Compare commits
No commits in common. "stream-nodejs-10-rhel-8.9.0" and "c8-stream-10" have entirely different histories.
stream-nod
...
c8-stream-
12
.gitignore
vendored
12
.gitignore
vendored
@ -1,10 +1,2 @@
|
|||||||
/node-v10.7.0-stripped.tar.gz
|
SOURCES/icu4c-64_2-src.tgz
|
||||||
/node-v10.11.0-stripped.tar.gz
|
SOURCES/node-v10.24.0-stripped.tar.gz
|
||||||
/node-v10.14.1-stripped.tar.gz
|
|
||||||
/node-v10.16.3-stripped.tar.gz
|
|
||||||
/node-v10.19.0-stripped.tar.gz
|
|
||||||
/node-v10.21.0-stripped.tar.gz
|
|
||||||
/icu4c-64_2-src.tgz
|
|
||||||
/node-v10.22.1-stripped.tar.gz
|
|
||||||
/node-v10.23.1-stripped.tar.gz
|
|
||||||
/node-v10.24.0-stripped.tar.gz
|
|
||||||
|
2
.nodejs.metadata
Normal file
2
.nodejs.metadata
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
|
||||||
|
be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz
|
@ -1,99 +0,0 @@
|
|||||||
From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: isaacs <i@izs.me>
|
|
||||||
Date: Tue, 8 Dec 2020 14:21:50 -0800
|
|
||||||
Subject: [PATCH] do not allow invalid hazardous string as section name
|
|
||||||
|
|
||||||
Signed-off-by: rpm-build <rpm-build>
|
|
||||||
---
|
|
||||||
deps/npm/node_modules/ini/ini.js | 8 +++++
|
|
||||||
deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
|
|
||||||
2 files changed, 53 insertions(+)
|
|
||||||
create mode 100644 deps/npm/node_modules/ini/test/proto.js
|
|
||||||
|
|
||||||
diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
|
|
||||||
index 590195d..0401258 100644
|
|
||||||
--- a/deps/npm/node_modules/ini/ini.js
|
|
||||||
+++ b/deps/npm/node_modules/ini/ini.js
|
|
||||||
@@ -80,6 +80,12 @@ function decode (str) {
|
|
||||||
if (!match) return
|
|
||||||
if (match[1] !== undefined) {
|
|
||||||
section = unsafe(match[1])
|
|
||||||
+ if (section === '__proto__') {
|
|
||||||
+ // not allowed
|
|
||||||
+ // keep parsing the section, but don't attach it.
|
|
||||||
+ p = {}
|
|
||||||
+ return
|
|
||||||
+ }
|
|
||||||
p = out[section] = out[section] || {}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
@@ -94,6 +100,7 @@ function decode (str) {
|
|
||||||
// Convert keys with '[]' suffix to an array
|
|
||||||
if (key.length > 2 && key.slice(-2) === '[]') {
|
|
||||||
key = key.substring(0, key.length - 2)
|
|
||||||
+ if (key === '__proto__') return
|
|
||||||
if (!p[key]) {
|
|
||||||
p[key] = []
|
|
||||||
} else if (!Array.isArray(p[key])) {
|
|
||||||
@@ -125,6 +132,7 @@ function decode (str) {
|
|
||||||
var l = parts.pop()
|
|
||||||
var nl = l.replace(/\\\./g, '.')
|
|
||||||
parts.forEach(function (part, _, __) {
|
|
||||||
+ if (part === '__proto__') return
|
|
||||||
if (!p[part] || typeof p[part] !== 'object') p[part] = {}
|
|
||||||
p = p[part]
|
|
||||||
})
|
|
||||||
diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ab35533
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/deps/npm/node_modules/ini/test/proto.js
|
|
||||||
@@ -0,0 +1,45 @@
|
|
||||||
+var ini = require('../')
|
|
||||||
+var t = require('tap')
|
|
||||||
+
|
|
||||||
+var data = `
|
|
||||||
+__proto__ = quux
|
|
||||||
+foo = baz
|
|
||||||
+[__proto__]
|
|
||||||
+foo = bar
|
|
||||||
+[other]
|
|
||||||
+foo = asdf
|
|
||||||
+[kid.__proto__.foo]
|
|
||||||
+foo = kid
|
|
||||||
+[arrproto]
|
|
||||||
+hello = snyk
|
|
||||||
+__proto__[] = you did a good job
|
|
||||||
+__proto__[] = so you deserve arrays
|
|
||||||
+thanks = true
|
|
||||||
+`
|
|
||||||
+var res = ini.parse(data)
|
|
||||||
+t.deepEqual(res, {
|
|
||||||
+ foo: 'baz',
|
|
||||||
+ other: {
|
|
||||||
+ foo: 'asdf',
|
|
||||||
+ },
|
|
||||||
+ kid: {
|
|
||||||
+ foo: {
|
|
||||||
+ foo: 'kid',
|
|
||||||
+ },
|
|
||||||
+ },
|
|
||||||
+ arrproto: {
|
|
||||||
+ hello: 'snyk',
|
|
||||||
+ thanks: true,
|
|
||||||
+ },
|
|
||||||
+})
|
|
||||||
+t.equal(res.__proto__, Object.prototype)
|
|
||||||
+t.equal(res.kid.__proto__, Object.prototype)
|
|
||||||
