yarnpkg/SPECS/yarnpkg.spec

%global debug_package %{nil}
%global npm_name yarn

%{?nodejs_find_provides_and_requires}

%global enable_tests 1

# don't require bundled modules
%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$

%global bundledate 20240704

Name:           yarnpkg
Version:        1.22.22
Release:        3%{?dist}
Summary:        Fast, reliable, and secure dependency management.
License:        BSD-2-Clause
URL:            https://github.com/yarnpkg/yarn
# we need tarball with node_modules
Source0:        %{name}-v%{version}-bundled-%{bundledate}.tar.gz
Source1:        yarnpkg-tarball.sh

# These are applied by yarnpkg-tarball.sh
# async-CVE-2021-43138.prebundle.patch
# minimatch-CVE-2022-3517.prebundle.patch
# thenify-CVE-2020-7677.prebundle.patch
# decode-uri-component-CVE-2022-38900.prebundle.patch

Patch0:         CVE-2023-26136.patch
Patch1:         CVE-2022-37599.patch
Patch2:         CVE-2023-46234.patch
Patch3:         CVE-2024-4067.patch


ExclusiveArch:  %{nodejs_arches}

BuildRequires:  nodejs-packaging
BuildRequires:  nodejs-npm

%description
Fast, reliable, and secure dependency management.


%prep
%autosetup -p1 -n %{npm_name}-%{version}


%build
# use build script
npm run build


%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}

cp -pr package.json lib bin node_modules \
    %{buildroot}%{nodejs_sitelib}/%{npm_name}

mkdir -p %{buildroot}%{_bindir}
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn

# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)
sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \
    -i %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js

# Remove executable bits from bundled dependency tests
find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
    -ipath '*/test/*' -type f -executable \
    -exec chmod -x '{}' +

%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
%endif


%files
%doc README.md
%license LICENSE
%{_bindir}/yarnpkg
%{_bindir}/yarn
%{nodejs_sitelib}/%{npm_name}/

%changelog
* Sat Jan 04 2025 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.22.22-3
- Rebuilt for MSVSphere 10

* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild

* Thu Jul 04 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-2
- Backport patch for CVE-2024-4067

* Sat Mar 09 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-1
- Update to 1.22.22

* Mon Feb 19 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-2
- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234

* Fri Feb 16 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-1
- Update to 1.22.21

* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

* Wed May 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-6
- Rebuild (nodejs20)

* Tue Mar 21 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-5
- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,
  CVE-2020-7677

* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

* Wed Jan 11 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-3
- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677

* Tue Jan 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-2
- Backport fix for CVE-2021-35065 for bundled glob-parent

* Thu Dec 15 2022 Sandro Mani <manisandro@gmail.com> - 1.22.19-1
- Update to 1.22.19

* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.17-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1
- Update to latest upstream release
- use --force in yarnpkg-tarball.sh to workaround dependency conflincts

* Mon Aug 30 2021 Neal Gompa <ngompa@fedoraproject.org> - 1.22.10-4
- Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924)
- Fix broken macro variable for legacy "nodejs-yarn" binary name (RHBZ#1904279)

* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

* Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Fri Oct 09 2020 zsvetlik@redhat.com - 1.22.10-1
- Update to 1.22.10
- Resolves: RHBZ#1816262, RHBZ#1851876
- Long resolved CVEs, just not mentioned in changelog

* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

* Mon Jun 22 2020 Neal Gompa <ngompa13@gmail.com> - 1.22.4-2
- Ensure Obsoletes + Provides stanza takes effect
- Fix broken author identity in changelog entries

* Tue Apr 14 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.22.4-1
- Rename to yarnpkg, remove symlink-deps macro
- Update to 1.22.4

* Mon Jan 27 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.21.1-1
- Resolves: RHBZ#1627748, #1687099, #1788329
- Update to 1.21.1
- Provides /usr/bin/yarn
- Resolves CVE-2019-10773

