From 5fd23a45376a5f3cec3706311693fbfadbf87d97 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 9 Jan 2023 09:25:13 -0500 Subject: [PATCH] import nodejs-14.21.1-2.module+el8.7.0+17528+a329cd47 --- .gitignore | 4 + .nodejs.metadata | 4 + ...1-Disable-running-gyp-on-shared-deps.patch | 26 + ...-deps-ansi-regex-fix-potential-ReDoS.patch | 45 + ...ignore-__proto__-keys-CVE-2022-24999.patch | 98 ++ SOURCES/btest402.js | 151 +++ SOURCES/nodejs-tarball.sh | 195 +++ SOURCES/nodejs_native.attr | 2 + SOURCES/npmrc | 2 + SPECS/nodejs.spec | 1050 +++++++++++++++++ 10 files changed, 1577 insertions(+) create mode 100644 .gitignore create mode 100644 .nodejs.metadata create mode 100644 SOURCES/0001-Disable-running-gyp-on-shared-deps.patch create mode 100644 SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch create mode 100644 SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch create mode 100644 SOURCES/btest402.js create mode 100755 SOURCES/nodejs-tarball.sh create mode 100644 SOURCES/nodejs_native.attr create mode 100644 SOURCES/npmrc create mode 100644 SPECS/nodejs.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c9ee73e --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +SOURCES/cjs-module-lexer-1.2.2.tar.gz +SOURCES/icu4c-70_1-src.tgz +SOURCES/node-v14.21.1-stripped.tar.gz +SOURCES/wasi-sdk-wasi-sdk-11.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata new file mode 100644 index 0000000..d20d8cd --- /dev/null +++ b/.nodejs.metadata @@ -0,0 +1,4 @@ +6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz +f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz +2812a06625a63430d5f36ce9019cc2df321956e6 SOURCES/node-v14.21.1-stripped.tar.gz +8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch new file mode 100644 index 0000000..1a12d5f --- /dev/null +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -0,0 +1,26 @@ +From 0daef8b47290ffa866f321173a0a45f7c131f172 Mon Sep 17 00:00:00 2001 +From: Zuzana Svetlikova +Date: Fri, 17 Apr 2020 12:59:44 +0200 +Subject: [PATCH] Disable running gyp on shared deps + +Signed-off-by: rpm-build +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 82281b5..9e65fc4 100644 +--- a/Makefile ++++ b/Makefile +@@ -143,7 +143,7 @@ with-code-cache test-code-cache: + $(warning '$@' target is a noop) + + out/Makefile: config.gypi common.gypi node.gyp \ +- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \ ++ deps/llhttp/llhttp.gyp \ + tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ + tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + $(PYTHON) tools/gyp_node.py -f make +-- +2.38.1 + diff --git a/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch new file mode 100644 index 0000000..e486e3e --- /dev/null +++ b/SOURCES/0002-deps-ansi-regex-fix-potential-ReDoS.patch @@ -0,0 +1,45 @@ +From 8fc20d21cd7861ecc4f034ae82234a05227c2c12 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 9 Dec 2021 15:48:46 +0100 +Subject: [PATCH] deps(ansi-regex): fix potential ReDoS + +This is the upstream fix [1] applied to all applicable bundled deps. + +[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9 + +Fixes: CVE-2021-3807 +Signed-off-by: rpm-build +--- + .../node_modules/string-width/node_modules/ansi-regex/index.js | 2 +- + deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js +index c4aaecf..7d32201 100644 +--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js +@@ -2,7 +2,7 @@ + + module.exports = () => { + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' + ].join('|'); + +diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js +index c254480..9e37ec3 100644 +--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js ++++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js +@@ -6,7 +6,7 @@ module.exports = options => { + }, options); + + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' + ].join('|'); + +-- +2.38.1 + diff --git a/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch new file mode 100644 index 0000000..81064b3 --- /dev/null +++ b/SOURCES/0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch @@ -0,0 +1,98 @@ +From 00da0b65c4c6bd75be2b91fba196be520e8ccf00 Mon Sep 17 00:00:00 2001 +From: Jordan Harband +Date: Mon, 27 Dec 2021 19:15:57 -0800 +Subject: [PATCH] deps(qs/parse): ignore `__proto__` keys (CVE-2022-24999) + +Signed-off-by: rpm-build +--- + deps/npm/node_modules/qs/lib/parse.js | 2 +- + deps/npm/node_modules/qs/test/parse.js | 60 ++++++++++++++++++++++++++ + 2 files changed, 61 insertions(+), 1 deletion(-) + +diff --git a/deps/npm/node_modules/qs/lib/parse.js b/deps/npm/node_modules/qs/lib/parse.js +index 8c9872e..08e623a 100644 +--- a/deps/npm/node_modules/qs/lib/parse.js ++++ b/deps/npm/node_modules/qs/lib/parse.js +@@ -69,7 +69,7 @@ var parseObject = function (chain, val, options) { + ) { + obj = []; + obj[index] = leaf; +- } else { ++ } else if (cleanRoot !== '__proto__') { + obj[cleanRoot] = leaf; + } + } +diff --git a/deps/npm/node_modules/qs/test/parse.js b/deps/npm/node_modules/qs/test/parse.js +index 0f8fe45..3e93784 100644 +--- a/deps/npm/node_modules/qs/test/parse.js ++++ b/deps/npm/node_modules/qs/test/parse.js +@@ -515,6 +515,66 @@ test('parse()', function (t) { + st.end(); + }); + ++ t.test('dunder proto is ignored', function (st) { ++ var payload = 'categories[__proto__]=login&categories[__proto__]&categories[length]=42'; ++ var result = qs.parse(payload, { allowPrototypes: true }); ++ ++ st.deepEqual( ++ result, ++ { ++ categories: { ++ length: '42' ++ } ++ }, ++ 'silent [[Prototype]] payload' ++ ); ++ ++ var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true }); ++ ++ st.deepEqual( ++ plainResult, ++ { ++ __proto__: null, ++ categories: { ++ __proto__: null, ++ length: '42' ++ } ++ }, ++ 'silent [[Prototype]] payload: plain objects' ++ ); ++ ++ var query = qs.parse('categories[__proto__]=cats&categories[__proto__]=dogs&categories[some][json]=toInject', { allowPrototypes: true }); ++ ++ st.notOk(Array.isArray(query.categories), 'is not an array'); ++ st.notOk(query.categories instanceof Array, 'is not instanceof an array'); ++ st.deepEqual(query.categories, { some: { json: 'toInject' } }); ++ st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array'); ++ ++ st.deepEqual( ++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true }), ++ { ++ foo: { ++ bar: 'stuffs' ++ } ++ }, ++ 'hidden values' ++ ); ++ ++ st.deepEqual( ++ qs.parse('foo[__proto__][hidden]=value&foo[bar]=stuffs', { allowPrototypes: true, plainObjects: true }), ++ { ++ __proto__: null, ++ foo: { ++ __proto__: null, ++ bar: 'stuffs' ++ } ++ }, ++ 'hidden values: plain objects' ++ ); ++ ++ st.end(); ++ }); ++ + t.test('can return null objects', { skip: !Object.create }, function (st) { + var expected = Object.create(null); + expected.a = Object.create(null); +-- +2.38.1 + diff --git a/SOURCES/btest402.js b/SOURCES/btest402.js new file mode 100644 index 0000000..277319c --- /dev/null +++ b/SOURCES/btest402.js @@ -0,0 +1,151 @@ +// Copyright (C) 2014 IBM Corporation and Others. All Rights Reserved. +// This file is part of the Node.JS ICU enablement work +// https://github.com/joyent/node/pull/7719 +// and is under the same license. +// +// This is a very, very, very basic test of es402 +// +// URL: https://github.com/srl295/btest402 +// Author: Steven R. Loomis +// +// for a complete test, see http://test262.ecmascript.org +// +// Usage: node btest402.js + +try { + console.log("You have console.log."); +} catch(e) { + // this works on d8 + console = { log: print }; + console.log("Now you have console.log."); +} + +function runbtest() { + var summary = {}; + + try { + var i = Intl; + summary.haveIntl = true; + console.log("+ Congrats, you have the Intl object."); + } catch(e) { + console.log("You don't have the Intl object: " + e); + } + + if(summary.haveIntl) { + var locs = [ "en", "mt", "ja","tlh"]; + var d = new Date(196400000); + for ( var n=0; n 0 ) { + lsummary.haveSlo = true; + } + } catch (e) { + console.log("SLO err: " + e); + } + var dstr = "ERR"; + try { + lsummary.dstr = d.toLocaleString(loc,{month: "long",day:"numeric",weekday:"long",year:"numeric"}); + console.log(" date: (supported:"+sl+") " + lsummary.dstr); + } catch (e) { + console.log(" Date Format err: " + e); + } + try { + new Intl.v8BreakIterator(); + console.log(" Intl.v8BreakIterator:" + + Intl.v8BreakIterator.supportedLocalesOf(loc) + " Supported, first()==" + + new Intl.v8BreakIterator(loc).first() ); + lsummary.brkOk = true; + } catch ( e) { + console.log(" Intl.v8BreakIterator error (NOT part of EcmaScript402): " + e); + } + console.log(); + } + } + + // print summary + console.log(); + console.log("--------- Analysis ---------"); + stxt = ""; + if( summary.haveIntl ) { + console.log("* You have the 'Intl' object. Congratulations! You have the possibility of being EcmaScript 402 compliant."); + stxt += "Have Intl, "; + + if ( !summary.en.haveSlo ) { + stxt += "Date:no EN, "; + console.log("* English isn't a supported language by the date formatter. Perhaps the data isn't installed properly?"); + } + if ( !summary.tlh.haveSlo ) { + stxt += "Date:no 'tlh', "; + console.log("* Klingon isn't a supported language by the date formatter. It is without honor!"); + } + // now, what is it actually saying + if( summary.en.dstr.indexOf("1970") == -1) { + stxt += "Date:bad 'en', "; + console.log("* the English date format text looks bad to me. Doesn't even have the year."); + } else { + if( summary.en.dstr.indexOf("Jan") == -1) { + stxt += "Date:bad 'en', "; + console.log("* The English date format text looks bad to me. Doesn't have the right month."); + } + } + + if( summary.mt.dstr == summary.en.dstr ) { + stxt += "Date:'mt'=='en', "; + console.log("* The English and Maltese look the same to me. Probably a 'small' build."); + } else if( summary.mt.dstr.indexOf("1970") == -1) { + stxt += "Date:bad 'mt', "; + console.log("* the Maltese date format text looks bad to me. Doesn't even have the year. (This data is missing from the Chromium ICU build)"); + } else { + if( summary.mt.dstr.indexOf("Jann") == -1) { + stxt += "Date:bad 'mt', "; + console.log("* The Maltese date format text looks bad to me. Doesn't have the right month. (This data is missing from the Chromium ICU build)"); + } + } + + if ( !summary.ja.haveSlo ) { + stxt += "Date:no 'ja', "; + console.log("* Japanese isn't a supported language by the date formatter. Could be a 'small' build."); + } else { + if( summary.ja.dstr.indexOf("1970") == -1) { + stxt += "Date:bad 'ja', "; + console.log("* the Japanese date format text looks bad to me. Doesn't even have the year."); + } else { + if( summary.ja.dstr.indexOf("日") == -1) { + stxt += "Date:bad 'ja', "; + console.log("* The Japanese date format text looks bad to me."); + } + } + } + if ( summary.en.brkOk ) { + stxt += "FYI: v8Brk:have 'en', "; + console.log("* You have Intl.v8BreakIterator support. (Note: not part of ES402.)"); + } + } else { + console.log("* You don't have the 'Intl' object. You aren't EcmaScript 402 compliant."); + stxt += " NO Intl. "; + } + + // 1-liner. + console.log(); + console.log("----------------"); + console.log( "SUMMARY:" + stxt ); +} + +var dorun = true; + +try { + if(btest402_noautorun) { + dorun = false; + } +} catch(e) {} + +if(dorun) { + console.log("Running btest.."); + runbtest(); +} diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh new file mode 100755 index 0000000..a055ccb --- /dev/null +++ b/SOURCES/nodejs-tarball.sh @@ -0,0 +1,195 @@ +#!/bin/sh +# Uses Argbash to generate command argument parsing. To update +# arguments, make sure to call +# `argbash nodejs-tarball.sh -o nodejs-tarball.sh` + +# ARG_POSITIONAL_SINGLE([version],[Node.js release version],[""]) +# ARG_DEFAULTS_POS([]) +# ARG_HELP([Tool to aid in Node.js packaging of new releases]) +# ARGBASH_GO() +# needed because of Argbash --> m4_ignore([ +### START OF CODE GENERATED BY Argbash v2.8.1 one line above ### +# Argbash is a bash code generator used to get arguments parsing right. +# Argbash is FREE SOFTWARE, see https://argbash.io for more info + + +die() +{ + local _ret=$2 + test -n "$_ret" || _ret=1 + test "$_PRINT_HELP" = yes && print_help >&2 + echo "$1" >&2 + exit ${_ret} +} + + +begins_with_short_option() +{ + local first_option all_short_options='h' + first_option="${1:0:1}" + test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0 +} + +# THE DEFAULTS INITIALIZATION - POSITIONALS +_positionals=() +_arg_version="" +# THE DEFAULTS INITIALIZATION - OPTIONALS + + +print_help() +{ + printf '%s\n' "Tool to aid in Node.js packaging of new releases" + printf 'Usage: %s [-h|--help] []\n' "$0" + printf '\t%s\n' ": Node.js release version (default: '""')" + printf '\t%s\n' "-h, --help: Prints help" +} + + +parse_commandline() +{ + _positionals_count=0 + while test $# -gt 0 + do + _key="$1" + case "$_key" in + -h|--help) + print_help + exit 0 + ;; + -h*) + print_help + exit 0 + ;; + *) + _last_positional="$1" + _positionals+=("$_last_positional") + _positionals_count=$((_positionals_count + 1)) + ;; + esac + shift + done +} + + +handle_passed_args_count() +{ + test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect between 0 and 1, but got ${_positionals_count} (the last one was: '${_last_positional}')." 