From f5e2b249a9f50964f1d87a57671274a462ab200e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 28 Jan 2021 00:31:05 +0000 Subject: [PATCH 01/41] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 0511a22..f7eeeae 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.10 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -79,6 +79,9 @@ if [[ $(%{buildroot}%{_bindir}/%{fc_name} --version) == %{version} ]] ; then ech %{nodejs_sitelib}/%{npm_name} %changelog +* Thu Jan 28 2021 Fedora Release Engineering - 1.22.10-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Fri Oct 09 2020 zsvetlik@redhat.com - 1.22.10-1 - Update to 1.22.10 - Resolves: RHBZ#1816262, RHBZ#1851876 From 14ae8539b16c3c622ee83102a0b6f95a21985929 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 22:06:05 +0000 Subject: [PATCH 02/41] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index f7eeeae..acd87dc 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.10 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules 
@@ -79,6 +79,9 @@ if [[ $(%{buildroot}%{_bindir}/%{fc_name} --version) == %{version} ]] ; then ech %{nodejs_sitelib}/%{npm_name} %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 1.22.10-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Thu Jan 28 2021 Fedora Release Engineering - 1.22.10-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild From 7769ea91f435e808a8b5991157a3cf2d0b880b89 Mon Sep 17 00:00:00 2001 From: Neal Gompa Date: Mon, 30 Aug 2021 10:33:50 -0400 Subject: [PATCH 03/41] Misc fixes to make yarnpkg usable - Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924) - Fix broken macro variable for legacy "nodejs-yarn" binary name --- yarnpkg.spec | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index acd87dc..2966097 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -8,11 +8,11 @@ %global enable_tests 1 # don't require bundled modules -%global __requires_exclude_from ^%{nodejs_sitelib}/yarn/.*$ +%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ Name: yarnpkg Version: 1.22.10 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules 
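Review bot: The narrowed `__requires_exclude_from` pattern on the `+%global` line is mentioned neither in the subject nor in the changelog entry, and its effect is not obvious from the regex: the old pattern excluded every file under `%{nodejs_sitelib}/yarn/`, while the new one covers only `lib/` and the `bin/yarn*` entry points, so anything else in the tree — presumably the bundled `node_modules/` — is now handed to the automatic Requires generator. If that is intended, a one-line comment above the macro should say so, e.g. `# only skip yarn's own lib/ and bin/ entry points; the rest of the tree is still scanned for Requires`; if not, the old `^%{nodejs_sitelib}/yarn/.*$` should be kept. Either way the changelog entry in the later hunk should list this change alongside the two it does list.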
@@ -54,7 +54,11 @@ cp -pr package.json lib bin node_modules \ mkdir -p %{buildroot}%{_bindir} ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn -ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{fc_name} +ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{old_name} + +# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924) +sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \ + -i %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js # Remove executable bits from bundled dependency tests find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \ @@ -66,7 +70,7 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \ %nodejs_symlink_deps --check if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi -if [[ $(%{buildroot}%{_bindir}/%{fc_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi +if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi %endif @@ -75,10 +79,14 @@ if [[ $(%{buildroot}%{_bindir}/%{fc_name} --version) == %{version} ]] ; then ech %license LICENSE %{_bindir}/yarnpkg %{_bindir}/yarn -%{_bindir}/%{fc_name} -%{nodejs_sitelib}/%{npm_name} +%{_bindir}/%{old_name} +%{nodejs_sitelib}/%{npm_name}/ %changelog +* Mon Aug 30 2021 Neal Gompa - 1.22.10-4 +- Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924) +- Fix broken macro variable for legacy "nodejs-yarn" binary name + * Fri Jul 23 2021 Fedora Release Engineering - 1.22.10-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild 
From b38f2959a1b304870777c22ee62b8493479e82a7 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova
Date: Tue, 23 Nov 2021 13:24:00 +0100
Subject: [PATCH 04/41] Update to latest upstream release

use --force in yarnpkg-tarball.sh to workaround dependency conflincts
---
 .gitignore | 1 +
 sources | 2 +-
 yarnpkg-tarball.sh | 2 +-
 yarnpkg.spec | 10 +++++++---
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/.gitignore b/.gitignore
index 15a9635..9cf6025 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /yarnpkg-v1.22.4-bundled.tar.gz
 /yarnpkg-v1.22.10-bundled.tar.gz
+/yarnpkg-v1.22.17-bundled.tar.gz
diff --git a/sources b/sources
index ea4bb0b..34133ef 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.10-bundled.tar.gz) = 74004919de065831a38c89e82da17dc92145b1bcbb927534bc9b41a78b8819a3e461aae04422088dd6799a71747e1f21b36c9cf64237614beffbdcd147dd872c
+SHA512 (yarnpkg-v1.22.17-bundled.tar.gz) = d43e48fbe0c514a273d82da20a6132b6ad45a22734952b1b94ba31fc34cbac6af07dede5d0fc07c051e61e2fde24059bced3daedd800f6a01820b48a435070b3
diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh
index 2842ce3..5de12f2 100644
--- a/yarnpkg-tarball.sh
+++ b/yarnpkg-tarball.sh
@@ -4,4 +4,4 @@ version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
 wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz
 tar -zxf v$version.tar.gz
 cd yarn-$version
-npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version
+npm install --force && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 2966097..c915258 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
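Review bot: `npm install --force` on the new last line of yarnpkg-tarball.sh overrides whatever peer-dependency conflicts npm reported instead of resolving them, and nothing in the script or the commit message records which conflicts were overridden, so the bundled tree in the resulting tarball cannot be reviewed against a stated intent. The `wget` of the upstream GitHub archive two lines above is also never checked against a known digest — only the bundled output gets a SHA512 in `sources` — so the provenance of the input tree rests entirely on the TLS connection to github.com at the time the script was run. At minimum add a comment naming the conflict that `--force` papers over, and verify the download before unpacking it, e.g. `echo "<sha512>  v$version.tar.gz" | sha512sum -c - || exit 1`.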
@@ -11,8 +11,8 @@ %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ Name: yarnpkg -Version: 1.22.10 -Release: 4%{?dist} +Version: 1.22.17 +Release: 1%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -83,9 +83,13 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1 +- Update to latest upstream release +- use --force in yarnpkg-tarball.sh to workaround dependency conflincts + * Mon Aug 30 2021 Neal Gompa - 1.22.10-4 - Work around broken brp-mangle-shebangs behavior (see RHBZ#1998924) -- Fix broken macro variable for legacy "nodejs-yarn" binary name +- Fix broken macro variable for legacy "nodejs-yarn" binary name (RHBZ#1904279) * Fri Jul 23 2021 Fedora Release Engineering - 1.22.10-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From 977dfba16065870554e57335a9ce1ebdc91e608f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jan 2022 05:39:40 +0000 Subject: [PATCH 05/41] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index c915258..e13ecf4 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.17 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules 
@@ -83,6 +83,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Jan 22 2022 Fedora Release Engineering - 1.22.17-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Tue Nov 23 2021 zsvetlik@redhat.com - 1.22.17-1 - Update to latest upstream release - use --force in yarnpkg-tarball.sh to workaround dependency conflincts From a65e133d85e50675b5d3fe6edfd0963aeb4864ee Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 23 Jul 2022 13:42:32 +0000 Subject: [PATCH 06/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index e13ecf4..a7d79cb 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.17 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -83,6 +83,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Jul 23 2022 Fedora Release Engineering - 1.22.17-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Sat Jan 22 2022 Fedora Release Engineering - 1.22.17-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From c55f8d1c429fb29a837f2b6598075508b71a7c5d Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Thu, 15 Dec 2022 10:33:55 +0100 Subject: [PATCH 07/41] Update to 1.22.19 --- .gitignore | 1 + sources | 2 +- yarnpkg-tarball.sh | 3 ++- yarnpkg.spec | 7 +++++-- 4 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 9cf6025..0a7a7cb 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,3 +1,4 @@ /yarnpkg-v1.22.4-bundled.tar.gz /yarnpkg-v1.22.10-bundled.tar.gz /yarnpkg-v1.22.17-bundled.tar.gz +/yarnpkg-v1.22.19-bundled.tar.gz diff --git a/sources b/sources index 34133ef..8d40ec4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.17-bundled.tar.gz) = d43e48fbe0c514a273d82da20a6132b6ad45a22734952b1b94ba31fc34cbac6af07dede5d0fc07c051e61e2fde24059bced3daedd800f6a01820b48a435070b3 +SHA512 (yarnpkg-v1.22.19-bundled.tar.gz) = bc5bb744bf157812e5342b75e520007ce1df1a43b790d68523a7646ac5cd166bb8201cf58faab4efdce6eda0764ff256d69940c4cb2173a891c436e3db51a07d diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh index 5de12f2..821f3f4 100644 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -4,4 +4,5 @@ version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1) wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz tar -zxf v$version.tar.gz cd yarn-$version -npm install --force && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version +sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json +npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index a7d79cb..ee7a5f5 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -11,8 +11,8 @@ %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ Name: yarnpkg -Version: 1.22.17 -Release: 3%{?dist} +Version: 1.22.19 +Release: 1%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -83,6 +83,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Thu Dec 15 2022 Sandro Mani - 1.22.19-1 +- Update to 1.22.19 + * Sat Jul 23 2022 Fedora Release Engineering - 1.22.17-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
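Review bot: The added `sed -i` in yarnpkg-tarball.sh silently does nothing if upstream's package.json no longer contains the exact string `"eslint-plugin-babel": "^5.0.0",`, and since the result is not checked the script would then bundle a different dependency set with no signal. The quoting `s'|...|'` also works only by shell concatenation; the conventional form is `sed -i 's|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json` followed by `grep -qF '"eslint-plugin-babel": "^4.1.1"' package.json || exit 1`. A comment stating why the downgrade is needed (what fails with 5.x is not visible in this commit) would help the next person who bumps the version.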
From d7e51e4b14620c6258e3f0142d5ecc72d64f67f8 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Thu, 22 Dec 2022 11:15:50 +0100 Subject: [PATCH 08/41] BR npm -> nodejs-npm --- yarnpkg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index ee7a5f5..112ed4f 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -24,7 +24,7 @@ BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch BuildRequires: nodejs-packaging -BuildRequires: npm +BuildRequires: nodejs-npm # Package was renamed when Fedora 33 was rawhide # Don't remove this before Fedora 35 From 5edaaae32546e039de4bb6c22e2f90f9d65cad0c Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 4 Jan 2023 00:12:17 +0100 Subject: [PATCH 09/41] Backport fix for CVE-2021-35065 for bundled glob-parent --- glob-parent-CVE-2021-35065.patch | 39 ++++++++++++++++++++++++++++++++ yarnpkg.spec | 11 +++++++-- 2 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 glob-parent-CVE-2021-35065.patch diff --git a/glob-parent-CVE-2021-35065.patch b/glob-parent-CVE-2021-35065.patch new file mode 100644 index 0000000..c7b1fb1 --- /dev/null +++ b/glob-parent-CVE-2021-35065.patch 
@@ -0,0 +1,39 @@ +diff -rupN --no-dereference yarn-1.22.19/node_modules/glob-parent/index.js yarn-1.22.19-new/node_modules/glob-parent/index.js +--- yarn-1.22.19/node_modules/glob-parent/index.js 2022-12-15 10:13:44.000000000 +0100 ++++ yarn-1.22.19-new/node_modules/glob-parent/index.js 2023-01-04 00:11:24.718113215 +0100 +@@ -10,7 +10,7 @@ module.exports = function globParent(str + if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/'); + + // special case for strings ending in enclosure containing path separator +- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/'; ++ if (isEnclosure(str)) str += '/'; + + // preserves full path in case of trailing path separator + str += 'a'; +@@ -22,3 +22,26 @@ module.exports = function globParent(str + // remove escape chars and return result + return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1'); + }; ++ ++function isEnclosure(str) { ++ var lastChar = str.slice(-1) ++ ++ var enclosureStart; ++ switch (lastChar) { ++ case '}': ++ enclosureStart = '{'; ++ break; ++ case ']': ++ enclosureStart = '['; ++ break; ++ default: ++ return false; ++ } ++ ++ var foundIndex = str.indexOf(enclosureStart); ++ if (foundIndex < 0) { ++ return false; ++ } ++ ++ return str.slice(foundIndex + 1, -1).includes('/'); ++} diff --git a/yarnpkg.spec b/yarnpkg.spec index 112ed4f..04c1b2d 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.19 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -20,6 +20,9 @@ Source0: %{name}-v%{version}-bundled.tar.gz Source1: yarnpkg-tarball.sh License: BSD +# Backport fix for CVE-2021-35065 for bundled glob-parent +Patch1: glob-parent-CVE-2021-35065.patch + BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch 
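Review bot: The new `Patch1` comment says which CVE it addresses but not where the backport comes from, which matters for a patch that rewrites a vendored file under `node_modules/`: the next person to regenerate the bundled tarball has no way to tell whether the bundled glob-parent already carries the fix and the patch can be dropped. Record the provenance and the upstream version that carries the fix, e.g. `# Backport fix for CVE-2021-35065 for bundled glob-parent (from upstream glob-parent <fixed version>; drop once the bundled copy is at or above it)`. The switch to `%autosetup -p1` in the following hunk is what makes the patch apply and is fine.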
@@ -36,7 +39,8 @@ Fast, reliable, and secure dependency management. %prep -%setup -q -n %{npm_name}-%{version} +%autosetup -p1 -n %{npm_name}-%{version} + %build # use build script @@ -83,6 +87,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Tue Jan 03 2023 Sandro Mani - 1.22.19-2 +- Backport fix for CVE-2021-35065 for bundled glob-parent + * Thu Dec 15 2022 Sandro Mani - 1.22.19-1 - Update to 1.22.19 From ec947c0d94c444f4bb066a75807916012c7dfcb9 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 4 Jan 2023 00:20:43 +0100 Subject: [PATCH 10/41] BR npm on fedora < 38 --- yarnpkg.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/yarnpkg.spec b/yarnpkg.spec index 04c1b2d..31bd798 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -27,7 +27,11 @@ BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch BuildRequires: nodejs-packaging +%if 0%{?fedora} > 37 BuildRequires: nodejs-npm +%else +BuildRequires: npm +%endif # Package was renamed when Fedora 33 was rawhide # Don't remove this before Fedora 35 From 652c375ec7400fd3d7cb3be8897f6edb94b589e7 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 11 Jan 2023 15:17:16 +0100 Subject: [PATCH 11/41] Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677 --- async-CVE-2021-43138.prebundle.patch | 12 ++++++++++++ minimatch-CVE-2022-3517.prebundle.patch | 12 ++++++++++++ sources | 2 +- thenify-CVE-2020-7677.prebundle.patch | 12 ++++++++++++ yarnpkg-tarball.sh | 3 +++ yarnpkg.spec | 5 +++++ 6 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 async-CVE-2021-43138.prebundle.patch create mode 100644 minimatch-CVE-2022-3517.prebundle.patch create mode 100644 thenify-CVE-2020-7677.prebundle.patch diff --git a/async-CVE-2021-43138.prebundle.patch b/async-CVE-2021-43138.prebundle.patch new file mode 100644 index 0000000..9c76e69 --- /dev/null +++ b/async-CVE-2021-43138.prebundle.patch 
@@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200 ++++ yarn-1.22.19-new/yarn.lock 2023-01-11 13:58:01.877559819 +0100 +@@ -498,7 +498,7 @@ async@^1.4.0: + integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo= + + async@^2.1.2, async@^2.1.4: +- version "2.6.1" ++ version "2.6.4" + resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610" + integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ== + dependencies: diff --git a/minimatch-CVE-2022-3517.prebundle.patch b/minimatch-CVE-2022-3517.prebundle.patch new file mode 100644 index 0000000..0f2cf18 --- /dev/null +++ b/minimatch-CVE-2022-3517.prebundle.patch @@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2023-01-11 13:58:23.728600342 +0100 ++++ yarn-1.22.19-new/yarn.lock 2023-01-11 13:58:39.441629806 +0100 +@@ -5235,7 +5235,7 @@ minimalistic-crypto-utils@^1.0.0, minima + integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= + + "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4: +- version "3.0.4" ++ version "3.0.5" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" + integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== + dependencies: diff --git a/sources b/sources index 8d40ec4..b9a06d0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.19-bundled.tar.gz) = bc5bb744bf157812e5342b75e520007ce1df1a43b790d68523a7646ac5cd166bb8201cf58faab4efdce6eda0764ff256d69940c4cb2173a891c436e3db51a07d +SHA512 (yarnpkg-v1.22.19-bundled.tar.gz) = 1338be756b3261b6dd0c38132239b7d66afeb152cdbcdd1c942a05d19dae2a9f94def4a4efb31ca2a92b7627029c7a347882bd68d06e98d298a2767dba150270 
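Review bot: The new async-CVE-2021-43138.prebundle.patch bumps only the `version` line of the yarn.lock entry (2.6.1 → 2.6.4) while `resolved` still points at `async-2.6.1.tgz` and `integrity` still holds the 2.6.1 hash, so the entry is internally inconsistent; the minimatch patch on this same line has the same shape. Whether the consumer of this lockfile honours `version` or `resolved` is not visible here, but in either case the recorded integrity no longer describes what the entry claims, so the CVE fix is not actually pinned and the `sources` hash change that follows cannot be reviewed against it. Each patch should replace all three fields, and any changed `dependencies:` lines, with the values for the new release, as the later patch in this series titled "proper fixes" does.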
diff --git a/thenify-CVE-2020-7677.prebundle.patch b/thenify-CVE-2020-7677.prebundle.patch new file mode 100644 index 0000000..b3614aa --- /dev/null +++ b/thenify-CVE-2020-7677.prebundle.patch @@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2023-01-11 13:59:22.463711801 +0100 ++++ yarn-1.22.19-new/yarn.lock 2023-01-11 13:59:40.665747047 +0100 +@@ -7212,7 +7212,7 @@ thenify-all@^1.0.0: + thenify ">= 3.1.0 < 4" + + "thenify@>= 3.1.0 < 4": +- version "3.3.0" ++ version "3.3.1" + resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839" + integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk= + dependencies: diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh index 821f3f4..9374e8f 100644 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -4,5 +4,8 @@ version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1) wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz tar -zxf v$version.tar.gz cd yarn-$version +for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do +patch -p1 < $file +done sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index 31bd798..6b3b7ab 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -20,6 +20,11 @@ Source0: %{name}-v%{version}-bundled.tar.gz Source1: yarnpkg-tarball.sh License: BSD +# These are applied by yarnpkg-tarball.sh +# async-CVE-2021-43138.prebundle.patch +# minimatch-CVE-2022-3517.prebundle.patch +# thenify-CVE-2020-7677.prebundle.patch + # Backport fix for CVE-2021-35065 for bundled glob-parent Patch1: glob-parent-CVE-2021-35065.patch From 1e3f182ab89f63f02a613f26376757ad9213a1b7 Mon Sep 17 00:00:00 2001 
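Review bot: The new loop applies the `*.prebundle.patch` files without checking that `patch` succeeded, and the script runs under `#!/bin/sh` (outside this hunk) with no `set -e`, so a patch that no longer applies after a version bump is silently skipped and `npm install` then bundles the unfixed dependency — the CVE backports this commit adds would drop out of the tarball with no signal. The `$(ls -1 ...)` iteration also word-splits and is unquoted; a plain glob with an existence guard is the usual form. Rewritten loop:
```shell
# … unchanged: cd yarn-$version …
for file in ../*.prebundle.patch; do
  [ -e "$file" ] || continue
  patch -p1 < "$file" || exit 1
done
# … unchanged: sed, npm install, tar …
```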
From: Sandro Mani Date: Wed, 11 Jan 2023 15:31:49 +0100 Subject: [PATCH 12/41] Bump release --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 6b3b7ab..14def0b 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.19 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -96,6 +96,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Wed Jan 11 2023 Sandro Mani - 1.22.19-3 +- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677 + * Tue Jan 03 2023 Sandro Mani - 1.22.19-2 - Backport fix for CVE-2021-35065 for bundled glob-parent From b3964f3ad6db478a56d7a68a7d532717aa4edd82 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 21 Jan 2023 08:02:42 +0000 Subject: [PATCH 13/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 14def0b..4c98f77 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.19 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -96,6 +96,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Jan 21 2023 Fedora Release Engineering - 1.22.19-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Wed Jan 11 2023 Sandro Mani - 1.22.19-3 - Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677 From 3f6c4fd9e9bbf6717dd761f9b6553ea297e3b3ca Mon Sep 17 00:00:00 2001 
From: Sandro Mani Date: Tue, 21 Mar 2023 14:51:21 +0100 Subject: [PATCH 14/41] Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677 --- .gitignore | 1 + async-CVE-2021-43138.prebundle.patch | 31 +++++++++++++++---- ...i-component-CVE-2022-38900.prebundle.patch | 16 ++++++++++ minimatch-CVE-2022-3517.prebundle.patch | 18 ++++++----- sources | 2 +- thenify-CVE-2020-7677.prebundle.patch | 16 ++++++---- yarnpkg-tarball.sh | 7 ++++- yarnpkg.spec | 11 +++++-- 8 files changed, 79 insertions(+), 23 deletions(-) create mode 100644 decode-uri-component-CVE-2022-38900.prebundle.patch diff --git a/.gitignore b/.gitignore index 0a7a7cb..be7c0f5 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /yarnpkg-v1.22.10-bundled.tar.gz /yarnpkg-v1.22.17-bundled.tar.gz /yarnpkg-v1.22.19-bundled.tar.gz +/yarnpkg-v1.22.19-bundled-20230321.tar.gz diff --git a/async-CVE-2021-43138.prebundle.patch b/async-CVE-2021-43138.prebundle.patch index 9c76e69..f426b87 100644 --- a/async-CVE-2021-43138.prebundle.patch +++ b/async-CVE-2021-43138.prebundle.patch 
@@ -1,12 +1,31 @@ -diff -rupN yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200 -+++ yarn-1.22.19-new/yarn.lock 2023-01-11 13:58:01.877559819 +0100 -@@ -498,7 +498,7 @@ async@^1.4.0: +diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2023-03-21 11:58:50.508393147 +0100 ++++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:59:28.850636157 +0100 +@@ -498,11 +498,11 @@ async@^1.4.0: integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo= async@^2.1.2, async@^2.1.4: - version "2.6.1" +- resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610" +- integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ== + version "2.6.4" - resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610" - integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ== ++ resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221" ++ integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA== dependencies: +- lodash "^4.17.10" ++ lodash "^4.17.14" + + asynckit@^0.4.0: + version "0.4.0" +@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@ + resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7" + integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg== + ++lodash@^4.17.14: ++ version "4.17.21" ++ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" ++ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== ++ + longest@^1.0.1: + version "1.0.1" + resolved 
"https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097" diff --git a/decode-uri-component-CVE-2022-38900.prebundle.patch b/decode-uri-component-CVE-2022-38900.prebundle.patch new file mode 100644 index 0000000..0364a0a --- /dev/null +++ b/decode-uri-component-CVE-2022-38900.prebundle.patch @@ -0,0 +1,16 @@ +diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200 ++++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:57:26.891976168 +0100 +@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1: + integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA= + + decode-uri-component@^0.2.0: +- version "0.2.0" +- resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545" +- integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU= ++ version "0.2.2" ++ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9" ++ integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ== + + dedent@0.6.0: + version "0.6.0" diff --git a/minimatch-CVE-2022-3517.prebundle.patch b/minimatch-CVE-2022-3517.prebundle.patch index 0f2cf18..3238222 100644 --- a/minimatch-CVE-2022-3517.prebundle.patch +++ b/minimatch-CVE-2022-3517.prebundle.patch 
@@ -1,12 +1,16 @@ -diff -rupN yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-01-11 13:58:23.728600342 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-01-11 13:58:39.441629806 +0100 -@@ -5235,7 +5235,7 @@ minimalistic-crypto-utils@^1.0.0, minima +diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2023-03-21 12:00:04.395885047 +0100 ++++ yarn-1.22.19-new/yarn.lock 2023-03-21 12:00:32.419095290 +0100 +@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4: - version "3.0.4" -+ version "3.0.5" - resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" - integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== +- resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" +- integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== ++ version "3.1.2" ++ resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" ++ integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== dependencies: + brace-expansion "^1.1.7" + diff --git a/sources b/sources index b9a06d0..d63cfe0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.19-bundled.tar.gz) = 1338be756b3261b6dd0c38132239b7d66afeb152cdbcdd1c942a05d19dae2a9f94def4a4efb31ca2a92b7627029c7a347882bd68d06e98d298a2767dba150270 +SHA512 (yarnpkg-v1.22.19-bundled-20230321.tar.gz) = 0ac081346a3c8006d535736c62b874ea50f7295fa3beeda7b1773564309f20c3eca72061bca8307c26b19d27fcbce0256019ee5baf54c01e6658d2fa815dae22 
diff --git a/thenify-CVE-2020-7677.prebundle.patch b/thenify-CVE-2020-7677.prebundle.patch index b3614aa..ac40234 100644 --- a/thenify-CVE-2020-7677.prebundle.patch +++ b/thenify-CVE-2020-7677.prebundle.patch @@ -1,12 +1,16 @@ -diff -rupN yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-01-11 13:59:22.463711801 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-01-11 13:59:40.665747047 +0100 -@@ -7212,7 +7212,7 @@ thenify-all@^1.0.0: +diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock +--- yarn-1.22.19/yarn.lock 2023-03-21 11:57:48.181065612 +0100 ++++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:58:21.377228725 +0100 +@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0: thenify ">= 3.1.0 < 4" "thenify@>= 3.1.0 < 4": - version "3.3.0" +- resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839" +- integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk= + version "3.3.1" - resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839" - integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk= ++ resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f" ++ integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw== dependencies: + any-promise "^1.0.0" + diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh index 9374e8f..5d5fc0e 100644 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -1,6 +1,8 @@ #!/bin/sh version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1) +timestamp=$(date +%Y%m%d) +rm -f v$version.tar.gz wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz tar -zxf v$version.tar.gz cd yarn-$version 
@@ -8,4 +10,7 @@ for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do patch -p1 < $file done sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json -npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version +npm install +npm audit fix +cd .. +tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index 4c98f77..70820f6 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -10,13 +10,15 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ +%global bundledate 20230321 + Name: yarnpkg Version: 1.22.19 -Release: 4%{?dist} +Release: 5%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules -Source0: %{name}-v%{version}-bundled.tar.gz +Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz Source1: yarnpkg-tarball.sh License: BSD @@ -24,6 +26,7 @@ License: BSD # async-CVE-2021-43138.prebundle.patch # minimatch-CVE-2022-3517.prebundle.patch # thenify-CVE-2020-7677.prebundle.patch +# decode-uri-component-CVE-2022-38900.prebundle.patch # Backport fix for CVE-2021-35065 for bundled glob-parent Patch1: glob-parent-CVE-2021-35065.patch @@ -96,6 +99,10 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Tue Mar 21 2023 Sandro Mani - 1.22.19-5 +- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517, + CVE-2020-7677 + * Sat Jan 21 2023 Fedora Release Engineering - 1.22.19-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 16f74878c5299a26f3c0a508bf7254065e96c6e7 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Tue, 21 Mar 2023 15:10:34 +0100 Subject: [PATCH 15/41] BR: nodejs-npm also for F37 --- yarnpkg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
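Review bot: Splitting `npm install && cd .. && tar ...` into four separate statements drops the failure chaining the old line had: with no `set -e` in this script, a failing `npm install` or `npm audit fix` no longer prevents `cd ..` and `tar -zcf` from producing a bundle, and the digest recorded in `sources` would then cover an incomplete tree. Either keep the `&&` chain or enable `set -e` at the top of the script. Separately, `npm audit fix` resolves against whatever the registry serves at run time, so the bundle contents (and the hash in `sources`) depend on the day the script runs rather than on the committed prebundle patches alone; a comment such as `# npm audit fix pulls current registry versions: the bundle is only reproducible together with $timestamp` makes that explicit for the next packager.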
diff --git a/yarnpkg.spec b/yarnpkg.spec index 70820f6..bbcb5f1 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -35,7 +35,7 @@ BuildArch: noarch ExclusiveArch: %{nodejs_arches} noarch BuildRequires: nodejs-packaging -%if 0%{?fedora} > 37 +%if 0%{?fedora} >= 37 BuildRequires: nodejs-npm %else BuildRequires: npm From 5dda4bd63c6ec073e26910b16aa3f209f4d9bd03 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 3 May 2023 14:45:29 +0200 Subject: [PATCH 16/41] Rebuild (nodejs20) --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index bbcb5f1..4b2b700 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -14,7 +14,7 @@ Name: yarnpkg Version: 1.22.19 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -99,6 +99,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Wed May 03 2023 Sandro Mani - 1.22.19-6 +- Rebuild (nodejs20) + * Tue Mar 21 2023 Sandro Mani - 1.22.19-5 - Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677 From 1fee24d03ccbdb5564ca43405b8dd1fe66e2bfd2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 19:28:24 +0000 Subject: [PATCH 17/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 4b2b700..75ae8a0 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -14,7 +14,7 @@ Name: yarnpkg Version: 1.22.19 -Release: 6%{?dist} +Release: 7%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules 
@@ -99,6 +99,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Jul 22 2023 Fedora Release Engineering - 1.22.19-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Wed May 03 2023 Sandro Mani - 1.22.19-6 - Rebuild (nodejs20) From ead93bd06af2a03f0dc7d5973c9bb698e1499c66 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 10:40:49 +0000 Subject: [PATCH 18/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 75ae8a0..01ad7a1 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -14,7 +14,7 @@ Name: yarnpkg Version: 1.22.19 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Fast, reliable, and secure dependency management. URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules @@ -99,6 +99,9 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Jan 27 2024 Fedora Release Engineering - 1.22.19-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Sat Jul 22 2023 Fedora Release Engineering - 1.22.19-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild From aaadf7e09259079417d0619b918857c108b6f615 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Sat, 17 Feb 2024 00:36:17 +0100 Subject: [PATCH 19/41] Update to 1.22.21 --- .gitignore | 1 + glob-parent-CVE-2021-35065.patch | 39 -------------------------------- sources | 2 +- yarnpkg-tarball.sh | 9 ++++---- yarnpkg.spec | 39 +++++++++----------------------- 5 files changed, 18 insertions(+), 72 deletions(-) delete mode 100644 glob-parent-CVE-2021-35065.patch diff --git a/.gitignore b/.gitignore index be7c0f5..f77bf22 100644 --- a/.gitignore +++ b/.gitignore 
@@ -3,3 +3,4 @@ /yarnpkg-v1.22.17-bundled.tar.gz /yarnpkg-v1.22.19-bundled.tar.gz /yarnpkg-v1.22.19-bundled-20230321.tar.gz +/yarnpkg-v1.22.21-bundled-20240217.tar.gz diff --git a/glob-parent-CVE-2021-35065.patch b/glob-parent-CVE-2021-35065.patch deleted file mode 100644 index c7b1fb1..0000000 --- a/glob-parent-CVE-2021-35065.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -rupN --no-dereference yarn-1.22.19/node_modules/glob-parent/index.js yarn-1.22.19-new/node_modules/glob-parent/index.js ---- yarn-1.22.19/node_modules/glob-parent/index.js 2022-12-15 10:13:44.000000000 +0100 -+++ yarn-1.22.19-new/node_modules/glob-parent/index.js 2023-01-04 00:11:24.718113215 +0100 -@@ -10,7 +10,7 @@ module.exports = function globParent(str - if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/'); - - // special case for strings ending in enclosure containing path separator -- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/'; -+ if (isEnclosure(str)) str += '/'; - - // preserves full path in case of trailing path separator - str += 'a'; -@@ -22,3 +22,26 @@ module.exports = function globParent(str - // remove escape chars and return result - return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1'); - }; -+ -+function isEnclosure(str) { -+ var lastChar = str.slice(-1) -+ -+ var enclosureStart; -+ switch (lastChar) { -+ case '}': -+ enclosureStart = '{'; -+ break; -+ case ']': -+ enclosureStart = '['; -+ break; -+ default: -+ return false; -+ } -+ -+ var foundIndex = str.indexOf(enclosureStart); -+ if (foundIndex < 0) { -+ return false; -+ } -+ -+ return str.slice(foundIndex + 1, -1).includes('/'); -+} diff --git a/sources b/sources index d63cfe0..6d96a41 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.19-bundled-20230321.tar.gz) = 0ac081346a3c8006d535736c62b874ea50f7295fa3beeda7b1773564309f20c3eca72061bca8307c26b19d27fcbce0256019ee5baf54c01e6658d2fa815dae22 +SHA512 (yarnpkg-v1.22.21-bundled-20240217.tar.gz) = f11c4dbf561c6ccf9e0d810d72c20bddd3b07d0f080b3188dad0d1587e278c321babf93c58eeb38fe994f0623afb6ca1d91044be7d6f04b48e354ca99a71b0c8 diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh index 5d5fc0e..9b6a2e5 100644 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -2,15 +2,16 @@ version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1) timestamp=$(date +%Y%m%d) -rm -f v$version.tar.gz +if [ ! -e v$version.tar.gz ]; then wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz +fi +rm -rf yarn-$version tar -zxf v$version.tar.gz cd yarn-$version for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do patch -p1 < $file done -sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json -npm install -npm audit fix +yarn install +yarn audit fix cd .. tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index 01ad7a1..f138323 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -1,7 +1,5 @@ +%global debug_package %{nil} %global npm_name yarn -# name yarn would probably confict with cmdtest and hadoop-yarn -# https://bugzilla.redhat.com/show_bug.cgi?id=1507312 -%global old_name nodejs-yarn %{?nodejs_find_provides_and_requires} 
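Review bot: The new `if [ ! -e v$version.tar.gz ]` guard reuses any file of that name, including a truncated download left behind by an interrupted `wget`, and nothing validates it before `tar -zxf`; since the script has no `set -e`, a failed extraction is followed by `cd yarn-$version` failing and `yarn install` running in the packaging directory. Verifying the cached archive against a recorded digest before the `if`, or at minimum `tar -zxf v$version.tar.gz || exit 1`, avoids that. Switching from `npm install` to `yarn install` / `yarn audit fix` means the bundle is now produced by the tool it packages (the spec hunk in this commit adds `BuildRequires: yarnpkg`), which deserves a line in the script, e.g. `# regenerating the bundle requires an installed yarn (yarnpkg)`. The added `rm -rf yarn-$version` is unquoted and unguarded; `rm -rf -- "yarn-${version:?}"` refuses to run when the rpm query fails and `version` is empty.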
@@ -10,17 +8,17 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20230321 +%global bundledate 20240217 Name: yarnpkg -Version: 1.22.19 -Release: 8%{?dist} +Version: 1.22.21 +Release: 1%{?dist} Summary: Fast, reliable, and secure dependency management. +License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn # we need tarball with node_modules Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz Source1: yarnpkg-tarball.sh -License: BSD # These are applied by yarnpkg-tarball.sh # async-CVE-2021-43138.prebundle.patch @@ -28,23 +26,10 @@ License: BSD # thenify-CVE-2020-7677.prebundle.patch # decode-uri-component-CVE-2022-38900.prebundle.patch -# Backport fix for CVE-2021-35065 for bundled glob-parent -Patch1: glob-parent-CVE-2021-35065.patch - -BuildArch: noarch -ExclusiveArch: %{nodejs_arches} noarch +ExclusiveArch: %{nodejs_arches} BuildRequires: nodejs-packaging -%if 0%{?fedora} >= 37 -BuildRequires: nodejs-npm -%else -BuildRequires: npm -%endif - -# Package was renamed when Fedora 33 was rawhide -# Don't remove this before Fedora 35 -Obsoletes: %{old_name} < 1.22.4-1 -Provides: %{old_name} = %{version}-%{release} +BuildRequires: yarnpkg %description Fast, reliable, and secure dependency management. @@ -56,10 +41,8 @@ Fast, reliable, and secure dependency management. %build # use build script -npm run build +yarn build -# remove build dependencies from node_modules -npm prune --production %install mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name} 
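Review bot: `Patch1: glob-parent-CVE-2021-35065.patch` is dropped together with the patch file, but neither this hunk nor the changelog entry records that the regenerated 1.22.21 bundle ships a glob-parent release that already contains the fix. If the bundled copy is still a vulnerable version, the update silently reintroduces CVE-2021-35065, so this deserves a check of `node_modules/glob-parent/package.json` in the new tarball and, once confirmed, a comment next to the remaining prebundle patch list such as `# glob-parent CVE-2021-35065: fixed in the version bundled since 1.22.21`.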
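Review bot: Removing `npm prune --production` (together with its `# remove build dependencies from node_modules` comment) means the development dependencies pulled in by `yarn install` stay in `node_modules` and are copied into the buildroot by the `cp -pr package.json lib bin node_modules` line that the next hunk's header shows in %install, so the shipped package carries a larger bundled tree than before, all of it hidden from RPM's dependency scan by `__requires_exclude_from`. If the intent is still to ship runtime dependencies only, an equivalent pruning step (for example pruning in yarnpkg-tarball.sh before the tarball is created) keeps the attack surface and the CVE backport burden where they were; if dev dependencies are now intentionally shipped, a comment in place of the removed one, e.g. `# node_modules is shipped as bundled, including build-time dependencies`, should record that decision.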
@@ -70,7 +53,6 @@ cp -pr package.json lib bin node_modules \ mkdir -p %{buildroot}%{_bindir} ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn -ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{old_name} # Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924) sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \ @@ -86,7 +68,6 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \ %nodejs_symlink_deps --check if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi -if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi %endif @@ -95,10 +76,12 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec %license LICENSE %{_bindir}/yarnpkg %{_bindir}/yarn -%{_bindir}/%{old_name} %{nodejs_sitelib}/%{npm_name}/ %changelog +* Fri Feb 16 2024 Sandro Mani - 1.22.21-1 +- Update to 1.22.21 + * Sat Jan 27 2024 Fedora Release Engineering - 1.22.19-8 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From e47b902f7143483290954f059bd2b8cd8ed6960b Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Mon, 19 Feb 2024 11:16:41 +0100 Subject: [PATCH 20/41] Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234 --- CVE-2022-37599.patch | 12 ++++++++++++ CVE-2023-26136.patch | 25 +++++++++++++++++++++++++ CVE-2023-46234.patch | 12 ++++++++++++ yarnpkg.spec | 8 +++++++- 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 CVE-2022-37599.patch create mode 100644 CVE-2023-26136.patch create mode 100644 CVE-2023-46234.patch 
diff --git a/CVE-2022-37599.patch b/CVE-2022-37599.patch new file mode 100644 index 0000000..7636ff8 --- /dev/null +++ b/CVE-2022-37599.patch @@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js +--- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100 ++++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100 +@@ -299,7 +299,7 @@ exports.interpolateName = function inter + var url = filename; + if(content) { + // Match hash template +- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() { ++ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() { + return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10)); + }).replace(/\[emoji(?::(\d+))?\]/ig, function() { + return encodeStringToEmoji(content, arguments[1]); diff --git a/CVE-2023-26136.patch b/CVE-2023-26136.patch new file mode 100644 index 0000000..3300cce --- /dev/null +++ b/CVE-2023-26136.patch 
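Review bot: The new `CVE-2022-37599.patch` carries no line naming the upstream loader-utils commit or release it was derived from, and the same applies to `CVE-2023-26136.patch` and `CVE-2023-46234.patch` added in this commit. Because these backports edit files inside the regenerated bundle, a reviewer cannot tell from the repository whether the regex change on the `url = url.replace(...)` line mirrors the upstream fix or was hand-written; a header line before the `diff -rupN`, such as `# Backport of the upstream loader-utils fix for CVE-2022-37599 (commit <UPSTREAM_COMMIT>)`, makes each patch auditable and easy to drop once the bundled version is updated.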
@@ -0,0 +1,25 @@ +diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js +--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100 ++++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100 +@@ -36,7 +36,7 @@ var util = require('util'); + + function MemoryCookieStore() { + Store.call(this); +- this.idx = {}; ++ this.idx = Object.create(null); + } + util.inherits(MemoryCookieStore, Store); + exports.MemoryCookieStore = MemoryCookieStore; +@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies + + MemoryCookieStore.prototype.putCookie = function(cookie, cb) { + if (!this.idx[cookie.domain]) { +- this.idx[cookie.domain] = {}; ++ this.idx[cookie.domain] = Object.create(null); + } + if (!this.idx[cookie.domain][cookie.path]) { +- this.idx[cookie.domain][cookie.path] = {}; ++ this.idx[cookie.domain][cookie.path] = Object.create(null); + } + this.idx[cookie.domain][cookie.path][cookie.key] = cookie; + cb(null); diff --git a/CVE-2023-46234.patch b/CVE-2023-46234.patch new file mode 100644 index 0000000..0820ae6 --- /dev/null +++ b/CVE-2023-46234.patch @@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js +--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100 ++++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100 +@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) { + + function checkValue (b, q) { + if (b.cmpn(0) <= 0) throw new Error('invalid sig') +- if (b.cmp(q) >= q) throw new Error('invalid sig') ++ if (b.cmp(q) >= 0) throw new Error('invalid sig') + } + + module.exports = verify diff --git a/yarnpkg.spec b/yarnpkg.spec index f138323..9c0c8df 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec 
@@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.21 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -25,6 +25,9 @@ Source1: yarnpkg-tarball.sh # minimatch-CVE-2022-3517.prebundle.patch # thenify-CVE-2020-7677.prebundle.patch # decode-uri-component-CVE-2022-38900.prebundle.patch +Patch0: CVE-2023-26136.patch +Patch1: CVE-2022-37599.patch +Patch2: CVE-2023-46234.patch ExclusiveArch: %{nodejs_arches} @@ -79,6 +82,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %{nodejs_sitelib}/%{npm_name}/ %changelog +* Mon Feb 19 2024 Sandro Mani - 1.22.21-2 +- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234 + * Fri Feb 16 2024 Sandro Mani - 1.22.21-1 - Update to 1.22.21 From 6e3f039e6a0c23ce3ebcad526a5306c409bdbfac Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Mon, 19 Feb 2024 12:37:32 +0100 Subject: [PATCH 21/41] Repackage bundle without bundled binaries, use npm to build --- .gitignore | 1 + sources | 2 +- yarnpkg-tarball.sh | 3 +++ yarnpkg.spec | 6 +++--- 4 files changed, 8 insertions(+), 4 deletions(-) mode change 100644 => 100755 yarnpkg-tarball.sh diff --git a/.gitignore b/.gitignore index f77bf22..71cb754 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /yarnpkg-v1.22.19-bundled.tar.gz /yarnpkg-v1.22.19-bundled-20230321.tar.gz /yarnpkg-v1.22.21-bundled-20240217.tar.gz +/yarnpkg-v1.22.21-bundled-20240219.tar.gz diff --git a/sources b/sources index 6d96a41..e74f8ea 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.21-bundled-20240217.tar.gz) = f11c4dbf561c6ccf9e0d810d72c20bddd3b07d0f080b3188dad0d1587e278c321babf93c58eeb38fe994f0623afb6ca1d91044be7d6f04b48e354ca99a71b0c8 +SHA512 (yarnpkg-v1.22.21-bundled-20240219.tar.gz) = 40a628f545f073d2013f51f244c246c96e38969a012b40dac7c1cc01f4173a594c4c509448bc52519bb7a66d7c38847d1fe99c5cd03a94373e6c45b367ab2dd5 
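Review bot: `Patch0`, `Patch1` and `Patch2` are declared here, but the `%prep` section that would apply them is not part of this commit, and no `%autosetup`/`%patch` change is visible. If `%prep` uses plain `%setup`, these three CVE backports are never applied and the build still succeeds silently; please confirm that `%prep` uses `%autosetup -p1` (or explicit `%patch` lines) so the backports actually land in the bundled tough-cookie, loader-utils and browserify-sign. A short comment above the three lines, e.g. `# Backports for bundled tough-cookie, loader-utils and browserify-sign (applied in %prep)`, would also map each patch to the module it touches.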
diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh old mode 100644 new mode 100755 index 9b6a2e5..b0dba21 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -13,5 +13,8 @@ patch -p1 < $file done yarn install yarn audit fix +# Delete all binary files in node_modules +echo "Deleting binary files..." +find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm cd .. tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version diff --git a/yarnpkg.spec b/yarnpkg.spec index 9c0c8df..b3d644a 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -8,7 +8,7 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20240217 +%global bundledate 20240219 Name: yarnpkg Version: 1.22.21 @@ -32,7 +32,7 @@ Patch2: CVE-2023-46234.patch ExclusiveArch: %{nodejs_arches} BuildRequires: nodejs-packaging -BuildRequires: yarnpkg +BuildRequires: nodejs-npm %description Fast, reliable, and secure dependency management. @@ -44,7 +44,7 @@ Fast, reliable, and secure dependency management. %build # use build script -yarn build +npm run build %install From 9fc9e8350c22f701d8946c079fcf20021a30cbd4 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Sun, 10 Mar 2024 00:24:08 +0100 Subject: [PATCH 22/41] Update to 1.22.22 --- .gitignore | 2 ++ sources | 3 ++- yarnpkg.spec | 9 ++++++--- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 71cb754..6ba780a 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,5 @@ /yarnpkg-v1.22.19-bundled-20230321.tar.gz /yarnpkg-v1.22.21-bundled-20240217.tar.gz /yarnpkg-v1.22.21-bundled-20240219.tar.gz +/v1.22.22.tar.gz +/yarnpkg-v1.22.22-bundled-20240309.tar.gz diff --git a/sources b/sources index e74f8ea..1f6e54c 100644 --- a/sources +++ b/sources 
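Review bot: The pipeline `find ... -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm` identifies binaries by a substring match on `file`'s whole output line, so a path that itself contains `ELF`, or a colon (which truncates the awk field), is mis-handled, unquoted whitespace in a path breaks `xargs rm`, and an empty match list makes `rm` fail on a missing operand; with no `set -e` all of this is silent. Matching on the description only and passing NUL-separated paths is safer: `find node_modules -type f -not -name '*.js' -exec sh -c 'file -b -- "$1" | grep -q "^ELF "' _ {} \; -print0 | xargs -0 rm -f --`. The comment should also say why the binaries go, e.g. `# Strip prebuilt ELF binaries so the source bundle contains no opaque native code`.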
@@ -1 +1,2 @@ -SHA512 (yarnpkg-v1.22.21-bundled-20240219.tar.gz) = 40a628f545f073d2013f51f244c246c96e38969a012b40dac7c1cc01f4173a594c4c509448bc52519bb7a66d7c38847d1fe99c5cd03a94373e6c45b367ab2dd5 +SHA512 (v1.22.22.tar.gz) = aba357d6a0c2bf355d58575df09109f355226f642ea4b5cdd9f4db4e7917d63b09072545c4ad4a5e76f9eef8f4850c31b22106e7cbfec8ca7eed27ca271a1f4a +SHA512 (yarnpkg-v1.22.22-bundled-20240309.tar.gz) = 47a392227ab46ca64e04d7212ae0baecd756cf29a15a0657e323bcf053659bd7bc50dbf7e7bfb9de9460dc59be37bb537ecbb75c5d55e8aecc5316ab44301318 diff --git a/yarnpkg.spec b/yarnpkg.spec index b3d644a..eaf8e6a 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -8,11 +8,11 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20240219 +%global bundledate 20240309 Name: yarnpkg -Version: 1.22.21 -Release: 2%{?dist} +Version: 1.22.22 +Release: 1%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -82,6 +82,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Mar 09 2024 Sandro Mani - 1.22.22-1 +- Update to 1.22.22 + * Mon Feb 19 2024 Sandro Mani - 1.22.21-2 - Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234 From f327e0c442a537aeee68b99ffa5667ef3735ecb3 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Thu, 4 Jul 2024 23:50:59 +0200 Subject: [PATCH 23/41] Backport fix for CVE-2024-4067.patch --- .gitignore | 1 + CVE-2024-4067.patch | 60 +++++++++++++++++++++++++++++++++++++++++++++ sources | 3 +-- yarnpkg.spec | 3 +++ 4 files changed, 65 insertions(+), 2 deletions(-) create mode 100644 CVE-2024-4067.patch diff --git a/.gitignore b/.gitignore index 6ba780a..da61000 100644 --- a/.gitignore +++ b/.gitignore 
@@ -7,3 +7,4 @@ /yarnpkg-v1.22.21-bundled-20240219.tar.gz /v1.22.22.tar.gz /yarnpkg-v1.22.22-bundled-20240309.tar.gz +/yarnpkg-v1.22.22-bundled-20240704.tar.gz diff --git a/CVE-2024-4067.patch b/CVE-2024-4067.patch new file mode 100644 index 0000000..d56082e --- /dev/null +++ b/CVE-2024-4067.patch 
@@ -0,0 +1,60 @@ +diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js +--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200 ++++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 23:35:09.633072156 +0200 +@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op + } + + function expand() { +- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { ++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { + return utils.arrayify(pattern); + } + return braces(pattern, options); +diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js +--- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200 ++++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 23:35:22.753040820 +0200 +@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op + } + + function expand() { +- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { ++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { + return utils.arrayify(pattern); + } + return braces(pattern, options); +diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js +--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200 ++++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 23:35:32.817016784 +0200 +@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op + } + + function expand() { +- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { ++ if (options && options.nobrace === true || 
!/\{.*?\}/.test(pattern)) { + return utils.arrayify(pattern); + } + return braces(pattern, options); +diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js +--- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200 ++++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 23:35:41.536995958 +0200 +@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op + } + + function expand() { +- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { ++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { + return utils.arrayify(pattern); + } + return braces(pattern, options); +diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js +--- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200 ++++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 23:35:49.438977085 +0200 +@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op + } + + function expand() { +- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) { ++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) { + return utils.arrayify(pattern); + } + return braces(pattern, options); diff --git a/sources b/sources index 1f6e54c..983af15 100644 --- a/sources +++ b/sources 
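Review bot: The patch rewrites the brace check in five nested copies of micromatch (under anymatch, findup-sync, matchdep, sane and test-exclude), but whether a top-level `node_modules/micromatch` exists in the bundle, and whether it is already a fixed version, cannot be seen from this diff, so the set of patched copies should be derived from the bundle (`find node_modules -path '*/micromatch/index.js'`) rather than assumed. The change from `\{.*\}` to `\{.*?\}` only makes the quantifier lazy; if the upstream fix touched anything beyond that line, those hunks are missing here, so a header line naming the upstream micromatch change this mirrors, e.g. `# Backport of the upstream micromatch fix for CVE-2024-4067 (commit <UPSTREAM_COMMIT>)`, would let the next reviewer verify the five identical hunks against it.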
@@ -1,2 +1 @@ -SHA512 (v1.22.22.tar.gz) = aba357d6a0c2bf355d58575df09109f355226f642ea4b5cdd9f4db4e7917d63b09072545c4ad4a5e76f9eef8f4850c31b22106e7cbfec8ca7eed27ca271a1f4a -SHA512 (yarnpkg-v1.22.22-bundled-20240309.tar.gz) = 47a392227ab46ca64e04d7212ae0baecd756cf29a15a0657e323bcf053659bd7bc50dbf7e7bfb9de9460dc59be37bb537ecbb75c5d55e8aecc5316ab44301318 +SHA512 (yarnpkg-v1.22.22-bundled-20240704.tar.gz) = 0a9b17526571f73efc46f91159d176aa71b8b8b60dd2b07cfd931efc4331174bdaea17ae25405a0dc36be23d086d2657cdc8b4053a2bf4d11795aef9774024e0 diff --git a/yarnpkg.spec b/yarnpkg.spec index eaf8e6a..e142a81 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -25,9 +25,12 @@ Source1: yarnpkg-tarball.sh # minimatch-CVE-2022-3517.prebundle.patch # thenify-CVE-2020-7677.prebundle.patch # decode-uri-component-CVE-2022-38900.prebundle.patch + Patch0: CVE-2023-26136.patch Patch1: CVE-2022-37599.patch Patch2: CVE-2023-46234.patch +Patch3: CVE-2024-4067.patch + ExclusiveArch: %{nodejs_arches} From 61ffee4fce978a3646f8f17ab86648bc075f7d1c Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Thu, 4 Jul 2024 23:53:36 +0200 Subject: [PATCH 24/41] Bump release --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index e142a81..247dd53 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.22 -Release: 1%{?dist} +Release: 2%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -85,6 +85,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %{nodejs_sitelib}/%{npm_name}/ %changelog +* Thu Jul 04 2024 Sandro Mani - 1.22.22-2 +- Backport patch for CVE-2024-4067 + * Sat Mar 09 2024 Sandro Mani - 1.22.22-1 - Update to 1.22.22 From 36a0d03078fff61a4f70bcd3f8906a86583134f7 Mon Sep 17 00:00:00 2001 
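Review bot: The `sources` hunk drops the `SHA512 (v1.22.22.tar.gz)` line that the previous update added, removing the only recorded digest of the upstream archive that yarnpkg-tarball.sh builds the bundle from. Keeping that entry alongside the bundled tarball's digest (the `.gitignore` still lists `/v1.22.22.tar.gz`) lets a reviewer verify the input of the bundling script and not just its output; if it was removed because the file is no longer uploaded to the lookaside cache, the commit message should say so.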
From: Sandro Mani Date: Fri, 5 Jul 2024 00:00:31 +0200 Subject: [PATCH 25/41] Bump bundle date --- yarnpkg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 247dd53..918b8c2 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -8,7 +8,7 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20240309 +%global bundledate 20240704 Name: yarnpkg Version: 1.22.22 From 1e61f5aca8cc233ec52d9a84474760fa855c18d2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 10:39:17 +0000 Subject: [PATCH 26/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 918b8c2..2ca4df3 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.22 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -85,6 +85,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %{nodejs_sitelib}/%{npm_name}/ %changelog +* Sat Jul 20 2024 Fedora Release Engineering - 1.22.22-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + * Thu Jul 04 2024 Sandro Mani - 1.22.22-2 - Backport patch for CVE-2024-4067 From 94fb969f2df2a9d83d3de7f52fac3b00eb16f7a1 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Fri, 11 Oct 2024 10:03:19 +0200 Subject: [PATCH 27/41] Add CVE-2024-48949.prebundle.patch and regenerate bundle --- .gitignore | 1 + CVE-2024-48949.prebundle.patch | 91 ++++++++++++++++++++++++++++++++++ sources | 2 +- yarnpkg.spec | 8 ++- 4 files changed, 99 insertions(+), 3 deletions(-) create mode 100644 CVE-2024-48949.prebundle.patch 
diff --git a/.gitignore b/.gitignore index da61000..397f352 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /v1.22.22.tar.gz /yarnpkg-v1.22.22-bundled-20240309.tar.gz /yarnpkg-v1.22.22-bundled-20240704.tar.gz +/yarnpkg-v1.22.22-bundled-20241010.tar.gz diff --git a/CVE-2024-48949.prebundle.patch b/CVE-2024-48949.prebundle.patch new file mode 100644 index 0000000..247f3cc --- /dev/null +++ b/CVE-2024-48949.prebundle.patch 
@@ -0,0 +1,91 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-10-10 12:46:29.329322568 +0200
++++ yarn-1.22.22-new/yarn.lock 2024-10-10 12:37:38.256366136 +0200
+@@ -1404,11 +1404,16 @@ bl@^1.0.0:
+ readable-stream "^2.3.5"
+ safe-buffer "^5.1.1"
+
+-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0:
++bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1:
+ version "4.11.8"
+ resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f"
+ integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==
+
++bn.js@^4.11.9:
++ version "4.12.0"
++ resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
++ integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
++
+ brace-expansion@^1.1.7:
+ version "1.1.11"
+ resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
+@@ -1450,7 +1455,7 @@ broccoli-kitchen-sink-helpers@^0.3.1:
+ glob "^5.0.10"
+ mkdirp "^0.5.1"
+
+-brorand@^1.0.1:
++brorand@^1.0.1, brorand@^1.1.0:
+ version "1.1.0"
+ resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
+ integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
+@@ -2424,17 +2429,17 @@ electron-to-chromium@^1.3.47:
+ integrity sha1-8VDhCyC3fZ1Br8yjEu/gw7Gn/c4=
+
+ elliptic@^6.0.0:
+- version "6.4.0"
+- resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df"
+- integrity sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8=
++ version "6.5.7"
++ resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
++ integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
+ dependencies:
+- bn.js "^4.4.0"
+- brorand "^1.0.1"
++
bn.js "^4.11.9"
++ brorand "^1.1.0"
+ hash.js "^1.0.0"
+- hmac-drbg "^1.0.0"
+- inherits "^2.0.1"
+- minimalistic-assert "^1.0.0"
+- minimalistic-crypto-utils "^1.0.0"
++ hmac-drbg "^1.0.1"
++ inherits "^2.0.4"
++ minimalistic-assert "^1.0.1"
++ minimalistic-crypto-utils "^1.0.1"
+
+ emoji-regex@^6.5.1:
+ version "6.5.1"
+@@ -3711,10 +3716,10 @@ heimdalljs@^0.2.0, heimdalljs@^0.2.3:
+ dependencies:
+ rsvp "~3.2.1"
+
+-hmac-drbg@^1.0.0:
++hmac-drbg@^1.0.1:
+ version "1.0.1"
+ resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
+- integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
++ integrity sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==
+ dependencies:
+ hash.js "^1.0.3"
+ minimalistic-assert "^1.0.0"
+@@ -3841,6 +3846,11 @@ inherits@2.0.1:
+ resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.1.tgz#b17d08d326b4423e568eff719f91b0b1cbdf69f1"
+ integrity sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=
+
++inherits@^2.0.4:
++ version "2.0.4"
++ resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
++ integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
++
+ ini@^1.3.4, ini@~1.3.0:
+ version "1.3.5"
+ resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
+@@ -5234,7 +5244,7 @@ minimalistic-assert@^1.0.0, minimalistic
+ resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
+ integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
+
+-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
++minimalistic-crypto-utils@^1.0.1:
+ version "1.0.1"
+ resolved
"https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
+ integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
diff --git a/sources b/sources
index 983af15..c3ea23f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.22-bundled-20240704.tar.gz) = 0a9b17526571f73efc46f91159d176aa71b8b8b60dd2b07cfd931efc4331174bdaea17ae25405a0dc36be23d086d2657cdc8b4053a2bf4d11795aef9774024e0
+SHA512 (yarnpkg-v1.22.22-bundled-20241010.tar.gz) = 4275a0e01e7d8cf1b1d6382d37c418d4fa8c5f4934de758abae839968724ad9c1bede50d297e271b208fbe032a27f213cef422c4d537ecd26c441d8e137140dd
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 2ca4df3..b106195 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -8,11 +8,11 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
-%global bundledate 20240704
+%global bundledate 20241010
 Name: yarnpkg
 Version: 1.22.22
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
@@ -25,6 +25,7 @@ Source1: yarnpkg-tarball.sh
 # minimatch-CVE-2022-3517.prebundle.patch
 # thenify-CVE-2020-7677.prebundle.patch
 # decode-uri-component-CVE-2022-38900.prebundle.patch
+# CVE-2024-48949.prebundle.patch
 Patch0: CVE-2023-26136.patch
 Patch1: CVE-2022-37599.patch
@@ -85,6 +86,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Thu Oct 10 2024 Sandro Mani - 1.22.22-4
+- Update bundled elliptic (CVE-2024-48949)
+
 * Sat Jul 20 2024 Fedora Release Engineering - 1.22.22-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
From 8f1e40bcfe3cc43c20e62a679b8218d3ea408615 Mon Sep 17 00:00:00 2001
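Review bot: In the `@@ -25,6 +25,7 @@` hunk CVE-2024-48949.prebundle.patch enters the spec only as a comment line, so nothing in the spec itself references the file; whether it is also declared as a numbered `SourceN:` (and so ships in the SRPM for anyone reproducing the `20241010` bundle with yarnpkg-tarball.sh) is not visible from this hunk. If it is not, consider listing it next to `Source1: yarnpkg-tarball.sh` so the prebundle inputs are auditable from the SRPM alone; the same applies to the later prebundle patches added in this series (CVE-2024-37890, CVE-2024-12905, CVE-2025-6545_6547). The changelog line `- Update bundled elliptic (CVE-2024-48949)` would also be more useful naming the resulting version, `6.5.7`, which the lockfile patch pins.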
From: Sandro Mani
Date: Tue, 15 Oct 2024 15:22:53 +0200
Subject: [PATCH 28/41] Update bundled ws (CVE-2024-37890)
---
 .gitignore | 1 +
 CVE-2024-37890.prebundle.patch | 16 ++++++++++++++++
 sources | 2 +-
 yarnpkg.spec | 8 ++++++--
 4 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2024-37890.prebundle.patch
diff --git a/.gitignore b/.gitignore
index 397f352..13ebd64 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@
 /yarnpkg-v1.22.22-bundled-20240309.tar.gz
 /yarnpkg-v1.22.22-bundled-20240704.tar.gz
 /yarnpkg-v1.22.22-bundled-20241010.tar.gz
+/yarnpkg-v1.22.22-bundled-20241015.tar.gz
diff --git a/CVE-2024-37890.prebundle.patch b/CVE-2024-37890.prebundle.patch
new file mode 100644
index 0000000..5376f36
--- /dev/null
+++ b/CVE-2024-37890.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-10-10 12:55:05.000000000 +0200
++++ yarn-1.22.22-new/yarn.lock 2024-10-15 14:59:01.318140933 +0200
+@@ -7809,9 +7809,9 @@ write@^0.2.1:
+ mkdirp "^0.5.1"
+
+ ws@^5.2.0:
+- version "5.2.2"
+- resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.2.tgz#dffef14866b8e8dc9133582514d1befaf96e980f"
+- integrity sha512-jaHFD6PFv6UgoIVda6qZllptQsMlDEJkTQcybzzXDYM1XO9Y8em691FGMPmM46WGyLU4z9KMgQN+qrux/nhlHA==
++ version "5.2.4"
++ resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.4.tgz#c7bea9f1cfb5f410de50e70e82662e562113f9a7"
++ integrity sha512-fFCejsuC8f9kOSu9FYaOw8CdO68O3h5v0lg4p74o8JqWpwTf9tniOD+nOB78aWoVSS6WptVUmDrp/KPsMVBWFQ==
+ dependencies:
+ async-limiter "~1.0.0"
+
diff --git a/sources b/sources
index c3ea23f..c7568e4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.22-bundled-20241010.tar.gz) = 4275a0e01e7d8cf1b1d6382d37c418d4fa8c5f4934de758abae839968724ad9c1bede50d297e271b208fbe032a27f213cef422c4d537ecd26c441d8e137140dd
+SHA512 (yarnpkg-v1.22.22-bundled-20241015.tar.gz) = 1db1a751f34858daf7f530d8f28dd2377ec4e7e996bd74a4c8e70e21b54777824396979d9c0585f857e367c8b03ebf70fab686be71add4f450eb91e61071dc9e
diff --git a/yarnpkg.spec b/yarnpkg.spec
index b106195..8555721 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -8,11 +8,11 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
-%global bundledate 20241010
+%global bundledate 20241015
 Name: yarnpkg
 Version: 1.22.22
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
@@ -26,6 +26,7 @@ Source1: yarnpkg-tarball.sh
 # thenify-CVE-2020-7677.prebundle.patch
 # decode-uri-component-CVE-2022-38900.prebundle.patch
 # CVE-2024-48949.prebundle.patch
+# CVE-2024-37890.prebundle.patch
 Patch0: CVE-2023-26136.patch
 Patch1: CVE-2022-37599.patch
@@ -86,6 +87,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Tue Oct 15 2024 Sandro Mani - 1.22.22-5
+- Update bundled ws (CVE-2024-37890)
+
 * Thu Oct 10 2024 Sandro Mani - 1.22.22-4
 - Update bundled elliptic (CVE-2024-48949)
From fc6b0f36469c384d8231b4df6ad4deab4d5533eb Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Tue, 15 Oct 2024 17:07:20 +0200
Subject: [PATCH 29/41] BR: npm on EPEL
---
 yarnpkg.spec | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 8555721..4bd2382 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -37,7 +37,11 @@ Patch3: CVE-2024-4067.patch
 ExclusiveArch: %{nodejs_arches}
 BuildRequires: nodejs-packaging
+%if 0%{?fedora}
 BuildRequires: nodejs-npm
+%else
+BuildRequires: npm
+%endif
 %description
 Fast, reliable, and secure dependency management.
From ba480f35c69e7c1d447fe538be907391cbb8f209 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Sun, 19 Jan 2025 16:30:51 +0000
Subject: [PATCH 30/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
---
 yarnpkg.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 4bd2382..f28acc2 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -12,7 +12,7 @@
 Name: yarnpkg
 Version: 1.22.22
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
@@ -91,6 +91,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Sun Jan 19 2025 Fedora Release Engineering - 1.22.22-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
 * Tue Oct 15 2024 Sandro Mani - 1.22.22-5
 - Update bundled ws (CVE-2024-37890)
From 34fc78f99c5097ea2d1066a378aebbe0d20ab540 Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Fri, 28 Mar 2025 20:49:55 +0100
Subject: [PATCH 31/41] Add CVE-2024-12905.prebundle.patch
---
 .gitignore | 1 +
 CVE-2024-12905.prebundle.patch | 16 ++++++++++++++++
 sources | 2 +-
 yarnpkg.spec | 8 ++++++--
 4 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2024-12905.prebundle.patch
diff --git a/.gitignore b/.gitignore
index 13ebd64..ad331f1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,4 @@
 /yarnpkg-v1.22.22-bundled-20240704.tar.gz
 /yarnpkg-v1.22.22-bundled-20241010.tar.gz
 /yarnpkg-v1.22.22-bundled-20241015.tar.gz
+/yarnpkg-v1.22.22-bundled-20250328.tar.gz
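Review bot: The new `%if 0%{?fedora}` / `%else` / `%endif` block in the `@@ -37,7 +37,11 @@` hunk changes build dependencies without a matching `%changelog` entry or Release bump; the diffstat shows only the four inserted lines. A changelog line such as `- BuildRequire npm instead of nodejs-npm on EPEL` would record the reason alongside the other entries in this file. The condition also selects `npm` for every non-Fedora target, not only EPEL; if that is intended, a short comment above the `%if`, e.g. `# nodejs-npm is a Fedora-only package name; EPEL builds use npm` (presumably the motivation, per the commit subject), would save the next reader from guessing.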
diff --git a/CVE-2024-12905.prebundle.patch b/CVE-2024-12905.prebundle.patch
new file mode 100644
index 0000000..773fce0
--- /dev/null
+++ b/CVE-2024-12905.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-10-15 15:12:52.000000000 +0200
++++ yarn-1.22.22-new/yarn.lock 2025-03-28 20:35:23.508887708 +0100
+@@ -7150,9 +7150,9 @@ tapable@^0.2.7, tapable@~0.2.5:
+ integrity sha1-mTcqXJmb8t8WCvwNdL7U9HlIzSI=
+
+ tar-fs@^1.16.0:
+- version "1.16.3"
+- resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.3.tgz#966a628841da2c4010406a82167cbd5e0c72d509"
+- integrity sha512-NvCeXpYx7OsmOh8zIOP/ebG55zZmxLE0etfWRbWok+q2Qo8x/vOR/IJT1taADXPe+jsiu9axDb3X4B+iIgNlKw==
++ version "1.16.4"
++ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.4.tgz#d3f0e1edf164b821f086640b1f0596f004021dc8"
++ integrity sha512-u3XczWoYAIVXe5GOKK6+VeWaHjtc47W7hyuTo3+4cNakcCcuDmlkYiiHEsECwTkcI3h1VUgtwBQ54+RvY6cM4w==
+ dependencies:
+ chownr "^1.0.1"
+ mkdirp "^0.5.1"
diff --git a/sources b/sources
index c7568e4..3cf4f24 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.22-bundled-20241015.tar.gz) = 1db1a751f34858daf7f530d8f28dd2377ec4e7e996bd74a4c8e70e21b54777824396979d9c0585f857e367c8b03ebf70fab686be71add4f450eb91e61071dc9e
+SHA512 (yarnpkg-v1.22.22-bundled-20250328.tar.gz) = e888dc0ce9fe5dbaefe56db75de78c892a92a668b14025d5e357641209982b3b02cd10a7f52835a75bdbc62b024d224b0c700be08e0568440a5c60c4cec2131f
diff --git a/yarnpkg.spec b/yarnpkg.spec
index f28acc2..3188759 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -8,11 +8,11 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
-%global bundledate 20241015
+%global bundledate 20250328
 Name: yarnpkg
 Version: 1.22.22
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
@@ -27,6 +27,7 @@ Source1: yarnpkg-tarball.sh
 # decode-uri-component-CVE-2022-38900.prebundle.patch
 # CVE-2024-48949.prebundle.patch
 # CVE-2024-37890.prebundle.patch
+# CVE-2024-12905.prebundle.patch
 Patch0: CVE-2023-26136.patch
 Patch1: CVE-2022-37599.patch
@@ -91,6 +92,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Fri Mar 28 2025 Sandro Mani - 1.22.22-7
+- Fix CVE-2024-12905
+
 * Sun Jan 19 2025 Fedora Release Engineering - 1.22.22-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
From 4f435399aa3cfd7a7399474ebc8773689c55867a Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Wed, 4 Jun 2025 10:33:43 +0200
Subject: [PATCH 32/41] Refresh bundle tarball for CVE-2025-48387
---
 .gitignore | 1 +
 ...e.patch => CVE-2024-12905_CVE-2025-48387.prebundle.patch | 6 +++---
 sources | 2 +-
 yarnpkg.spec | 5 ++++-
 4 files changed, 9 insertions(+), 5 deletions(-)
 rename CVE-2024-12905.prebundle.patch => CVE-2024-12905_CVE-2025-48387.prebundle.patch (71%)
diff --git a/.gitignore b/.gitignore
index ad331f1..de742b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@
 /yarnpkg-v1.22.22-bundled-20241010.tar.gz
 /yarnpkg-v1.22.22-bundled-20241015.tar.gz
 /yarnpkg-v1.22.22-bundled-20250328.tar.gz
+/yarnpkg-v1.22.22-bundled-20250604.tar.gz
diff --git a/CVE-2024-12905.prebundle.patch b/CVE-2024-12905_CVE-2025-48387.prebundle.patch
similarity index 71%
rename from CVE-2024-12905.prebundle.patch
rename to CVE-2024-12905_CVE-2025-48387.prebundle.patch
index 773fce0..78e2ee8 100644
--- a/CVE-2024-12905.prebundle.patch
+++ b/CVE-2024-12905_CVE-2025-48387.prebundle.patch
@@ -8,9 +8,9 @@ diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
 - version "1.16.3"
 - resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.3.tgz#966a628841da2c4010406a82167cbd5e0c72d509"
 - integrity sha512-NvCeXpYx7OsmOh8zIOP/ebG55zZmxLE0etfWRbWok+q2Qo8x/vOR/IJT1taADXPe+jsiu9axDb3X4B+iIgNlKw==
-+ version "1.16.4"
-+ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.4.tgz#d3f0e1edf164b821f086640b1f0596f004021dc8"
-+ integrity sha512-u3XczWoYAIVXe5GOKK6+VeWaHjtc47W7hyuTo3+4cNakcCcuDmlkYiiHEsECwTkcI3h1VUgtwBQ54+RvY6cM4w==
++ version "1.16.5"
++ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.5.tgz#716a323609c11182d1d3d7b5bf277d15dc128665"
++ integrity sha512-1ergVCCysmwHQNrOS+Pjm4DQ4nrGp43+Xnu4MRGjCnQu/m3hEgLNS78d5z+B8OJ1hN5EejJdCSFZE1oM6AQXAQ==
 dependencies:
 chownr "^1.0.1"
 mkdirp "^0.5.1"
diff --git a/sources b/sources
index 3cf4f24..cc3616e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.22-bundled-20250328.tar.gz) = e888dc0ce9fe5dbaefe56db75de78c892a92a668b14025d5e357641209982b3b02cd10a7f52835a75bdbc62b024d224b0c700be08e0568440a5c60c4cec2131f
+SHA512 (yarnpkg-v1.22.22-bundled-20250604.tar.gz) = c30c447338b1037614abeb2ee5bf337aa2bc1b912e8f1acb2619d7e3f38caf13938d022f152ab0051d13cb627ffcf22110f1a6a2658690b21c1f77fdf8cc0a08
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 3188759..43e3073 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -12,7 +12,7 @@
 Name: yarnpkg
 Version: 1.22.22
-Release: 7%{?dist}
+Release: 8%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
@@ -92,6 +92,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Wed Jun 04 2025 Sandro Mani - 1.22.22-8
+- Refresh bundle tarball for CVE-2025-48387
+
 * Fri Mar 28 2025 Sandro Mani - 1.22.22-7
 - Fix CVE-2024-12905
From 8307434c372324862633e8bd77bf1f6f92bd2848 Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Wed, 4 Jun 2025 10:44:40 +0200
Subject: [PATCH 33/41] Fix bundledate
---
 yarnpkg.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 43e3073..c1eeecb 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -8,7 +8,7 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
-%global bundledate 20250328
+%global bundledate 20250604
 Name: yarnpkg
 Version: 1.22.22
From 7b47a112ce986591639d7b0d55869f771c2bebde Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Tue, 24 Jun 2025 10:42:04 +0200
Subject: [PATCH 34/41] Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle Fixes CVE-2025-6545 and CVE-2025-6547.
---
 .gitignore | 1 +
 CVE-2025-6545_6547.prebundle.patch | 21 +++++++++++++++++++++
 sources | 2 +-
 yarnpkg.spec | 8 ++++++--
 4 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 CVE-2025-6545_6547.prebundle.patch
diff --git a/.gitignore b/.gitignore
index de742b3..451bd33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@
 /yarnpkg-v1.22.22-bundled-20241015.tar.gz
 /yarnpkg-v1.22.22-bundled-20250328.tar.gz
 /yarnpkg-v1.22.22-bundled-20250604.tar.gz
+/yarnpkg-v1.22.22-bundled-20250624.tar.gz
diff --git a/CVE-2025-6545_6547.prebundle.patch b/CVE-2025-6545_6547.prebundle.patch
new file mode 100644
index 0000000..e586613
--- /dev/null
+++ b/CVE-2025-6545_6547.prebundle.patch
@@ -0,0 +1,21 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/yarn.lock 2025-06-24 10:24:15.448061691 +0200
+@@ -5905,17 +5905,6 @@ path-type@^1.0.0:
+ pify "^2.0.0"
+ pinkie-promise "^2.0.0"
+
+-pbkdf2@^3.0.3:
+- version "3.0.16"
+- resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.0.16.tgz#7404208ec6b01b62d85bf83853a8064f8d9c2a5c"
+- integrity sha512-y4CXP3thSxqf7c0qmOF+9UeOTrifiVTIM+u7NWlq+PRsHbr7r7dpCmvzrZxa96JJUNi0Y5w9VqG5ZNeCVMoDcA==
+- dependencies:
+- create-hash "^1.1.2"
+- create-hmac "^1.1.4"
+- ripemd160 "^2.0.1"
+- safe-buffer "^5.0.1"
+- sha.js "^2.4.8"
+-
+ peek-stream@^1.1.0:
+ version "1.1.3"
+ resolved "https://registry.yarnpkg.com/peek-stream/-/peek-stream-1.1.3.tgz#3b35d84b7ccbbd262fff31dc10da56856ead6d67"
diff --git a/sources b/sources
index cc3616e..333edd5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.22-bundled-20250604.tar.gz) = c30c447338b1037614abeb2ee5bf337aa2bc1b912e8f1acb2619d7e3f38caf13938d022f152ab0051d13cb627ffcf22110f1a6a2658690b21c1f77fdf8cc0a08
+SHA512 (yarnpkg-v1.22.22-bundled-20250624.tar.gz) = 4bea09a02ad6bc3d7c0a275e01118af9ad198bc7d07af7c41eab11c89a75f233d9180a7dc6d111ee4a923716050830dccf593ae0bc240d1de5c3fd08fb575f9c
diff --git a/yarnpkg.spec b/yarnpkg.spec
index c1eeecb..07fbe58 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -8,11 +8,11 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
-%global bundledate 20250604
+%global bundledate 20250624
 Name: yarnpkg
 Version: 1.22.22
-Release: 8%{?dist}
+Release: 9%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
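Review bot: CVE-2025-6545_6547.prebundle.patch addresses the pbkdf2 advisories by deleting the whole `pbkdf2@^3.0.3` lock entry rather than pinning a fixed release, which is a different shape from the other prebundle patches in this series (CVE-2024-37890 and CVE-2024-12905 both rewrite `version`/`resolved`/`integrity` of the affected entry). If any bundled module still requires pbkdf2, the regenerated lockfile will carry whatever the registry resolved at bundling time, so the fixed version is recorded only indirectly, via the tarball hash in `sources`; yarnpkg-tarball.sh is not visible here, so this is inferred. Pinning the replacement entry explicitly in the patch, as the other prebundle patches do, or at least naming the resolved pbkdf2 version in the changelog line, would make the fix auditable from the repository alone.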
@@ -28,6 +28,7 @@ Source1: yarnpkg-tarball.sh
 # CVE-2024-48949.prebundle.patch
 # CVE-2024-37890.prebundle.patch
 # CVE-2024-12905.prebundle.patch
+# CVE-2025-6545_6547.prebundle.patch
 Patch0: CVE-2023-26136.patch
 Patch1: CVE-2022-37599.patch
@@ -92,6 +93,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Tue Jun 24 2025 Sandro Mani - 1.22.22-9
+- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
+
 * Wed Jun 04 2025 Sandro Mani - 1.22.22-8
 - Refresh bundle tarball for CVE-2025-48387
From fe5e10ede7bda40cd4d454a3d7e4cb4238f81024 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Fri, 25 Jul 2025 21:10:49 +0000
Subject: [PATCH 35/41] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
---
 yarnpkg.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 07fbe58..8d7580e 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@@ -12,7 +12,7 @@
 Name: yarnpkg
 Version: 1.22.22
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: Fast, reliable, and secure dependency management.
 License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
@@ -93,6 +93,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Fri Jul 25 2025 Fedora Release Engineering - 1.22.22-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
 * Tue Jun 24 2025 Sandro Mani - 1.22.22-9
 - Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
From 63570511935c887f8f1423c642227e3954801449 Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Thu, 31 Jul 2025 00:52:10 +0200
Subject: [PATCH 36/41] Refresh bundle, drop obsolete patches, add patches for CVE-2025-8262, CVE-2025-8263
---
 .gitignore | 1 +
 CVE-2022-37599.patch | 6 +-
 CVE-2023-26136.patch | 6 +-
 CVE-2023-46234.patch | 12 ---
 CVE-2024-12905_CVE-2025-48387.prebundle.patch | 16 ----
 CVE-2024-37890.prebundle.patch | 16 ----
 CVE-2024-4067.patch | 36 +++-----
 CVE-2024-48949.prebundle.patch | 91 ------------------
 CVE-2025-6545_6547.prebundle.patch | 21 -----
 CVE-2025-8262.patch | 15 +++
 CVE-2025-8263.patch | 25 +++++
 async-CVE-2021-43138.prebundle.patch | 31 -------
 ...i-component-CVE-2022-38900.prebundle.patch | 16 ----
 minimatch-CVE-2022-3517.prebundle.patch | 16 ----
 sources | 2 +-
 thenify-CVE-2020-7677.prebundle.patch | 16 ----
 yarn-update-jest.prebundle.patch | 12 +++
 yarnpkg-tarball.sh | 2 +
 yarnpkg.spec | 29 +++---
 19 files changed, 90 insertions(+), 279 deletions(-)
 delete mode 100644 CVE-2023-46234.patch
 delete mode 100644 CVE-2024-12905_CVE-2025-48387.prebundle.patch
 delete mode 100644 CVE-2024-37890.prebundle.patch
 delete mode 100644 CVE-2024-48949.prebundle.patch
 delete mode 100644 CVE-2025-6545_6547.prebundle.patch
 create mode 100644 CVE-2025-8262.patch
 create mode 100644 CVE-2025-8263.patch
 delete mode 100644 async-CVE-2021-43138.prebundle.patch
 delete mode 100644 decode-uri-component-CVE-2022-38900.prebundle.patch
 delete mode 100644 minimatch-CVE-2022-3517.prebundle.patch
 delete mode 100644 thenify-CVE-2020-7677.prebundle.patch
 create mode 100644 yarn-update-jest.prebundle.patch
diff --git a/.gitignore b/.gitignore
index 451bd33..2d1ca57 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@
 /yarnpkg-v1.22.22-bundled-20250328.tar.gz
 /yarnpkg-v1.22.22-bundled-20250604.tar.gz
 /yarnpkg-v1.22.22-bundled-20250624.tar.gz
+/yarnpkg-v1.22.22-bundled-20250728.tar.gz
diff --git a/CVE-2022-37599.patch b/CVE-2022-37599.patch
index 7636ff8..cdeb7cc 100644
--- a/CVE-2022-37599.patch
+++ b/CVE-2022-37599.patch
@@ -1,6 +1,6 @@
-diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
---- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100
-+++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100
+diff -rupN --no-dereference yarn-1.22.22/node_modules/loader-utils/index.js yarn-1.22.22-new/node_modules/loader-utils/index.js
+--- yarn-1.22.22/node_modules/loader-utils/index.js 2025-07-28 09:42:24.000000000 +0200
++++ yarn-1.22.22-new/node_modules/loader-utils/index.js 2025-07-31 00:36:49.585249573 +0200
 @@ -299,7 +299,7 @@ exports.interpolateName = function inter
 var url = filename;
 if(content) {
diff --git a/CVE-2023-26136.patch b/CVE-2023-26136.patch
index 3300cce..dccadfe 100644
--- a/CVE-2023-26136.patch
+++ b/CVE-2023-26136.patch
@@ -1,6 +1,6 @@
-diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
---- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100
-+++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100
+diff -rupN --no-dereference yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js
+--- yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js 2025-07-28 11:18:19.000000000 +0200
++++ yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js 2025-07-31 00:36:47.884055369 +0200
 @@ -36,7 +36,7 @@ var util = require('util');
 function MemoryCookieStore() {
diff --git a/CVE-2023-46234.patch b/CVE-2023-46234.patch
deleted file mode 100644
index 0820ae6..0000000
--- a/CVE-2023-46234.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
---- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100
-+++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100
-@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
-
- function checkValue (b, q) {
- if (b.cmpn(0) <= 0) throw new Error('invalid sig')
-- if (b.cmp(q) >= q) throw new Error('invalid sig')
-+ if (b.cmp(q) >= 0) throw new Error('invalid sig')
- }
-
- module.exports = verify
diff --git a/CVE-2024-12905_CVE-2025-48387.prebundle.patch b/CVE-2024-12905_CVE-2025-48387.prebundle.patch
deleted file mode 100644
index 78e2ee8..0000000
--- a/CVE-2024-12905_CVE-2025-48387.prebundle.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
---- yarn-1.22.22/yarn.lock 2024-10-15 15:12:52.000000000 +0200
-+++ yarn-1.22.22-new/yarn.lock 2025-03-28 20:35:23.508887708 +0100
-@@ -7150,9 +7150,9 @@ tapable@^0.2.7, tapable@~0.2.5:
- integrity sha1-mTcqXJmb8t8WCvwNdL7U9HlIzSI=
-
- tar-fs@^1.16.0:
-- version "1.16.3"
-- resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.3.tgz#966a628841da2c4010406a82167cbd5e0c72d509"
-- integrity sha512-NvCeXpYx7OsmOh8zIOP/ebG55zZmxLE0etfWRbWok+q2Qo8x/vOR/IJT1taADXPe+jsiu9axDb3X4B+iIgNlKw==
-+ version "1.16.5"
-+ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.5.tgz#716a323609c11182d1d3d7b5bf277d15dc128665"
-+ integrity sha512-1ergVCCysmwHQNrOS+Pjm4DQ4nrGp43+Xnu4MRGjCnQu/m3hEgLNS78d5z+B8OJ1hN5EejJdCSFZE1oM6AQXAQ==
- dependencies:
- chownr "^1.0.1"
- mkdirp "^0.5.1"
diff --git a/CVE-2024-37890.prebundle.patch b/CVE-2024-37890.prebundle.patch
deleted file mode 100644
index 5376f36..0000000
--- a/CVE-2024-37890.prebundle.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
---- yarn-1.22.22/yarn.lock 2024-10-10 12:55:05.000000000 +0200
-+++ yarn-1.22.22-new/yarn.lock 2024-10-15 14:59:01.318140933 +0200
-@@ -7809,9 +7809,9 @@ write@^0.2.1:
- mkdirp "^0.5.1"
-
- ws@^5.2.0:
-- version "5.2.2"
-- resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.2.tgz#dffef14866b8e8dc9133582514d1befaf96e980f"
-- integrity sha512-jaHFD6PFv6UgoIVda6qZllptQsMlDEJkTQcybzzXDYM1XO9Y8em691FGMPmM46WGyLU4z9KMgQN+qrux/nhlHA==
-+ version "5.2.4"
-+ resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.4.tgz#c7bea9f1cfb5f410de50e70e82662e562113f9a7"
-+ integrity sha512-fFCejsuC8f9kOSu9FYaOw8CdO68O3h5v0lg4p74o8JqWpwTf9tniOD+nOB78aWoVSS6WptVUmDrp/KPsMVBWFQ==
- dependencies:
- async-limiter "~1.0.0"
-
diff --git a/CVE-2024-4067.patch b/CVE-2024-4067.patch
index d56082e..1d28ec7 100644
--- a/CVE-2024-4067.patch
+++ b/CVE-2024-4067.patch
@@ -1,6 +1,6 @@
-diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
---- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 23:35:09.633072156 +0200
+diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-31 00:36:51.203223937 +0200
 @@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
 }
@@ -10,9 +10,9 @@ diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js y
 return utils.arrayify(pattern);
 }
 return braces(pattern, options);
-diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js
---- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 23:35:22.753040820 +0200
+diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-31 00:36:51.203775750 +0200
 @@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
 }
@@ -22,9 +22,9 @@ diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.j
 return utils.arrayify(pattern);
 }
 return braces(pattern, options);
-diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
---- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 23:35:32.817016784 +0200
+diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-31 00:36:51.204199053 +0200
 @@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
 }
@@ -34,21 +34,9 @@ diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js y
 return utils.arrayify(pattern);
 }
 return braces(pattern, options);
-diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js
---- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 23:35:41.536995958 +0200
-@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
- }
-
- function expand() {
-- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
-+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
- return utils.arrayify(pattern);
- }
- return braces(pattern, options);
-diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js
---- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 23:35:49.438977085 +0200
+diff -rupN --no-dereference yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-31 00:36:51.204611282 +0200
 @@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
 }
diff --git a/CVE-2024-48949.prebundle.patch b/CVE-2024-48949.prebundle.patch
deleted file mode 100644
index 247f3cc..0000000
--- a/CVE-2024-48949.prebundle.patch
+++ /dev/null
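Review bot: The rewritten `@@ -34,21 +34,9 @@` hunk of CVE-2024-4067.patch drops the `sane/` and `test-exclude/` micromatch copies and adds `readdirp/`, and the `@@ -10,9 +10,9 @@` hunk above swaps `findup-sync/` for `liftoff/`, so the set of nested micromatch copies this CVE patch covers has changed without the commit saying how the new set was derived; presumably the refreshed 20250728 bundle changed which packages vendor their own micromatch, but that is inferred. Recording the enumeration in the patch header or the changelog, e.g. `# covers every node_modules/**/micromatch/index.js present in the 20250728 bundle`, would let the next refresh confirm that no vulnerable copy was left unpatched. The replacement regex for the newly listed copies lies outside this hunk, so its correctness cannot be checked from here.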
@@ -1,91 +0,0 @@ -diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock ---- yarn-1.22.22/yarn.lock 2024-10-10 12:46:29.329322568 +0200 -+++ yarn-1.22.22-new/yarn.lock 2024-10-10 12:37:38.256366136 +0200 -@@ -1404,11 +1404,16 @@ bl@^1.0.0: - readable-stream "^2.3.5" - safe-buffer "^5.1.1" - --bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0: -+bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1: - version "4.11.8" - resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f" - integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA== - -+bn.js@^4.11.9: -+ version "4.12.0" -+ resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88" -+ integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA== -+ - brace-expansion@^1.1.7: - version "1.1.11" - resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd" -@@ -1450,7 +1455,7 @@ broccoli-kitchen-sink-helpers@^0.3.1: - glob "^5.0.10" - mkdirp "^0.5.1" - --brorand@^1.0.1: -+brorand@^1.0.1, brorand@^1.1.0: - version "1.1.0" - resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f" - integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8= -@@ -2424,17 +2429,17 @@ electron-to-chromium@^1.3.47: - integrity sha1-8VDhCyC3fZ1Br8yjEu/gw7Gn/c4= - - elliptic@^6.0.0: -- version "6.4.0" -- resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df" -- integrity sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8= -+ version "6.5.7" -+ resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b" -+ integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q== - dependencies: -- bn.js "^4.4.0" -- brorand "^1.0.1" -+ 
bn.js "^4.11.9" -+ brorand "^1.1.0" - hash.js "^1.0.0" -- hmac-drbg "^1.0.0" -- inherits "^2.0.1" -- minimalistic-assert "^1.0.0" -- minimalistic-crypto-utils "^1.0.0" -+ hmac-drbg "^1.0.1" -+ inherits "^2.0.4" -+ minimalistic-assert "^1.0.1" -+ minimalistic-crypto-utils "^1.0.1" - - emoji-regex@^6.5.1: - version "6.5.1" -@@ -3711,10 +3716,10 @@ heimdalljs@^0.2.0, heimdalljs@^0.2.3: - dependencies: - rsvp "~3.2.1" - --hmac-drbg@^1.0.0: -+hmac-drbg@^1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1" -- integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE= -+ integrity sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg== - dependencies: - hash.js "^1.0.3" - minimalistic-assert "^1.0.0" -@@ -3841,6 +3846,11 @@ inherits@2.0.1: - resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.1.tgz#b17d08d326b4423e568eff719f91b0b1cbdf69f1" - integrity sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE= - -+inherits@^2.0.4: -+ version "2.0.4" -+ resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c" -+ integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ== -+ - ini@^1.3.4, ini@~1.3.0: - version "1.3.5" - resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927" -@@ -5234,7 +5244,7 @@ minimalistic-assert@^1.0.0, minimalistic - resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7" - integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A== - --minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1: -+minimalistic-crypto-utils@^1.0.1: - version "1.0.1" - resolved 
"https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a" - integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= diff --git a/CVE-2025-6545_6547.prebundle.patch b/CVE-2025-6545_6547.prebundle.patch deleted file mode 100644 index e586613..0000000 --- a/CVE-2025-6545_6547.prebundle.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock ---- yarn-1.22.22/yarn.lock 2024-03-09 22:33:28.000000000 +0100 -+++ yarn-1.22.22-new/yarn.lock 2025-06-24 10:24:15.448061691 +0200 -@@ -5905,17 +5905,6 @@ path-type@^1.0.0: - pify "^2.0.0" - pinkie-promise "^2.0.0" - --pbkdf2@^3.0.3: -- version "3.0.16" -- resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.0.16.tgz#7404208ec6b01b62d85bf83853a8064f8d9c2a5c" -- integrity sha512-y4CXP3thSxqf7c0qmOF+9UeOTrifiVTIM+u7NWlq+PRsHbr7r7dpCmvzrZxa96JJUNi0Y5w9VqG5ZNeCVMoDcA== -- dependencies: -- create-hash "^1.1.2" -- create-hmac "^1.1.4" -- ripemd160 "^2.0.1" -- safe-buffer "^5.0.1" -- sha.js "^2.4.8" -- - peek-stream@^1.1.0: - version "1.1.3" - resolved "https://registry.yarnpkg.com/peek-stream/-/peek-stream-1.1.3.tgz#3b35d84b7ccbbd262fff31dc10da56856ead6d67" diff --git a/CVE-2025-8262.patch b/CVE-2025-8262.patch new file mode 100644 index 0000000..b531b79 --- /dev/null +++ b/CVE-2025-8262.patch 
@@ -0,0 +1,15 @@
+diff -rupN --no-dereference yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js
+--- yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js 2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js 2025-07-31 00:36:53.007366080 +0200
+@@ -30,8 +30,9 @@ export function explodeHostedGitFragment
+ }
+ 
+ const parts = fragment
+- .replace(/(.*?)#.*/, '$1') // Strip hash
+- .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
++ .split('#', 1)[0]
++ .split(':')
++ .pop()
+ .replace(/.git$/, '') // Strip the .git suffix
+ .split('/');
+ 
diff --git a/CVE-2025-8263.patch b/CVE-2025-8263.patch
new file mode 100644
index 0000000..7d31b12
--- /dev/null
+++ b/CVE-2025-8263.patch
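Review bot: The kept line `.replace(/.git$/, '')` right after the new `.pop()` has an unescaped dot, so any repository name whose last four characters are `?git` (e.g. `digit`) loses four characters instead of only a literal `.git` suffix; since this is already a local edit of `explodeHostedGitFragment`, it could carry `.replace(/\.git$/, '')` as well, or the fix should be sent upstream. The new `split('#', 1)[0]` / `split(':').pop()` pair preserves the old semantics (cut at the first `#`, keep the text after the last `:`) while removing the backtracking regexes, which is presumably the ReDoS fix the CVE refers to — inferred from the upstream commit linked in the spec, not from the hunk. The patch targets `src/`, so it only reaches the installed CLI if the build regenerates `lib/` from `src/`; a grep for `split('#', 1)` in the built `lib/cli.js` during %check would pin that. `explodeHostedGitFragment` begins before and ends after this hunk.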
@@ -0,0 +1,25 @@
+diff -rupN yarn-1.22.22/node_modules/form-data/lib/form_data.js yarn-1.22.22-new/node_modules/form-data/lib/form_data.js
+--- yarn-1.22.22/node_modules/form-data/lib/form_data.js 2025-07-28 11:18:19.000000000 +0200
++++ yarn-1.22.22-new/node_modules/form-data/lib/form_data.js 2025-07-31 00:39:06.012116839 +0200
+@@ -5,6 +5,7 @@ var http = require('http');
+ var https = require('https');
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -316,12 +317,7 @@ FormData.prototype.getBoundary = functio
+ FormData.prototype._generateBoundary = function() {
+ // This generates a 50 character boundary similar to those used by Firefox.
+ // They are optimized for boyer-moore parsing.
+- var boundary = '--------------------------';
+- for (var i = 0; i < 24; i++) {
+- boundary += Math.floor(Math.random() * 10).toString(16);
+- }
+-
+- this._boundary = boundary;
++ this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length
diff --git a/async-CVE-2021-43138.prebundle.patch b/async-CVE-2021-43138.prebundle.patch
deleted file mode 100644
index f426b87..0000000
--- a/async-CVE-2021-43138.prebundle.patch
+++ /dev/null
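Review bot: This patches only the top-level `node_modules/form-data/lib/form_data.js`; the micromatch patch in this same commit shows the bundle carries nested copies of packages under `node_modules/*/node_modules/`, so a second `form-data` there would keep the `Math.random()` boundary untouched. A check in %check after patching, e.g. `! grep -rl 'Math.random() \* 10' --include=form_data.js node_modules`, would catch that. The replacement `crypto.randomBytes(12).toString('hex')` yields 24 hex characters, so the 50-character boundary described in the retained comment is preserved, and the `crypto` require is added to the existing top-of-file require block. `_generateBoundary` sits entirely inside the second inner hunk.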
@@ -1,31 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-03-21 11:58:50.508393147 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:59:28.850636157 +0100 -@@ -498,11 +498,11 @@ async@^1.4.0: - integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo= - - async@^2.1.2, async@^2.1.4: -- version "2.6.1" -- resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610" -- integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ== -+ version "2.6.4" -+ resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221" -+ integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA== - dependencies: -- lodash "^4.17.10" -+ lodash "^4.17.14" - - asynckit@^0.4.0: - version "0.4.0" -@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@ - resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7" - integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg== - -+lodash@^4.17.14: -+ version "4.17.21" -+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c" -+ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg== -+ - longest@^1.0.1: - version "1.0.1" - resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097" diff --git a/decode-uri-component-CVE-2022-38900.prebundle.patch b/decode-uri-component-CVE-2022-38900.prebundle.patch deleted file mode 100644 index 0364a0a..0000000 --- a/decode-uri-component-CVE-2022-38900.prebundle.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:57:26.891976168 +0100 -@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1: - integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA= - - decode-uri-component@^0.2.0: -- version "0.2.0" -- resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545" -- integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU= -+ version "0.2.2" -+ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9" -+ integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ== - - dedent@0.6.0: - version "0.6.0" diff --git a/minimatch-CVE-2022-3517.prebundle.patch b/minimatch-CVE-2022-3517.prebundle.patch deleted file mode 100644 index 3238222..0000000 --- a/minimatch-CVE-2022-3517.prebundle.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-03-21 12:00:04.395885047 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 12:00:32.419095290 +0100 -@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima - integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= - - "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4: -- version "3.0.4" -- resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" -- integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== -+ version "3.1.2" -+ resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" -+ integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== - dependencies: - brace-expansion "^1.1.7" - diff --git a/sources b/sources index 333edd5..932a1e1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.22-bundled-20250624.tar.gz) = 4bea09a02ad6bc3d7c0a275e01118af9ad198bc7d07af7c41eab11c89a75f233d9180a7dc6d111ee4a923716050830dccf593ae0bc240d1de5c3fd08fb575f9c +SHA512 (yarnpkg-v1.22.22-bundled-20250728.tar.gz) = 9ab791226073e3c7c1e9eaba3de6b4be215785cad5bfc20f9da4894b9e87ea11f5df014147a59bcdff6c334110e074a52c1f8e91d8144edf2513484666a40269 diff --git a/thenify-CVE-2020-7677.prebundle.patch b/thenify-CVE-2020-7677.prebundle.patch deleted file mode 100644 index ac40234..0000000 --- a/thenify-CVE-2020-7677.prebundle.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock ---- yarn-1.22.19/yarn.lock 2023-03-21 11:57:48.181065612 +0100 -+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:58:21.377228725 +0100 -@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0: - thenify ">= 3.1.0 < 4" - - "thenify@>= 3.1.0 < 4": -- version "3.3.0" -- resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839" -- integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk= -+ version "3.3.1" -+ resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f" -+ integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw== - dependencies: - any-promise "^1.0.0" - diff --git a/yarn-update-jest.prebundle.patch b/yarn-update-jest.prebundle.patch new file mode 100644 index 0000000..ec5049f --- /dev/null +++ b/yarn-update-jest.prebundle.patch @@ -0,0 +1,12 @@ +diff -rupN yarn-1.22.22/package.json yarn-1.22.22-new/package.json +--- yarn-1.22.22/package.json 2024-03-09 22:33:28.000000000 +0100 ++++ yarn-1.22.22-new/package.json 2025-07-28 10:33:09.427716996 +0200 +@@ -93,7 +93,7 @@ + "gulp-newer": "^1.0.0", + "gulp-plumber": "^1.0.1", + "gulp-sourcemaps": "^2.2.0", +- "jest": "^22.4.4", ++ "jest": "^30.0.5", + "jsinspect": "^0.12.6", + "minimatch": "^3.0.4", + "mock-stdin": "^0.3.0", diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh index b0dba21..363f5bf 100755 --- a/yarnpkg-tarball.sh +++ b/yarnpkg-tarball.sh @@ -11,7 +11,9 @@ cd yarn-$version for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do patch -p1 < $file done +rm yarn.lock yarn install +yarn autoclean --force yarn audit fix # Delete all binary files in node_modules echo "Deleting binary files..." diff --git a/yarnpkg.spec b/yarnpkg.spec index 8d7580e..aaff8b2 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec 
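Review bot: `rm yarn.lock` before `yarn install` discards upstream's resolved versions and integrity hashes, so each bundle becomes whatever the registry resolves on the day the tarball is built, and the only record of that set is the SHA512 in `sources`; nothing here surfaces what changed between two bundles. Saving the regenerated lockfile beside the tarball, or diffing it against the previous bundle's `yarn.lock` before publishing, would make each refresh reviewable. `yarn autoclean --force` only removes what a `.yarnclean` file lists, as I read the yarn docs, so it is worth confirming the tree has one or the line is a no-op. The unchanged `yarn audit fix` also deserves a second look: yarn classic documents `yarn audit` but, as far as I know, no `fix` subcommand. The script begins before this hunk.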
@@ -8,11 +8,11 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20250624 +%global bundledate 20250728 Name: yarnpkg Version: 1.22.22 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -21,20 +21,15 @@ Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz Source1: yarnpkg-tarball.sh # These are applied by yarnpkg-tarball.sh -# async-CVE-2021-43138.prebundle.patch -# minimatch-CVE-2022-3517.prebundle.patch -# thenify-CVE-2020-7677.prebundle.patch -# decode-uri-component-CVE-2022-38900.prebundle.patch -# CVE-2024-48949.prebundle.patch -# CVE-2024-37890.prebundle.patch -# CVE-2024-12905.prebundle.patch -# CVE-2025-6545_6547.prebundle.patch +# yarn-update-jest.prebundle.patch Patch0: CVE-2023-26136.patch Patch1: CVE-2022-37599.patch -Patch2: CVE-2023-46234.patch -Patch3: CVE-2024-4067.patch - +Patch2: CVE-2024-4067.patch +# https://github.com/yarnpkg/yarn/commit/97731871e674bf93bcbf29e9d3258da8685f3076.patch +Patch3: CVE-2025-8262.patch +# https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 +Patch4: CVE-2025-8263.patch ExclusiveArch: %{nodejs_arches} @@ -77,6 +72,7 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \ -ipath '*/test/*' -type f -executable \ -exec chmod -x '{}' + + %if 0%{?enable_tests} %check %nodejs_symlink_deps --check 
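Review bot: Patch2–Patch4 are renumbered (CVE-2024-4067.patch moves from Patch3 to Patch2) and CVE-2023-46234.patch is dropped; if %prep — not in this hunk — applies patches with explicit `%patch2`/`%patch3` macros rather than `%autosetup -p1`, the renumbering silently changes which file each macro applies, so that should be checked. Dropping CVE-2023-46234.patch relies on the refreshed bundle carrying a fixed version of the affected module; the changelog asserts this but nothing in the build does, and a one-line version check or a grep for the patched code in %check would make the claim hold across future refreshes. The upstream commit URLs above Patch3 and Patch4 are the right kind of provenance; adding the same for the remaining CVE patches would help the next auditor.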
@@ -92,7 +88,14 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %{_bindir}/yarn %{nodejs_sitelib}/%{npm_name}/ + %changelog +* Wed Jul 30 2025 Sandro Mani - 1.22.22-11 +- Refresh bundle +- Drop patches obsoleted by new bundle +- Add yarn-update-jest.prebundle.patch to update jest and avoid some vulerable dependencies +- Apply fixes for CVE-2025-8262 and CVE-2025-8263 + * Fri Jul 25 2025 Fedora Release Engineering - 1.22.22-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From f3e0e4118adb662904615b0642a6c1f6139365be Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Tue, 30 Sep 2025 23:58:44 +0200 Subject: [PATCH 37/41] Regenerate bundle, fixes CVE-2025-59343 --- .gitignore | 1 + sources | 2 +- yarn-no-commitizen.prebundle.patch | 30 ++++++++ yarn-no-eslint.prebundle.patch | 116 +++++++++++++++++++++++++++++ yarnpkg.spec | 8 +- 5 files changed, 155 insertions(+), 2 deletions(-) create mode 100644 yarn-no-commitizen.prebundle.patch create mode 100644 yarn-no-eslint.prebundle.patch diff --git a/.gitignore b/.gitignore index 2d1ca57..eb7fdc3 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /yarnpkg-v1.22.22-bundled-20250604.tar.gz /yarnpkg-v1.22.22-bundled-20250624.tar.gz /yarnpkg-v1.22.22-bundled-20250728.tar.gz +/yarnpkg-v1.22.22-bundled-20250930.tar.gz diff --git a/sources b/sources index 932a1e1..8a66190 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.22-bundled-20250728.tar.gz) = 9ab791226073e3c7c1e9eaba3de6b4be215785cad5bfc20f9da4894b9e87ea11f5df014147a59bcdff6c334110e074a52c1f8e91d8144edf2513484666a40269 +SHA512 (yarnpkg-v1.22.22-bundled-20250930.tar.gz) = c6ed6537c82961002eefd2b6051abc18ea29e5ece420ca8c6df0a7ec686e564e32f75dac97092e92e21c95a0d15ee278ad2f06d1cd832223f16cfd439160d502 diff --git a/yarn-no-commitizen.prebundle.patch b/yarn-no-commitizen.prebundle.patch new file mode 100644 index 0000000..dbc8d85 --- /dev/null +++ b/yarn-no-commitizen.prebundle.patch 
@@ -0,0 +1,30 @@
+diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
+--- yarn-1.22.22/package.json 2025-09-30 14:26:03.561888356 +0200
++++ yarn-1.22.22-new/package.json 2025-09-30 14:26:03.566194507 +0200
+@@ -69,7 +69,6 @@
+ "babel-preset-flow": "^6.23.0",
+ "babel-preset-stage-0": "^6.0.0",
+ "babylon": "^6.5.0",
+- "commitizen": "^2.9.6",
+ "cz-conventional-changelog": "^2.0.0",
+ "eslint": "^4.3.0",
+ "eslint-config-fb-strict": "^22.0.0",
+@@ -131,8 +130,7 @@
+ "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",
+ "test-only-debug": "node --inspect-brk --max_old_space_size=4096 node_modules/jest/bin/jest.js --runInBand --verbose",
+ "test-coverage": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --coverage --verbose",
+- "watch": "gulp watch",
+- "commit": "git-cz"
++ "watch": "gulp watch"
+ },
+ "jest": {
+ "collectCoverageFrom": [
+@@ -152,8 +150,5 @@
+ ]
+ },
+ "config": {
+- "commitizen": {
+- "path": "./node_modules/cz-conventional-changelog"
+- }
+ }
+ }
diff --git a/yarn-no-eslint.prebundle.patch b/yarn-no-eslint.prebundle.patch
new file mode 100644
index 0000000..de0f7a4
--- /dev/null
+++ b/yarn-no-eslint.prebundle.patch
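Review bot: Only `commitizen` and its `config` entry are removed, while `"cz-conventional-changelog": "^2.0.0",` stays in devDependencies (visible as context in the first inner hunk); it is the adapter that the deleted `config.commitizen.path` pointed at, and nothing else in these hunks references it, so it keeps a dependency tree in the bundle that this change set out to drop. Remove that line too, and drop the now-empty `"config": {}` object rather than leaving a stub. The changelog states the goal as reducing dependencies, so this is the same point applied one level deeper.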
@@ -0,0 +1,116 @@ +diff -rupN --no-dereference yarn-1.22.22/.eslintignore yarn-1.22.22-new/.eslintignore +--- yarn-1.22.22/.eslintignore 2024-03-09 22:33:28.000000000 +0100 ++++ yarn-1.22.22-new/.eslintignore 1970-01-01 01:00:00.000000000 +0100 +@@ -1,12 +0,0 @@ +-__tests__/fixtures +-lib +-lib-legacy +-node_modules +-flow-typed +-coverage +-gulpfile.js +-scripts +-updates +-artifacts +-dist +-packages +diff -rupN --no-dereference yarn-1.22.22/.eslintrc.json yarn-1.22.22-new/.eslintrc.json +--- yarn-1.22.22/.eslintrc.json 2024-03-09 22:33:28.000000000 +0100 ++++ yarn-1.22.22-new/.eslintrc.json 1970-01-01 01:00:00.000000000 +0100 +@@ -1,56 +0,0 @@ +-{ +- "extends": "eslint-config-fb-strict", +- "env": { +- "jest": true +- }, +- "plugins": [ +- "flowtype", +- "yarn-internal", +- "prettier" +- ], +- "rules": { +- "yarn-internal/warn-language": "error", +- "max-len": ["error", 120], +- "prefer-arrow-callback": "off", +- "flowtype/require-valid-file-annotation": ["error", "always"], +- "flowtype/space-after-type-colon": ["error", "always"], +- "flowtype/require-return-type": ["error", "always", {"excludeArrowFunctions": true}], +- "require-await": "error", +- "no-process-exit": "error", +- "no-return-await": "error", +- "sort-keys": "off", +- "prettier/prettier": ["error", { +- "singleQuote": true, +- "trailingComma": "all", +- "bracketSpacing": false, +- "printWidth": 120, +- "parser": "flow" +- }] +- }, +- "overrides": [ +- { +- "files": [ +- "__tests__/fixtures/**/*.js", +- "bin/*.js", +- "src/cli/index.js" +- ], +- "rules": { +- "no-console": "off" +- } +- }, +- { +- "files": [ +- "src/util/generate-pnp-map-api.tpl.js" +- ], +- "rules": { +- "prettier/prettier": ["error", { +- "singleQuote": true, +- "trailingComma": "es5", +- "bracketSpacing": false, +- "printWidth": 120, +- "parser": "flow" +- }] +- } +- } +- ] +-} +diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json +--- yarn-1.22.22/package.json 2025-09-30 14:26:03.997138837 +0200 
++++ yarn-1.22.22-new/package.json 2025-09-30 14:26:04.000964590 +0200 +@@ -58,7 +58,6 @@ + }, + "devDependencies": { + "babel-core": "^6.26.0", +- "babel-eslint": "^7.2.3", + "babel-loader": "^6.2.5", + "babel-plugin-array-includes": "^2.0.3", + "babel-plugin-inline-import": "^3.0.0", +@@ -70,18 +69,6 @@ + "babel-preset-stage-0": "^6.0.0", + "babylon": "^6.5.0", + "cz-conventional-changelog": "^2.0.0", +- "eslint": "^4.3.0", +- "eslint-config-fb-strict": "^22.0.0", +- "eslint-plugin-babel": "^5.0.0", +- "eslint-plugin-flowtype": "^2.35.0", +- "eslint-plugin-jasmine": "^2.6.2", +- "eslint-plugin-jest": "^21.0.0", +- "eslint-plugin-jsx-a11y": "^6.0.2", +- "eslint-plugin-prefer-object-spread": "^1.2.1", +- "eslint-plugin-prettier": "^2.1.2", +- "eslint-plugin-react": "^7.1.0", +- "eslint-plugin-relay": "^0.0.28", +- "eslint-plugin-yarn-internal": "file:scripts/eslint-rules", + "execa": "^0.11.0", + "fancy-log": "^1.3.2", + "flow-bin": "^0.66.0", +@@ -122,9 +109,7 @@ + "build-win-installer": "scripts\\build-windows-installer.bat", + "changelog": "git-release-notes $(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)..$(git describe --tags --abbrev=0) scripts/changelog.md", + "dupe-check": "yarn jsinspect ./src", +- "lint": "eslint . && flow check", + "pkg-tests": "yarn --cwd packages/pkg-tests jest yarn.test.js", +- "prettier": "eslint src __tests__ --fix", + "release-branch": "./scripts/release-branch.sh", + "test": "yarn lint && yarn test-only", + "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose", diff --git a/yarnpkg.spec b/yarnpkg.spec index aaff8b2..8b5ef5b 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.22 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn 
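Review bot: The `lint` script is deleted but the context line `"test": "yarn lint && yarn test-only"` still calls it, so `yarn test` in the patched tree would fail with yarn reporting the script as not found before any test runs; either change it to `"test": "yarn test-only"` in this patch or confirm that %check invokes `test-only` directly. `"prettier": "eslint src __tests__ --fix"` is removed consistently with eslint going away. Deleting `.eslintrc.json` also drops the reference to the in-tree `scripts/eslint-rules` plugin, so nothing dangling remains there as far as these hunks show.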
@@ -22,6 +22,8 @@ Source1: yarnpkg-tarball.sh # These are applied by yarnpkg-tarball.sh # yarn-update-jest.prebundle.patch +# yarn-no-commitizen.prebundle.patch +# yarn-no-eslint.prebundle.patch Patch0: CVE-2023-26136.patch Patch1: CVE-2022-37599.patch @@ -90,6 +92,10 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %changelog +* Tue Sep 30 2025 Sandro Mani - 1.22.22-12 +- Regenerate bundle, fixes CVE-2025-59343 +- Patch out eslint and commitizen devDependencies to reduce dependencies + * Wed Jul 30 2025 Sandro Mani - 1.22.22-11 - Refresh bundle - Drop patches obsoleted by new bundle From 19097865bc15268e0716a836d217da32dba19ba3 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 1 Oct 2025 00:04:44 +0200 Subject: [PATCH 38/41] Actually bump bundle date --- yarnpkg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 8b5ef5b..1411a4d 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -8,7 +8,7 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20250728 +%global bundledate 20250930 Name: yarnpkg Version: 1.22.22 From e456b79af756d29fc24c3e2c85904e12d3fa05d8 Mon Sep 17 00:00:00 2001 
From: tjuhasz Date: Tue, 4 Nov 2025 11:02:43 +0100 Subject: [PATCH 39/41] Rebuild for nodejs-packaging Recently, Node.js changed the way node modules are installed to allow for better parallel functionality and easier unbundling of certain parts of Node.js. Previously, Node.js was using a symlink, %{_libdir}/node_modules, which pointed to a versioned path, e.g., %{_libdir}/node_modules_22. This has changed to using a global %{_libdir}/node_modules static shared folder for generic modules and %{_libdir}/node_modules_XX for version-specific modules. This change is better described in the Fedora change proposal wiki: https://fedoraproject.org/wiki/Changes/NodejsNodeModulesPath. This also needed to be reflected in nodejs-packaging macros, which forces a rebuild of dependent packages. --- yarnpkg.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 1411a4d..41fce7d 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.22 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn From 8dd4bce5fc524a1fb503c00a7979acb74cc9f259 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 3 Dec 2025 14:13:22 +0100 Subject: [PATCH 40/41] Refresh bundle --- .gitignore | 1 + sources | 2 +- yarnpkg.spec | 5 ++++- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index eb7fdc3..a1b6061 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /yarnpkg-v1.22.22-bundled-20250624.tar.gz /yarnpkg-v1.22.22-bundled-20250728.tar.gz /yarnpkg-v1.22.22-bundled-20250930.tar.gz +/yarnpkg-v1.22.22-bundled-20251203.tar.gz diff --git a/sources b/sources index 8a66190..b1beda2 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (yarnpkg-v1.22.22-bundled-20250930.tar.gz) = c6ed6537c82961002eefd2b6051abc18ea29e5ece420ca8c6df0a7ec686e564e32f75dac97092e92e21c95a0d15ee278ad2f06d1cd832223f16cfd439160d502 +SHA512 (yarnpkg-v1.22.22-bundled-20251203.tar.gz) = afcf0f4e3719a1d41e60b8e9a9633291161f3a7b04b67d85b3f12cfd9dce8abf9fef3f7be2eab90f3e8efa49e564342175a20ca1e305665a1d453a116b1f79d2 diff --git a/yarnpkg.spec b/yarnpkg.spec index 41fce7d..41fb0c5 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -8,7 +8,7 @@ # don't require bundled modules %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$ -%global bundledate 20250930 +%global bundledate 20251203 Name: yarnpkg Version: 1.22.22 @@ -92,6 +92,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %changelog +* Wed Dec 03 2025 Sandro Mani - 1.22.22-13 +- Refresh bundle, fixes CVE-2025-64756 + * Tue Sep 30 2025 Sandro Mani - 1.22.22-12 - Regenerate bundle, fixes CVE-2025-59343 - Patch out eslint and commitizen devDependencies to reduce dependencies From 18d61cf14152e830c7c588b1c106ccee0bf8c9d2 Mon Sep 17 00:00:00 2001 From: Sandro Mani Date: Wed, 3 Dec 2025 14:17:20 +0100 Subject: [PATCH 41/41] Bump release --- yarnpkg.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/yarnpkg.spec b/yarnpkg.spec index 41fb0c5..1fa8989 100644 --- a/yarnpkg.spec +++ b/yarnpkg.spec @@ -12,7 +12,7 @@ Name: yarnpkg Version: 1.22.22 -Release: 13%{?dist} +Release: 14%{?dist} Summary: Fast, reliable, and secure dependency management. License: BSD-2-Clause URL: https://github.com/yarnpkg/yarn @@ -92,6 +92,9 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS %changelog +* Wed Dec 03 2025 Sandro Mani - 1.22.22-14 +- Bump release + * Wed Dec 03 2025 Sandro Mani - 1.22.22-13 - Refresh bundle, fixes CVE-2025-64756