From ccc9fed9f801852544fb6f06067111de2b605d0d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 30 2022 18:27:50 +0000 Subject: import nodejs-16.14.0-5.module+el8.7.0+15110+f25e9602 --- diff --git a/.gitignore b/.gitignore index 6d61726..a873a8a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/icu4c-69_1-src.tgz -SOURCES/node-v16.13.1-stripped.tar.gz +SOURCES/icu4c-70_1-src.tgz +SOURCES/node-v16.14.0-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 18bd083..9c15be1 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ -620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz -09e2ea9b62a6e92a73c34e2997ec237ebd04141f SOURCES/node-v16.13.1-stripped.tar.gz +f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz +8c33c1ca00dab24a6ce4d1100a6fbc4493d82797 SOURCES/node-v16.14.0-stripped.tar.gz diff --git a/SOURCES/0001-fix-ci-lock-file-validation.patch b/SOURCES/0001-fix-ci-lock-file-validation.patch new file mode 100644 index 0000000..81ff06a --- /dev/null +++ b/SOURCES/0001-fix-ci-lock-file-validation.patch @@ -0,0 +1,397 @@ +From 730dd78c897a28c3df0468ed1fc42d5817badefe Mon Sep 17 00:00:00 2001 +From: Ruy Adorno +Date: Wed, 2 Feb 2022 22:10:22 -0500 +Subject: [PATCH] fix(ci): lock file validation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Make sure to validate any lock file (either package-lock.json or +npm-shrinkwrap.json) against the current install. This will properly +throw an error in case any of the dependencies being installed don't +match the dependencies that are currently listed in the lock file. + +Fixes: https://github.com/npm/cli/issues/2701 +Fixes: https://github.com/npm/cli/issues/3947 +Signed-off-by: Jan Staněk +--- + deps/npm/lib/commands/ci.js | 23 ++++++ + deps/npm/lib/utils/validate-lockfile.js | 29 +++++++ + .../smoke-tests/index.js.test.cjs | 11 +++ + .../test/lib/commands/ci.js.test.cjs | 13 +++ + .../lib/utils/validate-lockfile.js.test.cjs | 35 ++++++++ + deps/npm/test/lib/commands/ci.js | 82 +++++++++++++++++++ + deps/npm/test/lib/utils/validate-lockfile.js | 82 +++++++++++++++++++ + 7 files changed, 275 insertions(+) + create mode 100644 deps/npm/lib/utils/validate-lockfile.js + create mode 100644 deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs + create mode 100644 deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs + create mode 100644 deps/npm/test/lib/utils/validate-lockfile.js + +diff --git a/deps/npm/lib/commands/ci.js b/deps/npm/lib/commands/ci.js +index 2c2f8da..376a85d 100644 +--- a/deps/npm/lib/commands/ci.js ++++ b/deps/npm/lib/commands/ci.js +@@ -6,6 +6,7 @@ const runScript = require('@npmcli/run-script') + const fs = require('fs') + const readdir = util.promisify(fs.readdir) + const log = require('../utils/log-shim.js') ++const validateLockfile = require('../utils/validate-lockfile.js') + + const removeNodeModules = async where => { + const rimrafOpts = { glob: false } +@@ -55,6 +56,28 @@ class CI extends ArboristWorkspaceCmd { + }), + removeNodeModules(where), + ]) ++ ++ // retrieves inventory of packages from loaded virtual tree (lock file) ++ const virtualInventory = new Map(arb.virtualTree.inventory) ++ ++ // build ideal tree step needs to come right after retrieving the virtual ++ // inventory since it's going to erase the previous ref to virtualTree ++ await arb.buildIdealTree() ++ ++ // verifies that the packages from the ideal tree will match ++ // the same versions that are present in the virtual tree (lock file) ++ // throws a validation error in case of mismatches ++ const errors = validateLockfile(virtualInventory, arb.idealTree.inventory) ++ if (errors.length) { ++ throw new Error( ++ '`npm ci` can only install packages when your package.json and ' + ++ 'package-lock.json or npm-shrinkwrap.json are in sync. Please ' + ++ 'update your lock file with `npm install` ' + ++ 'before continuing.