import llhttp-9.2.1-1.el9

.gitignore

@@ -0,0 +1 @@
+SOURCES/llhttp-9.2.1.tar.gz

.llhttp.metadata

@@ -0,0 +1 @@
+a9bc2288b1fbb830bb4f454ea9803fe317472375  SOURCES/llhttp-9.2.1.tar.gz

SOURCES/audited-null-licenses.toml

@@ -0,0 +1,56 @@
+[any]
+
+[prod]
+
+[dev]
+
+# Just a module wrapper around the code in tslib, which does have a proper
+# license (0BSD) in its package.json:
+# tslib/modules
+modules = "<unknown version>"
+# A “dummy” module in the tests for tslib
+# tslib/test/validateModuleExportsMatchCommonJS
+validateModuleExportsMatchCommonJS = "<unknown version>"
+
+# Similarly, these are all just ES6 module (mjs) or CommonJS (cjs) module
+# wrappers in packages that do have proper license information:
+# node_modules_dev/@ungap/structured-clone/cjs
+# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/utils/node_modules/minimatch/dist/mjs
+# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/parser/node_modules/minimatch/dist/mjs
+# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/cjs
+# node_modules_dev/@typescript-eslint/type-utils/node_modules/minimatch/dist/mjs
+# node_modules_dev/flatted/cjs
+cjs = "<unknown version>"
+mjs = "<unknown version>"
+
+# These are all “dummy” modules in the tests for resolve:
+# resolve/test/module_dir/zmodules/bbb
+bbb = "<unknown version>"
+# resolve/test/resolver/invalid_main
+"invalid main" = "<unknown version>"
+# resolve/test/resolver/incorrect_main
+incorrect_main = "<unknown version>"
+# resolve/test/resolver/dot_slash_main
+dot_slash_main = "<unknown version>"
+# resolve/test/resolver/dot_main
+dot_main = "<unknown version>"
+# resolve/test/resolver/baz
+baz = "<unknown version>"
+# resolve/test/resolver/browser_field
+browser_field = "<unknown version>"
+# resolve/test/resolver/symlinked/package
+package = "<unknown version>"
+
+# These are all part of nanoid, which is MIT-licensed.
+# nanoid/url-alphabet
+url-alphabet = "<unknown version>"
+# nanoid/non-secure
+non-secure = "<unknown version>"
+# nanoid/async
+async = "<unknown version>"
+
+# This is part of yargs, which is MIT-licensed.
+# mocha/node_modules/yargs/helpers
+helpers = "<unknown version>"

