Commit Graph

764 Commits

Author SHA1 Message Date
Lukas Javorsky
d180e34c2b Add helping script for missing bundled packages, fix typo 2024-02-14 15:00:18 +00:00
Honza Horak
e081ba9a28 Update licenses in the template spec 2024-02-09 15:22:34 +01:00
Honza Horak
f2292967e5 Fix typos and add info where to find license-validate 2024-02-09 14:20:18 +01:00
Honza Horak
06bf5fc3d1 SPDX migration and introduction of bundled_licenses.py
The Python script bundled_licenses.py should help identifying
licenses used in the bundled deps. It simply parses package.json
files in the given directory and returns best guess about the
License: RPM tag.

The expected usage is like this:
* run bundled_licenses.py on the binary RPMs to see what is
  bundled in the shipped RPMs
* validate the output of bundled_licenses.py
* add licenses identiefied in the source code of nodejs itself
* validate the resulting License tag suggestion by license-validate tool
2024-02-09 12:20:15 +01:00
Zephyr Lykos
2961a50035
Fix loading unbundled undici builtin (rhbz#2259320) 2024-02-08 01:12:55 +08:00
Fedora Release Engineering
37c03d4ecf Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-25 09:11:17 +00:00
Fedora Release Engineering
52a3d8b3dc Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-21 09:49:22 +00:00
Stephen Gallagher
3d4cbef75d Update to 20.11.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-01-10 10:03:36 -05:00
Jan Staněk
ed578ec737 remove bundled WASM blobs
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 15:18:42 -05:00
Stephen Gallagher
f523665c4d sitelib is a symlink, not a dir
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 12:58:06 -05:00
Stephen Gallagher
9b2e0bcd71 Fix missing %dir
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 12:08:28 -05:00
Stephen Gallagher
4c864a0d68 Update to v20.10.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 10:39:23 -05:00
Stephen Gallagher
5f953c4f03 Bump release to rebuild with newer nodejs-packaging
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-26 10:41:52 -04:00
Stephen Gallagher
2ceeb8628f Update to 20.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-25 14:16:03 -04:00
Stephen Gallagher
8f462ce5d3 Update to 20.8.1
This is a security release.

The following CVEs are fixed in this release:

* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552):  Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-16 11:59:52 -04:00
Stephen Gallagher
29ba6214c9 Update to 20.8.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-29 07:35:38 -04:00
Stephen Gallagher
8f4100250b Update to 20.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-20 13:44:46 -04:00
Stephen Gallagher
302a20ab06 Update to 20.6.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-15 10:12:29 -04:00
Stephen Gallagher
52f84b80ec Fix variable substitution
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-07 16:29:05 -04:00
Stephen Gallagher
b64d26c94a Add default Obsoletes: for nodejsXX
This takes its cue from the Python 3.X approach

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-07 14:41:32 -04:00
Stephen Gallagher
f57981cf35 Update to 20.6.0
Starting from Node.js v20.6.0, Node.js supports `.env` files for configuring environment variables.

Your configuration file should follow the INI file format, with each line containing a key-value pair for an environment variable.
To initialize your Node.js application with predefined configurations, use the following CLI command: `node --env-file=config.env index.js`.

For example, you can access the following environment variable using `process.env.PASSWORD` when your application is initialized:

```text
PASSWORD=nodejs
```

In addition to environment variables, this change allows you to define your `NODE_OPTIONS` directly in the `.env` file, eliminating the need to include it in your `package.json`.

This feature was contributed by Yagiz Nizipli in [#48890](https://github.com/nodejs/node/pull/48890).

In ES modules, [`import.meta.resolve(specifier)`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import.meta/resolve) can be used to get an absolute URL string to which `specifier` resolves, similar to `require.resolve` in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

This feature was contributed by Guy Bedford in <https://github.com/nodejs/node/pull/49028>

There is a new API `register` available on `node:module` to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag `--experimental-loader`, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling `register` from the main thread and passing data, including `MessageChannel` instances.