\n\n' + ++ errors.join('\n') + '\n' ++ ) ++ } ++ + await arb.reify(opts) + + const ignoreScripts = this.npm.config.get('ignore-scripts') +diff --git a/deps/npm/lib/utils/validate-lockfile.js b/deps/npm/lib/utils/validate-lockfile.js +new file mode 100644 +index 0000000..29161ec +--- /dev/null ++++ b/deps/npm/lib/utils/validate-lockfile.js +@@ -0,0 +1,29 @@ ++// compares the inventory of package items in the tree ++// that is about to be installed (idealTree) with the inventory ++// of items stored in the package-lock file (virtualTree) ++// ++// Returns empty array if no errors found or an array populated ++// with an entry for each validation error found. ++function validateLockfile (virtualTree, idealTree) { ++ const errors = [] ++ ++ // loops through the inventory of packages resulted by ideal tree, ++ // for each package compares the versions with the version stored in the ++ // package-lock and adds an error to the list in case of mismatches ++ for (const [key, entry] of idealTree.entries()) { ++ const lock = virtualTree.get(key) ++ ++ if (!lock) { ++ errors.push(`Missing: ${entry.name}@${entry.version} from lock file`) ++ continue ++ } ++ ++ if (entry.version !== lock.version) { ++ errors.push(`Invalid: lock file's ${lock.name}@${lock.version} does ` + ++ `not satisfy ${entry.name}@${entry.version}`) ++ } ++ } ++ return errors ++} ++ ++module.exports = validateLockfile +diff --git a/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs b/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs +index c1316e0..5fa3977 100644 +--- a/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs ++++ b/deps/npm/tap-snapshots/smoke-tests/index.js.test.cjs +@@ -40,6 +40,17 @@ Configuration fields: npm help 7 config + + npm {CWD} + ++` ++ ++exports[`smoke-tests/index.js TAP npm ci > should throw mismatch deps in lock file error 1`] = ` ++npm ERR! \`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing. ++npm ERR! ++npm ERR! Invalid: lock file's abbrev@1.0.4 does not satisfy abbrev@1.1.1 ++npm ERR! ++ ++npm ERR! A complete log of this run can be found in: ++ ++ + ` + + exports[`smoke-tests/index.js TAP npm diff > should have expected diff output 1`] = ` +diff --git a/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs b/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs +new file mode 100644 +index 0000000..d6a7471 +--- /dev/null ++++ b/deps/npm/tap-snapshots/test/lib/commands/ci.js.test.cjs +@@ -0,0 +1,13 @@ ++/* IMPORTANT ++ * This snapshot file is auto-generated, but designed for humans. ++ * It should be checked into source control and tracked carefully. ++ * Re-generate by setting TAP_SNAPSHOT=1 and running tests. ++ * Make sure to inspect the output below. Do not ignore changes! ++ */ ++'use strict' ++exports[`test/lib/commands/ci.js TAP should throw error when ideal inventory mismatches virtual > must match snapshot 1`] = ` ++\`npm ci\` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with \`npm install\` before continuing. ++ ++Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0 ++ ++` +diff --git a/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs b/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs +new file mode 100644 +index 0000000..98a5126 +--- /dev/null ++++ b/deps/npm/tap-snapshots/test/lib/utils/validate-lockfile.js.test.cjs +@@ -0,0 +1,35 @@ ++/* IMPORTANT ++ * This snapshot file is auto-generated, but designed for humans. ++ * It should be checked into source control and tracked carefully. ++ * Re-generate by setting TAP_SNAPSHOT=1 and running tests. ++ * Make sure to inspect the output below. Do not ignore changes! ++ */ ++'use strict' ++exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on idealTree > should have missing entries error 1`] = ` ++Array [ ++ "Missing: baz@3.0.0 from lock file", ++] ++` ++ ++exports[`test/lib/utils/validate-lockfile.js TAP extra inventory items on virtualTree > should have no errors if finding virtualTree extra items 1`] = ` ++Array [] ++` ++ ++exports[`test/lib/utils/validate-lockfile.js TAP identical inventory for both idealTree and virtualTree > should have no errors on identical inventories 1`] = ` ++Array [] ++` ++ ++exports[`test/lib/utils/validate-lockfile.js TAP mismatching versions on inventory > should have errors for each mismatching version 1`] = ` ++Array [ ++ "Invalid: lock file's foo@1.0.0 does not satisfy foo@2.0.0", ++ "Invalid: lock file's bar@2.0.0 