diff --git a/.gitignore b/.gitignore index a4daa1b..4e7cce7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,6 @@ +SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-71_1-src.tgz -SOURCES/node-v18.7.0-stripped.tar.gz +SOURCES/node-v18.12.1-stripped.tar.gz +SOURCES/undici-5.11.0.tar.gz +SOURCES/wasi-sdk-11.0-linux.tar.gz +SOURCES/wasi-sdk-14.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index e61d6db..939f105 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,6 @@ +b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz 406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz -2c6a93d05dd6a6fc588d1437d909448a383e73ee SOURCES/node-v18.7.0-stripped.tar.gz +20d62c96ab85808e1043376f0d889f74eb2551df SOURCES/node-v18.12.1-stripped.tar.gz +0ea4e5cfe13969896bf41c0d2d029a621917b944 SOURCES/undici-5.11.0.tar.gz +ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz +c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index ef48b44..5d8f9c2 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -40,8 +40,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 7 -%global nodejs_patch 0 +%global nodejs_minor 12 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -57,7 +57,7 @@ %global v8_major 10 %global v8_minor 2 %global v8_build 154 -%global v8_patch 13 +%global v8_patch 15 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -68,7 +68,7 @@ %global c_ares_version 1.18.1 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 6.0.7 +%global llhttp_version 6.0.10 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.43.0 @@ -78,14 +78,14 @@ # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 -%global nghttp3_minor 1 -%global nghttp3_patch 0-DEV +%global nghttp3_minor 7 +%global nghttp3_patch 0 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch} # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h %global ngtcp2_major 0 -%global ngtcp2_minor 1 -%global ngtcp2_patch 0-DEV +%global ngtcp2_minor 8 +%global ngtcp2_patch 1 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep @@ -117,7 +117,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 8.15.0 +%global npm_version 8.19.2 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -126,10 +126,10 @@ %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.12 +%global uvwasi_version 0.0.13 # histogram_c - assumed from timestamps -%global histogram_version 0.9.7 +%global histogram_version 0.11.2 Name: nodejs Epoch: %{nodejs_epoch} @@ -156,6 +156,26 @@ Source100: %{name}-tarball.sh # nodejs-packaging SRPM. Source7: nodejs_native.attr +# These are full sources for dependencies included as WASM blobs in the source of Node itself. +# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to. +# Recipes for creating these blobs are included in the sources. + +# Version: jq '.version' deps/cjs-module-lexer/package.json +# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz +# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm +# wasi-sdk version can be found in Makefile +# https://github.com/nodejs/cjs-module-lexer/blob/1.2.2/Makefile +Source101: cjs-module-lexer-1.2.2.tar.gz +Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz + +# Version: jq '.version' deps/undici/src/package.json +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.11.0.tar.gz +# Adjustments: rm -f undici-5.11.0/lib/llhttp/llhttp*.wasm +# wasi-sdk version can be found in Dockerfile +# https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile +Source102: undici-5.11.0.tar.gz +Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz + # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch @@ -559,6 +579,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %doc %{_mandir}/man5/package-lock-json.5* %doc %{_mandir}/man5/npm-shrinkwrap-json.5* %doc %{_mandir}/man7/config.7* +%doc %{_mandir}/man7/dependency-selectors.7* %doc %{_mandir}/man7/developers.7* %doc %{_mandir}/man7/logging.7* %doc %{_mandir}/man7/orgs.7* @@ -578,6 +599,30 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %changelog +* Wed Nov 16 2022 Zuzana Svetlikova - 1:18.12.1-1 +- Rebase + CVEs +- Resolves: #2142809 +- Resolves: #2142830, #2142856 + +* Sun Oct 09 2022 Zuzana Svetlikova - 1:18.10.0-3 +- Resolves: #2111861 +- Add proper sources for undici + +* Fri Oct 07 2022 Zuzana Svetlikova - 1:18.10.0-2 +- Resolves: #2130565 +- Add missing file + +* Thu Oct 06 2022 Zuzana Svetlikova - 1:18.10.0-1 +- Update to latest release +- Resolves: #2130565 +- Resolves #2111009, #2111861, #2132732 + +* Fri Aug 26 2022 Zuzana Svetlikova - 1:18.8.0-1 +- Update to latest release +- Resolves: RHBZ#2111009 +- Provide undici and cjs-module-lexer + wasi-sdk sources +- Resolves: RBHZ#2111861 + * Mon Aug 08 2022 Zuzana Svetlikova - 1:18.7.0-1 - Update to latest release - Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215