SOURCES/check-null-licenses

@@ -0,0 +1,182 @@
+#!/usr/bin/python3
+# -*- coding: utf-8 -*-
+
+import json
+from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
+from pathlib import Path
+from sys import exit, stderr
+
+try:
+    import tomllib
+except ImportError:
+    import tomli as tomllib
+
+
+def main():
+    args = parse_args()
+    problem = False
+    if not args.tree.is_dir():
+        return f"Not a directory: {args.tree}"
+    for pjpath in args.tree.glob("**/package.json"):
+        name, version, license = parse(pjpath)
+        identity = f"{name} {version}"
+        if version in args.exceptions.get(name, ()):
+            continue  # Do not even check the license
+        elif license is None:
+            problem = True
+            print(f"Missing license in package.json for {identity}", file=stderr)
+        elif isinstance(license, dict):
+            if isinstance(license.get("type"), str):
+                continue
+            print(
+                (
+                    "Missing type for (deprecated) license object in "
+                    f"package.json for {identity}: {license}"
+                ),
+                file=stderr,
+            )
+        elif isinstance(license, list):
+            if license and all(
+                isinstance(entry, dict) and isinstance(entry.get("type"), str)
+                for entry in license
+            ):
+                continue
+            print(
+                (
+                    "Defective (deprecated) licenses array-of objects in "
+                    f"package.json for {identity}: {license}"
+                ),
+                file=stderr,
+            )
+        elif isinstance(license, str):
+            continue
+        else:
+            print(
+                (
+                    "Weird type for license in "
+                    f"package.json for {identity}: {license}"
+                ),
+                file=stderr,
+            )
+        problem = True
+    if problem:
+        return "At least one missing license was found."
+
+
+def parse(package_json_path):
+    with package_json_path.open("rb") as pjfile:
+        pj = json.load(pjfile)
+    try:
+        license = pj["license"]
+    except KeyError:
+        license = pj.get("licenses")
+    try:
+        name = pj["name"]
+    except KeyError:
+        name = package_json_path.parent.name
+    version = pj.get("version", "<unknown version>")
+
+    return name, version, license
+
+
+def parse_args():
+    parser = ArgumentParser(
+        formatter_class=RawDescriptionHelpFormatter,
+        description=("Search for bundled dependencies without declared licenses"),
+        epilog="""
+
+The exceptions file must be a TOML file with zero or more tables. Each table’s
+keys are package names; the corresponding values values are exact version
+number strings, or arrays of version number strings, that have been manually
+audited to determine their license status and should therefore be ignored.
+
+Exceptions in a table called “any” are always applied. Otherwise, exceptions
+are applied only if a corresponding --with TABLENAME argument is given;
+multiple such arguments may be given.
+
+For
+example:
+
+    [any]
+    example-foo = "1.0.0"
+
+    [prod]
+    example-bar = [ "2.0.0", "2.0.1",]
+
+    [dev]
+    example-bat = [ "3.7.4",]
+
+would always ignore version 1.0.0 of example-foo. It would ignore example-bar
+2.0.1 only when called with “--with prod”.
+
+Comments may (and should) be used to describe the manual audits upon which the
+exclusions are based.
+
+Otherwise, any package.json with missing or null license field in the tree is
+considered an error, and the program returns with nonzero status.
+""",
+    )
+    parser.add_argument(
+        "-x",
+        "--exceptions",
+        type=FileType("rb"),
+        help="Manually audited package versions file",
+    )
+    parser.add_argument(
+        "-w",
+        "--with",
+        action="append",
+        default=[],
+        help="Enable a table in the exceptions file",
+    )
+    parser.add_argument(
+        "tree",
+        metavar="node_modules_dir",
+        type=Path,
+        help="Path to search recursively",
+        default=".",
+    )
+    args = parser.parse_args()
+
+    if args.exceptions is None:
+        args.exceptions = {}
+        xname = None
+    else:
+        with args.exceptions as xfile:
+            xname = getattr(xfile, "name", "<exceptions>")
+            args.exceptions = tomllib.load(args.exceptions)
+        if not isinstance(args.exceptions, dict):
+            parser.error(f"Invalid format in {xname}: not an object")
+        for tablename, table in args.exceptions.items():
+            if not isinstance(table, dict):
+                parser.error(f"Non-table entry in {xname}: {tablename} = {table!r}")
+            overlay = {}
+            for key, value in table.items():
+                if isinstance(value, str):
+                    overlay[key] = [value]
+                elif not isinstance(value, list) or not all(
+                    isinstance(entry, str) for entry in value
+                ):
+                    parser.error(
+                        f"Invalid format in {xname} in [{tablename}]: "
+                        f"{key!r} = {value!r}"
+                    )
+            table.update(overlay)
+
+    x = args.exceptions.get("any", {})
+    for add in getattr(args, "with"):
+        try:
+            x.update(args.exceptions[add])
+        except KeyError:
+            if xname is None:
+                parser.error(f"No table {add}, as no exceptions file was given")
+            else:
+                parser.error(f"No table {add} in {xname}")
+    # Store the merged dictionary
+    args.exceptions = x
+
+    return args
+
+
+if __name__ == "__main__":
+    exit(main())