1 +} + + +assign_positional_args() +{ + local _positional_name _shift_for=$1 + _positional_names="_arg_version " + + shift "$_shift_for" + for _positional_name in ${_positional_names} + do + test $# -gt 0 || break + eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1 + shift + done +} + +parse_commandline "$@" +handle_passed_args_count +assign_positional_args 1 "${_positionals[@]}" + +# OTHER STUFF GENERATED BY Argbash + +### END OF CODE GENERATED BY Argbash (sortof) ### ]) +# [ <-- needed because of Argbash + + +set -e + +echo $_arg_version + +if [ x$_arg_version != x ]; then + version=$_arg_version +else + version=$(rpm -q --specfile --qf='%{version}\n' nodejs.spec | head -n1) +fi + +rm -f node-v${version}.tar.gz node-v${version}-stripped.tar.gz +wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz \ + http://nodejs.org/dist/v${version}/SHASUMS256.txt +sha256sum -c SHASUMS256.txt --ignore-missing +tar -zxf node-v${version}.tar.gz +rm -rf node-v${version}/deps/openssl +tar -zcf node-v${version}-stripped.tar.gz node-v${version} + +# Download the matching version of ICU +rm -f icu4c*-src.tgz icu.md5 +ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5') +wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url') +ICUTARBALL=$(ls -1 icu4c*-src.tgz) +echo "$ICUMD5 $ICUTARBALL" > icu.md5 +md5sum -c icu.md5 +rm -f icu.md5 SHASUMS256.txt + +rhpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz + +rm -f node-v${version}.tar.gz + +set +e + +# Determine the bundled versions of the various packages +echo "Bundled software versions" +echo "-------------------------" +echo +echo "libnode shared object version" +echo "=========================" +grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h +echo +echo "V8" +echo "=========================" +grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h +grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h +grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h +grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h +echo +echo "c-ares" +echo "=========================" +grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h +grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h +grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h +echo +echo "llhttp" +echo "=========================" +grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h +grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h +grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h +echo +echo "libuv" +echo "=========================" +grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h +grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h +grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h +echo +echo "nghttp2" +echo "=========================" +grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +echo +echo "ICU" +echo "=========================" +grep "url" node-v${version}/tools/icu/current_ver.dep +echo +echo "punycode" +echo "=========================" +grep "'version'" node-v${version}/lib/punycode.js +echo +echo "uvwasi" +echo "=========================" +grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h +grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h +grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h +echo +echo "npm" +echo "=========================" +grep "\"version\":" node-v${version}/deps/npm/package.json +echo +echo "Make sure these versions match what is in the RPM spec file" + +rm -rf node-v${version} +# ] <-- needed because of Argbash diff --git a/SOURCES/nodejs_native.attr b/SOURCES/nodejs_native.attr new file mode 100644 index 0000000..0527af6 --- /dev/null +++ b/SOURCES/nodejs_native.attr @@ -0,0 +1,2 @@ +%__nodejs_native_requires %{_rpmconfigdir}/nodejs_native.req +%__nodejs_native_path ^/usr/lib.*/node_modules/.*\\.node$ diff --git a/SOURCES/npmrc b/SOURCES/npmrc new file mode 100644 index 0000000..50be1d1 --- /dev/null +++ b/SOURCES/npmrc @@ -0,0 +1,2 @@ +prefix=/usr/local +python=/usr/bin/python3 diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec new file mode 100644 index 0000000..81b8048 --- /dev/null +++ b/SPECS/nodejs.spec @@ -0,0 +1,1050 @@ +%bcond_with debug + +# PowerPC, s390x and aarch64 segfault during Debug builds +# https://github.com/nodejs/node/issues/20642 +%ifarch %{power64} s390x aarch64 +%bcond_with debug +%endif + +# The following macros control the usage of dependencies bundled from upstream. +# +# When to use what: +# - Regular (presumably non-modular) build: use neither (the default in Fedora) +# - Early bootstrapping build that is not intended to be shipped: +# use --with=bootstrap; this will bundle deps and add `~bootstrap` release suffix +# - Build with some dependencies not avalaible in necessary versions (i.e. module build): +# use --with=bundled; will bundle deps, but do not add the suffix +# +# create bootstrapping build with bundled deps and extra release suffix +%bcond_with bootstrap +# bundle dependencies that are not available as Fedora modules +%if %{with bootstrap} +%bcond_without bundled +%else +%bcond_with bundled +%endif + +%bcond_without python3_fixup + +# == Master Relase == +# This is used by both the nodejs package and the npm subpackage that +# has a separate version - the name is special so that rpmdev-bumpspec +# will bump this rather than adding .1 to the end. +%global baserelease 2 + +%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} + +# == Node.js Version == +# Note: Fedora should only ship LTS versions of Node.js (currently expected +# to be major versions with even numbers). The odd-numbered versions are new +# feature releases that are only supported for nine months, which is shorter +# than a Fedora release lifecycle. +%global nodejs_epoch 1 +%global nodejs_major 14 +%global nodejs_minor 21 +%global nodejs_patch 1 +%global nodejs_abi %{nodejs_major}.