diff --git a/.gitignore b/.gitignore
index 0b6d40a..a6e94a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-71_1-src.tgz
-SOURCES/node-v16.17.1-stripped.tar.gz
-SOURCES/undici-5.8.0.tar.gz
+SOURCES/node-v16.18.1-stripped.tar.gz
+SOURCES/undici-5.10.0.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index 9e157c7..6d890b2 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,6 +1,6 @@
-6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
-34ffd79dbdcb5aecebbb117d28023cac56414b80 SOURCES/node-v16.17.1-stripped.tar.gz
-ef225709142c4bd9fbb37598ff42a1228951e48b SOURCES/undici-5.8.0.tar.gz
+71f2019e8d646be20ec962859e6a356b13663313 SOURCES/node-v16.18.1-stripped.tar.gz
+a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/SOURCES/0002-Install-both-binaries-and-use-libdir.patch b/SOURCES/0002-Install-both-binaries-and-use-libdir.patch
deleted file mode 100644
index ed89d0d..0000000
--- a/SOURCES/0002-Install-both-binaries-and-use-libdir.patch
+++ /dev/null
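Review bot: In the `.nodejs.metadata` hunk the digest recorded for `SOURCES/cjs-module-lexer-1.2.2.tar.gz` changes (`6976e770…` to `b0a91341…`) although the file name and version are unchanged, so an archive with the same name now has different contents. The changelog entries added in this commit name only the undici WASM blobs, which leaves a later reader unable to tell an intentional re-roll from a substituted tarball. I would record the reason next to the source in the spec, for example `# cjs-module-lexer-1.2.2.tar.gz re-rolled: <what changed and the command used to regenerate it>`, and mention it in the changelog entry as well.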
@@ -1,72 +0,0 @@ -From e2ff0fc92ddbaa5535d684e353c55cefe99eb081 Mon Sep 17 00:00:00 2001 -From: rpm-build -Date: Tue, 27 Sep 2022 13:48:12 +0200 -Subject: [PATCH] Install both binaries and use libdir - -Signed-off-by: rpm-build ---- - configure.py | 7 +++++++ - tools/install.py | 8 +++++--- - 2 files changed, 12 insertions(+), 3 deletions(-) - -diff --git a/configure.py b/configure.py -index 1a7023d..b16db0c 100755 ---- a/configure.py -+++ b/configure.py -@@ -739,6 +739,12 @@ parser.add_argument('--shared', - help='compile shared library for embedding node in another project. ' + - '(This mode is not officially supported for regular applications)') - -+parser.add_argument('--libdir', -+ action='store', -+ dest='libdir', -+ default='lib', -+ help='a directory to install the shared library into') -+ - parser.add_argument('--without-v8-platform', - action='store_true', - dest='without_v8_platform', -@@ -1368,6 +1374,7 @@ def configure_node(o): - o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) - - o['variables']['node_shared'] = b(options.shared) -+ o['variables']['libdir'] = options.libdir - node_module_version = getmoduleversion.get_version() - - if options.dest_os == 'android': -diff --git a/tools/install.py b/tools/install.py -index a6d1f8b..e3ef9d7 100755 ---- a/tools/install.py -+++ b/tools/install.py -@@ -144,6 +144,7 @@ def files(action): - is_windows = sys.platform == 'win32' - output_file = 'node' - output_prefix = 'out/Release/' -+ output_libprefix = output_prefix - - if is_windows: - output_file += '.exe' -@@ -151,8 +152,8 @@ def files(action): - - if 'true' == variables.get('node_shared'): - if is_windows: -- action([output_prefix + 'libnode.dll'], 'bin/libnode.dll') -- action([output_prefix + 'libnode.lib'], 'lib/libnode.lib') -+ action([output_libprefix + 'libnode.dll'], 'bin/libnode.dll') -+ action([output_libprefix + 'libnode.lib'], 'lib/libnode.lib') - elif sys.platform == 'zos': - # GYP will output to lib.target; see 
_InstallableTargetInstallPath - # function in tools/gyp/pylib/gyp/generator/make.py -@@ -176,7 +177,8 @@ def files(action): - try_symlink(so_name, link_path) - else: - output_lib = 'libnode.' + variables.get('shlib_suffix') -- action([output_prefix + output_lib], 'lib/' + output_lib) -+ action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib) -+ - if 'true' == variables.get('node_use_dtrace'): - action(['out/Release/node.d'], 'lib/dtrace/node.d') - --- -2.37.3 - diff --git a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch new file mode 100644 index 0000000..f055d91 --- /dev/null +++ b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch @@ -0,0 +1,31 @@ +From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 26 Sep 2022 16:02:39 +0200 +Subject: [PATCH] install: keep installing dtrace and systemtap files + +Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6. + +Signed-off-by: rpm-build +--- + tools/install.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/tools/install.py b/tools/install.py +index 4b01d67..dc16797 100755 +--- a/tools/install.py ++++ b/tools/install.py +@@ -178,6 +178,11 @@ def files(action): + output_lib = 'libnode.' + variables.get('shlib_suffix') + action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib) + ++ if 'true' == variables.get('node_use_dtrace'): ++ action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d') ++ ++ action(['src/node.stp'], 'share/systemtap/tapset/') ++ + action(['deps/v8/tools/gdbinit'], 'share/doc/node/') + action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/') + +-- +2.37.3 + diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index b0215c7..51541db 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec 
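Review bot: The added patch installs `node.d` to `variables.get('libdir') + '/dtrace/node.d'`, while the `%files` hunk of `SPECS/nodejs.spec` in this same commit still lists `%{_usr}/lib/dtrace/node.d`; the two agree only when libdir is `lib`. The removed patch used the fixed path `'lib/dtrace/node.d'`. The value passed to `--libdir` is not visible in this diff, so this may be harmless, but with a `lib64` libdir the non-bundled build would presumably stop at `%files`. Either keep the fixed path, `action(['out/Release/node.d'], 'lib/dtrace/node.d')`, or change the spec entries to `%{_libdir}/dtrace`. The body of `files()` starts and ends outside the patch's hunk.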
@@ -30,7 +30,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 3 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -41,7 +41,7 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 16 -%global nodejs_minor 17 +%global nodejs_minor 18 %global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -69,7 +69,7 @@ %global c_ares_version 1.18.1 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 6.0.9 +%global llhttp_version 6.0.10 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.43.0 @@ -79,14 +79,14 @@ # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 -%global nghttp3_minor 1 -%global nghttp3_patch 0-DEV +%global nghttp3_minor 7 +%global nghttp3_patch 0 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch} # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h %global ngtcp2_major 0 -%global ngtcp2_minor 1 -%global ngtcp2_patch 0-DEV +%global ngtcp2_minor 8 +%global ngtcp2_patch 1 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep @@ -118,7 +118,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 8.15.0 +%global npm_version 8.19.2 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed 
@@ -127,10 +127,10 @@ %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.12 +%global uvwasi_version 0.0.13 # histogram_c - assumed from timestamps -%global histogram_version 0.9.7 +%global histogram_version 0.11.2 Name: nodejs Epoch: %{nodejs_epoch} @@ -170,18 +170,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.8.0.tar.gz -# Adjustments: rm -f undici-5.8.0/lib/llhttp/llhttp*.wasm* -Source111: undici-5.8.0.tar.gz +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz +# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm* +Source111: undici-5.10.0.tar.gz # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. # Version source: build/Dockerfile Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch - -# Patch to install both node and libnode.so, using the correct libdir -Patch2: 0002-Install-both-binaries-and-use-libdir.patch +Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch BuildRequires: make BuildRequires: python3-devel 
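Review bot: `Patch2` loses its explanatory comment in the `@@ -170,18 +170,16 @@` hunk and, with the blank line removed, now sits directly under the comment written for `Patch1`, which reads as if it described both patches. I would add `# Keep installing dtrace and systemtap files; partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6` above the `Patch2:` line, so the reason for carrying the patch is visible without opening it.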
@@ -406,6 +404,22 @@ rm -rf deps/brotli rm -rf deps/v8/third_party/jinja2 rm -rf tools/inspector_protocol/jinja2 +# check for correct versions of dependencies we are bundling +check_wasm_dep() { + local -r name="$1" source="$2" packagejson="$3" + local -r expected_version="$(jq -r '.version' "${packagejson}")" + + if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then + printf '%s version matches\n' "${name}" >&2 + else + printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2 + return 1 + fi +} + +check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json +check_wasm_dep undici '%{SOURCE111}' deps/undici/src/package.json + # Replace any instances of unversioned python' with python3 %if %{with python3_fixup} pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js") @@ -436,21 +450,13 @@ export CXX='%{__cxx}' # build with debugging symbols and add defines from libuv (#892601) # Node's v8 breaks with GCC 6 because of incorrect usage of methods on # NULL objects. We need to pass -fno-delete-null-pointer-checks -export CFLAGS='%{optflags} \ - -D_LARGEFILE_SOURCE \ - -D_FILE_OFFSET_BITS=64 \ - -DZLIB_CONST \ - -fno-delete-null-pointer-checks' -export CXXFLAGS='%{optflags} \ - -D_LARGEFILE_SOURCE \ - -D_FILE_OFFSET_BITS=64 \ - -DZLIB_CONST \ - -fno-delete-null-pointer-checks' - -# Explicit new lines in C(XX)FLAGS can break naive build scripts -export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' ' ')" -export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' ' ')" - +extra_cflags=( + -D_LARGEFILE_SOURCE + -D_FILE_OFFSET_BITS=64 + -DZLIB_CONST + -fno-delete-null-pointer-checks +) +export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}" export LDFLAGS="%{build_ldflags}" %{__python3} configure.py --prefix=%{_prefix} \ 
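Review bot: `check_wasm_dep` passes when the version lookup fails: `local -r expected_version="$(jq …)"` discards jq's exit status, and an empty `expected_version` makes `grep -q --fixed-strings ""` match any file name, so a missing `jq` or `package.json` is reported as "version matches". Split the declaration from the assignment and fail closed: `local expected_version; expected_version="$(jq -er '.version' "${packagejson}")" || return 1`. The match is also a substring test against the whole source path, so `1.2.2` would accept `1.2.20`; comparing the base name against `*-"${expected_version}".tar.gz` would tighten it. Whether `jq` is listed in `BuildRequires` is not visible in this hunk.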
@@ -461,7 +467,7 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ %{!?with_bundled:--shared-libuv} \ %{!?with_bundled:--shared-nghttp2} \ - --with-dtrace \ + %{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ --without-corepack \ @@ -635,11 +641,14 @@ end %dir %{_datadir}/systemtap/tapset %{_datadir}/systemtap/tapset/node.stp +%if %{without bundled} %dir %{_usr}/lib/dtrace %{_usr}/lib/dtrace/node.d +%endif %{_rpmconfigdir}/fileattrs/nodejs_native.attr %{_rpmconfigdir}/nodejs_native.req +%license LICENSE %doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md %doc %{_mandir}/man1/node.1* @@ -690,6 +699,7 @@ end %doc %{_mandir}/man5/package-lock-json.5* %doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* +%doc %{_mandir}/man7/dependency-selectors.7* %doc %{_mandir}/man7/developers.7* %doc %{_mandir}/man7/logging.7* %doc %{_mandir}/man7/orgs.7* @@ -709,6 +719,21 @@ end %changelog +* Wed Dec 07 2022 Jan Staněk - 1:16.18.1-3 +- Update sources of undici WASM blobs + Resolves: rhbz#2151617 + +* Mon Dec 05 2022 Zuzana Svetlikova - 1:16.18.1-2 +- Add back libs and v8-devel subpackages +- Related: RHBZ#2121126 +- Record previously fixed CVE +- Resolves: CVE-2021-44906 + +* Wed Nov 16 2022 Zuzana Svetlikova - 1:16.18.1-1 +- Rebase + CVEs +- Resolves: #2142808 +- Resolves: #2142826, #2131745, #2142855 + * Tue Sep 27 2022 Jan Staněk - 16.17.1-1 - Rebase to version 16.17.1 Resolves: CVE-2022-35255 CVE-2022-35256 
@@ -726,9 +751,9 @@ end - Apply lock file validation fixes Resolves: CVE-2021-43616 -* Mon Mar 07 2022 Zuzana Svetlikova - 1:16.14.0-3 -- Resolves: #2059949 -- Make Brew not append ~bootstrap when the macro is used +* Thu Mar 31 2022 Jan Staněk - 16.14.0-3 +- Refactor bootstap handling and configure script invocation + Resolves: rhbz#2056969 * Sun Feb 13 2022 Zuzana Svetlikova - 1:16.14.0-2 - Build with bootstrap by default due to old versions of dependencies available