@ endif - .PHONY: test-code-cache - with-code-cache test-code-cache: +@@ -147,7 +147,7 @@ with-code-cache test-code-cache: $(warning '$@' target is a noop) out/Makefile: config.gypi common.gypi node.gyp \ @@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make - - # node_version.h is listed because the N-API version is taken from there -- -2.29.2 +2.37.3 diff --git a/SOURCES/0002-Install-both-binaries-and-use-libdir.patch b/SOURCES/0002-Install-both-binaries-and-use-libdir.patch index 4abfc3e..ed89d0d 100644 --- a/SOURCES/0002-Install-both-binaries-and-use-libdir.patch +++ b/SOURCES/0002-Install-both-binaries-and-use-libdir.patch @@ -1,8 +1,19 @@ +From e2ff0fc92ddbaa5535d684e353c55cefe99eb081 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Tue, 27 Sep 2022 13:48:12 +0200 +Subject: [PATCH] Install both binaries and use libdir + +Signed-off-by: rpm-build +--- + configure.py | 7 +++++++ + tools/install.py | 8 +++++--- + 2 files changed, 12 insertions(+), 3 deletions(-) + diff --git a/configure.py b/configure.py -index 895a0869cb..791c3e4a62 100755 +index 1a7023d..b16db0c 100755 --- a/configure.py +++ b/configure.py -@@ -722,6 +722,12 @@ parser.add_argument('--shared', +@@ -739,6 +739,12 @@ parser.add_argument('--shared', help='compile shared library for embedding node in another project. ' + '(This mode is not officially supported for regular applications)') @@ -15,7 +26,7 @@ index 895a0869cb..791c3e4a62 100755 parser.add_argument('--without-v8-platform', action='store_true', dest='without_v8_platform', -@@ -1293,6 +1299,7 @@ def configure_node(o): +@@ -1368,6 +1374,7 @@ def configure_node(o): o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) o['variables']['node_shared'] = b(options.shared) @@ -24,38 +35,38 @@ index 895a0869cb..791c3e4a62 100755 if options.dest_os == 'android': diff --git a/tools/install.py b/tools/install.py -index 045d406d84..b3ef454199 100755 +index a6d1f8b..e3ef9d7 100755 --- a/tools/install.py +++ b/tools/install.py -@@ -121,22 +121,19 @@ def subdir_files(path, dest, action): - - def files(action): +@@ -144,6 +144,7 @@ def files(action): is_windows = sys.platform == 'win32' -- output_file = 'node' + output_file = 'node' output_prefix = 'out/Release/' + output_libprefix = output_prefix -- if 'false' == variables.get('node_shared'): -- if is_windows: -- output_file += '.exe' -+ if is_windows: -+ output_bin = 'node.exe' -+ output_lib = 'node.dll' - else: -- if is_windows: -- output_file += '.dll' -- else: -- output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix') -+ output_bin = 'node' -+ output_lib = 'libnode.' + variables.get('shlib_suffix') - -- if 'false' == variables.get('node_shared'): -- action([output_prefix + output_file], 'bin/' + output_file) -- else: -- action([output_prefix + output_file], 'lib/' + output_file) -+ action([output_prefix + output_bin], 'bin/' + output_bin) -+ if 'true' == variables.get('node_shared'): -+ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) + if is_windows: + output_file += '.exe' +@@ -151,8 +152,8 @@ def files(action): + if 'true' == variables.get('node_shared'): + if is_windows: +- action([output_prefix + 'libnode.dll'], 'bin/libnode.dll') +- action([output_prefix + 'libnode.lib'], 'lib/libnode.lib') ++ action([output_libprefix + 'libnode.dll'], 'bin/libnode.dll') ++ action([output_libprefix + 'libnode.lib'], 'lib/libnode.lib') + elif sys.platform == 'zos': + # GYP will output to lib.target; see _InstallableTargetInstallPath + # function in tools/gyp/pylib/gyp/generator/make.py +@@ -176,7 +177,8 @@ def files(action): + try_symlink(so_name, link_path) + else: + output_lib = 'libnode.' + variables.get('shlib_suffix') +- action([output_prefix + output_lib], 'lib/' + output_lib) ++ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) ++ if 'true' == variables.get('node_use_dtrace'): action(['out/Release/node.d'], 'lib/dtrace/node.d') + +-- +2.37.3 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 8a08648..b0215c7 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -41,8 +41,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 16 -%global nodejs_minor 16 -%global nodejs_patch 0 +%global nodejs_minor 17 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 93 @@ -58,7 +58,7 @@ %global v8_major 9 %global v8_minor 4 %global v8_build 146 -%global v8_patch 24 +%global v8_patch 26 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -69,7 +69,7 @@ %global c_ares_version 1.18.1 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 6.0.7 +%global llhttp_version 6.0.9 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.43.0 @@ -90,7 +90,7 @@ %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 70 +%global icu_major 71 %global icu_minor 1 %global icu_version %{icu_major}.%{icu_minor} @@ -118,7 +118,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 8.11.0 +%global npm_version 8.15.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -157,6 +157,26 @@ Source100: %{name}-tarball.sh # nodejs-packaging SRPM. Source7: nodejs_native.attr +# These are full sources for dependencies included as WASM blobs in the source of Node itself. +# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to. +# Recipes for creating these blobs are included in the sources. + +# Version: jq '.version' deps/cjs-module-lexer/package.json +# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz +# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm +Source101: cjs-module-lexer-1.2.2.tar.gz +# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in. +# Version source: Makefile +Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz + +# Version: jq '.version' deps/undici/src/package.json +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.8.0.tar.gz +# Adjustments: rm -f undici-5.8.0/lib/llhttp/llhttp*.wasm* +Source111: undici-5.8.0.tar.gz +# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. +# Version source: build/Dockerfile +Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz + # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch @@ -671,8 +691,9 @@ end %doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/developers.7* -%doc %{_mandir}/man7/orgs.7* %doc %{_mandir}/man7/logging.7* +%doc %{_mandir}/man7/orgs.7* +%doc %{_mandir}/man7/package-spec.7* %doc %{_mandir}/man7/registry.7* %doc %{_mandir}/man7/removal.7* %doc %{_mandir}/man7/scope.7* @@ -688,10 +709,15 @@ end %changelog +* Tue Sep 27 2022 Jan Staněk - 16.17.1-1 +- Rebase to version 16.17.1 + Resolves: CVE-2022-35255 CVE-2022-35256 + * Tue Aug 23 2022 Jan Staněk - 16.16.0-1 - Rebase to version 16.16.0 Resolves: RHBZ#2106290 Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215 + Resolves: CVE-2022-29244 * Thu Apr 21 2022 Jan Staněk - 16.14.0-5 - Decouple dependency bundling from bootstrapping