* Thu Dec 05 2019 Neal Gompa <ngompa@datto.com> - 1.13.0-4
- Rename nodejs-yarn binary package to yarnpkg (similar to other distros)
- Use nodejs macros consistently throughout spec
- Make the tests fail the build if the tests fail

* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild

* Wed Feb 13 2019 Jan Staněk <jstanek@redhat.com> - 1.13.0-2
- Remove executable bits from bundled tests
- Related: rhbz#1674073

* Thu Feb 07 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.13.0-1
- Update

* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

* Mon Jul 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.9.2-1
- Update to 1.9.2

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Thu May 24 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.7.0-1
- Update to 1.7.0

* Wed May 09 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.6.0-1
- Rebase, rebuild with new packaging

* Wed Mar 21 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.5.1-2
- Add requires_exclude_from macro
- rename nodejs-yarnpkg to yarn

* Wed Mar 21 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.5.1-1
- Rebase

* Tue Jan 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.4.1-1
- rebase
- package from GH, build with npm

* Tue Dec 05 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.3.2-2
- Add fedora readme so users are able to find renamed commands
- change source url
- rename license according to guidelines

* Mon Nov 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.3.2-1
- Initial build
import yarnpkg-1.22.22-3.el10 1 month ago			`%global debug_package %{nil}`
			`%global npm_name yarn`

			`%{?nodejs_find_provides_and_requires}`

			`%global enable_tests 1`

			`# don't require bundled modules`
			`%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.\|%{nodejs_sitelib}/yarn/bin/yarn(\|\\.cmd\|\\.ps1\|pkg.))$`

			`%global bundledate 20240704`

			`Name: yarnpkg`
			`Version: 1.22.22`
			`Release: 3%{?dist}`
			`Summary: Fast, reliable, and secure dependency management.`
			`License: BSD-2-Clause`
			`URL: https://github.com/yarnpkg/yarn`
			`# we need tarball with node_modules`
			`Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz`
			`Source1: yarnpkg-tarball.sh`

			`# These are applied by yarnpkg-tarball.sh`
			`# async-CVE-2021-43138.prebundle.patch`
			`# minimatch-CVE-2022-3517.prebundle.patch`
			`# thenify-CVE-2020-7677.prebundle.patch`
			`# decode-uri-component-CVE-2022-38900.prebundle.patch`

			`Patch0: CVE-2023-26136.patch`
			`Patch1: CVE-2022-37599.patch`
			`Patch2: CVE-2023-46234.patch`
			`Patch3: CVE-2024-4067.patch`


			`ExclusiveArch: %{nodejs_arches}`

			`BuildRequires: nodejs-packaging`
			`BuildRequires: nodejs-npm`

			`%description`
			`Fast, reliable, and secure dependency management.`


			`%prep`
			`%autosetup -p1 -n %{npm_name}-%{version}`


			`%build`
			`# use build script`
			`npm run build`


			`%install`
			`mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}`

			`cp -pr package.json lib bin node_modules \`
			`%{buildroot}%{nodejs_sitelib}/%{npm_name}`

			`mkdir -p %{buildroot}%{_bindir}`
			`ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg`
			`ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn`

			`# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)`
			`sed -e "s\|^#!/usr/bin/env node$\|#!/usr/bin/node\|" \`
			`-i %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js`

			`# Remove executable bits from bundled dependency tests`
			`find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \`
			`-ipath '/test/' -type f -executable \`
			`-exec chmod -x '{}' +`

			`%if 0%{?enable_tests}`
			`%check`
			`%nodejs_symlink_deps --check`
			`if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi`
			`if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi`
			`%endif`


			`%files`
			`%doc README.md`
			`%license LICENSE`
			`%{_bindir}/yarnpkg`
			`%{_bindir}/yarn`
			`%{nodejs_sitelib}/%{npm_name}/`

			`%changelog`
			`* Sat Jan 04 2025 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.22.22-3`
			`- Rebuilt for MSVSphere 10`

