import UBI nodejs22-22.23.1-2.el10_2

This commit is contained in:
AlmaLinux RelEng Bot 2026-07-06 00:06:57 -04:00
parent 588be30779
commit ac1484b736
5 changed files with 214 additions and 7733 deletions

2
.gitignore vendored
View File

@ -1,3 +1,3 @@
icu4c-78.2-data-bin-b.zip
icu4c-78.2-data-bin-l.zip
node-v22.22.2-stripped.tar.gz
node-v22.23.1-stripped.tar.gz

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,166 @@
From d98f88cfa68abef0e57ec2b48df0049032e50c85 Mon Sep 17 00:00:00 2001
From: Beau Gunderson <beau@beaugunderson.com>
Date: Sun, 27 Apr 2026 10:28:29 -0700
Subject: [PATCH] CVE-2026-42338 ip-address HTML escaping fix
Fix HTML escaping in ip-address library to prevent XSS vulnerabilities.
This adds proper HTML escaping for IPv6 address components before
including them in error HTML output.
Fixes: CVE-2026-42338
Upstream commit: d98f88cfa68abef0e57ec2b48df0049032e50c85
---
deps/npm/node_modules/ip-address/dist/v6/helpers.js | 9 +++++++++
deps/npm/node_modules/ip-address/dist/ipv6.js | 32 ++++++++++++++----------
deps/npm/node_modules/ip-address/package.json | 2 +-
3 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/deps/npm/node_modules/ip-address/dist/v6/helpers.js b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
index 1234567..abcdefg 100644
--- a/deps/npm/node_modules/ip-address/dist/v6/helpers.js
+++ b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
@@ -1,14 +1,23 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
+exports.escapeHtml = escapeHtml;
exports.spanAllZeroes = spanAllZeroes;
exports.spanAll = spanAll;
exports.spanLeadingZeroes = spanLeadingZeroes;
exports.simpleGroup = simpleGroup;
+function escapeHtml(s) {
+ return s
+ .replace(/&/g, '&amp;')
+ .replace(/</g, '&lt;')
+ .replace(/>/g, '&gt;')
+ .replace(/"/g, '&quot;')
+ .replace(/'/g, '&#39;');
+}
/**
* @returns {String} the string with all zeroes contained in a <span>
*/
function spanAllZeroes(s) {
- return s.replace(/(0+)/g, '<span class="zero">$1</span>');
+ return escapeHtml(s).replace(/(0+)/g, '<span class="zero">$1</span>');
}
/**
* @returns {String} the string with each character contained in a <span>
@@ -16,11 +25,11 @@
function spanAll(s, offset = 0) {
const letters = s.split('');
return letters
- .map((n, i) => `<span class="digit value-${n} position-${i + offset}">${spanAllZeroes(n)}</span>`)
+ .map((n, i) => `<span class="digit value-${escapeHtml(n)} position-${i + offset}">${spanAllZeroes(n)}</span>`)
.join('');
}
function spanLeadingZeroesSimple(group) {
- return group.replace(/^(0+)/, '<span class="zero">$1</span>');
+ return escapeHtml(group).replace(/^(0+)/, '<span class="zero">$1</span>');
}
/**
* @returns {String} the string with leading zeroes contained in a <span>
@@ -42,4 +51,3 @@
return `<span class="hover-group group-${i + offset}">${spanLeadingZeroesSimple(g)}</span>`;
});
}
-//# sourceMappingURL=helpers.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/ip-address/dist/ipv6.js b/deps/npm/node_modules/ip-address/dist/ipv6.js
index 1234567..abcdefg 100644
--- a/deps/npm/node_modules/ip-address/dist/ipv6.js
+++ b/deps/npm/node_modules/ip-address/dist/ipv6.js
@@ -17,13 +17,23 @@
}) : function(o, v) {
o["default"] = v;
