diff --git a/.gitignore b/.gitignore
index 0e81494..08911b0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nodemon-v2.0.3-bundled.tar.gz
+SOURCES/nodemon-v2.0.19-bundled.tar.gz
diff --git a/.rh-nodejs14-nodejs-nodemon.metadata b/.rh-nodejs14-nodejs-nodemon.metadata
index c722014..ebea1f0 100644
--- a/.rh-nodejs14-nodejs-nodemon.metadata
+++ b/.rh-nodejs14-nodejs-nodemon.metadata
@@ -1 +1 @@
-4ab27e422a201354464544f2e80678bd5b6a22c2 SOURCES/nodemon-v2.0.3-bundled.tar.gz
+eb0c6a31054c1739d10bd491295394686429d75c SOURCES/nodemon-v2.0.19-bundled.tar.gz
diff --git a/SOURCES/0001-fix-redirect-help.patch b/SOURCES/0001-fix-redirect-help.patch
deleted file mode 100644
index 89cfc0a..0000000
--- a/SOURCES/0001-fix-redirect-help.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 190d081bdbc703d34124aba06f3903c27e4f7c11 Mon Sep 17 00:00:00 2001
-From: Remy Sharp
-Date: Wed, 6 Jan 2021 10:38:53 +0000
-Subject: [PATCH] fix: redirect help
-
-Fixes: #1807
-
-Allows for nodemon --help > help.txt
-
-Signed-off-by: rpm-build
---
- lib/nodemon.js | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/lib/nodemon.js b/lib/nodemon.js
-index b3badea..ce649cb 100644
---- a/lib/nodemon.js
-+++ b/lib/nodemon.js
-@@ -39,7 +39,9 @@ function nodemon(settings) {
- }
-
- if (settings.help) {
-- process.stdout._handle.setBlocking(true); // nodejs/node#6456
-+ if (process.stdout.isTTY) {
-+ process.stdout._handle.setBlocking(true); // nodejs/node#6456
-+ }
- console.log(help(settings.help));
- if (!config.required) {
- process.exit(0);
---
-2.31.1
-
diff --git a/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch b/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
deleted file mode 100644
index c16dd66..0000000
--- a/SOURCES/0002-Fix-ReDoS-for-data-URLs.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 099828b738527c3a1e9fcba8ed9b0b1a5103526f Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Fri, 2 Jul 2021 16:30:14 +0200
-Subject: [PATCH] Fix ReDoS for data URLs
-
-Backported from
-https://github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103
-
-Signed-off-by: rpm-build
---
- node_modules/got/node_modules/normalize-url/index.js | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/node_modules/got/node_modules/normalize-url/index.js b/node_modules/got/node_modules/normalize-url/index.js
-index 4eea255..2ab7f57 100644
---- a/node_modules/got/node_modules/normalize-url/index.js
-+++ b/node_modules/got/node_modules/normalize-url/index.js
-@@ -11,7 +11,7 @@ const testParameter = (name, filters) => {
- };
-
- const normalizeDataURL = (urlString, {stripHash}) => {
-- const parts = urlString.match(/^data:(.*?),(.*?)(?:#(.*))?$/);
-+ const parts = urlString.match(/^data:([^,]*?),([^#]*?)(?:#(.*))?$/);
-
- if (!parts) {
- throw new Error(`Invalid URL: ${urlString}`);
---
-2.31.1
-
diff --git a/SOURCES/0003-fix-eliminate-ReDoS-36.patch b/SOURCES/0003-fix-eliminate-ReDoS-36.patch
deleted file mode 100644
index a8a208b..0000000
--- a/SOURCES/0003-fix-eliminate-ReDoS-36.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 77d803b877935e51c42e8bd66510d41f3e76460c Mon Sep 17 00:00:00 2001
-From: Rich Trott
-Date: Sat, 6 Mar 2021 13:16:16 -0800
-Subject: [PATCH] fix: eliminate ReDoS (#36)
-
-This change fixes a regular expression denial of service
-vulnerability.
-
-Refs: https://github.com/gulpjs/glob-parent/issues/32
-Refs: https://app.snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
-Signed-off-by: rpm-build
---
- node_modules/glob-parent/index.js | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/node_modules/glob-parent/index.js b/node_modules/glob-parent/index.js
-index 2ded6ea..c7b3bd3 100644
---- a/node_modules/glob-parent/index.js
-+++ b/node_modules/glob-parent/index.js
-@@ -6,7 +6,7 @@ var isWin32 = require('os').platform() === 'win32';
-
- var slash = '/';
- var backslash = /\\/g;
--var enclosure = /[\{\[].*[\/]*.*[\}\]]$/;
-+var enclosure = /[\{\[].*[\}\]]$/;
- var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/;
- var escaped = /\\([\*\?\|\[\]\(\)\{\}])/g;
-
---
-2.31.1
-
diff --git a/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch b/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
deleted file mode 100644
index 85f2ba4..0000000
--- a/SOURCES/0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 26bf6f9b5118302d41cc702587e5bb9c5ac51350 Mon Sep 17 00:00:00 2001
-From: isaacs
-Date: Tue, 8 Dec 2020 14:21:50 -0800
-Subject: [PATCH] do not allow invalid hazardous string as section name
-
-Signed-off-by: rpm-build
---
- node_modules/ini/ini.js | 8 ++++++
- node_modules/ini/test/proto.js | 45 ++++++++++++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 node_modules/ini/test/proto.js
-
-diff --git a/node_modules/ini/ini.js b/node_modules/ini/ini.js
-index 590195d..0401258 100644
---- a/node_modules/ini/ini.js
-+++ b/node_modules/ini/ini.js
-@@ -80,6 +80,12 @@ function decode (str) {
- if (!match) return
- if (match[1] !== undefined) {
- section = unsafe(match[1])
-+ if (section === '__proto__') {
-+ // not allowed
-+ // keep parsing the section, but don't attach it.
-+ p = {}
-+ return
-+ }
- p = out[section] = out[section] || {}
- return
- }
-@@ -94,6 +100,7 @@ function decode (str) {
- // Convert keys with '[]' suffix to an array
- if (key.length > 2 && key.slice(-2) === '[]') {
- key = key.substring(0, key.length - 2)
-+ if (key === '__proto__') return
- if (!p[key]) {
- p[key] = []
- } else if (!Array.isArray(p[key])) {
-@@ -125,6 +132,7 @@ function decode (str) {
- var l = parts.pop()
- var nl = l.replace(/\\\./g, '.')
- parts.forEach(function (part, _, __) {
-+ if (part === '__proto__') return
- if (!p[part] || typeof p[part] !== 'object') p[part] = {}
- p = p[part]
- })
-diff --git a/node_modules/ini/test/proto.js b/node_modules/ini/test/proto.js
-new file mode 100644
-index 0000000..ab35533
---- /dev/null
-+++ b/node_modules/ini/test/proto.js
-@@ -0,0 +1,45 @@
-+var ini = require('../')
-+var t = require('tap')
-+
-+var data = `
-+__proto__ = quux
-+foo = baz
-+[__proto__]
-+foo = bar
-+[other]
-+foo = asdf
-+[kid.__proto__.foo]
-+foo = kid
-+[arrproto]
-+hello = snyk
-+__proto__[] = you did a good job
-+__proto__[] = so you deserve arrays
-+thanks = true
-+`
-+var res = ini.parse(data)
-+t.deepEqual(res, {
-+ foo: 'baz',
-+ other: {
-+ foo: 'asdf',
-+ },
-+ kid: {
-+ foo: {
-+ foo: 'kid',
-+ },
-+ },
-+ arrproto: {
-+ hello: 'snyk',
-+ thanks: true,
-+ },
-+})
-+t.equal(res.__proto__, Object.prototype)
-+t.equal(res.kid.__proto__, Object.prototype)
-+t.equal(res.kid.foo.__proto__, Object.prototype)
-+t.equal(res.arrproto.__proto__, Object.prototype)
-+t.equal(Object.prototype.foo, undefined)
-+t.equal(Object.prototype[0], undefined)
-+t.equal(Object.prototype['0'], undefined)
-+t.equal(Object.prototype[1], undefined)
-+t.equal(Object.prototype['1'], undefined)
-+t.equal(Array.prototype[0], undefined)
-+t.equal(Array.prototype[1], undefined)
---
-2.31.1
-
diff --git a/SOURCES/0005-dep-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0005-dep-ansi-regex-fix-potential-ReDoS.patch
deleted file mode 100644
index a3b9795..0000000
--- a/SOURCES/0005-dep-ansi-regex-fix-potential-ReDoS.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 03704852379d943e3252f6bfa5978d5485b8b10b Mon Sep 17 00:00:00 2001
-From: rpm-build
-Date: Mon, 13 Dec 2021 12:18:27 +0100
-Subject: [PATCH] dep(ansi-regex): fix potential ReDoS
-
-This is application of upstream patch [1] to all bundled deps.
-
-[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
-
-Fixes: CVE-2021-3807
-Signed-off-by: rpm-build
---
- node_modules/ansi-align/node_modules/ansi-regex/index.js | 2 +-
- node_modules/boxen/node_modules/ansi-regex/index.js | 2 +-
- node_modules/widest-line/node_modules/ansi-regex/index.js | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/node_modules/ansi-align/node_modules/ansi-regex/index.js b/node_modules/ansi-align/node_modules/ansi-regex/index.js
-index c254480..f4d035c 100644
---- a/node_modules/ansi-align/node_modules/ansi-regex/index.js
-+++ b/node_modules/ansi-align/node_modules/ansi-regex/index.js
-@@ -6,7 +6,7 @@ module.exports = options => {
- }, options);
-
- const pattern = [
-- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
-+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
- '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
- ].join('|');
-
-diff --git a/node_modules/boxen/node_modules/ansi-regex/index.js b/node_modules/boxen/node_modules/ansi-regex/index.js
-index 35054aa..624d38b 100644
---- a/node_modules/boxen/node_modules/ansi-regex/index.js
-+++ b/node_modules/boxen/node_modules/ansi-regex/index.js
-@@ -2,7 +2,7 @@
-
- module.exports = ({onlyFirst = false} = {}) => {
- const pattern = [
-- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
-+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
- '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
- ].join('|');
-
-diff --git a/node_modules/widest-line/node_modules/ansi-regex/index.js b/node_modules/widest-line/node_modules/ansi-regex/index.js
-index 35054aa..624d38b 100644
---- a/node_modules/widest-line/node_modules/ansi-regex/index.js
-+++ b/node_modules/widest-line/node_modules/ansi-regex/index.js
-@@ -2,7 +2,7 @@
-
- module.exports = ({onlyFirst = false} = {}) => {
- const pattern = [
-- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
-+ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
- '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
- ].join('|');
-
---
-2.33.1
-
diff --git a/SPECS/nodejs-nodemon.spec b/SPECS/nodejs-nodemon.spec
index e051a8e..23fcdcd 100644
--- a/SPECS/nodejs-nodemon.spec
+++ b/SPECS/nodejs-nodemon.spec
@@ -8,19 +8,13 @@
 %bcond_with tests
 Name: %{?scl_prefix}nodejs-%{npm_name}
-Version: 2.0.3
-Release: 6%{?dist}
+Version: 2.0.19
+Release: 1%{?dist}
 Summary: Simple monitor script for use during development of a node.js app
 License: MIT
 URL: https://github.com/remy/nodemon
 Source0: %{npm_name}-v%{version}-bundled.tar.gz
-Patch0: 0001-fix-redirect-help.patch
-Patch1: 0002-Fix-ReDoS-for-data-URLs.patch
-Patch2: 0003-fix-eliminate-ReDoS-36.patch
-Patch4: 0004-do-not-allow-invalid-hazardous-string-as-section-nam.patch
-Patch5: 0005-dep-ansi-regex-fix-potential-ReDoS.patch
-
 BuildRequires: %{?scl_prefix}nodejs-devel
 BuildRequires: %{?scl_prefix}npm
@@ -82,6 +76,10 @@
 %{_bindir}/nodemon
 %changelog
+* Tue Jul 19 2022 Jan Staněk - 2.0.19-1
+- Rebase to version 2.0.19
+ Resolves: CVE-2022-33987
+
 * Mon Dec 13 2021 Jan Staněk - 2.0.3-6
 - Address potential ReDoS in ansi-regex (CVE-2021-3807)
 Resolves: rhbz#2013833
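Review bot: The first spec hunk removes Patch0–Patch5, which carried the ini `__proto__` section-name hardening, the glob-parent and normalize-url ReDoS fixes and the ansi-regex fix for CVE-2021-3807, yet the new changelog entry in the second hunk records only the rebase and CVE-2022-33987, so the spec no longer says why those downstream fixes are safe to drop. Nothing in this diff shows that the 2.0.19 bundled tarball ships patched copies of those nested dependencies (the ansi-regex fix alone touched three vendored copies), so that should be checked against the new tarball and the result recorded rather than left implicit. Once checked, I would add a line under the 2.0.19-1 entry such as `- Drop patches 0001-0005 (ini, glob-parent, normalize-url, ansi-regex), superseded by the rebased bundle`, worded to match what was actually verified.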