SOURCES/llhttp-packaging-bundler

@@ -0,0 +1,110 @@
+#!/bin/bash
+set -o nounset
+set -o errexit
+
+OUTPUT_DIR="$(rpm -E '%{_sourcedir}')"
+SPEC_FILE="${PWD}/llhttp.spec"
+
+usage() {
+  cat 1>&2 <<EOF
+Usage: $(basename "$0")
+
+Given llhttp.spec in the working directory, download the source and the prod
+and dev dependencies, each in their own tarball.
+
+Also finds licenses for prod dependencies.
+
+All three tarballs and the license list are copied to
+${OUTPUT_DIR}.
+EOF
+  exit 1
+}
+
+if ! [[ -f /usr/bin/npm ]]
+then 
+  cat 1>&2 <<EOF
+$(basename "${0}") requires npm to run
+
+Run the following to fix this:
+  sudo dnf install npm
+
+EOF
+  exit 2
+fi 
+
+if [[ $# -gt 0 ]]; then 
+  usage
+fi 
+
+TMP_DIR="$(mktemp -d -t ci-XXXXXXXXXX)"
+trap "cd /; rm -rf '${TMP_DIR}'" INT TERM EXIT
+cd "${TMP_DIR}"
+
+echo "Reading ${SPEC_FILE}; downloading source archive" 1>&2
+VERSION="$(awk '$1 == "Version:" { print $2; exit }' "${SPEC_FILE}")"
+echo "Version is ${VERSION}" 1>&2
+echo "Downloading source archive" 1>&2
+spectool -g "${SPEC_FILE}"
+
+ARCHIVE="$(
+  find . -mindepth 1 -maxdepth 1 -type f -name '*.tar.gz' -print -quit
+)"
+echo "Downloaded $(basename "${ARCHIVE}")" 1>&2
+
+tar -xzf "${ARCHIVE}"
+XDIR="$(find . -mindepth 1 -maxdepth 1 -type d -print -quit)"
+echo "Extracted to $(basename "${XDIR}")" 1>&2
+
+cd "${XDIR}"
+
+echo "Downloading prod dependencies" 1>&2
+# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm
+# unsuccessfully attempts to build the package.
+npm install --no-optional --only=prod --ignore-scripts
+echo "Successful prod dependencies download" 1>&2
+mv node_modules/ node_modules_prod
+
+echo "LICENSES IN BUNDLE:"
+LICENSE_FILE="${TMP_DIR}/llhttp-${VERSION}-bundled-licenses.txt"
+find . -name 'package.json' -exec jq '.license | strings' '{}' ';' \
+    >> "${LICENSE_FILE}"
+for what in '.license | objects | .type' '.licenses[] .type'
+do
+  find . -name 'package.json' -exec jq "${what}" '{}' ';' \
+      >> "${LICENSE_FILE}" 2>/dev/null
+done
+sort -u -o "${LICENSE_FILE}" "${LICENSE_FILE}"
+
+# Locate any dependencies without a provided license
+find . -type f -name 'package.json' -execdir jq \
+    'if .license==null and .licenses==null then .name else null end' '{}' '+' |
+  grep -vE '^null$' |
+  sort -u > "${TMP_DIR}/nolicense.txt"
+
+if [[ -s "${TMP_DIR}/nolicense.txt" ]]
+then
+  echo -e "\e[5m\e[41mSome dependencies do not list a license. Manual verification required!\e[0m"
+  cat "${TMP_DIR}/nolicense.txt"
+  echo -e "\e[5m\e[41m======================================================================\e[0m"
+fi
+
+echo "Downloading dev dependencies" 1>&2
+# Compared to nodejs-packaging-bundler, we must add --ignore-scripts or npm
+# unsuccessfully attempts to build the package.
+npm install --no-optional --only=dev --ignore-scripts
+echo "Successful dev dependencies download" 1>&2
+mv node_modules/ node_modules_dev
+
+if [[ -d node_modules_prod ]]
+then
+  tar -cf "../llhttp-${VERSION}-nm-prod.tar" node_modules_prod
+fi
+if [[ -d node_modules_dev ]]
+then
+  tar -cf "../llhttp-${VERSION}-nm-dev.tar" node_modules_dev
+fi
+zstdmt --ultra -22 "../llhttp-${VERSION}-nm-prod.tar" "../llhttp-${VERSION}-nm-dev.tar"
+
+cd ..
+find . -mindepth 1 -maxdepth 1 -type f \( -name "$(basename "${ARCHIVE}")" \
+    -o -name "llhttp-${VERSION}*" \) -exec cp -vp '{}' "${OUTPUT_DIR}" ';'

