import yarnpkg-1.22.22-3.el10

i10ce changed/i10ce/yarnpkg-1.22.22-3.el10
Arkady L. Shane 1 month ago
commit 5b3a0f0e0d
Signed by: tigro
GPG Key ID: 1EC08A25C9DB2503

1
.gitignore vendored

@ -0,0 +1 @@
SOURCES/yarnpkg-v1.22.22-bundled-20240704.tar.gz

@ -0,0 +1 @@
035fccda0fb380a8cd530f0835d9ce81af059c4b SOURCES/yarnpkg-v1.22.22-bundled-20240704.tar.gz

@ -0,0 +1,12 @@
diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
--- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100
+++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100
@@ -299,7 +299,7 @@ exports.interpolateName = function inter
var url = filename;
if(content) {
// Match hash template
- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
+ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10));
}).replace(/\[emoji(?::(\d+))?\]/ig, function() {
return encodeStringToEmoji(content, arguments[1]);
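Review bot: The new first group on the added `url.replace(...)` line, `([^[:\]]+)`, is a superset of the `(\w+)` it replaces, so digest-type strings containing characters such as `-` or `.` that were previously left uninterpolated now reach `exports.getHashDigest(content, arguments[1], ...)`. Both forms already stop at `[`, `:` and `]`, so it is not evident from this hunk that the old group was the backtracking hazard the patch name refers to. A header comment in the patch file naming the upstream change it ports (`# Backport of <upstream commit URL>`) and why the wider class is wanted would make this reviewable; if only hardening was intended, keeping `(\w+)` avoids the behaviour change. `interpolateName` starts and ends outside the hunk.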

@ -0,0 +1,25 @@
diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100
+++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100
@@ -36,7 +36,7 @@ var util = require('util');
function MemoryCookieStore() {
Store.call(this);
- this.idx = {};
+ this.idx = Object.create(null);
}
util.inherits(MemoryCookieStore, Store);
exports.MemoryCookieStore = MemoryCookieStore;
@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies
MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
if (!this.idx[cookie.domain]) {
- this.idx[cookie.domain] = {};
+ this.idx[cookie.domain] = Object.create(null);
}
if (!this.idx[cookie.domain][cookie.path]) {
- this.idx[cookie.domain][cookie.path] = {};
+ this.idx[cookie.domain][cookie.path] = Object.create(null);
}
this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
cb(null);
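Review bot: Only the constructor and `putCookie` are switched to `Object.create(null)`; any other place in this bundled `memstore.js` that re-initialises `this.idx` or a per-domain map with `{}` (a reset or remove-all path, if this version has one) would bring back a prototype-bearing object, and none of that is visible in these two hunks. It is worth grepping the patched file for remaining `= {}` assignments on `idx` before relying on the fix. The patch also covers a single `node_modules/tough-cookie` copy, whereas the micromatch patch in this commit had to cover five nested copies, so a nested `tough-cookie` elsewhere under `node_modules` would stay unpatched; the page does not show whether one exists. `putCookie` ends outside the hunk.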

@ -0,0 +1,12 @@
diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100
+++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100
@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
function checkValue (b, q) {
if (b.cmpn(0) <= 0) throw new Error('invalid sig')
- if (b.cmp(q) >= q) throw new Error('invalid sig')
+ if (b.cmp(q) >= 0) throw new Error('invalid sig')
}
module.exports = verify

@ -0,0 +1,60 @@
diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 23:35:09.633072156 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 23:35:22.753040820 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 23:35:32.817016784 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 23:35:41.536995958 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 23:35:49.438977085 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
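Review bot: Making the quantifier lazy in `!/\{.*?\}/.test(pattern)` does not bound the work for a pattern that has many `{` and no `}`: from each `{` the engine still scans to the end of the line before failing, so the check stays quadratic in the pattern length, the same as the greedy form it replaces. A linear test avoids the regex altogether, for example `var open = pattern.indexOf('{');` followed by `if (options && options.nobrace === true || open === -1 || pattern.indexOf('}', open + 1) === -1) {`. That differs from the regex only when a line break sits between the braces, which `.` would not cross. The same line is patched in all five bundled copies (anymatch, findup-sync, matchdep, sane, test-exclude), so the change applies to each of them. `expand()` sits inside `micromatch.braces`, which starts and ends outside the hunks.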

@ -0,0 +1,20 @@
#!/bin/sh
version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
timestamp=$(date +%Y%m%d)
if [ ! -e v$version.tar.gz ]; then
wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz
fi
rm -rf yarn-$version
tar -zxf v$version.tar.gz
cd yarn-$version
for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
patch -p1 < $file
done
yarn install
yarn audit fix
# Delete all binary files in node_modules
echo "Deleting binary files..."
find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm
cd ..
tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version
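Review bot: The script has no `set -e`, so a failed `patch -p1 < $file`, `yarn install` or `cd yarn-$version` does not stop the run and the bundled tarball is still written, possibly without one of the `*.prebundle.patch` security fixes; after a failed `cd`, the `find node_modules ... | xargs rm` pipeline would also run in the parent directory. Adding `set -eu` after the shebang, quoting `"$version"` and `"$file"`, looping with `for file in ../*.prebundle.patch; do [ -e "$file" ] || continue`, and using `xargs -r rm` so an empty match list is not an error would make a missing or rejected patch fail loudly. The downloaded `v$version.tar.gz` is used without comparing it against a recorded checksum, and `yarn install` resolves from the network at bundle time, so the tarball contents depend on registry state on the day it is built. Recording the upstream archive hash next to the script would let a rebuild be verified.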

@ -0,0 +1,220 @@
%global debug_package %{nil}
%global npm_name yarn
%{?nodejs_find_provides_and_requires}
%global enable_tests 1
# don't require bundled modules
%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
%global bundledate 20240704
Name: yarnpkg
Version: 1.22.22
Release: 3%{?dist}
Summary: Fast, reliable, and secure dependency management.
License: BSD-2-Clause
URL: https://github.com/yarnpkg/yarn
# we need tarball with node_modules
Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz
Source1: yarnpkg-tarball.sh
# These are applied by yarnpkg-tarball.sh
# async-CVE-2021-43138.prebundle.patch
# minimatch-CVE-2022-3517.prebundle.patch
# thenify-CVE-2020-7677.prebundle.patch
# decode-uri-component-CVE-2022-38900.prebundle.patch
Patch0: CVE-2023-26136.patch
Patch1: CVE-2022-37599.patch
Patch2: CVE-2023-46234.patch
Patch3: CVE-2024-4067.patch
ExclusiveArch: %{nodejs_arches}
BuildRequires: nodejs-packaging
BuildRequires: nodejs-npm
%description
Fast, reliable, and secure dependency management.
%prep
%autosetup -p1 -n %{npm_name}-%{version}
%build
# use build script
npm run build
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
cp -pr package.json lib bin node_modules \
%{buildroot}%{nodejs_sitelib}/%{npm_name}
mkdir -p %{buildroot}%{_bindir}
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn
# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)
sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \
-i %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js
# Remove executable bits from bundled dependency tests
find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
-ipath '*/test/*' -type f -executable \
-exec chmod -x '{}' +
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
%endif
%files
%doc README.md
%license LICENSE
%{_bindir}/yarnpkg
%{_bindir}/yarn
%{nodejs_sitelib}/%{npm_name}/
%changelog
* Sat Jan 04 2025 Arkady L. Shane <tigro@msvsphere-os.ru> - 1.22.22-3
- Rebuilt for MSVSphere 10
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jul 04 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-2
- Backport patch for CVE-2024-4067
* Sat Mar 09 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-1
- Update to 1.22.22
* Mon Feb 19 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-2
- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
* Fri Feb 16 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-1
- Update to 1.22.21
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed May 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-6
- Rebuild (nodejs20)
* Tue Mar 21 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-5
- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,
CVE-2020-7677
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 11 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-3
- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677
* Tue Jan 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-2
- Backport fix for CVE-2021-35065 for bundled glob-parent
* Thu Dec 15 2022 Sandro Mani <manisandro@gmail.com> - 1.22.19-1
- Update to 1.22.19
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.17-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1
- Update to latest upstream release
- use --force in yarnpkg-tarball.sh to workaround dependency conflincts
* Mon Aug 30 2021 Neal Gompa <ngompa@fedoraproject.org> - 1.22.10-4
- Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924)
- Fix broken macro variable for legacy "nodejs-yarn" binary name (RHBZ#1904279)
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.10-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu Jan 28 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.10-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Oct 09 2020 zsvetlik@redhat.com - 1.22.10-1
- Update to 1.22.10
- Resolves: RHBZ#1816262, RHBZ#1851876
- Long resolved CVEs, just not mentioned in changelog
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Neal Gompa <ngompa13@gmail.com> - 1.22.4-2
- Ensure Obsoletes + Provides stanza takes effect
- Fix broken author identity in changelog entries
* Tue Apr 14 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.22.4-1
- Rename to yarnpkg, remove symlink-deps macro
- Update to 1.22.4
* Mon Jan 27 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.21.1-1
- Resolves: RHBZ#1627748, #1687099, #1788329
- Update to 1.21.1
- Provides /usr/bin/yarn
- Resolves CVE-2019-10773
* Thu Dec 05 2019 Neal Gompa <ngompa@datto.com> - 1.13.0-4
- Rename nodejs-yarn binary package to yarnpkg (similar to other distros)
- Use nodejs macros consistently throughout spec
- Make the tests fail the build if the tests fail
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.13.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Feb 13 2019 Jan Staněk <jstanek@redhat.com> - 1.13.0-2
- Remove executable bits from bundled tests
- Related: rhbz#1674073
* Thu Feb 07 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.13.0-1
- Update
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jul 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.9.2-1
- Update to 1.9.2
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu May 24 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.7.0-1
- Update to 1.7.0
* Wed May 09 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.6.0-1
- Rebase, rebuild with new packaging
* Wed Mar 21 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.5.1-2
- Add requires_exclude_from macro
- rename nodejs-yarnpkg to yarn
* Wed Mar 21 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.5.1-1
- Rebase
* Tue Jan 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.4.1-1
- rebase
- package from GH, build with npm
* Tue Dec 05 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.3.2-2
- Add fedora readme so users are able to find renamed commands
- change source url
- rename license according to guidelines
* Mon Nov 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1.3.2-1
- Initial build
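Review bot: The comment above `Patch0` lists four `*.prebundle.patch` files as applied by `yarnpkg-tarball.sh`, but none of them is among the files this commit adds as shown on the page, and the script's `ls -1 ../*.prebundle.patch 2>/dev/null` loop is silently skipped when nothing matches. If they are really absent from the repository, regenerating `Source0` would drop those four CVE fixes without any error; carrying them as additional `SourceN:` entries, or having the script check that each listed file exists, would close that gap. `Patch0` to `Patch3` also carry no comment on upstream origin or status, e.g. `# Backport of upstream fix: <upstream commit URL>` above each line.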