Update npm to 8.3.1 (CVE-2021-43616)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2022-02-03 16:25:10 -05:00 · 2022-02-03 16:25:10 -05:00 · b699bdb677
commit b699bdb677
parent 56f025de66
5 changed files with 17 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@
 /.build-*.log
 /noarch
 /x86_64
+/0003-deps-upgrade-npm-to-8.3.1.patch
--- a/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/0001-Disable-running-gyp-on-shared-deps.patch
@ -1,14 +1,14 @@
-From 51f31ab027934c3e7aead556752911e6dee1ea69 Mon Sep 17 00:00:00 2001
+From b65f81f25d060b048e788e846f9332a70fa953f1 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Fri, 17 Apr 2020 12:59:44 +0200
-Subject: [PATCH 1/2] Disable running gyp on shared deps
+Subject: [PATCH 1/3] Disable running gyp on shared deps

 ---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/Makefile b/Makefile
-index e55bd8d70242ace659fa9c7945708156e7770f9d..2959b0a436b10c9ff9b104de5130b751d19cb3a9 100644
+index 7671bb804fa6a4f9c4bed07fa97b353e823d42cc..e0b7803710c539d7b291b24708d8a077cd5fb40d 100644
 --- a/Makefile
 +++ b/Makefile
@@ -142,11 +142,11 @@ endif
@ -25,5 +25,5 @@ index e55bd8d70242ace659fa9c7945708156e7770f9d..2959b0a436b10c9ff9b104de5130b751
 
 # node_version.h is listed because the N-API version is taken from there
 -- 
-2.33.0
+2.34.1

--- a/0002-Install-both-binaries-and-use-libdir.patch
+++ b/0002-Install-both-binaries-and-use-libdir.patch
@ -1,7 +1,7 @@
-From 62ddf8499747fb1e366477d666c0634ad50039a9 Mon Sep 17 00:00:00 2001
+From 73033dbc74778f7bee49f77716968bbac1e80c28 Mon Sep 17 00:00:00 2001
 From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
 Date: Tue, 19 Mar 2019 23:22:40 -0400
-Subject: [PATCH 2/2] Install both binaries and use libdir.
+Subject: [PATCH 2/3] Install both binaries and use libdir.

 This allows us to build with a shared library for other users while
 still providing the normal executable.
@ -87,5 +87,5 @@ index 41cc1cbc60a9480cc08df3aa0ebe582c2becc3a2..11208f9e7166ab60da46d5ace2257c23
 
   # behave similarly for systemtap
 -- 
-2.33.0
+2.34.1

--- a/nodejs.spec
+++ b/nodejs.spec
@ -25,7 +25,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 7
+%global baserelease 8

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -141,6 +141,10 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 # Patch to install both node and libnode.so, using the correct libdir
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch

+# Upstream patch to rebase npm to 8.3.1
+# Carrying it until 16.14.0 is released due to CVE-2021-43616
+Patch3: 0003-deps-upgrade-npm-to-8.3.1.patch
+
 BuildRequires: make
 BuildRequires: python%{python3_pkgversion}-devel
 BuildRequires: python%{python3_pkgversion}-setuptools
@ -729,6 +733,9 @@ end


 %changelog
+* Thu Feb 03 2022 Stephen Gallagher <sgallagh@redhat.com> - 1:16.13.2-8
+- Update npm to 8.3.1 (CVE-2021-43616)
+
 * Wed Feb 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 1:16.13.2-7
 - Fix incorrect version Provides: for npm (bz#2049873)

--- a/1
+++ b/1
@ -1,2 +1,3 @@
 SHA512 (node-v16.13.2-stripped.tar.gz) = 2e55952b95681cb18d8ca3ee096105d3076d3c79a92b707e7f580141a5def6e6a45971bc32ecf47307e90fc51de71039dcb00697487fe83d4eb7af01b0ff40b5
 SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
+SHA512 (0003-deps-upgrade-npm-to-8.3.1.patch) = 756b8b77a11b08cfc57054b809b2d70d7c5a3ce72afa179efff548ebb814747135bcbd051c4d1c86ee045fa0d1fedbe4f1c6268a8b2610e44bf8a2e07be8d656