diff --git a/.gitignore b/.gitignore
index 8692d82..0b6d40a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
-SOURCES/icu4c-70_1-src.tgz
-SOURCES/node-v16.16.0-stripped.tar.gz
+SOURCES/cjs-module-lexer-1.2.2.tar.gz
+SOURCES/icu4c-71_1-src.tgz
+SOURCES/node-v16.17.1-stripped.tar.gz
+SOURCES/undici-5.8.0.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index c2ce414..ba29bc3 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,6 @@
-f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
-17d4c0f6337149c1171c478dbebc8c224ebd0778 SOURCES/node-v16.16.0-stripped.tar.gz
+b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
+b121cbaced686489dce040cacd91b652b0a2dfb8 SOURCES/node-v16.17.1-stripped.tar.gz
+0ad2dd058ce40f08ae2c0fe1e0226b613def8dd1 SOURCES/undici-5.8.0.tar.gz
+8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
index 361ea08..fc528b5 100644
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@@ -22,7 +22,7 @@ index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make - + # node_version.h is listed because the N-API version is taken from there -- 2.29.2
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index b2ebdbf..c8f2607 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -17,20 +17,25 @@ # # create bootstrapping build with bundled deps and extra release suffix %bcond_with bootstrap -# bundle dependencies that are not available as Fedora modules +# bundle dependencies that are not available in CentOS +# currently hardcoded to bundle; see Fedora spec on how to make this dependent on bootstrap %if %{with bootstrap} %bcond_without bundled %else %bcond_with bundled %endif +%if 0%{?rhel} && 0%{?rhel} < 9 %bcond_without python3_fixup +%else +%bcond_with python3_fixup +%endif # == Master Relase == # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -41,8 +46,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 16 -%global nodejs_minor 16 -%global nodejs_patch 0 +%global nodejs_minor 17 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 93 @@ -58,7 +63,7 @@ %global v8_major 9 %global v8_minor 4 %global v8_build 146 -%global v8_patch 24 +%global v8_patch 26 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -74,7 +79,7 @@ # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_major 6 %global llhttp_minor 0 -%global llhttp_patch 7 +%global llhttp_patch 9 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} # libuv - from deps/uv/include/uv/version.h @@ -102,7 +107,7 @@ %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 70 +%global icu_major 71 %global icu_minor 1 %global icu_version %{icu_major}.%{icu_minor} 
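Review bot: The added comment `# currently hardcoded to bundle` in the first hunk does not match the unchanged lines under it, where `%bcond_with bundled` in the `%else` branch still leaves bundling off for non-bootstrap builds. Which libraries are bundled decides who has to ship their security fixes, so the comment should say what the spec does, for example `# bundling defaults to off outside bootstrap; individual dependencies override this further down`. If the intent really was to hardcode bundling, the `%else` branch would need `%bcond_without bundled` instead; the hunk does not show which was meant.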
@@ -134,7 +139,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 %global npm_major 8 -%global npm_minor 11 +%global npm_minor 15 %global npm_patch 0 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} 
@@ -182,15 +187,41 @@ Source100: %{name}-tarball.sh # nodejs-packaging SRPM. Source7: nodejs_native.attr +# These are full sources for dependencies included as WASM blobs in the source of Node itself. +# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to. +# Recipes for creating these blobs are included in the sources. + +# Version: jq '.version' deps/cjs-module-lexer/package.json +# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz +# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm +Source101: cjs-module-lexer-1.2.2.tar.gz +# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in. +# Version source: Makefile +Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz + +# Version: jq '.version' deps/undici/src/package.json +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.8.0.tar.gz +# Adjustments: rm -f undici-5.8.0/lib/llhttp/llhttp*.wasm* +Source111: undici-5.8.0.tar.gz +# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. +# Version source: build/Dockerfile +Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz + # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch BuildRequires: make BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-jinja2 +%if !%{with python3_fixup} +BuildRequires: python-unversioned-command +%endif BuildRequires: zlib-devel BuildRequires: brotli-devel BuildRequires: gcc >= 8.3.0 BuildRequires: gcc-c++ >= 8.3.0 +BuildRequires: jq # needed to generate bundled provides for npm dependencies # https://src.fedoraproject.org/rpms/nodejs/pull-request/2 # https://pagure.io/nodejs-packaging/pull-request/10 
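Review bot: `Source101` and `Source111` are repacked by hand (the `Adjustments: rm -f …` comments) and have no URL, so the checksum recorded for them in `.nodejs.metadata` cannot be compared with the upstream release archive. I would either move the strip step into the existing `%{name}-tarball.sh` (Source100) so the repack is reproducible, or record the upstream digest next to each entry, e.g. `# Upstream archive sha256: <SHA256_OF_UPSTREAM_ARCHIVE>`. Nothing in this hunk rebuilds the WASM blobs or compares them against these sources, so presumably the binaries shipped are still the ones inside the Node.js tarball. A one-line comment saying so would keep readers from assuming otherwise.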
@@ -206,7 +237,7 @@ BuildRequires: libuv-devel >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version} %endif -%if %{with bundled} +%if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9) Provides: bundled(nghttp2) = %{nghttp2_version} %else BuildRequires: libnghttp2-devel >= %{nghttp2_version} @@ -278,12 +309,7 @@ Provides: bundled(uvwasi) = %{uvwasi_version} Provides: bundled(histogram) = %{histogram_version} # Make sure we keep NPM up to date when we update Node.js -%if 0%{?rhel} < 8 -# EPEL doesn't support Recommends, so make it strict -Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} -%else Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} -%endif %description Node.js is a platform built on Chrome's JavaScript runtime @@ -365,6 +391,8 @@ The API documentation for the Node.js JavaScript runtime. # remove bundled dependencies that we aren't building rm -rf deps/zlib rm -rf deps/brotli +rm -rf deps/v8/third_party/jinja2 +rm -rf tools/inspector_protocol/jinja2 # Replace any instances of unversioned python' with python3 %if %{with python3_fixup} @@ -664,8 +692,9 @@ end %doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* %doc %{_mandir}/man7/developers.7* -%doc %{_mandir}/man7/orgs.7* %doc %{_mandir}/man7/logging.7* +%doc %{_mandir}/man7/orgs.7* +%doc %{_mandir}/man7/package-spec.7* %doc %{_mandir}/man7/registry.7* %doc %{_mandir}/man7/removal.7* %doc %{_mandir}/man7/scope.7* @@ -681,6 +710,12 @@ end %changelog +* Fri Oct 07 2022 Zuzana Svetlikova - 1:16.17.1-1 +- Rebase to version 16.17.1 +- Resolves: CVE-2022-35255 CVE-2022-35256 +- Resolves: #2132004, #2130552 +- Resolves #2121095 + * Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-3 - Fix build - Resolves: RHBZ#2111416
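Review bot: The widened condition `%if %{with bundled} || !(0%{?fedora} || 0%{?rhel} >= 9)` in the first hunk on this line makes every build that is neither Fedora nor RHEL 9+ use the bundled nghttp2, but no comment says why. A bundled copy only receives nghttp2 security fixes through a Node.js rebase, so the reason and the exit condition belong next to the `%if`, for example `# RHEL 8: bundle nghttp2 (presumably the system libnghttp2 is older than %{nghttp2_version} — confirm); drop once it is new enough`. The `%else` branch continues outside the hunk, so I cannot see whether the system-library path is otherwise unchanged.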