does not satisfy bar@3.0.0", ++] ++` ++ ++exports[`test/lib/utils/validate-lockfile.js TAP missing virtualTree inventory > should have errors for each mismatching version 1`] = ` ++Array [ ++ "Missing: foo@1.0.0 from lock file", ++ "Missing: bar@2.0.0 from lock file", ++ "Missing: baz@3.0.0 from lock file", ++] ++` +diff --git a/deps/npm/test/lib/commands/ci.js b/deps/npm/test/lib/commands/ci.js +index 537d078..e077c99 100644 +--- a/deps/npm/test/lib/commands/ci.js ++++ b/deps/npm/test/lib/commands/ci.js +@@ -19,6 +19,17 @@ t.test('should ignore scripts with --ignore-scripts', async t => { + this.reify = () => { + REIFY_CALLED = true + } ++ this.buildIdealTree = () => {} ++ this.virtualTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } ++ this.idealTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } + }, + }) + +@@ -99,6 +110,17 @@ t.test('should use Arborist and run-script', async t => { + this.reify = () => { + t.ok(true, 'reify is called') + } ++ this.buildIdealTree = () => {} ++ this.virtualTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } ++ this.idealTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } + }, + rimraf: (path, ...args) => { + actualRimrafs++ +@@ -138,6 +160,17 @@ t.test('should pass flatOptions to Arborist.reify', async t => { + this.reify = async (options) => { + t.equal(options.production, true, 'should pass flatOptions to Arborist.reify') + } ++ this.buildIdealTree = () => {} ++ this.virtualTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } ++ this.idealTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } + }, + }) + const npm = mockNpm({ +@@ -218,6 +251,17 @@ t.test('should remove existing node_modules before installing', async t => { + const nodeModules = contents.filter((path) => path.startsWith('node_modules')) + t.same(nodeModules, ['node_modules'], 'should only have the node_modules directory') + } ++ this.buildIdealTree = () => {} ++ this.virtualTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } ++ this.idealTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } + }, + }) + +@@ -231,3 +275,41 @@ t.test('should remove existing node_modules before installing', async t => { + + await ci.exec(null) + }) ++ ++t.test('should throw error when ideal inventory mismatches virtual', async t => { ++ const CI = t.mock('../../../lib/commands/ci.js', { ++ '../../../lib/utils/reify-finish.js': async () => {}, ++ '@npmcli/run-script': ({ event }) => {}, ++ '@npmcli/arborist': function () { ++ this.loadVirtual = async () => {} ++ this.reify = () => {} ++ this.buildIdealTree = () => {} ++ this.virtualTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ]), ++ } ++ this.idealTree = { ++ inventory: new Map([ ++ ['foo', { name: 'foo', version: '2.0.0' }], ++ ]), ++ } ++ }, ++ }) ++ ++ const npm = mockNpm({ ++ globalDir: 'path/to/node_modules/', ++ prefix: 'foo', ++ config: { ++ global: false, ++ 'ignore-scripts': true, ++ }, ++ }) ++ const ci = new CI(npm) ++ ++ try { ++ await ci.exec([]) ++ } catch (err) { ++ t.matchSnapshot(err.message) ++ } ++}) +diff --git a/deps/npm/test/lib/utils/validate-lockfile.js b/deps/npm/test/lib/utils/validate-lockfile.js +new file mode 100644 +index 0000000..25939c5 +--- /dev/null ++++ b/deps/npm/test/lib/utils/validate-lockfile.js +@@ -0,0 +1,82 @@ ++const t = require('tap') ++const validateLockfile = require('../../../lib/utils/validate-lockfile.js') ++ ++t.test('identical inventory for both idealTree and virtualTree', async t => { ++ t.matchSnapshot( ++ validateLockfile( ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ]), ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ]) ++ ), ++ 'should have no errors on identical inventories' ++ ) ++}) ++ ++t.test('extra inventory items on idealTree', async t => { ++ t.matchSnapshot( ++ validateLockfile( ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ]), ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ['baz', { name: 'baz', version: '3.0.0' }], ++ ]) ++ ), ++ 'should have missing entries error' ++ ) ++}) ++ ++t.test('extra inventory items on virtualTree', async t => { ++ t.matchSnapshot( ++ validateLockfile( ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ['baz', { name: 'baz', version: '3.0.0' }], ++ ]), ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ]) ++ ), ++ 'should have no errors if finding virtualTree extra items' ++ ) ++}) ++ ++t.test('mismatching versions on inventory', async t => { ++ t.matchSnapshot( ++ validateLockfile( ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ]), ++ new Map([ ++ ['foo', { name: 'foo', version: '2.0.0' }], ++ ['bar', { name: 'bar', version: '3.0.0' }], ++ ]) ++ ), ++ 'should have errors for each mismatching version' ++ ) ++}) ++ ++t.test('missing virtualTree inventory', async t => { ++ t.matchSnapshot( ++ validateLockfile( ++ new Map([]), ++ new Map([ ++ ['foo', { name: 'foo', version: '1.0.0' }], ++ ['bar', { name: 'bar', version: '2.0.0' }], ++ ['baz', { name: 'baz', version: '3.0.0' }], ++ ]) ++ ), ++ 'should have errors for each mismatching version' ++ ) ++}) +-- +2.35.1 + diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh index a439469..f59d5c2 100755 --- a/SOURCES/nodejs-tarball.sh +++ b/SOURCES/nodejs-tarball.sh @@ -128,7 +128,7 @@ echo "$ICUMD5 $ICUTARBALL" > icu.md5 md5sum -c icu.md5 rm -f icu.md5 SHASUMS256.txt -rhpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz +#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz rm -f node-v${version}.tar.gz diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 9548f15..ed02cca 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -6,15 +6,31 @@ %global with_debug 0 %endif -# bundle dependencies that are not available as Fedora modules +# The following macros control the usage of dependencies bundled from upstream. +# +# When to use what: +# - Regular (presumably non-modular) build: use neither (the default in Fedora) +# - Early bootstrapping build that is not intended to be shipped: +# use --with=bootstrap; this will bundle deps and add `~bootstrap` release suffix +# - Build with some dependencies not avalaible in necessary versions (i.e. module build): +# use --with=bundled; will bundle deps, but do not add the suffix +# +# create bootstrapping build with bundled deps and extra release suffix %bcond_with bootstrap +# bundle dependencies that are not available as Fedora modules +%if %{with bootstrap} +%bcond_without bundled +%else +%bcond_with bundled +%endif + %bcond_without python3_fixup # == Master Relase == -# This is used by both the nodejs package and the npm subpackage thar +# This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 5 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -25,8 +41,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 16 -%global nodejs_minor 13 -%global nodejs_patch 1 +%global nodejs_minor 14 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 93 @@ -63,7 +79,7 @@ # libuv - from deps/uv/include/uv/version.h %global libuv_major 1 -%global libuv_minor 42 +%global libuv_minor 43 %global libuv_patch 0 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} @@ -86,7 +102,7 @@ %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 69 +%global icu_major 70 %global icu_minor 1 %global icu_version %{icu_major}.%{icu_minor} @@ -118,14 +134,14 @@ # npm - from deps/npm/package.json %global npm_epoch 1 %global npm_major 8 -%global npm_minor 1 -%global npm_patch 2 +%global npm_minor 3 +%global npm_patch 1 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h %global uvwasi_major 0 %global uvwasi_minor 0 -%global uvwasi_patch 11 +%global uvwasi_patch 12 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch} # histogram_c - assumed from timestamps @@ -171,6 +187,9 @@ Source7: nodejs_native.attr # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch +# CVE-2021-43616 +Patch2: 0001-fix-ci-lock-file-validation.patch + BuildRequires: make BuildRequires: python3-devel BuildRequires: zlib-devel @@ -185,14 +204,18 @@ BuildRequires: chrpath BuildRequires: libatomic BuildRequires: systemtap-sdt-devel -%if %{with bootstrap} -Provides: bundled(libuv) = %{libuv_version} -Provides: bundled(nghttp2) = %{nghttp2_version} +%if %{with bundled} +Provides: bundled(libuv) = %{libuv_version} %else BuildRequires: libuv-devel >= 1:%{libuv_version} -Requires: libuv >= 1:%{libuv_version} +Requires: libuv >= 1:%{libuv_version} +%endif + +%if %{with bundled} +Provides: bundled(nghttp2) = %{nghttp2_version} +%else BuildRequires: libnghttp2-devel >= %{nghttp2_version} -Requires: libnghttp2 >= %{nghttp2_version} +Requires: libnghttp2 >= %{nghttp2_version} %endif # Temporarily bundle llhttp because the upstream doesn't @@ -285,9 +308,7 @@ Requires: zlib-devel%{?