diff --git a/.gitignore b/.gitignore index a1b6061..15a9635 100644 --- a/.gitignore +++ b/.gitignore @@ -1,18 +1,2 @@ /yarnpkg-v1.22.4-bundled.tar.gz /yarnpkg-v1.22.10-bundled.tar.gz -/yarnpkg-v1.22.17-bundled.tar.gz -/yarnpkg-v1.22.19-bundled.tar.gz -/yarnpkg-v1.22.19-bundled-20230321.tar.gz -/yarnpkg-v1.22.21-bundled-20240217.tar.gz -/yarnpkg-v1.22.21-bundled-20240219.tar.gz -/v1.22.22.tar.gz -/yarnpkg-v1.22.22-bundled-20240309.tar.gz -/yarnpkg-v1.22.22-bundled-20240704.tar.gz -/yarnpkg-v1.22.22-bundled-20241010.tar.gz -/yarnpkg-v1.22.22-bundled-20241015.tar.gz -/yarnpkg-v1.22.22-bundled-20250328.tar.gz -/yarnpkg-v1.22.22-bundled-20250604.tar.gz -/yarnpkg-v1.22.22-bundled-20250624.tar.gz -/yarnpkg-v1.22.22-bundled-20250728.tar.gz -/yarnpkg-v1.22.22-bundled-20250930.tar.gz -/yarnpkg-v1.22.22-bundled-20251203.tar.gz diff --git a/CVE-2022-37599.patch b/CVE-2022-37599.patch deleted file mode 100644 index cdeb7cc..0000000 --- a/CVE-2022-37599.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.22/node_modules/loader-utils/index.js yarn-1.22.22-new/node_modules/loader-utils/index.js ---- yarn-1.22.22/node_modules/loader-utils/index.js 2025-07-28 09:42:24.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/loader-utils/index.js 2025-07-31 00:36:49.585249573 +0200 -@@ -299,7 +299,7 @@ exports.interpolateName = function inter - var url = filename; - if(content) { - // Match hash template -- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() { -+ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() { - return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10)); - }).replace(/\[emoji(?::(\d+))?\]/ig, function() { - return encodeStringToEmoji(content, arguments[1]); diff --git a/CVE-2023-26136.patch b/CVE-2023-26136.patch deleted file mode 100644 index dccadfe..0000000 --- a/CVE-2023-26136.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js ---- yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js 2025-07-28 11:18:19.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js 2025-07-31 00:36:47.884055369 +0200 -@@ -36,7 +36,7 @@ var util = require('util'); - - function MemoryCookieStore() { - Store.call(this); -- this.idx = {}; -+ this.idx = Object.create(null); - } - util.inherits(MemoryCookieStore, Store); - exports.MemoryCookieStore = MemoryCookieStore; -@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies - - MemoryCookieStore.prototype.putCookie = function(cookie, cb) { - if (!this.idx[cookie.domain]) { -- this.idx[cookie.domain] = {}; -+ this.idx[cookie.domain] = Object.create(null); - } - if (!this.idx[cookie.domain][cookie.path]) { -- this.idx[cookie.domain][cookie.path] = {}; -+ this.idx[cookie.domain][cookie.path] = Object.create(null); - } - this.idx[cookie.domain][cookie.path][cookie.key] = cookie; - cb(null); diff --git a/CVE-2024-4067.patch b/CVE-2024-4067.patch deleted file mode 100644 index 1d28ec7..0000000 --- a/CVE-2024-4067.patch +++ /dev/null @@ -1,48 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js ---- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-31 00:36:51.203223937 +0200 -@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op - } - - function expand() { -- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { -+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { - return utils.arrayify(pattern); - } - return braces(pattern, options); -diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js ---- yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-31 00:36:51.203775750 +0200 -@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op - } - - function expand() { -- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { -+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { - return utils.arrayify(pattern); - } - return braces(pattern, options); -diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js ---- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-31 00:36:51.204199053 +0200 -@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op - } - - function expand() { -- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { -+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { - return utils.arrayify(pattern); - } - return braces(pattern, options); -diff -rupN --no-dereference yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js ---- yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-31 00:36:51.204611282 +0200 -@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op - } - - function expand() { -- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { -+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { - return utils.arrayify(pattern); - } - return braces(pattern, options); diff --git a/CVE-2025-8262.patch b/CVE-2025-8262.patch deleted file mode 100644 index b531b79..0000000 --- a/CVE-2025-8262.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js ---- yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js 2024-03-09 22:33:28.000000000 +0100 -+++ yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js 2025-07-31 00:36:53.007366080 +0200 -@@ -30,8 +30,9 @@ export function explodeHostedGitFragment - } - - const parts = fragment -- .replace(/(.*?)#.*/, '$1') // Strip hash -- .replace(/.*:(.*)/, '$1') // Strip prefixed protocols -+ .split('#', 1)[0] -+ .split(':') -+ .pop() - .replace(/.git$/, '') // Strip the .git suffix - .split('/'); - diff --git a/CVE-2025-8263.patch b/CVE-2025-8263.patch deleted file mode 100644 index 7d31b12..0000000 --- a/CVE-2025-8263.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff -rupN yarn-1.22.22/node_modules/form-data/lib/form_data.js yarn-1.22.22-new/node_modules/form-data/lib/form_data.js ---- yarn-1.22.22/node_modules/form-data/lib/form_data.js 2025-07-28 11:18:19.000000000 +0200 -+++ yarn-1.22.22-new/node_modules/form-data/lib/form_data.js 2025-07-31 00:39:06.012116839 +0200 -@@ -5,6 +5,7 @@ var http = require('http'); - var https = require('https'); - var parseUrl = require('url').parse; - var fs = require('fs'); -+var crypto = require('crypto'); - var mime = require('mime-types'); - var asynckit = require('asynckit'); - var populate = require('./populate.js'); -@@ -316,12 +317,7 @@ FormData.prototype.getBoundary = functio - FormData.prototype._generateBoundary = function() { - // This generates a 50 character boundary similar to those used by Firefox. - // They are optimized for boyer-moore parsing. -- var boundary = '--------------------------'; -- for (var i = 0; i < 24; i++) { -- boundary += Math.floor(Math.random() * 10).toString(16); -- } -- -- this._boundary = boundary; -+ this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex'); - }; - - // Note: getLengthSync DOESN'T calculate streams length diff --git a/sources b/sources index b1beda2..ea4bb0b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.22-bundled-20251203.tar.gz) = afcf0f4e3719a1d41e60b8e9a9633291161f3a7b04b67d85b3f12cfd9dce8abf9fef3f7be2eab90f3e8efa49e564342175a20ca1e305665a1d453a116b1f79d2 +SHA512 (yarnpkg-v1.22.10-bundled.tar.gz) = 74004919de065831a38c89e82da17dc92145b1bcbb927534bc9b41a78b8819a3e461aae04422088dd6799a71747e1f21b36c9cf64237614beffbdcd147dd872c diff --git a/yarn-no-commitizen.prebundle.patch b/yarn-no-commitizen.prebundle.patch deleted file mode 100644 index dbc8d85..0000000 --- a/yarn-no-commitizen.prebundle.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json ---- yarn-1.22.22/package.json 2025-09-30 14:26:03.561888356 +0200 -+++ yarn-1.22.22-new/package.json 2025-09-30 14:26:03.566194507 +0200 -@@ -69,7 +69,6 @@ - "babel-preset-flow": "^6.23.0", - "babel-preset-stage-0": "^6.0.0", - "babylon": "^6.5.0", -- "commitizen": "^2.9.6", - "cz-conventional-changelog": "^2.0.0", - "eslint": "^4.3.0", - "eslint-config-fb-strict": "^22.0.0", -@@ -131,8 +130,7 @@ - "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose", - "test-only-debug": "node --inspect-brk --max_old_space_size=4096 node_modules/jest/bin/jest.js --runInBand --verbose", - "test-coverage": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --coverage --verbose", -- "watch": "gulp watch", -- "commit": "git-cz" -+ "watch": "gulp watch" - }, - "jest": { - "collectCoverageFrom": [ -@@ -152,8 +150,5 @@ - ] - }, - "config": { -- "commitizen": { -- "path": "./node_modules/cz-conventional-changelog" -- } - } - } diff --git a/yarn-no-eslint.prebundle.patch b/yarn-no-eslint.prebundle.patch deleted file mode 100644 index de0f7a4..0000000 --- a/yarn-no-eslint.prebundle.patch +++ /dev/null @@ -1,116 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.22/.eslintignore yarn-1.22.22-new/.eslintignore ---- yarn-1.22.22/.eslintignore 2024-03-09 22:33:28.000000000 +0100 -+++ yarn-1.22.22-new/.eslintignore 1970-01-01 01:00:00.000000000 +0100 -@@ -1,12 +0,0 @@ --__tests__/fixtures --lib --lib-legacy --node_modules --flow-typed --coverage --gulpfile.js --scripts --updates --artifacts --dist --packages -diff -rupN --no-dereference yarn-1.22.22/.eslintrc.json yarn-1.22.22-new/.eslintrc.json ---- yarn-1.22.22/.eslintrc.json 2024-03-09 22:33:28.000000000 +0100 -+++ yarn-1.22.22-new/.eslintrc.json 1970-01-01 01:00:00.000000000 +0100 -@@ -1,56 +0,0 @@ --{ -- "extends": "eslint-config-fb-strict", -- "env": { -- "jest": true -- }, -- "plugins": [ -- "flowtype", -- "yarn-internal", -- "prettier" -- ], -- "rules": { -- "yarn-internal/warn-language": "error", -- "max-len": ["error", 120], -- "prefer-arrow-callback": "off", -- "flowtype/require-valid-file-annotation": ["error", "always"], -- "flowtype/space-after-type-colon": ["error", "always"], -- "flowtype/require-return-type": ["error", "always", {"excludeArrowFunctions": true}], -- "require-await": "error", -- "no-process-exit": "error", -- "no-return-await": "error", -- "sort-keys": "off", -- "prettier/prettier": ["error", { -- "singleQuote": true, -- "trailingComma": "all", -- "bracketSpacing": false, -- "printWidth": 120, -- "parser": "flow" -- }] -- }, -- "overrides": [ -- { -- "files": [ -- "__tests__/fixtures/**/*.js", -- "bin/*.js", -- "src/cli/index.js" -- ], -- "rules": { -- "no-console": "off" -- } -- }, -- { -- "files": [ -- "src/util/generate-pnp-map-api.tpl.js" -- ], -- "rules": { -- "prettier/prettier": ["error", { -- "singleQuote": true, -- "trailingComma": "es5", -- "bracketSpacing": false, -- "printWidth": 120, -- "parser": "flow" -- }] -- } -- } -- ] --} -diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json ---- yarn-1.22.22/package.json 2025-09-30 14:26:03.997138837 +0200 -+++ yarn-1.22.22-new/package.json 2025-09-30 14:26:04.000964590 +0200 -@@ -58,7 +58,6 @@ - }, - "devDependencies": { - "babel-core": "^6.26.0", -- "babel-eslint": "^7.2.3", - "babel-loader": "^6.2.5", - "babel-plugin-array-includes": "^2.0.3", - "babel-plugin-inline-import": "^3.0.0", -@@ -70,18 +69,6 @@ - "babel-preset-stage-0": "^6.0.0", - "babylon": "^6.5.0", - "cz-conventional-changelog": "^2.0.0", -- "eslint": "^4.3.0", -- "eslint-config-fb-strict": "^22.0.0", -- "eslint-plugin-babel": "^5.0.0", -- "eslint-plugin-flowtype": "^2.35.0", -- "eslint-plugin-jasmine": "^2.6.2", -- "eslint-plugin-jest": "^21.0.0", -- "eslint-plugin-jsx-a11y": "^6.0.2", -- "eslint-plugin-prefer-object-spread": "^1.2.1", -- "eslint-plugin-prettier": "^2.1.2", -- "eslint-plugin-react": "^7.1.0", -- "eslint-plugin-relay": "^0.0.28", -- "eslint-plugin-yarn-internal": "file:scripts/eslint-rules", - "execa": "^0.11.0", - "fancy-log": "^1.3.2", - "flow-bin": "^0.66.0", -@@ -122,9 +109,7 @@ - "build-win-installer": "scripts\\build-windows-installer.bat", - "changelog": "git-release-notes $(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)..$(git describe --tags --abbrev=0) scripts/changelog.md", - "dupe-check": "yarn jsinspect ./src", -- "lint": "eslint . && flow check", - "pkg-tests": "yarn --cwd packages/pkg-tests jest yarn.test.js", -- "prettier": "eslint src __tests__ --fix", - "release-branch": "./scripts/release-branch.sh", - "test": "yarn lint && yarn test-only", - "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose", diff --git a/yarn-update-jest.prebundle.patch b/yarn-update-jest.prebundle.patch deleted file mode 100644 index ec5049f..0000000 --- a/yarn-update-jest.prebundle.