diff --git a/.gitignore b/.gitignore
index 8692d82..a6e94a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
-SOURCES/icu4c-70_1-src.tgz
-SOURCES/node-v16.16.0-stripped.tar.gz
+SOURCES/cjs-module-lexer-1.2.2.tar.gz
+SOURCES/icu4c-71_1-src.tgz
+SOURCES/node-v16.18.1-stripped.tar.gz
+SOURCES/undici-5.10.0.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index c2ce414..c58aefc 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,6 @@
-f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
-17d4c0f6337149c1171c478dbebc8c224ebd0778 SOURCES/node-v16.16.0-stripped.tar.gz
+b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
+0e8bf36bf0ed737011cc49026a1e7b82d7a1f638 SOURCES/node-v16.18.1-stripped.tar.gz
+a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz
+8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
index 361ea08..fc528b5 100644
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@@ -22,7 +22,7 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e
 tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 $(PYTHON) tools/gyp_node.py -f make
-
+
 # node_version.h is listed because the N-API version is taken from there
 --
 2.29.2
diff --git a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
new file mode 100644
index 0000000..f055d91
--- /dev/null
+++ b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
@@ -0,0 +1,31 @@
+From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 26 Sep 2022 16:02:39 +0200
+Subject: [PATCH] install: keep installing dtrace and systemtap files
+
+Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6.
+
+Signed-off-by: rpm-build
+---
+ tools/install.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/install.py b/tools/install.py
+index 4b01d67..dc16797 100755
+--- a/tools/install.py
++++ b/tools/install.py
+@@ -178,6 +178,11 @@ def files(action):
+ output_lib = 'libnode.' + variables.get('shlib_suffix')
+ action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib)
+
++ if 'true' == variables.get('node_use_dtrace'):
++ action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
++
++ action(['src/node.stp'], 'share/systemtap/tapset/')
++
+ action(['deps/v8/tools/gdbinit'], 'share/doc/node/')
+ action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/')
+
+--
+2.37.3
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index b2ebdbf..e0fe410 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -17,14 +17,19 @@
 #
 # create bootstrapping build with bundled deps and extra release suffix
 %bcond_with bootstrap
-# bundle dependencies that are not available as Fedora modules
+# bundle dependencies that are not available in CentOS
+# currently hardcoded to bundle; see Fedora spec on how to make this dependent on bootstrap
 %if %{with bootstrap}
 %bcond_without bundled
 %else
 %bcond_with bundled
 %endif
+%if 0%{?rhel} && 0%{?rhel} < 9
 %bcond_without python3_fixup
+%else
+%bcond_with python3_fixup
+%endif
 # == Master Relase ==
 # This is used by both the nodejs package and the npm subpackage that
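Review bot: The added comment `# currently hardcoded to bundle; …` in the `@@ -17,14 +17,19 @@` hunk does not match the conditional directly below it: the context lines still select `%bcond_without bundled` only under `%{with bootstrap}` and `%bcond_with bundled` otherwise, so bundling is not hardcoded at this point. The only unconditional bundling visible in this diff is the nghttp2 test changed in the `@@ -206,7 +238,7 @@` hunk, and that line carries no comment. I would reword this comment to `# bundling follows the bootstrap bcond; nghttp2 is additionally bundled before RHEL 9` and add `# always bundle nghttp2 on releases without a usable system libnghttp2` above the nghttp2 `%if`, so whoever tracks nghttp2 security fixes can see that the bundled copy is in use there. The reason for the nghttp2 exception is inferred from the condition and should be confirmed.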
@@ -41,8 +46,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 16
-%global nodejs_patch 0
+%global nodejs_minor 18
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 93
@@ -58,7 +63,7 @@
 %global v8_major 9
 %global v8_minor 4
 %global v8_build 146
-%global v8_patch 24
+%global v8_patch 26
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@@ -74,7 +79,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 6
 %global llhttp_minor 0
-%global llhttp_patch 7
+%global llhttp_patch 10
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 # libuv - from deps/uv/include/uv/version.h
@@ -91,18 +96,18 @@
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
-%global nghttp3_minor 1
-%global nghttp3_patch 0-DEV
+%global nghttp3_minor 7
+%global nghttp3_patch 0
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}
 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %global ngtcp2_major 0
-%global ngtcp2_minor 1
-%global ngtcp2_patch 0-DEV
+%global ngtcp2_minor 8
+%global ngtcp2_patch 1
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 70
+%global icu_major 71
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}
@@ -134,20 +139,20 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 8
-%global npm_minor 11
-%global npm_patch 0
+%global npm_minor 19
+%global npm_patch 2
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 12
+%global uvwasi_patch 13
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 # histogram_c - assumed from timestamps
 %global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
+%global histogram_minor 11
+%global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
 # In order to avoid needing to keep incrementing the release version for the
@@ -182,15 +187,42 @@ Source100: %{name}-tarball.sh
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr
+# These are full sources for dependencies included as WASM blobs in the source of Node itself.
+# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to.
+# Recipes for creating these blobs are included in the sources.
+
+# Version: jq '.version' deps/cjs-module-lexer/package.json
+# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
+# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
+Source101: cjs-module-lexer-1.2.2.tar.gz
+# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
+# Version source: Makefile
+Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
+
+# Version: jq '.version' deps/undici/src/package.json
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz
+# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.10.0.tar.gz
+# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
+# Version source: build/Dockerfile
+Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
+
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch
 BuildRequires: make
 BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-jinja2
+%if !%{with python3_fixup}
+BuildRequires: python-unversioned-command
+%endif
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
 BuildRequires: gcc >= 8.3.0
 BuildRequires: gcc-c++ >= 8.3.0
+BuildRequires: jq
 # needed to generate bundled provides for npm dependencies
 # https://src.fedoraproject.org/rpms/nodejs/pull-request/2
 # https://pagure.io/nodejs-packaging/pull-request/10
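Review bot: `Source101` and `Source111` are locally repacked tarballs with no URL, and the only record of how they differ from the upstream archives is the `# Adjustments: rm -f …` comment, so the checksums recorded for them in .nodejs.metadata cannot be re-derived or compared with upstream without repeating those steps by hand. I would commit the repack steps as a script alongside the existing `Source100: %{name}-tarball.sh` and note the upstream archive checksum in the comment, for example `# Upstream sha256: <UPSTREAM_SHA256_PLACEHOLDER>`. Nothing visible in this diff rebuilds the .wasm blobs from these sources or from the wasi-sdk archives, so they appear to be shipped for reference only; if that is the intent, the comment block should say so explicitly.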
@@ -206,7 +238,7 @@ BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 %endif
-%if %{with bundled}
+%if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9)
 Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@@ -278,12 +310,7 @@ Provides: bundled(uvwasi) = %{uvwasi_version}
 Provides: bundled(histogram) = %{histogram_version}
 # Make sure we keep NPM up to date when we update Node.js
-%if 0%{?rhel} < 8
-# EPEL doesn't support Recommends, so make it strict
-Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
-%else
 Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
-%endif
 %description
 Node.js is a platform built on Chrome's JavaScript runtime
@@ -365,6 +392,24 @@ The API documentation for the Node.js JavaScript runtime.
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
 rm -rf deps/brotli
+rm -rf deps/v8/third_party/jinja2
+rm -rf tools/inspector_protocol/jinja2
+
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+ local -r name="$1" source="$2" packagejson="$3"
+ local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+ if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+ printf '%s version matches\n' "${name}" >&2
+ else
+ printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+ return 1
+ fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+check_wasm_dep undici '%{SOURCE111}' deps/undici/src/package.json
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
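Review bot: `check_wasm_dep` in the `@@ -365,6 +392,24 @@` hunk can report success without having checked anything: `local -r expected_version="$(jq …)"` discards jq's exit status, so when `jq` fails on a missing or unparsable package.json the variable is empty and `grep -q --fixed-strings ""` matches every line, printing "version matches". The comparison is also a substring test, so `1.2.2` is accepted inside a file name carrying `1.2.20` or `11.2.2`. I would declare the variable on its own line and assign it with `expected_version="$(jq -er '.version' "${packagejson}")" || return 1`, then compare the whole file name with `if [ "${source##*/}" = "${name}-${expected_version}.tar.gz" ]; then`. Even then the check only compares the tarball's file name with the bundled package.json; the tarball contents remain pinned solely by the checksum in .nodejs.metadata.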
@@ -663,9 +708,11 @@ end
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
-%doc %{_mandir}/man7/orgs.7*
 %doc %{_mandir}/man7/logging.7*
+%doc %{_mandir}/man7/orgs.7*
+%doc %{_mandir}/man7/package-spec.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
 %doc %{_mandir}/man7/scope.7*
@@ -681,24 +728,41 @@ end
 %changelog
-* Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-3
-- Fix build
-- Resolves: RHBZ#2111416
-
-* Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-2
-- Refactor spec
-- Resolves: RHBZ#2111416
-
-* Tue Jul 26 2022 Zuzana Svetlikova - 1:16.16.0-1
-- Rebase to latest version
-- Resolves: RHBZ#2106369
-- CVE fixes for CVE-2022-32212/3/4/5
-- Resolves: #2109578, #2109581, #2109584, #2109588
+* Wed Dec 07 2022 Jan Staněk - 1:16.18.1-3
+- Update sources of undici WASM blobs
+ Resolves: rhbz#2151546
+
+* Fri Dec 02 2022 Jan Staněk - 1:16.18.1-2
+- Record CVE references already addressed in this or previous upstream versions
+ Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
+
+* Wed Nov 16 2022 Zuzana Svetlikova - 1:16.18.1-1
+- Rebase + CVE fixes
+- Resolves: #2142806
+- Resolves: #2142837, #2142851
+
+* Fri Oct 07 2022 Zuzana Svetlikova - 1:16.17.1-1
+- Rebase to version 16.17.1
+- Resolves: CVE-2022-35255 CVE-2022-35256
+- Resolves: #2130553
+- Resolves #2132003
+- Resolves #2121095
+
+* Tue Aug 23 2022 Zuzana Svetlikova - 1:16.16.0-1
+- Resolves: #2104754, #2108057, #2108062, #2108067, #2108072
+- Resolves CVE-2022-29244, CVE-2022-32212/3/4/5
+- Resolves: #2106285
+- Rebase to latest release
+
+* Mon Apr 25 2022 Jan Staněk - 1:16.14.0-5
+- Unify configure calls into single command
+- Refactor bootstrap-related parts
+- Decouple dependency bundling from bootstrapping
 * Mon Apr 11 2022 Zuzana Svetlikova - 1:16.14.0-4
 - Apply lock file validation fixes
-- Resolves CVE-2021-43616
-- Resolves: RHBZ#2070012
+- Resolves: CVE-2021-43616
+- Resolves: RHBZ#2070013
 * Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-3
 - Resolves: RHBZ#2026329