import nodejs-16.18.1-3.module+el8.7.0+17465+1a1abd74

2023-03-28 12:17:33 +00:00 · 2023-03-28 12:17:33 +00:00 · bc3149b843
parent 9c7cfbc581
commit bc3149b843
5 changed files with 143 additions and 40 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,6 @@
-SOURCES/icu4c-70_1-src.tgz
-SOURCES/node-v16.16.0-stripped.tar.gz
+SOURCES/cjs-module-lexer-1.2.2.tar.gz
+SOURCES/icu4c-71_1-src.tgz
+SOURCES/node-v16.18.1-stripped.tar.gz
+SOURCES/undici-5.10.0.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +1,6 @@
-f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
-17d4c0f6337149c1171c478dbebc8c224ebd0778 SOURCES/node-v16.16.0-stripped.tar.gz
+b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
+0e8bf36bf0ed737011cc49026a1e7b82d7a1f638 SOURCES/node-v16.18.1-stripped.tar.gz
+a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz
+8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@ -22,7 +22,7 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 	$(PYTHON) tools/gyp_node.py -f make
- 
+
 # node_version.h is listed because the N-API version is taken from there
 -- 
 2.29.2
--- a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
+++ b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
@ -0,0 +1,31 @@
+From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 26 Sep 2022 16:02:39 +0200
+Subject: [PATCH] install: keep installing dtrace and systemtap files
+
+Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6.
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ tools/install.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/install.py b/tools/install.py
+index 4b01d67..dc16797 100755
+--- a/tools/install.py
+++ b/tools/install.py
+@@ -178,6 +178,11 @@ def files(action):
+       output_lib = 'libnode.' + variables.get('shlib_suffix')
+       action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib)
+ 
+  if 'true' == variables.get('node_use_dtrace'):
+    action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
+
+  action(['src/node.stp'], 'share/systemtap/tapset/')
+
+   action(['deps/v8/tools/gdbinit'], 'share/doc/node/')
+   action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/')
+ 
+-- 
+2.37.3
+
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -17,14 +17,19 @@
 #
 # create bootstrapping build with bundled deps and extra release suffix
 %bcond_with bootstrap
-# bundle dependencies that are not available as Fedora modules
+# bundle dependencies that are not available in CentOS
+# currently hardcoded to bundle; see Fedora spec on how to make this dependent on bootstrap
 %if %{with bootstrap}
 %bcond_without bundled
 %else
 %bcond_with bundled
 %endif

+%if 0%{?rhel} && 0%{?rhel} < 9
 %bcond_without python3_fixup
+%else
+%bcond_with python3_fixup
+%endif

 # == Master Relase ==
 # This is used by both the nodejs package and the npm subpackage that
@ -41,8 +46,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 16
-%global nodejs_patch 0
+%global nodejs_minor 18
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 93
@ -58,7 +63,7 @@
 %global v8_major 9
 %global v8_minor 4
 %global v8_build 146
-%global v8_patch 24
+%global v8_patch 26
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -74,7 +79,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 6
 %global llhttp_minor 0
-%global llhttp_patch 7
+%global llhttp_patch 10
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}

 # libuv - from deps/uv/include/uv/version.h
@ -91,18 +96,18 @@

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
-%global nghttp3_minor 1
-%global nghttp3_patch 0-DEV
+%global nghttp3_minor 7
+%global nghttp3_patch 0
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}

 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %global ngtcp2_major 0
-%global ngtcp2_minor 1
-%global ngtcp2_patch 0-DEV
+%global ngtcp2_minor 8
+%global ngtcp2_patch 1
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}

 # ICU - from tools/icu/current_ver.dep
-%global icu_major 70
+%global icu_major 71
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}

@ -134,20 +139,20 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 8
-%global npm_minor 11
-%global npm_patch 0
+%global npm_minor 19
+%global npm_patch 2
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 12
+%global uvwasi_patch 13
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}

 # histogram_c - assumed from timestamps
 %global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
+%global histogram_minor 11
+%global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}

 # In order to avoid needing to keep incrementing the release version for the
@ -182,15 +187,42 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr

+# These are full sources for dependencies included as WASM blobs in the source of Node itself.
+# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
+# Recipes for creating these blobs are included in the sources.
+
+# Version: jq '.version' deps/cjs-module-lexer/package.json
+# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
+# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
+Source101: cjs-module-lexer-1.2.2.tar.gz
+# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
+# Version source: Makefile
+Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
+
+# Version: jq '.version' deps/undici/src/package.json
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz
+# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.10.0.tar.gz
+# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
+# Version source: build/Dockerfile
+Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
+
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch

 BuildRequires: make
 BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-jinja2
+%if !%{with python3_fixup}
+BuildRequires: python-unversioned-command
+%endif
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
 BuildRequires: gcc >= 8.3.0
 BuildRequires: gcc-c++ >= 8.3.0
+BuildRequires: jq
 # needed to generate bundled provides for npm dependencies
 # https://src.fedoraproject.org/rpms/nodejs/pull-request/2
 # https://pagure.io/nodejs-packaging/pull-request/10
@ -206,7 +238,7 @@ BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires:      libuv >= 1:%{libuv_version}
 %endif

-%if %{with bundled}
+%if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9)
 Provides:      bundled(nghttp2) = %{nghttp2_version}
 %else
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@ -278,12 +310,7 @@ Provides: bundled(uvwasi) = %{uvwasi_version}
 Provides: bundled(histogram) = %{histogram_version}

 # Make sure we keep NPM up to date when we update Node.js
-%if 0%{?rhel} < 8
-# EPEL doesn't support Recommends, so make it strict
-Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
-%else
 Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
-%endif

 %description
 Node.js is a platform built on Chrome's JavaScript runtime
@ -365,6 +392,24 @@ The API documentation for the Node.js JavaScript runtime.
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
 rm -rf deps/brotli
+rm -rf deps/v8/third_party/jinja2
+rm -rf tools/inspector_protocol/jinja2
+
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+  local -r name="$1" source="$2" packagejson="$3"
+  local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+  if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+    printf '%s version matches\n' "${name}" >&2
+  else
+    printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+    return 1
+  fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+check_wasm_dep undici           '%{SOURCE111}' deps/undici/src/package.json

 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
@ -663,9 +708,11 @@ end
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
-%doc %{_mandir}/man7/orgs.7*
 %doc %{_mandir}/man7/logging.7*
+%doc %{_mandir}/man7/orgs.7*
+%doc %{_mandir}/man7/package-spec.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
 %doc %{_mandir}/man7/scope.7*
@ -681,24 +728,41 @@ end


 %changelog
-* Fri Aug 05 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.16.0-3
- Fix build
- Resolves: RHBZ#2111416
+* Wed Dec 07 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-3
+- Update sources of undici WASM blobs
+  Resolves: rhbz#2151546

-* Fri Aug 05 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.16.0-2
- Refactor spec
- Resolves: RHBZ#2111416
+* Fri Dec 02 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-2
+- Record CVE references already addressed in this or previous upstream versions
+  Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824

-* Tue Jul 26 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.16.0-1
- Rebase to latest version
- Resolves: RHBZ#2106369
- CVE fixes for CVE-2022-32212/3/4/5
- Resolves: #2109578, #2109581, #2109584, #2109588
+* Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.18.1-1
+- Rebase + CVE fixes
+- Resolves: #2142806
+- Resolves: #2142837, #2142851
+
+* Fri Oct 07 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.17.1-1
+- Rebase to version 16.17.1
+- Resolves: CVE-2022-35255 CVE-2022-35256
+- Resolves: #2130553
+- Resolves #2132003
+- Resolves #2121095
+
+* Tue Aug 23 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.16.0-1
+- Resolves: #2104754, #2108057, #2108062, #2108067, #2108072
+- Resolves CVE-2022-29244, CVE-2022-32212/3/4/5
+- Resolves: #2106285
+- Rebase to latest release
+
+* Mon Apr 25 2022 Jan Staněk <jstanek@redhat.com> - 1:16.14.0-5
+- Unify configure calls into single command
+- Refactor bootstrap-related parts
+- Decouple dependency bundling from bootstrapping

 * Mon Apr 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-4
 - Apply lock file validation fixes
- Resolves CVE-2021-43616
- Resolves: RHBZ#2070012
+- Resolves: CVE-2021-43616
+- Resolves: RHBZ#2070013

 * Mon Dec 06 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.13.1-3
 - Resolves: RHBZ#2026329