%{nodejs_minor} +%global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch} +%global nodejs_release %{baserelease} + +%global nodejs_datadir %{_datarootdir}/nodejs + +# == Bundled Dependency Versions == +# v8 - from deps/v8/include/v8-version.h +# Epoch is set to ensure clean upgrades from the old v8 package +%global v8_epoch 2 +%global v8_major 8 +%global v8_minor 4 +%global v8_build 371 +%global v8_patch 23 +# V8 presently breaks ABI at least every x.y release while never bumping SONAME +%global v8_abi %{v8_major}.%{v8_minor} +%global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} +%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} + +# c-ares - from deps/cares/include/ares_version.h +# https://github.com/nodejs/node/pull/9332 +%global c_ares_major 1 +%global c_ares_minor 18 +%global c_ares_patch 1 +%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} + +# llhttp - from deps/llhttp/include/llhttp.h +%global llhttp_major 2 +%global llhttp_minor 1 +%global llhttp_patch 6 +%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch} + +# libuv - from deps/uv/include/uv/version.h +%global libuv_major 1 +%global libuv_minor 42 +%global libuv_patch 0 +%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} + +# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +%global nghttp2_major 1 +%global nghttp2_minor 42 +%global nghttp2_patch 0 +%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch} + +# ICU - from tools/icu/current_ver.dep +%global icu_major 70 +%global icu_minor 1 +%global icu_version %{icu_major}.%{icu_minor} + +%global icudatadir %{nodejs_datadir}/icudata +%{!?little_endian: %global little_endian %(%{__python3} -c "import sys;print (0 if sys.byteorder=='big' else 1)")} +# " this line just fixes syntax highlighting for vim that is confused by the above and continues literal + +%global sys_icu_version %(/usr/bin/icu-config --version) + +%if "%{sys_icu_version}" >= "%{icu_version}" +%global bundled_icu 0 +%global icu_flag system-icu +%else +%global bundled_icu 1 +%global icu_flag full-icu +%endif + +# OpenSSL minimum version +%global openssl_minimum 1:1.1.1 + +# punycode - from lib/punycode.js +# Note: this was merged into the mainline since 0.6.x +# Note: this will be unmerged in an upcoming major release +%global punycode_major 2 +%global punycode_minor 1 +%global punycode_patch 0 +%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch} + +# npm - from deps/npm/package.json +%global npm_epoch 1 +%global npm_major 6 +%global npm_minor 14 +%global npm_patch 17 +%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} + +# uvwasi - from deps/uvwasi/include/uvwasi.h +%global uvwasi_major 0 +%global uvwasi_minor 0 +%global uvwasi_patch 11 +%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch} + +# histogram_c - assumed from timestamps +%global histogram_major 0 +%global histogram_minor 9 +%global histogram_patch 7 +%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch} + +# In order to avoid needing to keep incrementing the release version for the +# main package forever, we will just construct one for npm that is guaranteed +# to increment safely. Changing this can only be done during an update when the +# base npm version number is increasing. +%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} + + +Name: nodejs +Epoch: %{nodejs_epoch} +Version: %{nodejs_version} +Release: %{nodejs_release}%{?dist} +Summary: JavaScript runtime +License: MIT and ASL 2.0 and ISC and BSD +Group: Development/Languages +URL: http://nodejs.org/ + +ExclusiveArch: %{nodejs_arches} + +# nodejs bundles openssl, but we use the system version in Fedora +# because openssl contains prohibited code, we remove openssl completely from +# the tarball, using the script in Source100 +Source0: node-v%{nodejs_version}-stripped.tar.gz +Source1: npmrc +Source2: btest402.js +Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz +Source100: %{name}-tarball.sh + +# The native module Requires generator remains in the nodejs SRPM, so it knows +# the nodejs and v8 versions. The remainder has migrated to the +# nodejs-packaging SRPM. +Source7: nodejs_native.attr + +# These are full sources for dependencies included as WASM blobs in the source of Node itself. +# Note: These sources would also include pre-compiled WASM blobs… so they are adjusted not to. +# Recipes for creating these blobs are included in the sources. + +# Version: jq '.version' deps/cjs-module-lexer/package.json +# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz +# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm +Source101: cjs-module-lexer-1.2.2.tar.gz +# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in. +# Version source: Makefile +Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz + +# Disable running gyp on bundled deps we don't use +Patch1: 0001-Disable-running-gyp-on-shared-deps.patch +# Dependency vulnerabilities +Patch2: 0002-deps-ansi-regex-fix-potential-ReDoS.patch +Patch3: 0003-deps-qs-parse-ignore-__proto__-keys-CVE-2022-24999.patch + +BuildRequires: make +BuildRequires: python3-devel +BuildRequires: zlib-devel +BuildRequires: brotli-devel +BuildRequires: gcc >= 6.3.0 +BuildRequires: gcc-c++ >= 6.3.0 +# needed to generate bundled provides for npm dependencies +# https://src.fedoraproject.org/rpms/nodejs/pull-request/2 +# https://pagure.io/nodejs-packaging/pull-request/10 +BuildRequires: nodejs-packaging +BuildRequires: chrpath +BuildRequires: libatomic +BuildRequires: systemtap-sdt-devel + +%if %{with bundled} +Provides: bundled(libuv) = %{libuv_version} +%else +BuildRequires: libuv-devel >= 1:%{libuv_version} +Requires: libuv >= 1:%{libuv_version} +%endif + +%if %{with bundled} +Provides: bundled(nghttp2) = %{nghttp2_version} +%else +BuildRequires: libnghttp2-devel >= %{nghttp2_version} +Requires: libnghttp2 >= %{nghttp2_version} +%endif + +# Temporarily bundle llhttp because the upstream doesn't +# provide releases for it. +Provides: bundled(llhttp) = %{llhttp_version} + +BuildRequires: openssl-devel >= %{openssl_minimum} +Requires: openssl >= %{openssl_minimum} + +# we need the system certificate store +Requires: ca-certificates + +# Pull in the full-icu data by default +Recommends: nodejs-full-i18n%{?