SPECS/llhttp.spec

@@ -0,0 +1,268 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.3)
+## RPMAUTOSPEC: autorelease, autochangelog
+%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
+    release_number = 1;
+    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
+    print(release_number + base_release_number - 1);
+}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
+## END: Set by rpmautospec
+
+# This package is rather exotic. The compiled library is a typical shared
+# library with a C API. However, it has only a tiny bit of C source code. Most
+# of the library is written in TypeScript, which is transpiled to C, via LLVM
+# IR, using llparse (https://github.com/nodejs/llparse)—all of which happens
+# within the NodeJS ecosystem.
+#
+# The package therefore “builds like” a NodeJS package, and to the extent they
+# are relevant we apply the NodeJS packaging guidelines. However, the result of
+# the build “installs like” a traditional C library package and has no NodeJS
+# dependencies, including bundled ones.
+#
+# Furthermore, the package is registered with npm as “llhttp”, but current
+# releases are not published there, so we use the GitHub archive as the
+# canonical source and use a custom bundler script based on
+# nodejs-packaging-bundler to fetch NodeJS build dependencies.
+#
+# Overall, we cherry-pick from the standard and NodeJS packaging guidelines as
+# each seems to best apply, understanding that this package does not fit well
+# into any of the usual patterns or templates.
+#
+# Note that there is now a “release” tarball, e.g.
+# https://github.com/nodejs/llhttp/archive/refs/tags/release/v%%{version}tar.gz,
+# that allows this package to be built without the NodeJS/TypeScript machinery.
+# However, the release archive lacks the original TypeScript source code for
+# the generated C code, which we would need to include in the source RPM as an
+# additional source even if we do not do the re-generation ourselves.
+
+Name:           llhttp
+Version:        9.2.1
+%global so_version 9.2
+Release:        %autorelease
+Summary:        Port of http_parser to llparse
+
+# License of llhttp is (SPDX) MIT; nothing from the NodeJS dependency bundle is
+# installed, so its contents do not contribute to the license of the binary
+# RPMs, and we do not need a file llhttp-%%{version}-bundled-licenses.txt.
+License:        MIT
+URL:            https://github.com/nodejs/llhttp
+Source0:        %{url}/archive/v%{version}/llhttp-%{version}.tar.gz
+
+# Based closely on nodejs-packaging-bundler, except:
+#
+# - The GitHub source tarball specified in this spec file is used since the
+#   current version is not typically published on npm
+# - No production dependency bundle is generated, since none is needed—and
+#   therefore, no bundled licenses text file is generated either
+Source1:        llhttp-packaging-bundler
+# Created with llhttp-packaging-bundler (Source1):
+Source2:        llhttp-%{version}-nm-dev.tar.zst
+
+# While nothing in the dev bundle is installed, we still choose to audit for
+# null licenses at build time and to keep manually-approved exceptions in a
+# file.
+Source3:        check-null-licenses
+Source4:        audited-null-licenses.toml
+
+# The compiled RPM does not depend on NodeJS at all, but we cannot *build* it
+# on architectures without NodeJS.
+ExclusiveArch:  %{nodejs_arches}
+
+# For generating the C source “release” from TypeScript:
+BuildRequires:  nodejs-devel
+BuildRequires:  make
+
+# For compiling the C library
+BuildRequires:  cmake
+BuildRequires:  gcc
+
+# For tests
+BuildRequires:  gcc-c++
+
+# For check-null-licenses
+BuildRequires:  python3-devel
+BuildRequires:  (python3dist(tomli) if python3 < 3.11)
+
+%description
+This project is a port of http_parser to TypeScript. llparse is used to
+generate the output C source file, which could be compiled and linked with the
+embedder's program (like Node.js).
+
+
+%package devel
+Summary:        Development files for llhttp
+
+Requires:       llhttp%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
+
+%description devel
+The llhttp-devel package contains libraries and header files for
+developing applications that use llhttp.
+
+
+%prep
+%autosetup
+
+# Remove build flags specifying ISA extensions not in the architectural
+# baseline from the test fixture setup.
+sed -r -i 's@([[:blank:]]*)(.*-m(sse4))@\1// \2@' test/fixtures/index.ts
+
+# We build the library that we install via release/CMakeLists.txt, but the
+# tests are built via Makefile targets. Don’t apply non-default optimization or
+# debug flags to the test executables.
+sed -r -i 's@ -[Og].\b@@g' Makefile
+
+# Set up bundled (dev) node modules required to generate the C sources from the
+# TypeScript sources.
+tar --zstd --extract --file='%{SOURCE2}'
+mkdir -p node_modules
+pushd node_modules
+ln -s ../node_modules_dev/* .
+ln -s ../node_modules_dev/.bin .
+popd
+