We encourage users to migrate to an approach that uses [`--import`](https://nodejs.org/api/cli.html#--importmodule) with `register`, such as:

```bash
node --import ./file-that-calls-register.js ./app.js
```

Using `--import` ensures that the customization hooks are registered before any application code runs, even the entry point.

This feature was contributed by Izaak Schroeder in <https://github.com/nodejs/node/pull/48842> and <https://github.com/nodejs/node/pull/48559>

Authors of module customization hooks can how handle both ES module and CommonJS sources in the `load` hook. This works for CommonJS modules referenced via either `import` or `require`, so long as [the main entry point of the application is handled by the ES module loader](https://nodejs.org/api/cli.html#program-entry-point) (such as because the entry point is an ES module file, or if the `--import` flag is passed). This should simplify the customization of the Node.js module loading process, as package authors can customize more of Node.js without relying on deprecated APIs such as `require.extensions`.

This feature was contributed by Antoine du Hamel in <https://github.com/nodejs/node/pull/47999>

Now when Node.js starts up, it makes sure that there is a `v8::CppHeap` attached to the V8 isolate. This enables users to allocate in the `v8::CppHeap` using `<cppgc/*>` headers from V8, which are now also included into the Node.js headers available to addons. Note that since Node.js only bundles the cppgc library coming from V8, [the ABI stability](https://nodejs.org/en/docs/guides/abi-stability#abi-stability-in-nodejs) of cppgc is currently not guaranteed in semver-minor and -patch updates, but we do not expect the ABI to break often, as it has been stable and battle-tested in Chromium for years. We may consider including cppgc into the ABI stability guarantees when it gets enough adoption internally and externally.

To help addon authors create JavaScript-to-C++ references of which V8's garbage collector can be aware, a helper function [`node::SetCppgcReference(isolate, js_object, cppgc_object)`](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc) has been added to `node.h`. V8 may provide a native alternative in the future, which could then replace this Node.js-specific helper. In the mean time, users can use this API to avoid having to hard-code the layout of JavaScript wrapper objects. An example of how to create garbage-collected C++ objects in the unified heap and wrap it in a JavaScript object can be found in the [Node.js addon tests](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc).

The existing `node::ObjectWrap` helper would continue to work, while cppgc-based object management serves as an alternative with some advantages mentioned in [the V8 blog post about Oilpan](https://v8.dev/blog/oilpan-library).

This feature was contributed by Daryl Haresign and Joyee Cheung in <https://github.com/nodejs/node/pull/48660> and <https://github.com/nodejs/node/pull/45704>.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-05 10:46:54 -04:00
Stephen Gallagher
e257c9bd18 Add version note to packaging readme
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-08-28 18:43:55 -04:00
Jan Staněk
61dfae6179 Specify openssl configuration section
By default, node does not use the common openssl configuration section,
relying instead on node-specific `nodejs_conf` section.
Since we want node to use the system configuration, the section name
should be changed (back) to `openssl_conf`.

See discussion in https://github.com/nodejs/node/pull/48950
for the reason this change is suggested.
2023-08-28 18:34:01 -04:00
Stephen Gallagher
fd717eb4cc Update to 20.5.1
** 2023-08-09, Version 20.5.1 (Current), @RafaelGSS

This is a security release.

*** Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002):  Policies can be bypassed via Module.\_load (High)
* [CVE-2023-32558](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32558): process.binding() can bypass the permission model through path traversal (High)
* [CVE-2023-32004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32004): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
* [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
* [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
* [CVE-2023-32005](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32005): fs.statfs can bypass the permission model (Low)
* [CVE-2023-32003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32003): fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.

