From b699bdb677110bf7c57d86c8a249ab20f28cfa4c Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 3 Feb 2022 16:25:10 -0500 Subject: [PATCH] Update npm to 8.3.1 (CVE-2021-43616) Signed-off-by: Stephen Gallagher --- .gitignore | 1 + 0001-Disable-running-gyp-on-shared-deps.patch | 8 ++++---- 0002-Install-both-binaries-and-use-libdir.patch | 6 +++--- nodejs.spec | 9 ++++++++- sources | 1 + 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index fdd7ef0..2caefcf 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /.build-*.log /noarch /x86_64 +/0003-deps-upgrade-npm-to-8.3.1.patch diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index 7155f13..d6f57d1 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,14 +1,14 @@ -From 51f31ab027934c3e7aead556752911e6dee1ea69 Mon Sep 17 00:00:00 2001 +From b65f81f25d060b048e788e846f9332a70fa953f1 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Fri, 17 Apr 2020 12:59:44 +0200 -Subject: [PATCH 1/2] Disable running gyp on shared deps +Subject: [PATCH 1/3] Disable running gyp on shared deps --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile -index e55bd8d70242ace659fa9c7945708156e7770f9d..2959b0a436b10c9ff9b104de5130b751d19cb3a9 100644 +index 7671bb804fa6a4f9c4bed07fa97b353e823d42cc..e0b7803710c539d7b291b24708d8a077cd5fb40d 100644 --- a/Makefile +++ b/Makefile @@ -142,11 +142,11 @@ endif @@ -25,5 +25,5 @@ index e55bd8d70242ace659fa9c7945708156e7770f9d..2959b0a436b10c9ff9b104de5130b751 # node_version.h is listed because the N-API version is taken from there -- -2.33.0 +2.34.1 diff --git a/0002-Install-both-binaries-and-use-libdir.patch b/0002-Install-both-binaries-and-use-libdir.patch index 0900d64..5330f56 100644 --- a/0002-Install-both-binaries-and-use-libdir.patch 
+++ b/0002-Install-both-binaries-and-use-libdir.patch @@ -1,7 +1,7 @@ -From 62ddf8499747fb1e366477d666c0634ad50039a9 Mon Sep 17 00:00:00 2001 +From 73033dbc74778f7bee49f77716968bbac1e80c28 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Tue, 19 Mar 2019 23:22:40 -0400 -Subject: [PATCH 2/2] Install both binaries and use libdir. +Subject: [PATCH 2/3] Install both binaries and use libdir. This allows us to build with a shared library for other users while still providing the normal executable. @@ -87,5 +87,5 @@ index 41cc1cbc60a9480cc08df3aa0ebe582c2becc3a2..11208f9e7166ab60da46d5ace2257c23 # behave similarly for systemtap -- -2.33.0 +2.34.1 diff --git a/nodejs.spec b/nodejs.spec index 9b5e209..b8d16c7 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -25,7 +25,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 7 +%global baserelease 8 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -141,6 +141,10 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch # Patch to install both node and libnode.so, using the correct libdir Patch2: 0002-Install-both-binaries-and-use-libdir.patch +# Upstream patch to rebase npm to 8.3.1 +# Carrying it until 16.14.0 is released due to CVE-2021-43616 +Patch3: 0003-deps-upgrade-npm-to-8.3.1.patch + BuildRequires: make BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools @@ -729,6 +733,9 @@ end %changelog +* Thu Feb 03 2022 Stephen Gallagher - 1:16.13.2-8 +- Update npm to 8.3.1 (CVE-2021-43616) + * Wed Feb 02 2022 Stephen Gallagher - 1:16.13.2-7 - Fix incorrect version Provides: for npm (bz#2049873) diff --git a/sources b/sources index 410af83..efd68f2 100644 --- a/sources +++ b/sources 
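Review bot: The comment added above `Patch3:` in the nodejs.spec hunk at -141,6 names the CVE but not where the patch came from, and the patch itself is listed in `.gitignore` and `sources` rather than committed, so its content cannot be reviewed from this commit. I would extend the comment with the upstream origin, for example `# Source: <upstream commit or PR URL>`, so that the SHA512 entry in `sources` can be checked against a known upstream artifact. Separately, none of the nodejs.spec hunks shown changes the npm subpackage's own version, which the comment in the -25,7 hunk says is kept separate from the nodejs version. If that version is set elsewhere in the spec, it presumably needs to move to 8.3.1 as well, so that scanners matching the package version against CVE-2021-43616 see the fixed npm.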
@@ -1,2 +1,3 @@
 SHA512 (node-v16.13.2-stripped.tar.gz) = 2e55952b95681cb18d8ca3ee096105d3076d3c79a92b707e7f580141a5def6e6a45971bc32ecf47307e90fc51de71039dcb00697487fe83d4eb7af01b0ff40b5
 SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
+SHA512 (0003-deps-upgrade-npm-to-8.3.1.patch) = 756b8b77a11b08cfc57054b809b2d70d7c5a3ce72afa179efff548ebb814747135bcbd051c4d1c86ee045fa0d1fedbe4f1c6268a8b2610e44bf8a2e07be8d656