diff --git a/.gitignore b/.gitignore
index be7c0f5..a1b6061 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,16 @@
 /yarnpkg-v1.22.17-bundled.tar.gz
 /yarnpkg-v1.22.19-bundled.tar.gz
 /yarnpkg-v1.22.19-bundled-20230321.tar.gz
+/yarnpkg-v1.22.21-bundled-20240217.tar.gz
+/yarnpkg-v1.22.21-bundled-20240219.tar.gz
+/v1.22.22.tar.gz
+/yarnpkg-v1.22.22-bundled-20240309.tar.gz
+/yarnpkg-v1.22.22-bundled-20240704.tar.gz
+/yarnpkg-v1.22.22-bundled-20241010.tar.gz
+/yarnpkg-v1.22.22-bundled-20241015.tar.gz
+/yarnpkg-v1.22.22-bundled-20250328.tar.gz
+/yarnpkg-v1.22.22-bundled-20250604.tar.gz
+/yarnpkg-v1.22.22-bundled-20250624.tar.gz
+/yarnpkg-v1.22.22-bundled-20250728.tar.gz
+/yarnpkg-v1.22.22-bundled-20250930.tar.gz
+/yarnpkg-v1.22.22-bundled-20251203.tar.gz
diff --git a/CVE-2022-37599.patch b/CVE-2022-37599.patch
new file mode 100644
index 0000000..cdeb7cc
--- /dev/null
+++ b/CVE-2022-37599.patch
@@ -0,0 +1,12 @@
+diff -rupN --no-dereference yarn-1.22.22/node_modules/loader-utils/index.js yarn-1.22.22-new/node_modules/loader-utils/index.js
+--- yarn-1.22.22/node_modules/loader-utils/index.js 2025-07-28 09:42:24.000000000 +0200
++++ yarn-1.22.22-new/node_modules/loader-utils/index.js 2025-07-31 00:36:49.585249573 +0200
+@@ -299,7 +299,7 @@ exports.interpolateName = function inter
+ var url = filename;
+ if(content) {
+ // Match hash template
+- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
++ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
+ return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10));
+ }).replace(/\[emoji(?::(\d+))?\]/ig, function() {
+ return encodeStringToEmoji(content, arguments[1]);
diff --git a/CVE-2023-26136.patch b/CVE-2023-26136.patch
new file mode 100644
index 0000000..dccadfe
--- /dev/null
+++ b/CVE-2023-26136.patch
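Review bot: The regex fix is applied to a single `node_modules/loader-utils/index.js`, but the CVE-2024-4067 patch added by this same commit shows the bundle keeps nested duplicates of a package under `*/node_modules/<pkg>/`, and any second loader-utils copy would stay vulnerable under a path-specific patch like this one. When the bundle is regenerated, run `find node_modules -path '*/loader-utils/package.json' -exec grep -H '"version"' {} +` and add a hunk for every copy below the fixed release. A comment naming the upstream fix commit, as the spec does for Patch3 and Patch4, would also make this backport re-checkable against the upstream release. The enclosing `interpolateName` function starts and ends outside this hunk.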
@@ -0,0 +1,25 @@
+diff -rupN --no-dereference yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js
+--- yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js 2025-07-28 11:18:19.000000000 +0200
++++ yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js 2025-07-31 00:36:47.884055369 +0200
+@@ -36,7 +36,7 @@ var util = require('util');
+ 
+ function MemoryCookieStore() {
+ Store.call(this);
+- this.idx = {};
++ this.idx = Object.create(null);
+ }
+ util.inherits(MemoryCookieStore, Store);
+ exports.MemoryCookieStore = MemoryCookieStore;
+@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies
+ 
+ MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+- this.idx[cookie.domain] = {};
++ this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+- this.idx[cookie.domain][cookie.path] = {};
++ this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
diff --git a/CVE-2024-4067.patch b/CVE-2024-4067.patch
new file mode 100644
index 0000000..1d28ec7
--- /dev/null
+++ b/CVE-2024-4067.patch
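Review bot: Only the constructor and `putCookie` are moved onto null-prototype objects; the tough-cookie 2.x memstore also has, as far as I recall, a `removeAllCookies` method that resets the index with `this.idx = {}`, so after one `removeAllCookies()` call the store is back on `Object.prototype` and a cookie with domain `__proto__` pollutes it again. I believe the upstream fix changed that reset too; if the bundled memstore.js has it, add a third hunk turning it into `this.idx = Object.create(null);`. Also note that null-prototype objects have no `hasOwnProperty`, so any `this.idx[...].hasOwnProperty(...)` call elsewhere in memstore.js (outside these hunks) would now throw — grep for it before applying. Both patched functions are shown only partially here.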
@@ -0,0 +1,48 @@
+diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-31 00:36:51.203223937 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-31 00:36:51.203775750 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-31 00:36:51.204199053 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && 
options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN --no-dereference yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-31 00:36:51.204611282 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
diff --git a/CVE-2025-8262.patch b/CVE-2025-8262.patch
new file mode 100644
index 0000000..b531b79
--- /dev/null
+++ b/CVE-2025-8262.patch
@@ -0,0 +1,15 @@
+diff -rupN --no-dereference yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js
+--- yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js 2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js 2025-07-31 00:36:53.007366080 +0200
+@@ -30,8 +30,9 @@ export function explodeHostedGitFragment
+ }
+ 
+ const parts = fragment
+- .replace(/(.*?)#.*/, '$1') // Strip hash
+- .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
++ .split('#', 1)[0]
++ .split(':')
++ .pop()
+ .replace(/.git$/, '') // Strip the .git suffix
+ .split('/');
+ 
diff --git a/CVE-2025-8263.patch b/CVE-2025-8263.patch
new file mode 100644
index 0000000..7d31b12
--- /dev/null
+++ b/CVE-2025-8263.patch
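Review bot: Changing `.*` to `.*?` does not change what `.test()` accepts (any `{` followed later by a `}` on the same line) and the engine still restarts once per `{`, so a pattern like `'{'.repeat(n)` with no closing brace remains quadratic in the number of opening braces; the lazy quantifier only shortens the common case. A regex-free check is exact here (ignoring the corner case that `.` does not cross a newline) and linear: `var open = pattern.indexOf('{');` before the `if`, and `if (options && options.nobrace === true || open === -1 || pattern.indexOf('}', open + 1) === -1) {` as the condition. The same replacement belongs in all four nested copies (anymatch, liftoff, matchdep, readdirp), and a top-level `node_modules/micromatch`, if the bundle has one, should be checked as well. `micromatch.braces` begins outside each hunk.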
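Review bot: The retained context line `.replace(/.git$/, '')` has an unescaped `.`, so any fragment whose last four characters are some character followed by `git` (a repo named `widgit`, say) is truncated rather than only a literal `.git` suffix; since this patch is carried locally anyway, `.replace(/\.git$/, '')` is the one-character fix. The new `.split('#', 1)[0].split(':').pop()` chain keeps the behaviour of the greedy regexes it replaces (everything before the first `#`, everything after the last `:`) without their backtracking, so that part looks right; `.pop()` on a `split` result is always a string, so the following `.replace` cannot see `undefined`. `explodeHostedGitFragment` starts and ends outside the hunk.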
@@ -0,0 +1,25 @@
+diff -rupN yarn-1.22.22/node_modules/form-data/lib/form_data.js yarn-1.22.22-new/node_modules/form-data/lib/form_data.js
+--- yarn-1.22.22/node_modules/form-data/lib/form_data.js 2025-07-28 11:18:19.000000000 +0200
++++ yarn-1.22.22-new/node_modules/form-data/lib/form_data.js 2025-07-31 00:39:06.012116839 +0200
+@@ -5,6 +5,7 @@ var http = require('http');
+ var https = require('https');
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -316,12 +317,7 @@ FormData.prototype.getBoundary = functio
+ FormData.prototype._generateBoundary = function() {
+ // This generates a 50 character boundary similar to those used by Firefox.
+ // They are optimized for boyer-moore parsing.
+- var boundary = '--------------------------';
+- for (var i = 0; i < 24; i++) {
+- boundary += Math.floor(Math.random() * 10).toString(16);
+- }
+- 
+- this._boundary = boundary;
++ this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
diff --git a/async-CVE-2021-43138.prebundle.patch b/async-CVE-2021-43138.prebundle.patch
deleted file mode 100644
index f426b87..0000000
--- a/async-CVE-2021-43138.prebundle.patch
+++ /dev/null
@@ -1,31 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-03-21 11:58:50.508393147 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:59:28.850636157 +0100 -@@ -498,11 +498,11 @@ async@^1.4.0: - integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo= - - async@^2.1.2, async@^2.1.4: -- version "2.6.1" -- resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610" -- integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ== -+ version "2.6.4" -+ resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221" -+ integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA== - dependencies: -- lodash "^4.17.10" -+ lodash "^4.17.14" - - asynckit@^0.4.0: - version "0.4.0" -@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@ - resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7" - integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg== - -+lodash@^4.17.14: -+ version "4.17.21" -+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" -+ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== -+ - longest@^1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097" diff --git a/decode-uri-component-CVE-2022-38900.prebundle.patch b/decode-uri-component-CVE-2022-38900.prebundle.patch deleted file mode 100644 index 0364a0a..0000000 --- a/decode-uri-component-CVE-2022-38900.prebundle.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:57:26.891976168 +0100 -@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1: - integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA= - - decode-uri-component@^0.2.0: -- version "0.2.0" -- resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545" -- integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU= -+ version "0.2.2" -+ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9" -+ integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ== - - dedent@0.6.0: - version "0.6.0" diff --git a/glob-parent-CVE-2021-35065.patch b/glob-parent-CVE-2021-35065.patch deleted file mode 100644 index c7b1fb1..0000000 --- a/glob-parent-CVE-2021-35065.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.19/node_modules/glob-parent/index.js yarn-1.22.19-new/node_modules/glob-parent/index.js ---- yarn-1.22.19/node_modules/glob-parent/index.js 2022-12-15 10:13:44.000000000 +0100 -+++ yarn-1.22.19-new/node_modules/glob-parent/index.js 2023-01-04 00:11:24.718113215 +0100 -@@ -10,7 +10,7 @@ module.exports = function globParent(str - if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/'); - - // special case for strings ending in enclosure containing path separator -- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/'; -+ if (isEnclosure(str)) str += '/'; - - // preserves full path in case of trailing path separator - str += 'a'; -@@ -22,3 +22,26 @@ module.exports = function globParent(str - // remove escape chars and return result - return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1'); - }; -+ -+function isEnclosure(str) { -+ var lastChar = str.slice(-1) -+ -+ var enclosureStart; -+ switch (lastChar) { -+ case '}': -+ enclosureStart = '{'; -+ break; -+ case ']': -+ enclosureStart = '['; -+ break; -+ default: -+ return false; -+ } -+ -+ var foundIndex = str.indexOf(enclosureStart); -+ if (foundIndex < 0) { -+ return false; -+ } -+ -+ return str.slice(foundIndex + 1, -1).includes('/'); -+} diff --git a/minimatch-CVE-2022-3517.prebundle.patch b/minimatch-CVE-2022-3517.prebundle.patch deleted file mode 100644 index 3238222..0000000 --- a/minimatch-CVE-2022-3517.prebundle.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-03-21 12:00:04.395885047 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 12:00:32.419095290 +0100 -@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima - integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= - - "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4: -- version "3.0.4" -- resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" -- integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== -+ version "3.1.2" -+ resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" -+ integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== - dependencies: - brace-expansion "^1.1.7" - diff --git a/sources b/sources index d63cfe0..b1beda2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.19-bundled-20230321.tar.gz) = 0ac081346a3c8006d535736c62b874ea50f7295fa3beeda7b1773564309f20c3eca72061bca8307c26b19d27fcbce0256019ee5baf54c01e6658d2fa815dae22 +SHA512 (yarnpkg-v1.22.22-bundled-20251203.tar.gz) = afcf0f4e3719a1d41e60b8e9a9633291161f3a7b04b67d85b3f12cfd9dce8abf9fef3f7be2eab90f3e8efa49e564342175a20ca1e305665a1d453a116b1f79d2 diff --git a/thenify-CVE-2020-7677.prebundle.patch b/thenify-CVE-2020-7677.prebundle.patch deleted file mode 100644 index ac40234..0000000 --- a/thenify-CVE-2020-7677.prebundle.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-03-21 11:57:48.181065612 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:58:21.377228725 +0100 -@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0: - thenify ">= 3.1.0 < 4" - - "thenify@>= 3.1.0 < 4": -- version "3.3.0" -- resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839" -- integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk= -+ version "3.3.1" -+ resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f" -+ integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw== - dependencies: - any-promise "^1.0.0" - diff --git a/yarn-no-commitizen.prebundle.patch b/yarn-no-commitizen.prebundle.patch new file mode 100644 index 0000000..dbc8d85 --- /dev/null +++ b/yarn-no-commitizen.prebundle.patch 
@@ -0,0 +1,30 @@
+diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
+--- yarn-1.22.22/package.json 2025-09-30 14:26:03.561888356 +0200
++++ yarn-1.22.22-new/package.json 2025-09-30 14:26:03.566194507 +0200
+@@ -69,7 +69,6 @@
+ "babel-preset-flow": "^6.23.0",
+ "babel-preset-stage-0": "^6.0.0",
+ "babylon": "^6.5.0",
+- "commitizen": "^2.9.6",
+ "cz-conventional-changelog": "^2.0.0",
+ "eslint": "^4.3.0",
+ "eslint-config-fb-strict": "^22.0.0",
+@@ -131,8 +130,7 @@
+ "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",
+ "test-only-debug": "node --inspect-brk --max_old_space_size=4096 node_modules/jest/bin/jest.js --runInBand --verbose",
+ "test-coverage": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --coverage --verbose",
+- "watch": "gulp watch",
+- "commit": "git-cz"
++ "watch": "gulp watch"
+ },
+ "jest": {
+ "collectCoverageFrom": [
+@@ -152,8 +150,5 @@
+ ]
+ },
+ "config": {
+- "commitizen": {
+- "path": "./node_modules/cz-conventional-changelog"
+- }
+ }
+ }
diff --git a/yarn-no-eslint.prebundle.patch b/yarn-no-eslint.prebundle.patch
new file mode 100644
index 0000000..de0f7a4
--- /dev/null
+++ b/yarn-no-eslint.prebundle.patch
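Review bot: `cz-conventional-changelog` stays in devDependencies (it is a context line in the first hunk) even though the `config.commitizen` block that pointed at it is deleted, so the patch's stated goal of trimming bundled dev dependencies leaves one orphan that nothing references any more; drop `"cz-conventional-changelog": "^2.0.0",` in the same hunk. The edit also leaves `"config": {}` as an empty object, which is valid JSON and harmless, so that can stay.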
@@ -0,0 +1,116 @@ +diff -rupN --no-dereference yarn-1.22.22/.eslintignore yarn-1.22.22-new/.eslintignore +--- yarn-1.22.22/.eslintignore 2024-03-09 22:33:28.000000000 +0100 ++++ yarn-1.22.22-new/.eslintignore 1970-01-01 01:00:00.000000000 +0100 +@@ -1,12 +0,0 @@ +-__tests__/fixtures +-lib +-lib-legacy +-node_modules +-flow-typed +-coverage +-gulpfile.js +-scripts +-updates +-artifacts +-dist +-packages +diff -rupN --no-dereference yarn-1.22.22/.eslintrc.json yarn-1.22.22-new/.eslintrc.json +--- yarn-1.22.22/.eslintrc.json 2024-03-09 22:33:28.000000000 +0100 ++++ yarn-1.22.22-new/.eslintrc.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,56 +0,0 @@ +-{ +- "extends": "eslint-config-fb-strict", +- "env": { +- "jest": true +- }, +- "plugins": [ +- "flowtype", +- "yarn-internal", +- "prettier" +- ], +- "rules": { +- "yarn-internal/warn-language": "error", +- "max-len": ["error", 120], +- "prefer-arrow-callback": "off", +- "flowtype/require-valid-file-annotation": ["error", "always"], +- "flowtype/space-after-type-colon": ["error", "always"], +- "flowtype/require-return-type": ["error", "always", {"excludeArrowFunctions": true}], +- "require-await": "error", +- "no-process-exit": "error", +- "no-return-await": "error", +- "sort-keys": "off", +- "prettier/prettier": ["error", { +- "singleQuote": true, +- "trailingComma": "all", +- "bracketSpacing": false, +- "printWidth": 120, +- "parser": "flow" +- }] +- }, +- "overrides": [ +- { +- "files": [ +- "__tests__/fixtures/**/*.js", +- "bin/*.js", +- "src/cli/index.js" +- ], +- "rules": { +- "no-console": "off" +- } +- }, +- { +- "files": [ +- "src/util/generate-pnp-map-api.tpl.js" +- ], +- "rules": { +- "prettier/prettier": ["error", { +- "singleQuote": true, +- "trailingComma": "es5", +- "bracketSpacing": false, +- "printWidth": 120, +- "parser": "flow" +- }] +- } +- } +- ] +-} +diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json +--- yarn-1.22.22/package.json 2025-09-30 14:26:03.997138837 +0200 
++++ yarn-1.22.22-new/package.json 2025-09-30 14:26:04.000964590 +0200 +@@ -58,7 +58,6 @@ + }, + "devDependencies": { + "babel-core": "^6.26.0", +- "babel-eslint": "^7.2.3", + "babel-loader": "^6.2.5", + "babel-plugin-array-includes": "^2.0.3", + "babel-plugin-inline-import": "^3.0.0", +@@ -70,18 +69,6 @@ + "babel-preset-stage-0": "^6.0.0", + "babylon": "^6.5.0", + "cz-conventional-changelog": "^2.0.0", +- "eslint": "^4.3.0", +- "eslint-config-fb-strict": "^22.0.0", +- "eslint-plugin-babel": "^5.0.0", +- "eslint-plugin-flowtype": "^2.35.0", +- "eslint-plugin-jasmine": "^2.6.2", +- "eslint-plugin-jest": "^21.0.0", +- "eslint-plugin-jsx-a11y": "^6.0.2", +- "eslint-plugin-prefer-object-spread": "^1.2.1", +- "eslint-plugin-prettier": "^2.1.2", +- "eslint-plugin-react": "^7.1.0", +- "eslint-plugin-relay": "^0.0.28", +- "eslint-plugin-yarn-internal": "file:scripts/eslint-rules", + "execa": "^0.11.0", + "fancy-log": "^1.3.2", + "flow-bin": "^0.66.0", +@@ -122,9 +109,7 @@ + "build-win-installer": "scripts\\build-windows-installer.bat", + "changelog": "git-release-notes $(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)..$(git describe --tags --abbrev=0) scripts/changelog.md", + "dupe-check": "yarn jsinspect ./src", +- "lint": "eslint . && flow check", + "pkg-tests": "yarn --cwd packages/pkg-tests jest yarn.test.js", +- "prettier": "eslint src __tests__ --fix", + "release-branch": "./scripts/release-branch.sh", + "test": "yarn lint && yarn test-only", + "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose", diff --git a/yarn-update-jest.prebundle.patch b/yarn-update-jest.prebundle.patch new file mode 100644 index 0000000..ec5049f --- /dev/null +++ b/yarn-update-jest.prebundle.patch 
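Review bot: The `lint` script is removed, but the context line `"test": "yarn lint && yarn test-only"` two lines below still invokes it, so `yarn test` on the patched tree fails with an unknown-command error before jest ever runs; change it in this hunk to `"test": "yarn test-only"` (or `"test": "flow check && yarn test-only"` if the Flow check is meant to survive, since `flow-bin` remains a devDependency). The `babel-eslint` and `eslint-plugin-*` removals are consistent with deleting `.eslintrc.json`, and dropping the `prettier` script is fine because it was only `eslint --fix`.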
@@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.22/package.json yarn-1.22.22-new/package.json +--- yarn-1.22.22/package.json 2024-03-09 22:33:28.000000000 +0100 ++++ yarn-1.22.22-new/package.json 2025-07-28 10:33:09.427716996 +0200 +@@ -93,7 +93,7 @@ + "gulp-newer": "^1.0.0", + "gulp-plumber": "^1.0.1", + "gulp-sourcemaps": "^2.2.0", +- "jest": "^22.4.4", ++ "jest": "^30.0.5", + "jsinspect": "^0.12.6", + "minimatch": "^3.0.4", + "mock-stdin": "^0.3.0", diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh old mode 100644 new mode 100755 index 5d5fc0e..363f5bf --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -2,15 +2,21 @@ version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1) timestamp=$(date +%Y%m%d) -rm -f v$version.tar.gz +if [ ! -e v$version.tar.gz ]; then wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz +fi +rm -rf yarn-$version tar -zxf v$version.tar.gz cd yarn-$version for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do patch -p1 < $file done -sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json -npm install -npm audit fix +rm yarn.lock +yarn install +yarn autoclean --force +yarn audit fix +# Delete all binary files in node_modules +echo "Deleting binary files..." +find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm cd .. tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index bbcb5f1..1fa8989 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -1,7 +1,5 @@ +%global debug_package %{nil} %global npm_name yarn -# name yarn would probably confict with cmdtest and hadoop-yarn -# https://bugzilla.redhat.com/show_bug.cgi?id=1507312 -%global old_name nodejs-yarn %{?nodejs_find_provides_and_requires} 
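Review bot: `yarn audit fix` is not a Yarn 1 subcommand (as far as I know the trailing `fix` argument is ignored and a plain `yarn audit` runs, whose non-zero exit on findings is not checked here), so this line reports rather than remediates and the script goes on to bundle whatever `yarn install` resolved. The upstream `v$version.tar.gz` is fetched with `wget` and never integrity-checked — `sources` only hashes the bundle this script produces — so recording a SHA512 for the upstream archive and verifying it with `sha512sum -c` right after the download would close that gap. Deleting `yarn.lock` before `yarn install` also means every refresh resolves the newest versions in each semver range, which is what drives the patch churn in this commit; committing the regenerated lockfile alongside the spec would make each bundle auditable. Minor: `find ... | grep ELF | awk -F':' '{print $1}' | xargs rm` breaks on paths containing `:` or whitespace; `-print0` with `xargs -0` (or `-exec sh -c`) is safer.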
@@ -10,42 +8,40 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20230321 +%global bundledate 20251203 Name: yarnpkg -Version: 1.22.19 -Release: 5%{?dist} +Version: 1.22.22 +Release: 14%{?dist} Summary: Fast, reliable, and secure dependency management. +License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz Source1: yarnpkg-tarball.sh -License: BSD # These are applied by yarnpkg-tarball.sh -# async-CVE-2021-43138.prebundle.patch -# minimatch-CVE-2022-3517.prebundle.patch -# thenify-CVE-2020-7677.prebundle.patch -# decode-uri-component-CVE-2022-38900.prebundle.patch +# yarn-update-jest.prebundle.patch +# yarn-no-commitizen.prebundle.patch +# yarn-no-eslint.prebundle.patch -# Backport fix for CVE-2021-35065 for bundled glob-parent -Patch1: glob-parent-CVE-2021-35065.patch +Patch0: CVE-2023-26136.patch +Patch1: CVE-2022-37599.patch +Patch2: CVE-2024-4067.patch +# https://github.com/yarnpkg/yarn/commit/97731871e674bf93bcbf29e9d3258da8685f3076.patch +Patch3: CVE-2025-8262.patch +# https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 +Patch4: CVE-2025-8263.patch -BuildArch: noarch -ExclusiveArch: %{nodejs_arches} noarch +ExclusiveArch: %{nodejs_arches} BuildRequires: nodejs-packaging -%if 0%{?fedora} >= 37 +%if 0%{?fedora} BuildRequires: nodejs-npm %else BuildRequires: npm %endif -# Package was renamed when Fedora 33 was rawhide -# Don't remove this before Fedora 35 -Obsoletes: %{old_name} < 1.22.4-1 -Provides: %{old_name} = %{version}-%{release} - %description Fast, reliable, and secure dependency management. 
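Review bot: Patch0–Patch4 carry context from a node_modules snapshot taken 2025-07-31, while Source0 is rebuilt from scratch by yarnpkg-tarball.sh (`rm yarn.lock; yarn install`) and is now the 20251203 bundle, so the dependency versions underneath these patches can drift on every refresh; unless %prep (not in this hunk) applies them with zero fuzz, a stale patch gets placed by context matching or fails partway and the CVE quietly reopens. Add `-F0` to whichever `%patch`/`%autosetup` form %prep uses, and give Patch0–Patch2 an upstream-commit comment like the ones on Patch3 and Patch4 so each backport can be re-checked against the fixed release. Dropping `BuildArch: noarch` together with the `%global debug_package %{nil}` added in the previous hunk implies arch-specific build output is now expected; if the intent is only to tolerate stray ELF files from node_modules, a comment saying so would help, since the tarball script already deletes them.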
@@ -58,8 +54,6 @@ Fast, reliable, and secure dependency management. # use build script npm run build -# remove build dependencies from node_modules -npm prune --production %install mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name} @@ -70,7 +64,6 @@ cp -pr package.json lib bin node_modules \ mkdir -p %{buildroot}%{_bindir} ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn -ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{old_name} # Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924) sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \ @@ -81,12 +74,12 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \ -ipath '*/test/*' -type f -executable \ -exec chmod -x '{}' + + %if 0%{?enable_tests} %check %nodejs_symlink_deps --check if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi -if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi %endif 
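Review bot: Removing `npm prune --production` means the whole devDependency tree (jest 30, gulp, webpack, babel — the very packages the new prebundle patches are trimming) is copied into the buildroot by the unchanged `cp -pr package.json lib bin node_modules` line below and shipped under `%{nodejs_sitelib}/yarn/node_modules`, so every future devDependency CVE becomes a shipped-package CVE. Yarn's runtime is the webpack-built `lib/cli.js`, which as far as I know needs none of those modules; if `npm prune` was dropped because it misbehaves on a yarn-generated tree, `yarn install --production` after `npm run build` is the equivalent, or `node_modules` could be left out of the copy entirely if the bundle is self-contained. The `%check` hunk that follows only runs `--version`, so none of the dev tooling is exercised at build time either.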
@@ -95,10 +88,71 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %license LICENSE %{_bindir}/yarnpkg %{_bindir}/yarn -%{_bindir}/%{old_name} %{nodejs_sitelib}/%{npm_name}/ + %changelog +* Wed Dec 03 2025 Sandro Mani - 1.22.22-14 +- Bump release + +* Wed Dec 03 2025 Sandro Mani - 1.22.22-13 +- Refresh bundle, fixes CVE-2025-64756 + +* Tue Sep 30 2025 Sandro Mani - 1.22.22-12 +- Regenerate bundle, fixes CVE-2025-59343 +- Patch out eslint and commitizen devDependencies to reduce dependencies + +* Wed Jul 30 2025 Sandro Mani - 1.22.22-11 +- Refresh bundle +- Drop patches obsoleted by new bundle +- Add yarn-update-jest.prebundle.patch to update jest and avoid some vulerable dependencies +- Apply fixes for CVE-2025-8262 and CVE-2025-8263 + +* Fri Jul 25 2025 Fedora Release Engineering - 1.22.22-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Tue Jun 24 2025 Sandro Mani - 1.22.22-9 +- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547. 
+ +* Wed Jun 04 2025 Sandro Mani - 1.22.22-8 +- Refresh bundle tarball for CVE-2025-48387 + +* Fri Mar 28 2025 Sandro Mani - 1.22.22-7 +- Fix CVE-2024-12905 + +* Sun Jan 19 2025 Fedora Release Engineering - 1.22.22-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Tue Oct 15 2024 Sandro Mani - 1.22.22-5 +- Update bundled ws (CVE-2024-37890) + +* Thu Oct 10 2024 Sandro Mani - 1.22.22-4 +- Update bundled elliptic (CVE-2024-48949) + +* Sat Jul 20 2024 Fedora Release Engineering - 1.22.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Thu Jul 04 2024 Sandro Mani - 1.22.22-2 +- Backport patch for CVE-2024-4067 + +* Sat Mar 09 2024 Sandro Mani - 1.22.22-1 +- Update to 1.22.22 + +* Mon Feb 19 2024 Sandro Mani - 1.22.21-2 +- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234 + +* Fri Feb 16 2024 Sandro Mani - 1.22.21-1 +- Update to 1.22.21 + +* Sat Jan 27 2024 Fedora Release Engineering - 1.22.19-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Sat Jul 22 2023 Fedora Release Engineering - 1.22.19-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed May 03 2023 Sandro Mani - 1.22.19-6 +- Rebuild (nodejs20) + * Tue Mar 21 2023 Sandro Mani - 1.22.19-5 - Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677