+t.equal(res.kid.foo.__proto__, Object.prototype)
|
|
||||||
+t.equal(res.arrproto.__proto__, Object.prototype)
|
|
||||||
+t.equal(Object.prototype.foo, undefined)
|
|
||||||
+t.equal(Object.prototype[0], undefined)
|
|
||||||
+t.equal(Object.prototype['0'], undefined)
|
|
||||||
+t.equal(Object.prototype[1], undefined)
|
|
||||||
+t.equal(Object.prototype['1'], undefined)
|
|
||||||
+t.equal(Array.prototype[0], undefined)
|
|
||||||
+t.equal(Array.prototype[1], undefined)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -622,18 +622,18 @@ end
|
|||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
|
* Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
|
||||||
- Resolves: RHBZ#1934597, RHBZ#1934566
|
- Resolves: RHBZ#1932373, RHBZ#1932426
|
||||||
- Resolves CVE-2021-22883 and CVE-2021-22884
|
- Resolves CVE-2021-22883 and CVE-2021-22884
|
||||||
- remove -debug-nghttp2 flag
|
- remove -debug-nghttp2 flag (1930775)
|
||||||
- remove ini patch merged upstream
|
- remove ini patch merged upstream
|
||||||
|
|
||||||
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
|
* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
|
||||||
- January Security release
|
- January Security release
|
||||||
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
|
||||||
- Rebase to 10.23.1
|
- Rebase to 10.23.1
|
||||||
- Resolves: RHBZ#1912999, RHBZ#1912954
|
- Resolves: RHBZ#1916461, RHBZ#1914789
|
||||||
- Resolves: RHBZ#1912634, RHBZ#1878543, RHBZ#1898764, RHBZ#1893983
|
- Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459
|
||||||
- Resolves: RHBZ#1857054, RHBZ#1861601, RHBZ#1875686
|
- Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388
|
||||||
- Remove dot-prop patch, as it is fixed by npm rebase
|
- Remove dot-prop patch, as it is fixed by npm rebase
|
||||||
|
|
||||||
* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
|
* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
|
@ -1,33 +0,0 @@
|
|||||||
# nodejs binary
|
|
||||||
%__nodejs %{_bindir}/node
|
|
||||||
|
|
||||||
# nodejs library directory
|
|
||||||
%nodejs_sitelib %{_prefix}/lib/node_modules
|
|
||||||
|
|
||||||
#arch specific library directory
|
|
||||||
#for future-proofing only; we don't do multilib
|
|
||||||
%nodejs_sitearch %{nodejs_sitelib}
|
|
||||||
|
|
||||||
# currently installed nodejs version
|
|
||||||
%nodejs_version %(%{__nodejs} -v | sed s/v//)
|
|
||||||
|
|
||||||
# symlink dependencies so `npm link` works
|
|
||||||
# this should be run in every module's %%install section
|
|
||||||
# pass --check to work in the current directory instead of the buildroot
|
|
||||||
# pass --no-devdeps to ignore devDependencies when --check is used
|
|
||||||
%nodejs_symlink_deps %{_rpmconfigdir}/nodejs-symlink-deps %{nodejs_sitelib}
|
|
||||||
|
|
||||||
# patch package.json to fix a dependency
|
|
||||||
# see `man npm-json` for details on writing dependencies for package.json files
|
|
||||||
# e.g. `%%nodejs_fixdep frobber` makes any version of frobber do
|
|
||||||
# `%%nodejs_fixdep frobber '>1.0'` requires frobber > 1.0
|
|
||||||
# `%%nodejs_fixdep -r frobber removes the frobber dep
|
|
||||||
%nodejs_fixdep %{_rpmconfigdir}/nodejs-fixdep
|
|
||||||
|
|
||||||
# macro to filter unwanted provides from Node.js binary native modules
|
|
||||||
%nodejs_default_filter %{expand: \
|
|
||||||
%global __provides_exclude_from ^%{nodejs_sitearch}/.*\\.node$
|
|
||||||
}
|
|
||||||
|
|
||||||
# no-op macro to allow spec compatibility with EPEL
|
|
||||||
%nodejs_find_provides_and_requires %{nil}
|
|
2
sources
2
sources
@ -1,2 +0,0 @@
|
|||||||
SHA512 (node-v10.24.0-stripped.tar.gz) = c6106f16c6a91fcc0b36d733f23f5e6535c7fe215422c9ffae2542e0e572d07e32887053c94249c021f39135dbf828daf9fb19c2d0e7ee3aead8105d1212550e
|
|
||||||
SHA512 (icu4c-64_2-src.tgz) = 5ecb4c230ba45918747a1cf9aef86f555aa07d5b29b1d07ab674e8013f46dfb907a0e9d6945db41155f9dc3012fd94e1152ffc19f61a68b6dfcbabdcb8ae9d78
|
|
Loading…
Reference in New Issue
Block a user