+# We run ts-node out of node_modules/.bin rather than using npx (which we will
+# not have available).
+sed -r -i 's@\bnpx[[:blank:]](ts-node)\b@node_modules/.bin/\1@' Makefile
+
+
+%build
+# Generate the C source “release” from TypeScript using the “node_modules_dev”
+# bundle.
+%make_build release RELEASE='%{version}'
+
+# To help prove that nothing from the bundled NodeJS dev dependencies is
+# included in the binary packages, remove the “node_modules” symlinks.
+rm -rvf node_modules
+
+cd release
+%cmake
+%cmake_build
+
+
+%install
+cd release
+%cmake_install
+
+
+%check
+# Symlink the NodeJS bundle again so that we can test with Mocha
+mkdir -p node_modules
+pushd node_modules
+ln -s ../node_modules_dev/* .
+ln -s ../node_modules_dev/.bin .
+popd
+
+# Verify that no bundled dev dependency has a null license field, unless we
+# already audited it by hand. This reduces the chance of accidentally including
+# code with license problems in the source RPM.
+%{python3} '%{SOURCE3}' --exceptions '%{SOURCE4}' --with dev node_modules_dev
+
+%set_build_flags
+# http-loose-request.c:7205:20: error: invalid conversion from 'void*' to
+#     'const unsigned char*' [-fpermissive]
+#  7205 |     start = state->_span_pos0;
+#       |             ~~~~~~~^~~~~~~~~~
+#       |                    |
+#       |                    void*
+export CXXFLAGS="${CXXFLAGS-} -fpermissive"
+export CFLAGS="${CFLAGS-} -fpermissive"
+export CLANG=gcc
+# See scripts.test in package.json:
+NODE_ENV=test node -r ts-node/register/type-check ./test/md-test.ts
+
+
+%files
+%license release/LICENSE-MIT
+%{_libdir}/libllhttp.so.%{so_version}{,.*}
+
+
+%files devel
+%doc release/README.md
+%{_includedir}/llhttp.h
+%{_libdir}/libllhttp.so
+%{_libdir}/pkgconfig/libllhttp.pc
+%{_libdir}/cmake/llhttp/
+
+
+%changelog
+* Thu May 09 2024 Arkady L. Shane <tigro@msvsphere-os.ru> - 9.2.1-1
+- Rebuilt for MSVSphere 9.4
+
+## START: Generated by rpmautospec
+* Thu Apr 11 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.2.1-1
+- Update to 9.2.1 (close RHBZ#2273352, fix CVE-2024-27982)
+- Switch from xz to zstd compression for the “dev” bundle archive
+
+* Thu Apr 11 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.2.0-4
+- Format check-null-licenses with “ruff format”
+
+* Thu Apr 11 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.2.0-1
+- Update to 9.2.0 (close RHBZ#2263250)
+
+* Thu Apr 11 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1.3-2
+- Compress the dev dependency bundle with xz instead of gzip
+
+* Thu Nov 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1.3-1
+- Update to 9.1.3 (close RHBZ#2242220)
+
+* Thu Nov 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1.2-1
+- Update to 9.1.2
+
+* Thu Nov 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1.1-1
+- Update to 9.1.1
+
+* Thu Nov 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 9.1.0-1
+- Update to 9.1.0
+
+* Thu Nov 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 9.0.1-1
+- Update to 9.0.1 (close RHBZ#2228290)
+
+* Thu Nov 30 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 9.0.0-1
+- Update to 9.0.0
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.1.1-1
+- Update to 8.1.1 (close RHBZ#2216591)
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.1.0-3
+- Fix test compiling/execution
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.1.0-2
+- Indicate dirs. in files list with trailing slashes
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.1.0-1
+- Update to 8.1.0 (close RHBZ#2131175)
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 8.0.0-1
+- Update to 8.0.0 (close RHBZ#2131175)
+
+* Sat Jul 29 2023 Stephen Gallagher <sgallagh@redhat.com> - 6.0.10-1
+- Update to v6.0.10
+
+* Sat Jul 29 2023 Miro Hrončok <miro@hroncok.cz> - 6.0.9-2
+- Use tomllib/python-tomli instead of dead upstream python-toml
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.9-1
+- Update to 6.0.9 (close RHBZ#2116231)
+- Bumped .so version from downstream 0.1 to upstream 6.0
+- Better upstream support for building and installing a shared library
+- The -devel package now contains a .pc file
+- Tests are now built with gcc and fully respect distro flags
+
+* Sat Jul 29 2023 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.6-6
+- Drop “forge” macros, which aren’t really doing much here
+
+* Fri Dec 24 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.6-5
+- Add a note about LLHTTP_STRICT_MODE to the package description
+
+* Fri Dec 24 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.6-4
+- Revert "Build with LLHTTP_STRICT_MODE enabled"
+
+* Wed Dec 22 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.6-3
+- Build with LLHTTP_STRICT_MODE enabled
+
+* Tue Dec 14 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.6-2
+- Dep. on cmake-filesystem is now auto-generated
+
+* Mon Dec 06 2021 Benjamin A. Beasley <code@musicinmybrain.net> - 6.0.6-1
+- Initial package (close RHBZ#2029461)
+## END: Generated by rpmautospec