Rebase to 16.20.1

2023-07-13 12:22:53 +02:00 · 2023-07-13 12:22:53 +02:00 · c906dcbb97
commit c906dcbb97
parent 4a85187e39
4 changed files with 20 additions and 16830 deletions
--- a/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
+++ b/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
@ -1,45 +0,0 @@
-From abe534dda44a10e1b80a206c996f2e0e42298f7f Mon Sep 17 00:00:00 2001
-From: Kornel <kornel@geekhood.net>
-Date: Fri, 27 Jan 2023 01:20:38 +0000
-Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
- whitespace
-
-Signed-off-by: rpm-build <rpm-build>
---
- deps/npm/node_modules/http-cache-semantics/index.js     | 6 +++---
- deps/npm/node_modules/http-cache-semantics/package.json | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js
-index 4f6c2f3..39d58a7 100644
--- a/deps/npm/node_modules/http-cache-semantics/index.js
-+++ b/deps/npm/node_modules/http-cache-semantics/index.js
-@@ -79,10 +79,10 @@ function parseCacheControl(header) {
- 
-     // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
-     // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
-    const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
-+    const parts = header.trim().split(/,/);
-     for (const part of parts) {
-        const [k, v] = part.split(/\s*=\s*/, 2);
-        cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
-+        const [k, v] = part.split(/=/, 2);
-+        cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
-     }
- 
-     return cc;
-diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json
-index 897798d..79c020a 100644
--- a/deps/npm/node_modules/http-cache-semantics/package.json
-+++ b/deps/npm/node_modules/http-cache-semantics/package.json
-@@ -1,6 +1,6 @@
- {
-     "name": "http-cache-semantics",
-    "version": "4.1.0",
-+    "version": "4.1.1",
-     "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies",
-     "repository": "https://github.com/kornelski/http-cache-semantics.git",
-     "main": "index.js",
-- 
-2.40.1
-
--- a/0003-deps-update-c-ares-to-1.19.1.patch
+++ b/0003-deps-update-c-ares-to-1.19.1.patch
--- a/nodejs.spec
+++ b/nodejs.spec
@ -35,7 +35,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -46,7 +46,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 19
+%global nodejs_minor 20
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -74,10 +74,7 @@
 %global c_ares_version 1.19.1

 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 10
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.11

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
@ -135,10 +132,13 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 8
-%global npm_minor 19
-%global npm_patch 3
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
+%global npm_version 8.19.4
+
+# In order to avoid needing to keep incrementing the release version for the
+# main package forever, we will just construct one for npm that is guaranteed
+# to increment safely. Changing this can only be done during an update when the
+# base npm version number is increasing.
+%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
@ -152,12 +152,6 @@
 %global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}

-# In order to avoid needing to keep incrementing the release version for the
-# main package forever, we will just construct one for npm that is guaranteed
-# to increment safely. Changing this can only be done during an update when the
-# base npm version number is increasing.
-%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
-

 Name: nodejs
 Epoch: %{nodejs_epoch}
@ -197,18 +191,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz

 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz
-# Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.19.1.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
+# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.20.0.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz

 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-# CVE-2022-25881
-Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
-Patch3: 0003-deps-update-c-ares-to-1.19.1.patch

 BuildRequires: make
 BuildRequires: python3-devel
@ -729,6 +720,11 @@ end


 %changelog
+* Thu Jul 13 2023 Jan Staněk <jstanek@redhat.com> - 1:16.20.1-1
+- Rebase to 16.20.1
+  Resolves: rhbz#2188289
+  Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
+
 * Wed May 31 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-2
 - Update bundled c-ares to 1.19.1
  Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
--- a/4
+++ b/4
@ -1,6 +1,6 @@
-SHA512 (node-v16.19.1-stripped.tar.gz) = e3aeeb26b34e2a2d429852969507566b78212d4128cc4516c9d6ef74f187c35124874ca5d2a2824f074030fcc727a311dce0d0757ab2b4bbb01a343d2697b2b7
+SHA512 (node-v16.20.1-stripped.tar.gz) = ea33b6301be6c24ad631c0fc5b6df5af41a3047db8557421062561c5e0da7f67c9837a330098235a8a160f2b680fccd80931f5887745db0e6f9dbf366f1ed4f6
 SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb
-SHA512 (undici-5.19.1.tar.gz) = 71ca06acac25e0ef4d44bf9e523b6068d6906ee5ed926befa224c312335f471d1f6c1eec10c0a275b1212c72fd6f8b13a3a47c3a1ca51777a062ad8ea7193a7e
+SHA512 (undici-5.20.0.tar.gz) = 49fd4d9f73bd44232612963ca51e54da9e94a64504f7cbf426b3c04ec8ddcc1c4a060d7f713d9345452094039ae1b8938224bfd49bb32d0be723963b3db31edc
 SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c
 SHA512 (wasi-sdk-wasi-sdk-14.tar.gz) = 4fecb3d9c04b91eb2388a9e51d49fbff6f22b81f9945a07ecdbfe479c96dad1e3b673b8bee24842b0dae5294129a9cb35dcf8e5ecf45437a6d01fb6e0fd13645