});
-var __importStar = (this && this.__importStar) || function (mod) {
- if (mod && mod.__esModule) return mod;
- var result = {};
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
- __setModuleDefault(result, mod);
- return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+ var ownKeys = function(o) {
+ ownKeys = Object.getOwnPropertyNames || function (o) {
+ var ar = [];
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+ return ar;
+ };
+ return ownKeys(o);
+ };
+ return function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+ __setModuleDefault(result, mod);
+ return result;
+ };
+})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.Address6 = void 0;
const common = __importStar(require("./common"));
@@ -536,7 +546,12 @@
this.address4 = new ipv4_1.Address4(this.parsedAddress4);
for (let i = 0; i < this.address4.groups; i++) {
if (/^0[0-9]+/.test(this.address4.parsedAddress[i])) {
- throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", address.replace(constants4.RE_ADDRESS, this.address4.parsedAddress.map(spanLeadingZeroes4).join('.')));
+ // The prefix groups haven't been through the bad-character check
+ // yet, so escape them before including in the error HTML.
+ const highlighted = this.address4.parsedAddress.map(spanLeadingZeroes4).join('.');
+ const prefix = groups.slice(0, -1).map(helpers.escapeHtml).join(':');
+ const separator = groups.length > 1 ? ':' : '';
+ throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", `${prefix}${separator}${highlighted}`);
}
}
this.v4 = true;
@@ -896,10 +911,13 @@
formFunction = this.to4in6;
}
const form = formFunction.call(this);
+ const safeHref = helpers.escapeHtml(`${options.prefix}${form}`);
+ const safeForm = helpers.escapeHtml(form);
if (options.className) {
- return `<a href="${options.prefix}${form}" class="${options.className}">${form}</a>`;
+ const safeClass = helpers.escapeHtml(options.className);
+ return `<a href="${safeHref}" class="${safeClass}">${safeForm}</a>`;
}
- return `<a href="${options.prefix}${form}">${form}</a>`;
+ return `<a href="${safeHref}">${safeForm}</a>`;
}
/**
* Groups an address
@@ -908,13 +926,13 @@
group() {
if (this.elidedGroups === 0) {
// The simple case
- return helpers.simpleGroup(this.address).join(':');
+ return helpers.simpleGroup(this.addressMinusSuffix).join(':');
}
assert(typeof this.elidedGroups === 'number');
assert(typeof this.elisionBegin === 'number');
// The elided case
const output = [];
- const [left, right] = this.address.split('::');
+ const [left, right] = this.addressMinusSuffix.split('::');
if (left.length) {
output.push(...helpers.simpleGroup(left));
}
@@ -1000,4 +1018,3 @@
}
}
exports.Address6 = Address6;
-//# sourceMappingURL=ipv6.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/ip-address/package.json b/deps/npm/node_modules/ip-address/package.json
index 1234567..abcdefg 100644
--- a/deps/npm/node_modules/ip-address/package.json
+++ b/deps/npm/node_modules/ip-address/package.json
@@ -7,7 +7,7 @@
"browser",
"validation"
],
- "version": "10.1.0",
+ "version": "10.1.1",
"author": "Beau Gunderson <beau@beaugunderson.com> (https://beaugunderson.com/)",
"license": "MIT",
"main": "dist/ip-address.js",

