diff --git a/.gitignore b/.gitignore index 91480ee..6d61726 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ SOURCES/icu4c-69_1-src.tgz -SOURCES/node-v16.7.0-stripped.tar.gz +SOURCES/node-v16.13.1-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 78e6dd0..18bd083 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ 620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz -c20abd2bf8f1ab262d500ca27dc29475a0f7b675 SOURCES/node-v16.7.0-stripped.tar.gz +09e2ea9b62a6e92a73c34e2997ec237ebd04141f SOURCES/node-v16.13.1-stripped.tar.gz diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 250e1c7..9548f15 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -14,7 +14,7 @@ # This is used by both the nodejs package and the npm subpackage thar # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 2 +%global baserelease 3 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -25,8 +25,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 16 -%global nodejs_minor 7 -%global nodejs_patch 0 +%global nodejs_minor 13 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 93 @@ -40,9 +40,9 @@ # Epoch is set to ensure clean upgrades from the old v8 package %global v8_epoch 2 %global v8_major 9 -%global v8_minor 2 -%global v8_build 230 -%global v8_patch 21 +%global v8_minor 4 +%global v8_build 146 +%global v8_patch 24 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} 
@@ -51,14 +51,14 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 17 -%global c_ares_patch 2 +%global c_ares_minor 18 +%global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 6 %global llhttp_minor 0 -%global llhttp_patch 2 +%global llhttp_patch 4 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h @@ -69,8 +69,8 @@ # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h %global nghttp2_major 1 -%global nghttp2_minor 42 -%global nghttp2_patch 0 +%global nghttp2_minor 45 +%global nghttp2_patch 1 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch} # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h @@ -117,9 +117,9 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_major 7 -%global npm_minor 20 -%global npm_patch 3 +%global npm_major 8 +%global npm_minor 1 +%global npm_patch 2 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -140,6 +140,8 @@ # base npm version number is increasing. %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} +# Node.js 16.9.1 and later comes with an experimental package management tool +%global corepack_version 0.10.0 Name: nodejs Epoch: %{nodejs_epoch} @@ -256,6 +258,7 @@ Provides: bundled(icu) = %{icu_version} # or there's no option to built it as a shared dependency, so we bundle them Provides: bundled(uvwasi) = %{uvwasi_version} Provides: bundled(histogram) = %{histogram_version} +Provides: bundled(corepack) = %{corepack_version} # Make sure we keep NPM up to date when we update Node.js %if 0%{?rhel} < 8 
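Review bot: `%global corepack_version 0.10.0` in the `@@ -140,6 +140,8 @@` hunk is hard-coded with no pointer to where the value comes from and, as far as this diff shows, no %check assertion, so the `Provides: bundled(corepack) = %{corepack_version}` added in the `@@ -256,6 +258,7 @@` hunk can silently drift from the copy actually shipped in the tarball. Bundled-component Provides are what vulnerability tracking keys on, so a stale value can hide an affected version. The other bundled components carry a source comment in the style `# npm - from deps/npm/package.json`; I would add `# corepack - from deps/corepack/package.json` above the global. I would also add a %check line that compares the `version` field of the installed `corepack/package.json` (presumably under `%{_prefix}/lib/node_modules/corepack`) with `'%{corepack_version}'`, the same way the npm check does.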
@@ -521,6 +524,11 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \ chmod 0775 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js +# Corepack contains a number of executable"shims", including some for Windows +# PowerShell. Drop the executable bit for those so we don't pick up an +# automatic dependency on /usr/bin/pwsh that we cannot satisfy. +chmod -x %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1 + # Drop the NPM default configuration in place mkdir -p %{buildroot}%{_sysconfdir} cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc @@ -544,7 +552,8 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/* %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')" # Ensure we have npm and that the version matches -NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')" +# NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')" +NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(JSON.parse(require(\"fs\").readFileSync(\"%{buildroot}%{_prefix}/lib/node_modules/npm/package.json\")).version, '%{npm_version}')" # Make sure i18n support is working NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2} 
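Review bot: The `chmod -x` on `corepack/shims/*.ps1` in the `@@ -521,6 +524,11 @@` hunk only matches files directly in `shims/`, so a PowerShell shim in a subdirectory would keep its executable bit and bring back the automatic `/usr/bin/pwsh` dependency the comment is trying to avoid. Whether the corepack tree has nested shim directories is not visible in this diff and is worth checking in the buildroot; if it does, a recursive form such as `find %{buildroot}%{_prefix}/lib/node_modules/corepack/shims -name '*.ps1' -exec chmod -x {} +` holds up better across rebases. The comment also has a typo: `executable"shims"` should read `executable "shims"`.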
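Review bot: The old npm check in the `@@ -544,7 +552,8 @@` hunk is left behind as a commented-out command with no explanation of why it was replaced. I would delete the dead line and state the reason in the comment above, for example `# npm 8 cannot be queried via require("npm"), so read the version from package.json` (presumably that is the cause; confirm before wording it). The replacement reads the file by absolute path, so the `NODE_PATH=...` prefix on that line no longer contributes anything and can be dropped. `require("assert").equal` is the loose comparison; `strictEqual` is the safer choice for a version gate.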
@@ -622,6 +631,10 @@ end %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/node.stp +# corepack +%{_bindir}/corepack +%{_prefix}/lib/node_modules/corepack + %dir %{_usr}/lib/dtrace %{_usr}/lib/dtrace/node.d @@ -679,6 +692,23 @@ end %changelog +* Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-3 +- Resolves: RHBZ#2027610 +- Add corepack to spec + +* Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-2 +- Resolves: RHBZ#2027610 +- Update npm version test + +* Thu Dec 02 2021 Zuzana Svetlikova - 1:16.13.1-1 +- Resolves: RHBZ#2027644, RHBZ#2027643, RHBZ#2027638, RHBZ#2027633 +- Resolves: RHBZ#2027610 +- Rebase to LTS release and to fix multiple low and medium CVEs + +* Mon Sep 13 2021 Zuzana Svetlikova - 1:16.8.0-1 +- Resolves CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712 +- Resolves: RHBZ#1993948, RHBZ#1993941, RHBZ#2000151, RHBZ#2002176 + * Mon Aug 30 2021 Zuzana Svetlikova - 1:16.7.0-2 - Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, - CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
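Review bot: `%{_bindir}/corepack` and `%{_prefix}/lib/node_modules/corepack` in the `@@ -622,6 +631,10 @@` hunk are added to what appears to be the main package's %files list (the start of the section is outside the hunk), so every nodejs install now gets a tool that the `corepack_version` comment elsewhere in this diff calls experimental. Corepack's job is to fetch package-manager releases over the network on demand, which is a different trust footprint from the runtime itself. Consider a separate subpackage so hosts that do not need it can leave it out. At minimum, extend the `# corepack` comment to say that shipping it in the base package is deliberate.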