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -rupN yarn-1.22.22/package.json yarn-1.22.22-new/package.json ---- yarn-1.22.22/package.json 2024-03-09 22:33:28.000000000 +0100 -+++ yarn-1.22.22-new/package.json 2025-07-28 10:33:09.427716996 +0200 -@@ -93,7 +93,7 @@ - "gulp-newer": "^1.0.0", - "gulp-plumber": "^1.0.1", - "gulp-sourcemaps": "^2.2.0", -- "jest": "^22.4.4", -+ "jest": "^30.0.5", - "jsinspect": "^0.12.6", - "minimatch": "^3.0.4", - "mock-stdin": "^0.3.0", diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh old mode 100755 new mode 100644 index 363f5bf..2842ce3 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -1,22 +1,7 @@ #!/bin/sh version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1) -timestamp=$(date +%Y%m%d) -if [ ! -e v$version.tar.gz ]; then wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz -fi -rm -rf yarn-$version tar -zxf v$version.tar.gz cd yarn-$version -for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do -patch -p1 < $file -done -rm yarn.lock -yarn install -yarn autoclean --force -yarn audit fix -# Delete all binary files in node_modules -echo "Deleting binary files..." -find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm -cd .. -tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version +npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index 1fa8989..0511a22 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -1,59 +1,49 @@ -%global debug_package %{nil} %global npm_name yarn +# name yarn would probably confict with cmdtest and hadoop-yarn +# https://bugzilla.redhat.com/show_bug.cgi?id=1507312 +%global old_name nodejs-yarn %{?nodejs_find_provides_and_requires} %global enable_tests 1 # don't require bundled modules -%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ - -%global bundledate 20251203 +%global __requires_exclude_from ^%{nodejs_sitelib}/yarn/.*$ Name: yarnpkg -Version: 1.22.22 -Release: 14%{?dist} +Version: 1.22.10 +Release: 1%{?dist} Summary: Fast, reliable, and secure dependency management. -License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules -Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz +Source0: %{name}-v%{version}-bundled.tar.gz Source1: yarnpkg-tarball.sh +License: BSD -# These are applied by yarnpkg-tarball.sh -# yarn-update-jest.prebundle.patch -# yarn-no-commitizen.prebundle.patch -# yarn-no-eslint.prebundle.patch - -Patch0: CVE-2023-26136.patch -Patch1: CVE-2022-37599.patch -Patch2: CVE-2024-4067.patch -# https://github.com/yarnpkg/yarn/commit/97731871e674bf93bcbf29e9d3258da8685f3076.patch -Patch3: CVE-2025-8262.patch -# https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 -Patch4: CVE-2025-8263.patch - -ExclusiveArch: %{nodejs_arches} +BuildArch: noarch +ExclusiveArch: %{nodejs_arches} noarch BuildRequires: nodejs-packaging -%if 0%{?fedora} -BuildRequires: nodejs-npm -%else BuildRequires: npm -%endif + +# Package was renamed when Fedora 33 was rawhide +# Don't remove this before Fedora 35 +Obsoletes: %{old_name} < 1.22.4-1 +Provides: %{old_name} = %{version}-%{release} %description Fast, reliable, and secure dependency management. %prep -%autosetup -p1 -n %{npm_name}-%{version} - +%setup -q -n %{npm_name}-%{version} %build # use build script npm run build +# remove build dependencies from node_modules +npm prune --production %install mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name} @@ -64,22 +54,19 @@ cp -pr package.json lib bin node_modules \ mkdir -p %{buildroot}%{_bindir} ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn - -# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924) -sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \ - -i %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js +ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{fc_name} # Remove executable bits from bundled dependency tests find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \ -ipath '*/test/*' -type f -executable \ -exec chmod -x '{}' + - %if 0%{?enable_tests} %check %nodejs_symlink_deps --check if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi +if [[ $(%{buildroot}%{_bindir}/%{fc_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi %endif @@ -88,107 +75,10 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %license LICENSE %{_bindir}/yarnpkg %{_bindir}/yarn -%{nodejs_sitelib}/%{npm_name}/ - +%{_bindir}/%{fc_name} +%{nodejs_sitelib}/%{npm_name} %changelog -* Wed Dec 03 2025 Sandro Mani - 1.22.22-14 -- Bump release - -* Wed Dec 03 2025 Sandro Mani - 1.22.22-13 -- Refresh bundle, fixes CVE-2025-64756 - -* Tue Sep 30 2025 Sandro Mani - 1.22.22-12 -- Regenerate bundle, fixes CVE-2025-59343 -- Patch out eslint and commitizen devDependencies to reduce dependencies - -* Wed Jul 30 2025 Sandro Mani - 1.22.22-11 -- Refresh bundle -- Drop patches obsoleted by new bundle -- Add yarn-update-jest.prebundle.patch to update jest and avoid some vulerable dependencies -- Apply fixes for CVE-2025-8262 and CVE-2025-8263 - -* Fri Jul 25 2025 Fedora Release Engineering - 1.22.22-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Tue Jun 24 2025 Sandro Mani - 1.22.22-9 -- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547. - -* Wed Jun 04 2025 Sandro Mani - 1.22.22-8 -- Refresh bundle tarball for CVE-2025-48387 - -* Fri Mar 28 2025 Sandro Mani - 1.22.22-7 -- Fix CVE-2024-12905 - -* Sun Jan 19 2025 Fedora Release Engineering - 1.22.22-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Tue Oct 15 2024 Sandro Mani - 1.22.22-5 -- Update bundled ws (CVE-2024-37890) - -* Thu Oct 10 2024 Sandro Mani - 1.22.22-4 -- Update bundled elliptic (CVE-2024-48949) - -* Sat Jul 20 2024 Fedora Release Engineering - 1.22.22-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Thu Jul 04 2024 Sandro Mani - 1.22.22-2 -- Backport patch for CVE-2024-4067 - -* Sat Mar 09 2024 Sandro Mani - 1.22.22-1 -- Update to 1.22.22 - -* Mon Feb 19 2024 Sandro Mani - 1.22.21-2 -- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234 - -* Fri Feb 16 2024 Sandro Mani - 1.22.21-1 -- Update to 1.22.21 - -* Sat Jan 27 2024 Fedora Release Engineering - 1.22.19-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Sat Jul 22 2023 Fedora Release Engineering - 1.22.19-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Wed May 03 2023 Sandro Mani - 1.22.19-6 -- Rebuild (nodejs20) - -* Tue Mar 21 2023 Sandro Mani - 1.22.19-5 -- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517, - CVE-2020-7677 - -* Sat Jan 21 2023 Fedora Release Engineering - 1.22.19-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Wed Jan 11 2023 Sandro Mani - 1.22.19-3 -- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677 - -* Tue Jan 03 2023 Sandro Mani - 1.22.19-2 -- Backport fix for CVE-2021-35065 for bundled glob-parent - -* Thu Dec 15 2022 Sandro Mani - 1.22.19-1 -- Update to 1.22.19 - -* Sat Jul 23 2022 Fedora Release Engineering - 1.22.17-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Sat Jan 22 2022 Fedora Release Engineering - 1.22.17-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1 -- Update to latest upstream release -- use --force in yarnpkg-tarball.sh to workaround dependency conflincts - -* Mon Aug 30 2021 Neal Gompa - 1.22.10-4 -- Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924) -- Fix broken macro variable for legacy "nodejs-yarn" binary name (RHBZ#1904279) - -* Fri Jul 23 2021 Fedora Release Engineering - 1.22.10-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Jan 28 2021 Fedora Release Engineering - 1.22.10-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - * Fri Oct 09 2020 zsvetlik@redhat.com - 1.22.10-1 - Update to 1.22.10 - Resolves: RHBZ#1816262, RHBZ#1851876