			`* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-3`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild`

			`* Thu Jul 04 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-2`
			`- Backport patch for CVE-2024-4067`

			`* Sat Mar 09 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-1`
			`- Update to 1.22.22`

			`* Mon Feb 19 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-2`
			`- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234`

			`* Fri Feb 16 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-1`
			`- Update to 1.22.21`

			`* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-8`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild`

			`* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-7`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild`

			`* Wed May 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-6`
			`- Rebuild (nodejs20)`

			`* Tue Mar 21 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-5`
			`- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,`
			`CVE-2020-7677`

			`* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-4`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild`

			`* Wed Jan 11 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-3`
			`- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677`

			`* Tue Jan 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-2`
			`- Backport fix for CVE-2021-35065 for bundled glob-parent`

			`* Thu Dec 15 2022 Sandro Mani <manisandro@gmail.com> - 1.22.19-1`
			`- Update to 1.22.19`

			`* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.17-3`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild`

			`* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.17-2`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild`

			`* Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1`
			`- Update to latest upstream release`
			`- use --force in yarnpkg-tarball.sh to workaround dependency conflincts`

			`* Mon Aug 30 2021 Neal Gompa <ngompa@fedoraproject.org> - 1.22.10-4`
			`- Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924)`
			`- Fix broken macro variable for legacy "nodejs-yarn" binary name (RHBZ#1904279)`

			`* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.10-3`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild`

			`* Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.10-2`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild`

			`* Fri Oct 09 2020 zsvetlik@redhat.com - 1.22.10-1`
			`- Update to 1.22.10`
			`- Resolves: RHBZ#1816262, RHBZ#1851876`
			`- Long resolved CVEs, just not mentioned in changelog`

			`* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.4-3`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild`

			`* Mon Jun 22 2020 Neal Gompa <ngompa13@gmail.com> - 1.22.4-2`
			`- Ensure Obsoletes + Provides stanza takes effect`
			`- Fix broken author identity in changelog entries`

			`* Tue Apr 14 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.22.4-1`
			`- Rename to yarnpkg, remove symlink-deps macro`
			`- Update to 1.22.4`

			`* Mon Jan 27 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.21.1-1`
			`- Resolves: RHBZ#1627748, #1687099, #1788329`
			`- Update to 1.21.1`
			`- Provides /usr/bin/yarn`
			`- Resolves CVE-2019-10773`

			`* Thu Dec 05 2019 Neal Gompa <ngompa@datto.com> - 1.13.0-4`
			`- Rename nodejs-yarn binary package to yarnpkg (similar to other distros)`
			`- Use nodejs macros consistently throughout spec`
			`- Make the tests fail the build if the tests fail`

			`* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-3`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild`

			`* Wed Feb 13 2019 Jan Staněk <jstanek@redhat.com> - 1.13.0-2`
			`- Remove executable bits from bundled tests`
			`- Related: rhbz#1674073`

			`* Thu Feb 07 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.13.0-1`
			`- Update`

			`* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-2`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild`

			`* Mon Jul 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.9.2-1`
			`- Update to 1.9.2`

			`* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-2`
			`- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild`

			`* Thu May 24 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.7.0-1`
			`- Update to 1.7.0`

			`* Wed May 09 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.6.0-1`
			`- Rebase, rebuild with new packaging`

			`* Wed Mar 21 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.5.1-2`
			`- Add requires_exclude_from macro`
			`- rename nodejs-yarnpkg to yarn`

			`* Wed Mar 21 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.5.1-1`
			`- Rebase`

			`* Tue Jan 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.4.1-1`
			`- rebase`
			`- package from GH, build with npm`

			`* Tue Dec 05 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.3.2-2`
			`- Add fedora readme so users are able to find renamed commands`
			`- change source url`
			`- rename license according to guidelines`

			`* Mon Nov 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.3.2-1`
			`- Initial build`