_isa} = %{nodejs_epoch}:%{version}-%{release} + +# we need ABI virtual provides where SONAMEs aren't enough/not present so deps +# break when binary compatibility is broken +Provides: nodejs(abi) = %{nodejs_abi} +Provides: nodejs(abi%{nodejs_major}) = %{nodejs_abi} +Provides: nodejs(v8-abi) = %{v8_abi} +Provides: nodejs(v8-abi%{v8_major}) = %{v8_abi} + +# this corresponds to the "engine" requirement in package.json +Provides: nodejs(engine) = %{nodejs_version} + +# Node.js currently has a conflict with the 'node' package in Fedora +# The ham-radio group has agreed to rename their binary for us, but +# in the meantime, we're setting an explicit Conflicts: here +Conflicts: node <= 0.3.2-12 + +# The punycode module was absorbed into the standard library in v0.6. +# It still exists as a seperate package for the benefit of users of older +# versions. Since we've never shipped anything older than v0.10 in Fedora, +# we don't need the seperate nodejs-punycode package, so we Provide it here so +# dependent packages don't need to override the dependency generator. +# See also: RHBZ#11511811 +# UPDATE: punycode will be deprecated and so we should unbundle it in Node v8 +# and use upstream module instead +# https://github.com/nodejs/node/commit/29e49fc286080215031a81effbd59eac092fff2f +Provides: nodejs-punycode = %{punycode_version} +Provides: npm(punycode) = %{punycode_version} + +# Node.js has forked c-ares from upstream in an incompatible way, so we need +# to carry the bundled version internally. +# See https://github.com/nodejs/node/commit/766d063e0578c0f7758c3a965c971763f43fec85 +Provides: bundled(c-ares) = %{c_ares_version} + +# Node.js is closely tied to the version of v8 that is used with it. It makes +# sense to use the bundled version because upstream consistently breaks ABI +# even in point releases. Node.js upstream has now removed the ability to build +# against a shared system version entirely. +# See https://github.com/nodejs/node/commit/d726a177ed59c37cf5306983ed00ecd858cfbbef +Provides: bundled(v8) = %{v8_version} + +# Node.js is bound to a specific version of ICU which may not match the OS +# We cannot pin the OS to this version of ICU because every update includes +# an ABI-break, so we'll use the bundled copy. +Provides: bundled(icu) = %{icu_version} + +# Upstream added new dependencies, but so far they are not available in Fedora +# or there's no option to built it as a shared dependency, so we bundle them +Provides: bundled(uvwasi) = %{uvwasi_version} +Provides: bundled(histogram) = %{histogram_version} + +# Make sure we keep NPM up to date when we update Node.js +%if 0%{?rhel} < 8 +# EPEL doesn't support Recommends, so make it strict +Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} +%else +Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist} +%endif + +%description +Node.js is a platform built on Chrome's JavaScript runtime +for easily building fast, scalable network applications. +Node.js uses an event-driven, non-blocking I/O model that +makes it lightweight and efficient, perfect for data-intensive +real-time applications that run across distributed devices. + + +%package devel +Summary: JavaScript runtime - development headers +Group: Development/Languages +Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Requires: openssl-devel%{?_isa} +Requires: zlib-devel%{?_isa} +Requires: brotli-devel%{?_isa} +Requires: nodejs-packaging + +%if %{without bundled} +Requires: libuv-devel%{?_isa} +%endif + +%description devel +Development headers for the Node.js JavaScript runtime. + + +%package full-i18n +Summary: Non-English locale data for Node.js +Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} + +%description full-i18n +Optional data files to provide full-icu support for Node.js. Remove this +package to save space if non-English locales are not needed. + + +%package -n npm +Summary: Node.js Package Manager +Epoch: %{npm_epoch} +Version: %{npm_version} +Release: %{npm_release}%{?dist} + +# We used to ship npm separately, but it is so tightly integrated with Node.js +# (and expected to be present on all Node.js systems) that we ship it bundled +# now. +Obsoletes: npm < 0:3.5.4-6 +Provides: npm = %{npm_epoch}:%{npm_version} +Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +%if 0%{?fedora} || 0%{?rhel} >= 8 +Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +%endif + +# Do not add epoch to the virtual NPM provides or it will break +# the automatic dependency-generation script. +Provides: npm(npm) = %{npm_version} + +%description -n npm +npm is a package manager for node.js. You can use it to install and publish +your node programs. It manages dependencies and does other cool stuff. + + +%package docs +Summary: Node.js API documentation +Group: Documentation +BuildArch: noarch + +# We don't require that the main package be installed to +# use the docs, but if it is installed, make sure the +# version always matches +Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} +Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist} + +%description docs +The API documentation for the Node.js JavaScript runtime. + + +%prep +%autosetup -p1 -n node-v%{nodejs_version} + +# remove bundled dependencies that we aren't building +rm -rf deps/zlib +rm -rf deps/brotli + +# check for correct versions of dependencies we are bundling +check_wasm_dep() { + local -r name="$1" source="$2" packagejson="$3" + local -r expected_version="$(jq -r '.version' "${packagejson}")" + + if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then + printf '%s version matches\n' "${name}" >&2 + else + printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2 + return 1 + fi +} + +check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json + +# Replace any instances of unversioned python' with python3 +%if %{with python3_fixup} +pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js") +find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \; +find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \; +sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py +sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py +find . -type f -exec sed -i "s~python -c~python3 -c~" {} \; +%endif + +%build + +%ifarch s390 s390x %{arm} %ix86 +# Decrease debuginfo verbosity to reduce memory consumption during final +# library linking +%global optflags %(echo %{optflags} | sed 's/-g /-g1 /') +%endif + +export CC='gcc' +export CXX='g++' +%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}} + +# build with debugging symbols and add defines from libuv (#892601) +# Node's v8 breaks with GCC 6 because of incorrect usage of methods on +# NULL objects. We need to pass -fno-delete-null-pointer-checks + +extra_cflags=( + -D_LARGEFILE_SOURCE + -D_FILE_OFFSET_BITS=64 + -DZLIB_CONST + -fno-delete-null-pointer-checks +) +export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}" +export LDFLAGS="%{build_ldflags}" + +%{__python3} configure.py --prefix=%{_prefix} \ + --shared-openssl \ + --shared-zlib \ + --shared-brotli \ + %{!?with_bundled:--shared-libuv} \ + %{!?with_bundled:--shared-nghttp2} \ + %{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \ + --with-intl=small-icu \ + --with-icu-default-data-dir=%{icudatadir} \ + --without-corepack \ + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM + +%if %{with debug} +# Setting BUILDTYPE=Debug builds both release and debug binaries +make BUILDTYPE=Debug %{?