** 2023-07-18, Version 20.5.0 (Current), @juanarbol

*** Notable Changes

* \[[`45be29d89f`](https://github.com/nodejs/node/commit/45be29d89f)] - **doc**: add atlowChemi to collaborators (atlowChemi) [#48757](https://github.com/nodejs/node/pull/48757)
* \[[`a316808136`](https://github.com/nodejs/node/commit/a316808136)] - **(SEMVER-MINOR)** **events**: allow safely adding listener to abortSignal (Chemi Atlow) [#48596](https://github.com/nodejs/node/pull/48596)
* \[[`986b46a567`](https://github.com/nodejs/node/commit/986b46a567)] - **fs**: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) [#48658](https://github.com/nodejs/node/pull/48658)
* \[[`0ef73ff6f0`](https://github.com/nodejs/node/commit/0ef73ff6f0)] - **(SEMVER-MINOR)** **test\_runner**: add shards support (Raz Luvaton) [#48639](https://github.com/nodejs/node/pull/48639)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-08-09 16:13:26 -04:00
Fedora Release Engineering
f9d7c9978d Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 16:47:45 +00:00
Stephen Gallagher
c311390922 sources: Check for node binary
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-07-12 12:50:47 -04:00
Stephen Gallagher
2dee98da40 Release 20.4.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-07-12 12:50:28 -04:00
Stephen Gallagher
9d9ff2a528 Update to security release 20.3.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.3.1

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-22 12:54:46 -04:00
Stephen Gallagher
c8a3601325 sources: install jinja2 if needed
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-21 10:26:10 -04:00
Stephen Gallagher
3febae4956 sources: Fix indentation
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-21 10:25:49 -04:00
Stephen Gallagher
6fdba8a532
Release Node.js 20.2.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.2.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-17 09:23:34 -04:00
Stephen Gallagher
6d822b2572
Update to 20.1.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.1.0

Also drop upstreamed patch

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-04 16:16:03 -04:00
Stephen Gallagher
d8fdc60e0f
Temporarily reduce optimizations
Something in -O2 is causing segfaults in v8

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-02 17:35:20 -04:00
Stephen Gallagher
1a9e720653
Fix up shebangs for npm and npx
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-28 10:43:13 -04:00
Stephen Gallagher
46596a23c9
Add README for packagers
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-27 11:47:47 -04:00
Stephen Gallagher
adbbe46d3c
nodejs-sources.sh: Add --debug flag
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-27 08:57:01 -04:00
Stephen Gallagher
f2b853130c
Apply changes to spec template
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-27 08:28:45 -04:00
Jan Staněk
1827854f11
Replace /usr/etc/npmrc symlink with builtin configuration
We want to have the system-level npmrc located at /etc/npmrc.
By default, npm looks for it in /usr/etc/npmrc,
so we placed a symlink to /etc/npmrc there.
However, we are the only known package that has anything in /usr/etc,
which confuses and/or breaks various tooling (see related bug).

This gets rid of the symlink,
and instead uses "builtin"-level configuration of npm
to cause it to load the system-level configuration from /etc/npmrc.

Related: rhbz#2177776
2023-04-27 13:23:13 +02:00
Stephen Gallagher
8a6ffdbb6a
Fix npm manpage symlinks
Resolves: rhbz#2187978

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 14:54:17 -04:00
Stephen Gallagher
443480e5d2
Fix bug on gcc13
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 14:53:08 -04:00
Stephen Gallagher
1047bf482c
Update to 20.0.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.0.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 12:02:51 -04:00
Stephen Gallagher
280abb5a74
Apply changes to actual spec
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-12 16:21:09 -04:00
Stephen Gallagher
92480e0459
Don't 'Provides:npm' on non-default
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-11 10:52:20 -04:00
Stephen Gallagher
4443d6afb2
Update to 19.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-11 10:51:53 -04:00
Stephen Gallagher
64f0989a8d
Adjust nodejs-devel Provides
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-03 09:05:25 -04:00
Stephen Gallagher
a293cec3bf
Add pkg-config files
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-29 18:09:21 -04:00
Stephen Gallagher
7f25939b50
More v8-devel fixes
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-29 13:56:00 -04:00
Stephen Gallagher
559c6e6d44
Drop extraneous endif
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-27 19:06:53 -04:00
Stephen Gallagher
39a633e36e
Fix build issue on non-default releases
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-27 19:05:15 -04:00
Stephen Gallagher
2e164bd121
Fix libv8 packaging issue
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-27 14:57:59 -04:00