Update npm to 8.3.1 (CVE-2021-43616)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
This commit is contained in:
Stephen Gallagher 2022-02-03 16:25:10 -05:00
parent 56f025de66
commit b699bdb677
No known key found for this signature in database
GPG Key ID: 45DB85A568286D11
5 changed files with 17 additions and 8 deletions

1
.gitignore vendored
View File

@ -7,3 +7,4 @@
/.build-*.log /.build-*.log
/noarch /noarch
/x86_64 /x86_64
/0003-deps-upgrade-npm-to-8.3.1.patch

View File

@ -1,14 +1,14 @@
From 51f31ab027934c3e7aead556752911e6dee1ea69 Mon Sep 17 00:00:00 2001 From b65f81f25d060b048e788e846f9332a70fa953f1 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com> From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Fri, 17 Apr 2020 12:59:44 +0200 Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH 1/2] Disable running gyp on shared deps Subject: [PATCH 1/3] Disable running gyp on shared deps
--- ---
Makefile | 2 +- Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile diff --git a/Makefile b/Makefile
index e55bd8d70242ace659fa9c7945708156e7770f9d..2959b0a436b10c9ff9b104de5130b751d19cb3a9 100644 index 7671bb804fa6a4f9c4bed07fa97b353e823d42cc..e0b7803710c539d7b291b24708d8a077cd5fb40d 100644
--- a/Makefile --- a/Makefile
+++ b/Makefile +++ b/Makefile
@@ -142,11 +142,11 @@ endif @@ -142,11 +142,11 @@ endif
@ -25,5 +25,5 @@ index e55bd8d70242ace659fa9c7945708156e7770f9d..2959b0a436b10c9ff9b104de5130b751
# node_version.h is listed because the N-API version is taken from there # node_version.h is listed because the N-API version is taken from there
-- --
2.33.0 2.34.1

View File

@ -1,7 +1,7 @@
From 62ddf8499747fb1e366477d666c0634ad50039a9 Mon Sep 17 00:00:00 2001 From 73033dbc74778f7bee49f77716968bbac1e80c28 Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade <quantum.analyst@gmail.com> From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
Date: Tue, 19 Mar 2019 23:22:40 -0400 Date: Tue, 19 Mar 2019 23:22:40 -0400
Subject: [PATCH 2/2] Install both binaries and use libdir. Subject: [PATCH 2/3] Install both binaries and use libdir.
This allows us to build with a shared library for other users while This allows us to build with a shared library for other users while
still providing the normal executable. still providing the normal executable.
@ -87,5 +87,5 @@ index 41cc1cbc60a9480cc08df3aa0ebe582c2becc3a2..11208f9e7166ab60da46d5ace2257c23
# behave similarly for systemtap # behave similarly for systemtap
-- --
2.33.0 2.34.1

View File

@ -25,7 +25,7 @@
# This is used by both the nodejs package and the npm subpackage that # This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec # has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end. # will bump this rather than adding .1 to the end.
%global baserelease 7 %global baserelease 8
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -141,6 +141,10 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
# Patch to install both node and libnode.so, using the correct libdir # Patch to install both node and libnode.so, using the correct libdir
Patch2: 0002-Install-both-binaries-and-use-libdir.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch
# Upstream patch to rebase npm to 8.3.1
# Carrying it until 16.14.0 is released due to CVE-2021-43616
Patch3: 0003-deps-upgrade-npm-to-8.3.1.patch
BuildRequires: make BuildRequires: make
BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools
@ -729,6 +733,9 @@ end
%changelog %changelog
* Thu Feb 03 2022 Stephen Gallagher <sgallagh@redhat.com> - 1:16.13.2-8
- Update npm to 8.3.1 (CVE-2021-43616)
* Wed Feb 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 1:16.13.2-7 * Wed Feb 02 2022 Stephen Gallagher <sgallagh@redhat.com> - 1:16.13.2-7
- Fix incorrect version Provides: for npm (bz#2049873) - Fix incorrect version Provides: for npm (bz#2049873)

View File

@ -1,2 +1,3 @@
SHA512 (node-v16.13.2-stripped.tar.gz) = 2e55952b95681cb18d8ca3ee096105d3076d3c79a92b707e7f580141a5def6e6a45971bc32ecf47307e90fc51de71039dcb00697487fe83d4eb7af01b0ff40b5 SHA512 (node-v16.13.2-stripped.tar.gz) = 2e55952b95681cb18d8ca3ee096105d3076d3c79a92b707e7f580141a5def6e6a45971bc32ecf47307e90fc51de71039dcb00697487fe83d4eb7af01b0ff40b5
SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7 SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
SHA512 (0003-deps-upgrade-npm-to-8.3.1.patch) = 756b8b77a11b08cfc57054b809b2d70d7c5a3ce72afa179efff548ebb814747135bcbd051c4d1c86ee045fa0d1fedbe4f1c6268a8b2610e44bf8a2e07be8d656