commit 5b3a0f0e0d45c32a534b15617a6ee4fcf9198db9
Author: tigro
Date: Sat Jan 4 15:23:26 2025 +0300
import yarnpkg-1.22.22-3.el10
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..037724f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/yarnpkg-v1.22.22-bundled-20240704.tar.gz
diff --git a/.yarnpkg.metadata b/.yarnpkg.metadata
new file mode 100644
index 0000000..1b4076a
--- /dev/null
+++ b/.yarnpkg.metadata
@@ -0,0 +1 @@
+035fccda0fb380a8cd530f0835d9ce81af059c4b SOURCES/yarnpkg-v1.22.22-bundled-20240704.tar.gz
diff --git a/SOURCES/CVE-2022-37599.patch b/SOURCES/CVE-2022-37599.patch
new file mode 100644
index 0000000..7636ff8
--- /dev/null
+++ b/SOURCES/CVE-2022-37599.patch
@@ -0,0 +1,12 @@
+diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
+--- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100
++++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100
+@@ -299,7 +299,7 @@ exports.interpolateName = function inter
+ var url = filename;
+ if(content) {
+ // Match hash template
+- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
++ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
+ return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10));
+ }).replace(/\[emoji(?::(\d+))?\]/ig, function() {
+ return encodeStringToEmoji(content, arguments[1]);
diff --git a/SOURCES/CVE-2023-26136.patch b/SOURCES/CVE-2023-26136.patch
new file mode 100644
index 0000000..3300cce
--- /dev/null
+++ b/SOURCES/CVE-2023-26136.patch
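Review bot: The widened name group in the `+` line (`(\w+)` → `([^[:\]]+)` in the `[hash]` template matcher) looks like upstream loader-utils' fix for the ReDoS reachable through the `url` variable, which I believe was published as CVE-2022-37603 (1.4.2 / 2.0.4), whereas CVE-2022-37599 — the name this file carries — described the ReDoS through `resourcePath`, fixed separately in 1.4.1 / 2.0.3 in the `[ext]`/`[path]`/`[folder]` handling of the same function. If the bundled loader-utils is older than 1.4.1 (its version is not visible here), this backport leaves the advisory it is named after open; please confirm against the upstream commits and either rename the patch or add the missing hunk. The extra `[` excluded in the character class is harmless but differs from upstream's `[^:\]]+` — worth a header comment so the next rebase does not treat it as a local edit. `interpolateName` begins before and continues after this hunk.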
@@ -0,0 +1,25 @@
+diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
+--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100
++++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100
+@@ -36,7 +36,7 @@ var util = require('util');
+
+ function MemoryCookieStore() {
+ Store.call(this);
+- this.idx = {};
++ this.idx = Object.create(null);
+ }
+ util.inherits(MemoryCookieStore, Store);
+ exports.MemoryCookieStore = MemoryCookieStore;
+@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies
+
+ MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+- this.idx[cookie.domain] = {};
++ this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+- this.idx[cookie.domain][cookie.path] = {};
++ this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
diff --git a/SOURCES/CVE-2023-46234.patch b/SOURCES/CVE-2023-46234.patch
new file mode 100644
index 0000000..0820ae6
--- /dev/null
+++ b/SOURCES/CVE-2023-46234.patch
@@ -0,0 +1,12 @@
+diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
+--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100
++++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100
+@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
+
+ function checkValue (b, q) {
+ if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+- if (b.cmp(q) >= q) throw new Error('invalid sig')
++ if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+
+ module.exports = verify
diff --git a/SOURCES/CVE-2024-4067.patch b/SOURCES/CVE-2024-4067.patch
new file mode 100644
index 0000000..d56082e
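Review bot: The three `Object.create(null)` lines close the `__proto__` route through `cookie.domain`, `cookie.path` and `cookie.key` in this memstore.js, but only the copy at `node_modules/tough-cookie/lib/memstore.js` is patched, while the CVE-2024-4067 patch in the same commit had to fix five nested copies of its module; if the bundle carries a nested tough-cookie (not visible here), that copy keeps the pollutable `this.idx = {}`. Suggest grepping the bundled tree for further `tough-cookie/lib/memstore.js` files before treating the CVE as closed. The header paths still say `yarn-1.22.21` although the spec now unpacks `yarn-1.22.22`; `-p1` makes it apply anyway, but regenerating the patch against 1.22.22, as was done for CVE-2024-4067, would avoid the misleading prefix. The hunks sit inside `MemoryCookieStore` and `putCookie`, whose bodies extend beyond them.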
--- /dev/null
+++ b/SOURCES/CVE-2024-4067.patch
@@ -0,0 +1,60 @@
+diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 23:35:09.633072156 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 23:35:22.753040820 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 23:35:32.817016784 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 23:35:41.536995958 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 23:35:49.438977085 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
diff --git a/SOURCES/yarnpkg-tarball.sh b/SOURCES/yarnpkg-tarball.sh
new file mode 100755
index 0000000..b0dba21
--- /dev/null
+++ b/SOURCES/yarnpkg-tarball.sh
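Review bot: The lazy `.*?` in `!/\{.*?\}/.test(pattern)` still visits every position after each `{` when no `}` follows, so a pattern such as `'{'.repeat(n)` remains quadratic in the regex engine, only without the greedy consume-then-backtrack pass; I believe this mirrors the upstream change, but if the goal is to close the ReDoS rather than shrink it, a linear pre-check does so: `var open = pattern.indexOf('{');` followed by `if (options && options.nobrace === true || open === -1 || pattern.indexOf('}', open) === -1) {`. Note that the regex's `.` does not cross a newline, so a pattern whose only braces straddle one would now reach `braces()` where it was previously returned as-is. The five nested copies are patched; any other copy of this line in the bundle (a top-level `node_modules/micromatch`, for instance — not visible here) would need the same treatment. Each `expand` closure lives inside `micromatch.braces`, which starts before the hunk.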
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
+timestamp=$(date +%Y%m%d)
+if [ ! -e v$version.tar.gz ]; then
+wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz
+fi
+rm -rf yarn-$version
+tar -zxf v$version.tar.gz
+cd yarn-$version
+for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
+patch -p1 < $file
+done
+yarn install
+yarn audit fix
+# Delete all binary files in node_modules
+echo "Deleting binary files..."
+find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm
+cd ..
+tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version
diff --git a/SPECS/yarnpkg.spec b/SPECS/yarnpkg.spec
new file mode 100644
index 0000000..8093d5b
--- /dev/null
+++ b/SPECS/yarnpkg.spec
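Review bot: Without `set -e`, a failing `patch -p1 < $file`, `wget` or `yarn install` does not abort the script and a bundle that is missing the fixes is still tarred up under the usual name; add `set -eu` right after the shebang. Related, the `*.prebundle.patch` files the loop globs for are not part of this commit (only the four post-bundle patches under SOURCES/ are) and `ls … 2>/dev/null` hides their absence, so anyone regenerating Source0 from this repository silently gets a tree without the async, minimatch, thenify and decode-uri-component fixes the spec's comments say are applied. `yarn install` runs without `--frozen-lockfile`, so the resulting node_modules depends on registry state at run time and the lockfile may be rewritten, which makes the sha1 in `.yarnpkg.metadata` a record of one run rather than something reproducible; use `yarn install --frozen-lockfile`. The upstream archive is fetched over HTTPS but not checked against any published checksum or signature before `yarn install` executes dependency lifecycle scripts from the unpacked tree. I don't believe yarn 1.x has a `yarn audit fix` subcommand, so that line likely errors or is ignored — verify and drop it.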
@@ -0,0 +1,220 @@
+%global debug_package %{nil}
+%global npm_name yarn
+
+%{?nodejs_find_provides_and_requires}
+
+%global enable_tests 1
+
+# don't require bundled modules
+%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
+
+%global bundledate 20240704
+
+Name: yarnpkg
+Version: 1.22.22
+Release: 3%{?dist}
+Summary: Fast, reliable, and secure dependency management.
+License: BSD-2-Clause
+URL: https://github.com/yarnpkg/yarn
+# we need tarball with node_modules
+Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz
+Source1: yarnpkg-tarball.sh
+
+# These are applied by yarnpkg-tarball.sh
+# async-CVE-2021-43138.prebundle.patch
+# minimatch-CVE-2022-3517.prebundle.patch
+# thenify-CVE-2020-7677.prebundle.patch
+# decode-uri-component-CVE-2022-38900.prebundle.patch
+
+Patch0: CVE-2023-26136.patch
+Patch1: CVE-2022-37599.patch
+Patch2: CVE-2023-46234.patch
+Patch3: CVE-2024-4067.patch
+
+
+ExclusiveArch: %{nodejs_arches}
+
+BuildRequires: nodejs-packaging
+BuildRequires: nodejs-npm
+
+%description
+Fast, reliable, and secure dependency management.
+
+
+%prep
+%autosetup -p1 -n %{npm_name}-%{version}
+
+
+%build
+# use build script
+npm run build
+
+
+%install
+mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
+
+cp -pr package.json lib bin node_modules \
+ %{buildroot}%{nodejs_sitelib}/%{npm_name}
+
+mkdir -p %{buildroot}%{_bindir}
+ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg
+ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn
+
+# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)
+sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \
+ -i %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js
+
+# Remove executable bits from bundled dependency tests
+find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
+ -ipath '*/test/*' -type f -executable \
+ -exec chmod -x '{}' +
+
+%if 0%{?enable_tests}
+%check
+%nodejs_symlink_deps --check
+if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
+if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
+%endif
+
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/yarnpkg
+%{_bindir}/yarn
+%{nodejs_sitelib}/%{npm_name}/
+
+%changelog
+* Sat Jan 04 2025 Arkady L. Shane - 1.22.22-3
+- Rebuilt for MSVSphere 10
+
+* Sat Jul 20 2024 Fedora Release Engineering - 1.22.22-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jul 04 2024 Sandro Mani - 1.22.22-2
+- Backport patch for CVE-2024-4067
+
+* Sat Mar 09 2024 Sandro Mani - 1.22.22-1
+- Update to 1.22.22
+
+* Mon Feb 19 2024 Sandro Mani - 1.22.21-2
+- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
+
+* Fri Feb 16 2024 Sandro Mani - 1.22.21-1
+- Update to 1.22.21
+
+* Sat Jan 27 2024 Fedora Release Engineering - 1.22.19-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering - 1.22.19-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed May 03 2023 Sandro Mani - 1.22.19-6
+- Rebuild (nodejs20)
+
+* Tue Mar 21 2023 Sandro Mani - 1.22.19-5
+- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,
+ CVE-2020-7677
+
+* Sat Jan 21 2023 Fedora Release Engineering - 1.22.19-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jan 11 2023 Sandro Mani - 1.22.19-3
+- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677
+
+* Tue Jan 03 2023 Sandro Mani - 1.22.19-2
+- Backport fix for CVE-2021-35065 for bundled glob-parent
+
+* Thu Dec 15 2022 Sandro Mani - 1.22.19-1
+- Update to 1.22.19
+
+* Sat Jul 23 2022 Fedora Release Engineering - 1.22.17-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sat Jan 22 2022 Fedora Release Engineering - 1.22.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1
+- Update to latest upstream release
+- use --force in yarnpkg-tarball.sh to workaround dependency conflincts
+
+* Mon Aug 30 2021 Neal Gompa - 1.22.10-4
+- Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924)
+- Fix broken macro variable for legacy "nodejs-yarn" binary name (RHBZ#1904279)
+
+* Fri Jul 23 2021 Fedora Release Engineering - 1.22.10-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jan 28 2021 Fedora Release Engineering - 1.22.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Oct 09 2020 zsvetlik@redhat.com - 1.22.10-1
+- Update to 1.22.10
+- Resolves: RHBZ#1816262, RHBZ#1851876
+- Long resolved CVEs, just not mentioned in changelog
+
+* Wed Jul 29 2020 Fedora Release Engineering - 1.22.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jun 22 2020 Neal Gompa - 1.22.4-2
+- Ensure Obsoletes + Provides stanza takes effect
+- Fix broken author identity in changelog entries
+
+* Tue Apr 14 2020 Zuzana Svetlikova - 1.22.4-1
+- Rename to yarnpkg, remove symlink-deps macro
+- Update to 1.22.4
+
+* Mon Jan 27 2020 Zuzana Svetlikova - 1.21.1-1
+- Resolves: RHBZ#1627748, #1687099, #1788329
+- Update to 1.21.1
+- Provides /usr/bin/yarn
+- Resolves CVE-2019-10773
+
+* Thu Dec 05 2019 Neal Gompa - 1.13.0-4
+- Rename nodejs-yarn binary package to yarnpkg (similar to other distros)
+- Use nodejs macros consistently throughout spec
+- Make the tests fail the build if the tests fail
+
+* Thu Jul 25 2019 Fedora Release Engineering - 1.13.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Feb 13 2019 Jan Staněk - 1.13.0-2
+- Remove executable bits from bundled tests
+- Related: rhbz#1674073
+
+* Thu Feb 07 2019 Zuzana Svetlikova - 1.13.0-1
+- Update
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1.9.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jul 30 2018 Zuzana Svetlikova - 1.9.2-1
+- Update to 1.9.2
+
+* Fri Jul 13 2018 Fedora Release Engineering - 1.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu May 24 2018 Zuzana Svetlikova - 1.7.0-1
+- Update to 1.7.0
+
+* Wed May 09 2018 Zuzana Svetlikova - 1.6.0-1
+- Rebase, rebuild with new packaging
+
+* Wed Mar 21 2018 Zuzana Svetlikova - 1.5.1-2
+- Add requires_exclude_from macro
+- rename nodejs-yarnpkg to yarn
+
+* Wed Mar 21 2018 Zuzana Svetlikova - 1.5.1-1
+- Rebase
+
+* Tue Jan 30 2018 Zuzana Svetlikova - 1.4.1-1
+- rebase
+- package from GH, build with npm
+
+* Tue Dec 05 2017 Zuzana Svetlikova - 1.3.2-2
+- Add fedora readme so users are able to find renamed commands
+- change source url
+- rename license according to guidelines
+
+* Mon Nov 27 2017 Zuzana Svetlikova - 1.3.2-1
+- Initial build
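Review bot: `%install` copies the whole `node_modules` tree and `__requires_exclude_from` hides it from the automatic dependency generator, yet no `Provides: bundled(npm(<name>)) = <version>` is declared for those modules, so distribution CVE tooling cannot see that tough-cookie, loader-utils, browserify-sign, micromatch and the rest are embedded here — which is why every fix in this commit had to be tracked by hand. Unless `%{?nodejs_find_provides_and_requires}` already emits bundled provides for this layout (I can't tell from here), add a list generated from `yarn.lock`, one `Provides: bundled(npm(<name>)) = <version>` per bundled module, and regenerate it whenever `yarnpkg-tarball.sh` produces a new Source0. `%check` compares only `--version` output and never loads the patched modules, so a backport that applies cleanly but breaks a bundled module at runtime would go unnoticed; a smoke test such as `node -e "require('%{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules/tough-cookie')"` would catch that. Also, `Source0` is a locally generated bundle whose only integrity record is the sha1 in `.yarnpkg.metadata`, so the package's security posture rests on how that tarball was produced rather than on anything verifiable against upstream.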