View File

@ -1,8 +1,8 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## (rpmautospec version 0.8.4)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 1;
release_number = 2;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -38,6 +38,12 @@
%bcond_with bundled_zlib
%endif
# 2026-05-05: Currently libuv up to date, but if it no longer the case - switch to 1
%bcond bundled_libuv 0
# 2026-05-05: Currently c-ares up to date, but if it no longer the case - switch to 1
%bcond bundled_cares 0
%bcond bundled_sqlite %{with bootstrap}
# LTO is currently broken on Node.js builds
@ -62,8 +68,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 22
%global nodejs_minor 22
%global nodejs_patch 2
%global nodejs_minor 23
%global nodejs_patch 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 127
%global nodejs_abi %{nodejs_soversion}
@ -86,20 +92,20 @@
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# zlib - from deps/zlib/zlib.h
%global zlib_version 1.3.0.1-motley
%global zlib_version 1.3.1
# c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332
%global c_ares_version 1.34.6
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 9.3.0
%global llhttp_version 9.4.2
# libuv - from deps/uv/include/uv/version.h
%global libuv_version 1.51.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.68.1
%global nghttp2_version 1.69.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_version 1.6.0
@ -130,7 +136,7 @@
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_version 10.9.7
%global npm_version 10.9.8
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -147,7 +153,7 @@
%global histogram_version 0.11.9
# sqlite from deps/sqlite/sqlite3.h
%global sqlite_version 3.51.2
%global sqlite_version 3.51.3
Name: nodejs%{nodejs_pkg_major}
@ -182,8 +188,9 @@ Source301: test-should-pass.txt
Patch: 0001-Remove-unused-OpenSSL-config.patch
Patch: 0001-fips-disable-options.patch
Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
Patch: 0001-CVE-2026-25547-braces-expansion.patch
# npm deps patches
Patch: 0002-CVE-2026-42338-npm-ip-address-security-fix.patch
%if 0%{?nodejs_default}
%global pkgname nodejs
@ -222,6 +229,11 @@ BuildRequires: jq
# https://pagure.io/nodejs-packaging/pull-request/10
BuildRequires: nodejs-packaging
%if %{with bundled_cares}
Provides: bundled(c-ares) = %{c_ares_version}
%else
BuildRequires: c-ares-devel >= %{c_ares_version}
%endif
BuildRequires: chrpath
BuildRequires: libatomic
BuildRequires: ninja-build
@ -251,7 +263,7 @@ Provides: nodejs%{nodejs_pkg_major}%{?1:-%{1}} = %{nodejs_envr}\
%define unversioned_obsoletes_of_nodejsXX_if_default() %{nil}
%endif
%if %{with bundled}
%if %{with bundled_libuv}
Provides: bundled(libuv) = %{libuv_version}
%else
BuildRequires: libuv-devel >= 1:%{libuv_version}
@ -330,11 +342,6 @@ Conflicts: node <= 0.3.2-12
Provides: nodejs-punycode = %{punycode_version}
Provides: npm(punycode) = %{punycode_version}
# Node.js has forked c-ares from upstream in an incompatible way, so we need
# to carry the bundled version internally.
# See https://github.com/nodejs/node/commit/766d063e0578c0f7758c3a965c971763f43fec85
Provides: bundled(c-ares) = %{c_ares_version}
# Node.js is closely tied to the version of v8 that is used with it. It makes
# sense to use the bundled version because upstream consistently breaks ABI
# even in point releases. Node.js upstream has now removed the ability to build
@ -367,7 +374,7 @@ Requires: nodejs-cjs-module-lexer
%endif
%if %{with bundled_undici}
Provides: bundled(nodejs-undici) = 6.24.1
Provides: bundled(nodejs-undici) = 6.27.0
%else
BuildRequires: nodejs-undici
Requires: nodejs-undici
@ -407,7 +414,7 @@ Requires: zlib-devel%{?_isa}
Requires: brotli-devel%{?_isa}
Requires: nodejs-packaging
%if %{without bundled}
%if %{without bundled_libuv}
Requires: libuv-devel%{?_isa}
%endif
@ -536,6 +543,14 @@ The API documentation for the Node.js JavaScript runtime.
%autosetup -p1 -n node-v%{nodejs_version}
# remove bundled dependencies that we aren't building
%if %{without bundled_libuv}
rm -rf deps/uv
%endif
%if %{without bundled_cares}
rm -rf deps/cares
%endif
%if !%{with bundled_zlib}
rm -rf deps/zlib
%endif
@ -620,7 +635,8 @@ export PATH="${cwd}/.bin:$PATH"
%{!?with_bundled_undici:--shared-builtin-undici/undici-path %{nodejs_private_sitelib}/undici/loader.js} \
%{!?with_bundled_sqlite:--shared-sqlite} \
--shared-brotli \
--shared-libuv \
%{!?with_bundled_cares:--shared-cares} \
%{!?with_bundled_libuv:--shared-libuv} \
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
--without-corepack \
@ -974,6 +990,17 @@ end
%changelog
## START: Generated by rpmautospec
* Wed Jun 24 2026 tjuhasz <tjuhasz@redhat.com> - 1:22.23.1-2
- CVE-2026-42338 ip-address HTML escaping fix.
* Wed Jun 24 2026 tjuhasz <tjuhasz@redhat.com> - 1:22.23.1-1
- Update to version 22.23.1
* Tue May 05 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-2
- De-bundle c-ares, libuv
- we waited for c-ares for about 4 months, so added conditional flag in
case it falls behind in future again, same for libuv
* Mon Mar 30 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
- Update to version 22.22.2
- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135

View File

@ -1,3 +1,3 @@
SHA512 (icu4c-78.2-data-bin-b.zip) = 032a1e519bf92dfa7936ef85ebed697550dbcb4e32c6ecd28ffecb158a403eeff6c0a3545b2551eba73f288e31693be6880e202a38cd86c129dffa395e8ab625
SHA512 (icu4c-78.2-data-bin-l.zip) = c0b46de115332940d3276763904caa6257eb516edce4382632f4b96a5b010fee4cb06a5e10ef5eee2f881515c1ee8277d9ae59015f6de6fe1d175b9d00dbb1ca
SHA512 (node-v22.22.2-stripped.tar.gz) = 82c3357cce10a3fe89373ec4e3460af5992d853f28a7339358a3f910959e7b17987c8eb1748d9c3033d4c642701d321e2265cc0ac004a218860da4eda2971226
SHA512 (node-v22.23.1-stripped.tar.gz) = dee26039e7a6f5d740c9f022ff702699748901c72d77ec41b91f4d9cc295d79596435d3e74446074bee1b34bd18b34f09144cd63266bf68858c975bb9e6339a3