_isa} Requires: brotli-devel%{?_isa} Requires: nodejs-packaging -%if %{with bootstrap} -# deps are bundled -%else +%if %{without bundled} Requires: libuv-devel%{?_isa} %endif @@ -376,45 +397,26 @@ export CXX='g++' # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 6 because of incorrect usage of methods on # NULL objects. We need to pass -fno-delete-null-pointer-checks -export CFLAGS='%{optflags} \ - -D_LARGEFILE_SOURCE \ - -D_FILE_OFFSET_BITS=64 \ - -DZLIB_CONST \ - -fno-delete-null-pointer-checks' -export CXXFLAGS='%{optflags} \ - -D_LARGEFILE_SOURCE \ - -D_FILE_OFFSET_BITS=64 \ - -DZLIB_CONST \ - -fno-delete-null-pointer-checks' - -# Explicit new lines in C(XX)FLAGS can break naive build scripts -export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' ' ')" -export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" - +extra_cflags=( + -D_LARGEFILE_SOURCE + -D_FILE_OFFSET_BITS=64 + -DZLIB_CONST + -fno-delete-null-pointer-checks +) +export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}" export LDFLAGS="%{build_ldflags}" -%if %{with bootstrap} %{__python3} configure.py --prefix=%{_prefix} \ --shared-openssl \ --shared-zlib \ --shared-brotli \ - --with-dtrace \ - --with-intl=small-icu \ - --openssl-use-def-ca-store \ - --openssl-default-cipher-list=PROFILE=SYSTEM -%else -%{__python3} configure.py --prefix=%{_prefix} \ - --shared-openssl \ - --shared-zlib \ - --shared-brotli \ - --shared-libuv \ - --shared-nghttp2 \ + %{!?with_bundled:--shared-libuv} \ + %{!?with_bundled:--shared-nghttp2} \ --with-dtrace \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ --openssl-use-def-ca-store \ --openssl-default-cipher-list=PROFILE=SYSTEM -%endif %if %{?with_debug} == 1 # Setting BUILDTYPE=Debug builds both release and debug binaries @@ -500,7 +502,7 @@ cp -pr deps/npm/man/* %{buildroot}%{_mandir}/ rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man -# Install Gatsby HTML documentation to %{_pkgdocdir} +# Install Gatsby HTML documentation to %%{_pkgdocdir} cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/ rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs @@ -521,7 +523,7 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \ -exec chmod -x {} \; # The above command is a little overzealous. Add a few permissions back. -chmod 0775 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp +chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js # Corepack contains a number of executable"shims", including some for Windows @@ -677,6 +679,7 @@ end %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/developers.7* %doc %{_mandir}/man7/orgs.7* +%doc %{_mandir}/man7/logging.7* %doc %{_mandir}/man7/registry.7* %doc %{_mandir}/man7/removal.7* %doc %{_mandir}/man7/scope.7* @@ -692,17 +695,27 @@ end %changelog +* Mon Apr 25 2022 Jan Staněk - 1:16.14.0-5 +- Unify configure calls into single command +- Refactor bootstrap-related parts +- Decouple dependency bundling from bootstrapping + +* Mon Apr 11 2022 Zuzana Svetlikova - 1:16.14.0-4 +- Apply lock file validation fixes +- Resolves: CVE-2021-43616 +- Resolves: RHBZ#2070013 + * Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-3 -- Resolves: RHBZ#2027610 +- Resolves: RHBZ#2026329 - Add corepack to spec * Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-2 -- Resolves: RHBZ#2027610 +- Resolves: RHBZ#2026329 - Update npm version test * Thu Dec 02 2021 Zuzana Svetlikova - 1:16.13.1-1 -- Resolves: RHBZ#2027644, RHBZ#2027643, RHBZ#2027638, RHBZ#2027633 -- Resolves: RHBZ#2027610 +- Resolves: RHBZ#2014132, RHBZ#2014126, RHBZ#2013828, RHBZ#2024920 +- Resolves: RHBZ#2026329 - Rebase to LTS release and to fix multiple low and medium CVEs * Mon Sep 13 2021 Zuzana Svetlikova - 1:16.8.0-1