_smp_mflags} +%else +make BUILDTYPE=Release %{?_smp_mflags} +%endif + +# Extract the ICU data and convert it to the appropriate endianness +pushd deps/ +tar xfz %SOURCE3 + +pushd icu/source + +mkdir -p converted +%if 0%{?little_endian} +# The little endian data file is included in the ICU sources +install -Dpm0644 data/in/icudt%{icu_major}l.dat converted/ + +%else +# For the time being, we need to build ICU and use the included `icupkg` tool +# to convert the little endian data file into a big-endian one. +# At some point in the future, ICU releases will start including both data +# files and we should switch to those. +mkdir -p data/out/tmp + +%configure +%make_build + +icu_root=$(pwd) +LD_LIBRARY_PATH=./lib ./bin/icupkg -tb data/in/icudt%{icu_major}l.dat \ + converted/icudt%{icu_major}b.dat +%endif + +popd # icu/source +popd # deps + + +%install +rm -rf %{buildroot} + +./tools/install.py install %{buildroot} %{_prefix} + +# Set the binary permissions properly +chmod 0755 %{buildroot}/%{_bindir}/node +chrpath --delete %{buildroot}%{_bindir}/node + +%if %{with debug} +# Install the debug binary and set its permissions +install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g +%endif + +# own the sitelib directory +mkdir -p %{buildroot}%{_prefix}/lib/node_modules + +# ensure Requires are added to every native module that match the Provides from +# the nodejs build in the buildroot +install -Dpm0644 %{SOURCE7} %{buildroot}%{_rpmconfigdir}/fileattrs/nodejs_native.attr +cat << EOF > %{buildroot}%{_rpmconfigdir}/nodejs_native.req +#!/bin/sh +echo 'nodejs(abi%{nodejs_major}) >= %nodejs_abi' +echo 'nodejs(v8-abi%{v8_major}) >= %v8_abi' +EOF +chmod 0755 %{buildroot}%{_rpmconfigdir}/nodejs_native.req + +# install documentation +mkdir -p %{buildroot}%{_pkgdocdir}/html +cp -pr doc/* %{buildroot}%{_pkgdocdir}/html +rm -f %{buildroot}%{_pkgdocdir}/html/nodejs.1 + +# node-gyp needs common.gypi too +mkdir -p %{buildroot}%{_datadir}/node +cp -p common.gypi %{buildroot}%{_datadir}/node + +# Install the GDB init tool into the documentation directory +mv %{buildroot}/%{_datadir}/doc/node/gdbinit %{buildroot}/%{_pkgdocdir}/gdbinit + +# install NPM docs to mandir +mkdir -p %{buildroot}%{_mandir} \ + %{buildroot}%{_pkgdocdir}/npm + +cp -pr deps/npm/man/* %{buildroot}%{_mandir}/ +rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man +ln -sf %{_mandir} %{buildroot}%{_prefix}/lib/node_modules/npm/man + +# Install Gatsby HTML documentation to %%{_pkgdocdir} +cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/ +rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs + +ln -sf %{_pkgdocdir}/npm %{buildroot}%{_prefix}/lib/node_modules/npm/docs + +# Node tries to install some python files into a documentation directory +# (and not the proper one). Remove them for now until we figure out what to +# do with them. +rm -f %{buildroot}/%{_defaultdocdir}/node/lldb_commands.py \ + %{buildroot}/%{_defaultdocdir}/node/lldbinit + +# Some NPM bundled deps are executable but should not be. This causes +# unnecessary automatic dependencies to be added. Make them not executable. +# Skip the npm bin directory or the npm binary will not work. +find %{buildroot}%{_prefix}/lib/node_modules/npm \ + -not -path "%{buildroot}%{_prefix}/lib/node_modules/npm/bin/*" \ + -executable -type f \ + -exec chmod -x {} \; + +# The above command is a little overzealous. Add a few permissions back. +chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/npm-lifecycle/node-gyp-bin/node-gyp +chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js + +# Drop the NPM default configuration in place +mkdir -p %{buildroot}%{_sysconfdir} +cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc + +# NPM upstream expects it to be in /usr/etc/npmrc, so we'll put a symlink here +# This is done in the interests of keeping /usr read-only. +mkdir -p %{buildroot}%{_prefix}/etc +ln -s %{_sysconfdir}/npmrc %{buildroot}%{_prefix}/etc/npmrc + +# Install the full-icu data files +install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/* + + +%check +# Fail the build if the versions don't match +%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')" +%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')" +%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')" + +# Ensure we have punycode and that the version matches +%{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')" + +# Ensure we have npm and that the version matches +NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')" + +# Make sure i18n support is working +NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2} + + +%pretrans -n npm -p +-- Remove all of the symlinks from the bundled npm node_modules directory +-- This scriptlet can be removed in Fedora 31 +base_path = "%{_prefix}/lib/node_modules/npm/node_modules/" +d_st = posix.stat(base_path) +if d_st then + for f in posix.files(base_path) do + path = base_path..f + st = posix.stat(path) + if st and st.type == "link" then + os.remove(path) + end + end +end + +-- Replace the npm docs directory with a symlink +-- Drop this scriptlet when F31 is EOL +path = "%{_prefix}/lib/node_modules/npm/doc" +st = posix.stat(path) +if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end +end + +-- Replace the npm docs directory with a symlink +-- Drop this scriptlet when F31 is EOL +path = "%{_prefix}/lib/node_modules/npm/html" +st = posix.stat(path) +if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end +end + +-- Replace the npm man directory with a symlink +-- Drop this scriptlet when F31 is EOL +path = "%{_prefix}/lib/node_modules/npm/man" +st = posix.stat(path) +if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end +end + + +%files +%{_bindir}/node +%dir %{_prefix}/lib/node_modules +%dir %{_datadir}/node +%dir %{_datadir}/systemtap +%dir %{_datadir}/systemtap/tapset +%{_datadir}/systemtap/tapset/node.stp + +%if %{without bundled} +%dir %{_usr}/lib/dtrace +%{_usr}/lib/dtrace/node.d +%endif + +%{_rpmconfigdir}/fileattrs/nodejs_native.attr +%{_rpmconfigdir}/nodejs_native.req +%license LICENSE +%doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md +%doc %{_mandir}/man1/node.1* + + +%files devel +%{?with_debug:%{_bindir}/node_g} +%{_includedir}/node +%{_datadir}/node/common.gypi +%{_pkgdocdir}/gdbinit + + +%files full-i18n +%dir %{icudatadir} +%{icudatadir}/icudt%{icu_major}*.dat + + +%files -n npm +%{_bindir}/npm +%{_bindir}/npx +%{_prefix}/lib/node_modules/npm +%config(noreplace) %{_sysconfdir}/npmrc +%{_prefix}/etc/npmrc +%ghost %{_sysconfdir}/npmignore +%doc %{_mandir}/man1/npm*.1* +%doc %{_mandir}/man1/npx.1* +%doc %{_mandir}/man5/folders.5* +%doc %{_mandir}/man5/install.5* +%doc %{_mandir}/man5/npmrc.5* +%doc %{_mandir}/man5/package-json.5* +%doc %{_mandir}/man5/package-lock-json.5* +%doc %{_mandir}/man5/package-locks.5* +%doc %{_mandir}/man5/shrinkwrap-json.5* +%doc %{_mandir}/man7/config.7* +%doc %{_mandir}/man7/developers.7* +%doc %{_mandir}/man7/disputes.7* +%doc %{_mandir}/man7/orgs.7* +%doc %{_mandir}/man7/registry.7* +%doc %{_mandir}/man7/removal.7* +%doc %{_mandir}/man7/scope.7* +%doc %{_mandir}/man7/scripts.7* +%doc %{_mandir}/man7/semver.7* + + +%files docs +%doc doc +%dir %{_pkgdocdir} +%{_pkgdocdir}/html +%{_pkgdocdir}/npm/docs + + +%changelog +* Thu Dec 08 2022 Jan Staněk - 1:14.21.1-2 +- Apply upstream fix for CVE-2022-24999 + Resolves: CVE-2022-24999 +- Record CVEs fixed by current or previous upstream releases + Resolves: CVE-2021-44906 + +* Wed Nov 16 2022 Jan Staněk - 1:14.21.1-1 +- Rebase to version 14.21.1 + Resolves: rhbz#2129805 CVE-2022-43548 CVE-2022-3517 + +* Fri Oct 07 2022 Jan Staněk - 1:14.20.1-2 +- Record issues fixed in the current version + Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 + +* Thu Sep 29 2022 Jan Staněk - 1:14.20.1-1 +- Rebase to version 14.20.1 + Resolves: CVE-2022-35256 + +* Mon Aug 22 2022 Zuzana Svetlikova - 1:14.20.0-1 +- Rebase to latest release +- Resolves: #2106281, #2108056, #2108061, #2108066, #2108071, #2108139 +- Remove libs patch +- Build without corepack + +* Wed May 25 2022 Jan Staněk - 1:14.18.2-2 +- Replace with_* macros with RPM confitionals +- Unify configure calls into single command +- Refactor bootstrap-related parts +- Decouple dependency bundling from bootstrapping + +* Wed Dec 01 2021 Zuzana Svetlikova - 1:14.18.2-1 +- Resolves: RHBZ#2026325 +- Resolves: RHBZ#2014130, RHBZ#2014124, RHBZ#2013826, RHBZ#2024921 +- Rebase to new version to fix CVEs + +* Tue Aug 17 2021 Zuzana Svetlikova - 1:14.17.5-1 +- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, +- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 +- Resolves RHBZ#1847529 (make FIPS always available) +- Resolves: RHBZ#1988600, RHBZ#1993815, RHBZ#1993809, RHBZ#1993096 +- Resolves: RHBZ#1986743, RHBZ#1993947, RHBZ#1993940, RHBZ#1989427 +- Resolves: RHBZ#1951620 (make FIPS always available) + +* Mon Aug 09 2021 Zuzana Svetlikova - 1:14.17.3-3 +- Resolves: RHBZ#1945513, RHBZ#1945287 +- Resolves CVE-2021-23362 CVE-2021-27290 +- Bump for missing mentions of CVEs + +* Thu Jul 08 2021 Zuzana Svetlikova - 1:14.17.3-2 +- Resolves: RHBZ#1979844, RHBZ#1977829 +- Resolves: RHBZ#1842826 +- Don't use patch3 + +* Thu Jul 08 2021 Zuzana Svetlikova - 1:14.17.3-1 +- Resolves: RHBZ#1979844, RHBZ#1977829 +- Resolves: RHBZ#1842826 +- Resolves CVE-2021-22918(libuv), use system cipher list + +* Wed Mar 10 2021 Zuzana Svetlikova - 1:14.16.0-3 +- Resolves: RHBZ#1930775 +- Always build with systemtap + +* Mon Mar 01 2021 Zuzana Svetlikova - 1:14.16.0-2 +- Resolves RHBZ#1930775 +- remove --debug-nghttp2 option + +* Mon Mar 01 2021 Zuzana Svetlikova - 1:14.16.0-1 +- Resolves CVE-2021-22883 CVE-2021-22884 +- Resolves: RHBZ#1934566, RHBZ#1934599 +- Rebase, remove ini patch + +* Tue Jan 26 2021 Zuzana Svetlikova - 1:14.15.4-2 +- Add patch for yarn crash +- Resolves: RHBZ#1915296 + +* Tue Jan 19 2021 Zuzana Svetlikova - 1:14.15.4-1 +- Security rebase to 14.15.4 +- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ +- Resolves: RHBZ#1913001, RHBZ#1912953 +- Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184 + +* Thu Oct 29 2020 Zuzana Svetlikova - 1:14.15.0-1 +- Resolves: RHBZ#1858864 +- Update to LTS release + +* Mon Sep 21 2020 Jan Staněk - 1:14.11.0-1 +- Security update to 14.11.0 + +* Wed Jun 03 2020 Zuzana Svetlikova - 1:14.4.0-1 +- Security update to 14.4.0 +- Resolves: RHBZ#1815402 + +* Thu May 21 2020 Zuzana Svetlikova - 1:14.3.0-1 +- Update to 14.3.0 +- Fix optflags to save memory +- Resolves: RHBZ#1815402 + +* Wed May 06 2020 Zuzana Svetlikova - 1:14.2.0-1 +- Update to 14.2.0 +- build with python3 only +- some clean up + +* Tue Mar 17 2020 Zuzana Svetlikova - 1:12.16.1-2 +- Fix CVE-2020-10531 + +* Thu Feb 20 2020 Zuzana Svetlikova - 1:12.16.1-1 +- Rebase to 12.16.1 + +* Wed Jan 15 2020 Jan Staněk - 1:12.14.1-1 +- Rebase to 12.14.1 + +* Fri Nov 29 2019 Zuzana Svetlikova - 1:12.13.1-1 +- Resolves: RHBZ# 1773503, update to 12.13.1 +- minor clean up and sync with Fedora spec +- turn off debug builds + +* Thu Aug 01 2019 Zuzana Svetlikova - 1:12.4.0-2 +- Add condition to libs + +* Wed Jun 12 2019 Zuzana Svetlikova - 1:12.4.0-1 +- Update to v12.x +- Add v8-devel and libs subpackages from fedora + +* Thu Mar 14 2019 Zuzana Svetlikova - 1:10.14.1-2 +- move nodejs-packaging BR out of conditional + +* Tue Dec 11 2018 Zuzana Svetlikova - 1:10.14.1-1 +- Resolves RHBZ#1644207 +- fixes node-gyp permissions +- rebase + +* Thu Oct 11 2018 Jan Staněk - 1:10.11.0-2 +- BuildRequire nodejs-packaging for proper npm dependency generation +- Resolves: rhbz#1615947 + +* Mon Oct 08 2018 Jan Staněk - 1:10.11.0-1 +- Rebase to 10.11.0 +- Import changes from fedora +- Resolves: rhbz#1621766 + +* Mon Jul 30 2018 Zuzana Svetlikova - 1:10.7.0-5 +- Import sources from fedora +- Allow using python2 at %%build and %%install +- turn off debug for aarch64 + +* Fri Jul 20 2018 Stephen Gallagher - 1:10.7.0-4 +- Fix npm upgrade scriptlet +- Fix unexpected trailing .1 in npm release field + +* Fri Jul 20 2018 Stephen Gallagher - 1:10.7.0-3 +- Restore annotations to binaries +- Fix unexpected trailing .1 in release field + +* Thu Jul 19 2018 Stephen Gallagher - 1:10.7.0-2 +- Update to 10.7.0 +- https://nodejs.org/en/blog/release/v10.7.0/ +- https://nodejs.org/en/blog/release/v10.6.0/ + +* Fri Jul 13 2018 Fedora Release Engineering - 1:10.5.0-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Thu Jun 21 2018 Stephen Gallagher - 1:10.5.0-1 +- Update to 10.5.0 +- https://nodejs.org/en/blog/release/v10.5.0/ + +* Thu Jun 14 2018 Stephen Gallagher - 1:10.4.1-1 +- Update to 10.4.1 to address security issues +- https://nodejs.org/en/blog/release/v10.4.1/ +- Resolves: rhbz#1590801 +- Resolves: rhbz#1591014 +- Resolves: rhbz#1591019 + +* Thu Jun 07 2018 Stephen Gallagher - 1:10.4.0-1 +- Update to 10.4.0 +- https://nodejs.org/en/blog/release/v10.4.0/ + +* Wed May 30 2018 Stephen Gallagher - 1:10.3.0-1 +- Update to 10.3.0 +- Update npm to 6.1.0 +- https://nodejs.org/en/blog/release/v10.3.0/ + +* Tue May 29 2018 Stephen Gallagher - 1:10.2.1-2 +- Fix up bare 'python' to be python2 +- Drop redundant entry in docs section + +* Fri May 25 2018 Stephen Gallagher - 1:10.2.1-1 +- Update to 10.2.1 +- https://nodejs.org/en/blog/release/v10.2.1/ + +* Wed May 23 2018 Stephen Gallagher - 1:10.2.0-1 +- Update to 10.2.0 +- https://nodejs.org/en/blog/release/v10.2.0/ + +* Thu May 10 2018 Stephen Gallagher - 1:10.1.0-3 +- Fix incorrect rpm macro + +* Thu May 10 2018 Stephen Gallagher - 1:10.1.0-2 +- Include upstream v8 fix for ppc64[le] +- Disable debug build on ppc64[le] and s390x + +* Wed May 09 2018 Stephen Gallagher - 1:10.1.0-1 +- Update to 10.1.0 +- https://nodejs.org/en/blog/release/v10.1.0/ +- Reenable node_g binary + +* Thu Apr 26 2018 Stephen Gallagher - 1:10.0.0-1 +- Update to 10.0.0 +- https://nodejs.org/en/blog/release/v10.0.0/ +- Drop workaround patch +- Temporarily drop node_g binary due to + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85587 + +* Fri Apr 13 2018 Rafael dos Santos - 1:9.11.1-2 +- Use standard Fedora linker flags (bug #1543859) + +* Thu Apr 05 2018 Stephen Gallagher - 1:9.11.1-1 +- Update to 9.11.1 +- https://nodejs.org/en/blog/release/v9.11.0/ +- https://nodejs.org/en/blog/release/v9.11.1/ + +* Wed Mar 28 2018 Stephen Gallagher - 1:9.10.0-1 +- Update to 9.10.0 +- https://nodejs.org/en/blog/release/v9.10.0/ + +* Wed Mar 21 2018 Stephen Gallagher - 1:9.9.0-1 +- Update to 9.9.0 +- https://nodejs.org/en/blog/release/v9.9.0/ + +* Thu Mar 08 2018 Stephen Gallagher - 1:9.8.0-1 +- Update to 9.8.0 +- https://nodejs.org/en/blog/release/v9.8.0/ + +* Thu Mar 01 2018 Stephen Gallagher - 1:9.7.0-1 +- Update to 9.7.0 +- https://nodejs.org/en/blog/release/v9.7.0/ +- Work around F28 build issue + +* Sun Feb 25 2018 Stephen Gallagher - 1:9.6.1-1 +- Update to 9.6.1 +- https://nodejs.org/en/blog/release/v9.6.1/ +- https://nodejs.org/en/blog/release/v9.6.0/ + +* Mon Feb 05 2018 Stephen Gallagher - 1:9.5.0-1 +- Package Node.js 9.5.0 + +* Thu Jan 11 2018 Stephen Gallagher - 1:8.9.4-2 +- Fix incorrect Requires: + +* Thu Jan 11 2018 Stephen Gallagher - 1:8.9.4-1 +- Update to 8.9.4 +- https://nodejs.org/en/blog/release/v8.9.4/ +- Switch to system copy of nghttp2 + +* Fri Dec 08 2017 Stephen Gallagher - 1:8.9.3-2 +- Update to 8.9.3 +- https://nodejs.org/en/blog/release/v8.9.3/ +- https://nodejs.org/en/blog/release/v8.9.2/ + +* Thu Nov 30 2017 Pete Walter - 1:8.9.1-2 +- Rebuild for ICU 60.1 + +* Thu Nov 09 2017 Zuzana Svetlikova - 1:8.9.1-1 +- Update to 8.9.1 + +* Tue Oct 31 2017 Stephen Gallagher - 1:8.9.0-1 +- Update to 8.9.0 +- Drop upstreamed patch + +* Thu Oct 26 2017 Stephen Gallagher - 1:8.8.1-1 +- Update to 8.8.1 to fix a regression + +* Wed Oct 25 2017 Zuzana Svetlikova - 1:8.8.0-1 +- Security update to 8.8.0 +- https://nodejs.org/en/blog/release/v8.8.0/ + +* Sun Oct 15 2017 Zuzana Svetlikova - 1:8.7.0-1 +- Update to 8.7.0 +- https://nodejs.org/en/blog/release/v8.7.0/ + +* Fri Oct 06 2017 Zuzana Svetlikova - 1:8.6.0-2 +- Use bcond macro instead of bootstrap conditional + +* Wed Sep 27 2017 Zuzana Svetlikova - 1:8.6.0-1 +- Fix nghttp2 version +- Update to 8.6.0 +- https://nodejs.org/en/blog/release/v8.6.0/ + +* Wed Sep 20 2017 Zuzana Svetlikova - 1:8.5.0-3 +- Build with bootstrap + bundle libuv for modularity +- backport patch for aarch64 debug build + +* Wed Sep 13 2017 Stephen Gallagher - 1:8.5.0-2 +- Disable debug builds on aarch64 due to https://github.com/nodejs/node/issues/15395 + +* Tue Sep 12 2017 Stephen Gallagher - 1:8.5.0-1 +- Update to v8.5.0 +- https://nodejs.org/en/blog/release/v8.5.0/ + +* Thu Sep 07 2017 Zuzana Svetlikova - 1:8.4.0-2 +- Refactor openssl BR + +* Wed Aug 16 2017 Zuzana Svetlikova - 1:8.4.0-1 +- Update to v8.4.0 +- https://nodejs.org/en/blog/release/v8.4.0/ +- http2 is now supported, add bundled nghttp2 +- remove openssl 1.0.1 patches, we won't be using them in fedora + +* Thu Aug 10 2017 Zuzana Svetlikova - 1:8.3.0-1 +- Update to v8.3.0 +- https://nodejs.org/en/blog/release/v8.3.0/ +- update V8 to 6.0 +- update minimal gcc and g++ requirements to 4.9.4 + +* Wed Aug 09 2017 Tom Hughes - 1:8.2.1-2 +- Bump release to fix broken dependencies + +* Thu Aug 03 2017 Fedora Release Engineering - 1:8.2.1-1.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 1:8.2.1-1.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 21 2017 Stephen Gallagher - 1:8.2.1-1 +- Update to v8.2.1 +- https://nodejs.org/en/blog/release/v8.2.1/ + +* Thu Jul 20 2017 Stephen Gallagher - 1:8.2.0-1 +- Update to v8.2.0 +- https://nodejs.org/en/blog/release/v8.2.0/ +- Update npm to 5.3.0 +- Adds npx command + +* Tue Jul 18 2017 Igor Gnatenko - 1:8.1.4-3 +- s/BuildRequires/Requires/ for http-parser-devel%%{?_isa} + +* Mon Jul 17 2017 Zuzana Svetlikova - 1:8.1.4-2 +- Rename python-devel to python2-devel +- own %%{_pkgdocdir}/npm + +* Tue Jul 11 2017 Stephen Gallagher - 1:8.1.4-1 +- Update to v8.1.4 +- https://nodejs.org/en/blog/release/v8.1.4/ +- Drop upstreamed c-ares patch + +* Thu Jun 29 2017 Zuzana Svetlikova - 1:8.1.3-1 +- Update to v8.1.3 +- https://nodejs.org/en/blog/release/v8.1.3/ + +* Wed Jun 28 2017 Zuzana Svetlikova - 1:8.1.2-1 +- Update to v8.1.2 +- remove GCC 7 patch, as it is now fixed in node >= 6.12 +