import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47
parent
5bca9392ff
commit
e356425f49
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,2 +1,4 @@
|
|||||||
|
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
SOURCES/icu4c-70_1-src.tgz
|
SOURCES/icu4c-70_1-src.tgz
|
||||||
SOURCES/node-v14.20.1-stripped.tar.gz
|
SOURCES/node-v14.21.1-stripped.tar.gz
|
||||||
|
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||||
|
@ -1,2 +1,4 @@
|
|||||||
|
6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
|
f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
|
||||||
78984f3659b168dc3712a1cbd49f43c0f62a299f SOURCES/node-v14.20.1-stripped.tar.gz
|
2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz
|
||||||
|
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
|
||||||
|
@ -1,19 +1,18 @@
|
|||||||
From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
|
From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001
|
||||||
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
||||||
Date: Fri, 17 Apr 2020 12:59:44 +0200
|
Date: Fri, 17 Apr 2020 12:59:44 +0200
|
||||||
Subject: [PATCH 1/2] Disable running gyp on shared deps
|
Subject: [PATCH] Disable running gyp on shared deps
|
||||||
|
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
---
|
---
|
||||||
Makefile | 2 +-
|
Makefile | 2 +-
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/Makefile b/Makefile
|
diff --git a/Makefile b/Makefile
|
||||||
index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
|
index 82281b5..9e65fc4 100644
|
||||||
--- a/Makefile
|
--- a/Makefile
|
||||||
+++ b/Makefile
|
+++ b/Makefile
|
||||||
@@ -136,11 +136,11 @@ endif
|
@@ -143,7 +143,7 @@ with-code-cache test-code-cache:
|
||||||
.PHONY: test-code-cache
|
|
||||||
with-code-cache test-code-cache:
|
|
||||||
$(warning '$@' target is a noop)
|
$(warning '$@' target is a noop)
|
||||||
|
|
||||||
out/Makefile: config.gypi common.gypi node.gyp \
|
out/Makefile: config.gypi common.gypi node.gyp \
|
||||||
@ -22,8 +21,6 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
|
|||||||
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
|
||||||
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
|
||||||
$(PYTHON) tools/gyp_node.py -f make
|
$(PYTHON) tools/gyp_node.py -f make
|
||||||
|
|
||||||
# node_version.h is listed because the N-API version is taken from there
|
|
||||||
--
|
--
|
||||||
2.29.2
|
2.38.1
|
||||||
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
|
From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001
|
||||||
From: rpm-build <rpm-build>
|
From: rpm-build <rpm-build>
|
||||||
Date: Thu, 9 Dec 2021 15:48:46 +0100
|
Date: Thu, 9 Dec 2021 15:48:46 +0100
|
||||||
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
|
Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
|
||||||
@ -41,6 +41,5 @@ index c254480..9e37ec3 100644
|
|||||||
].join('|');
|
].join('|');
|
||||||
|
|
||||||
--
|
--
|
||||||
2.36.1
|
2.38.1
|
||||||
|
|
||||||
|
|
@ -0,0 +1,98 @@
|
|||||||
|
From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jordan Harband <ljharb@gmail.com>
|
||||||
|
Date: Mon, 27 Dec 2021 19:15:57 -0800
|
||||||
|
Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999)
|
||||||
|
|
||||||
|
Signed-off-by: rpm-build <rpm-build>
|
||||||
|
---
|
||||||
|
deps/npm/node_modules/qs/lib/parse.js | 2 +-
|
||||||
|
deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++
|
||||||
|
2 files changed, 61 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js
|
||||||
|
index 8c9872e..08e623a 100644
|
||||||
|
--- a/deps/npm/node_modules/qs/lib/parse.js
|
||||||
|
+++ b/deps/npm/node_modules/qs/lib/parse.js
|
||||||
|
@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) {
|
||||||
|
) {
|
||||||
|
obj = [];
|
||||||
|
obj[index] = leaf;
|
||||||
|
- } else {
|
||||||
|
+ } else if (cleanRoot !== '__proto__') {
|
||||||
|
obj[cleanRoot] = leaf;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js
|
||||||
|
index 0f8fe45..3e93784 100644
|
||||||
|
--- a/deps/npm/node_modules/qs/test/parse.js
|
||||||
|
+++ b/deps/npm/node_modules/qs/test/parse.js
|
||||||
|
@@ -515,6 +515,66 @@ test('parse()', function (t) {
|
||||||
|
st.end();
|
||||||
|
});
|
||||||
|
|
||||||
|
+ t.test('dunder proto is ignored', function (st) {
|
||||||
|
+ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42';
|
||||||
|
+ var result = qs.parse(payload, { allowPrototypes: true });
|
||||||
|
+
|
||||||
|
+ st.deepEqual(
|
||||||
|
+ result,
|
||||||
|
+ {
|
||||||
|
+ categories: {
|
||||||
|
+ length: '42'
|
||||||
|
+ }
|
||||||
|
+ },
|
||||||
|
+ 'silent [[Prototype]] payload'
|
||||||
|
+ );
|
||||||
|
+
|
||||||
|
+ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true });
|
||||||
|
+
|
||||||
|
+ st.deepEqual(
|
||||||
|
+ plainResult,
|
||||||
|
+ {
|
||||||
|
+ __proto__: null,
|
||||||
|
+ categories: {
|
||||||
|
+ __proto__: null,
|
||||||
|
+ length: '42'
|
||||||
|
+ }
|
||||||
|
+ },
|
||||||
|
+ 'silent [[Prototype]] payload: plain objects'
|
||||||
|
+ );
|
||||||
|
+
|
||||||
|
+ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true });
|
||||||
|
+
|
||||||
|
+ st.notOk(Array.isArray(query.categories), 'is not an array');
|
||||||
|
+ st.notOk(query.categories instanceof Array, 'is not instanceof an array');
|
||||||
|
+ st.deepEqual(query.categories, { some: { json: 'toInject' } });
|
||||||
|
+ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array');
|
||||||
|
+
|
||||||
|
+ st.deepEqual(
|
||||||
|
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }),
|
||||||
|
+ {
|
||||||
|
+ foo: {
|
||||||
|
+ bar: 'stuffs'
|
||||||
|
+ }
|
||||||
|
+ },
|
||||||
|
+ 'hidden values'
|
||||||
|
+ );
|
||||||
|
+
|
||||||
|
+ st.deepEqual(
|
||||||
|
+ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }),
|
||||||
|
+ {
|
||||||
|
+ __proto__: null,
|
||||||
|
+ foo: {
|
||||||
|
+ __proto__: null,
|
||||||
|
+ bar: 'stuffs'
|
||||||
|
+ }
|
||||||
|
+ },
|
||||||
|
+ 'hidden values: plain objects'
|
||||||
|
+ );
|
||||||
|
+
|
||||||
|
+ st.end();
|
||||||
|
+ });
|
||||||
|
+
|
||||||
|
t.test('can return null objects', { skip: !Object.create }, function (st) {
|
||||||
|
var expected = Object.create(null);
|
||||||
|
expected.a = Object.create(null);
|
||||||
|
--
|
||||||
|
2.38.1
|
||||||
|
|
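Review bot: The fix is carried as a downstream patch, and nothing in it records that for tooling. The diffstat touches only `lib/parse.js` and `test/parse.js` under `deps/npm/node_modules/qs`, so the bundled qs keeps its original version in `package.json`, and version-matching dependency scanners will presumably still report CVE-2022-24999 against this build. A comment beside the `Patch3:` line in the spec would save that triage, for example `# qs is patched in place and its package.json version is unchanged; version-based scanners may still flag CVE-2022-24999`. The guard `else if (cleanRoot !== '__proto__')` covers only this copy of qs; any other bundled copy in the tree would need the same patch, and this page does not show whether one exists.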
@ -41,7 +41,7 @@
|
|||||||
# than a Fedora release lifecycle.
|
# than a Fedora release lifecycle.
|
||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 14
|
%global nodejs_major 14
|
||||||
%global nodejs_minor 20
|
%global nodejs_minor 21
|
||||||
%global nodejs_patch 1
|
%global nodejs_patch 1
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
|
||||||
@ -168,10 +168,23 @@ Source100: %{name}-tarball.sh
|
|||||||
# nodejs-packaging SRPM.
|
# nodejs-packaging SRPM.
|
||||||
Source7: nodejs_native.attr
|
Source7: nodejs_native.attr
|
||||||
|
|
||||||
|
# These are full sources for dependencies included as WASM blobs in the source of Node itself.
|
||||||
|
# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
|
||||||
|
# Recipes for creating these blobs are included in the sources.
|
||||||
|
|
||||||
|
# Version: jq '.version' deps/cjs-module-lexer/package.json
|
||||||
|
# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
|
||||||
|
# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
|
||||||
|
Source101: cjs-module-lexer-1.2.2.tar.gz
|
||||||
|
# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
|
||||||
|
# Version source: Makefile
|
||||||
|
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
|
||||||
|
|
||||||
# Disable running gyp on bundled deps we don't use
|
# Disable running gyp on bundled deps we don't use
|
||||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||||
|
# Dependency vulnerabilities
|
||||||
Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
|
Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch
|
||||||
|
Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
@ -352,6 +365,21 @@ The API documentation for the Node.js JavaScript runtime.
|
|||||||
rm -rf deps/zlib
|
rm -rf deps/zlib
|
||||||
rm -rf deps/brotli
|
rm -rf deps/brotli
|
||||||
|
|
||||||
|
# check for correct versions of dependencies we are bundling
|
||||||
|
check_wasm_dep() {
|
||||||
|
local -r name="$1" source="$2" packagejson="$3"
|
||||||
|
local -r expected_version="$(jq -r '.version' "${packagejson}")"
|
||||||
|
|
||||||
|
if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
|
||||||
|
printf '%s version matches\n' "${name}" >&2
|
||||||
|
else
|
||||||
|
printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
|
||||||
|
|
||||||
# Replace any instances of unversioned python' with python3
|
# Replace any instances of unversioned python' with python3
|
||||||
%if %{with python3_fixup}
|
%if %{with python3_fixup}
|
||||||
pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
|
pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
|
||||||
@ -668,35 +696,35 @@ end
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 08 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-2
|
||||||
|
- Apply upstream fix for CVE-2022-24999
|
||||||
|
Resolves: CVE-2022-24999
|
||||||
|
- Record CVEs fixed by current or previous upstream releases
|
||||||
|
Resolves: CVE-2021-44906
|
||||||
|
|
||||||
|
* Wed Nov 16 2022 Jan Staněk <jstanek@redhat.com> - 1:14.21.1-1
|
||||||
|
- Rebase to version 14.21.1
|
||||||
|
Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517
|
||||||
|
|
||||||
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
|
* Fri Oct 07 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-2
|
||||||
- Record issues fixed in the current version
|
- Record issues fixed in the current version
|
||||||
Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
|
Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
|
||||||
Resolves: CVE-2022-0235
|
|
||||||
|
|
||||||
* Thu Sep 29 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-1
|
* Thu Sep 29 2022 Jan Staněk <jstanek@redhat.com> - 1:14.20.1-1
|
||||||
- Rebase to version 14.20.1
|
- Rebase to version 14.20.1
|
||||||
Resolves: CVE-2022-35256
|
Resolves: CVE-2022-35256
|
||||||
|
|
||||||
* Tue Aug 02 2022 Zuzana Svetlikova <zsvetlik@redhat.com - 1:14.20.0-2
|
* Mon Aug 22 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
|
||||||
|
- Rebase to latest release
|
||||||
|
- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139
|
||||||
|
- Remove libs patch
|
||||||
|
- Build without corepack
|
||||||
|
|
||||||
|
* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
|
||||||
- Replace with_* macros with RPM confitionals
|
- Replace with_* macros with RPM confitionals
|
||||||
- Unify configure calls into single command
|
- Unify configure calls into single command
|
||||||
- Refactor bootstrap-related parts
|
- Refactor bootstrap-related parts
|
||||||
- Decouple dependency bundling from bootstrapping
|
- Decouple dependency bundling from bootstrapping
|
||||||
- Resolves: RHBZ#2111417
|
|
||||||
|
|
||||||
* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
|
|
||||||
- Rebase to latest version
|
|
||||||
- Resolves: RHBZ#2106367
|
|
||||||
- CVE fixes for CVE-2022-32212/3/4/5
|
|
||||||
- Resolves: #2109576, #2109579, #2109582, #2109585
|
|
||||||
|
|
||||||
* Tue Jan 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-3
|
|
||||||
- Resolves: RHBZ#2029519
|
|
||||||
- Add missing BZ to changelog
|
|
||||||
|
|
||||||
* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
|
|
||||||
- Add missing fixes
|
|
||||||
- Resolves: RHBZ#2027641, RHBZ#2027634
|
|
||||||
|
|
||||||
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
|
* Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
|
||||||
- Resolves: RHBZ#2026325
|
- Resolves: RHBZ#2026325
|
||||||
|
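Review bot: `check_wasm_dep` in the %prep hunk reports success when `jq` cannot read the version. `local -r expected_version="$(jq …)"` discards jq's exit status, and an empty `expected_version` makes `grep -q --fixed-strings` match any file name, so the function prints "version matches". Declaring and assigning separately, and asking jq to fail on a null result, closes that: `local expected_version` followed by `expected_version="$(jq -er '.version' "${packagejson}")" || return 1`. The comparison is also a substring match on the tarball name, so it confirms how Source101 is named rather than what it contains, and Source102 (wasi-sdk) is not checked at all. A comment above the function stating that this is a packaging sanity test and not an integrity check would keep it from being read as one.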