diff --git a/.gitignore b/.gitignore
index 0a7a7cb..451bd33 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,14 @@
 /yarnpkg-v1.22.10-bundled.tar.gz
 /yarnpkg-v1.22.17-bundled.tar.gz
 /yarnpkg-v1.22.19-bundled.tar.gz
+/yarnpkg-v1.22.19-bundled-20230321.tar.gz
+/yarnpkg-v1.22.21-bundled-20240217.tar.gz
+/yarnpkg-v1.22.21-bundled-20240219.tar.gz
+/v1.22.22.tar.gz
+/yarnpkg-v1.22.22-bundled-20240309.tar.gz
+/yarnpkg-v1.22.22-bundled-20240704.tar.gz
+/yarnpkg-v1.22.22-bundled-20241010.tar.gz
+/yarnpkg-v1.22.22-bundled-20241015.tar.gz
+/yarnpkg-v1.22.22-bundled-20250328.tar.gz
+/yarnpkg-v1.22.22-bundled-20250604.tar.gz
+/yarnpkg-v1.22.22-bundled-20250624.tar.gz
diff --git a/CVE-2022-37599.patch b/CVE-2022-37599.patch
new file mode 100644
index 0000000..7636ff8
--- /dev/null
+++ b/CVE-2022-37599.patch
@@ -0,0 +1,12 @@
+diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
+--- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100
++++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100
+@@ -299,7 +299,7 @@ exports.interpolateName = function inter
+ var url = filename;
+ if(content) {
+ // Match hash template
+- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
++ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
+ return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10));
+ }).replace(/\[emoji(?::(\d+))?\]/ig, function() {
+ return encodeStringToEmoji(content, arguments[1]);
diff --git a/CVE-2023-26136.patch b/CVE-2023-26136.patch
new file mode 100644
index 0000000..3300cce
--- /dev/null
+++ b/CVE-2023-26136.patch
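Review bot: Nothing in the patch records which upstream loader-utils commit the new `[^[:\]]+` character class is taken from, so there is no way to later check that it matches the upstream fix for CVE-2022-37599 or that the advisory is fully covered by this single regex change in `interpolateName`; the file starts directly at the `+diff -rupN` line. Add a short preamble above that line, e.g. `Backport of the upstream loader-utils fix for CVE-2022-37599 (ReDoS in interpolateName's hash-template regex); upstream commit: <sha>`, and note there that the paths are rooted at `yarn-1.22.21/` although the spec now builds 1.22.22, which only works if the patch is applied with -p1 (presumably the case in %prep, which is not in this diff). The enclosing `interpolateName` function starts and ends outside the hunk.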
@@ -0,0 +1,25 @@
+diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
+--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100
++++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100
+@@ -36,7 +36,7 @@ var util = require('util');
+ 
+ function MemoryCookieStore() {
+ Store.call(this);
+- this.idx = {};
++ this.idx = Object.create(null);
+ }
+ util.inherits(MemoryCookieStore, Store);
+ exports.MemoryCookieStore = MemoryCookieStore;
+@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies
+ 
+ MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
+ if (!this.idx[cookie.domain]) {
+- this.idx[cookie.domain] = {};
++ this.idx[cookie.domain] = Object.create(null);
+ }
+ if (!this.idx[cookie.domain][cookie.path]) {
+- this.idx[cookie.domain][cookie.path] = {};
++ this.idx[cookie.domain][cookie.path] = Object.create(null);
+ }
+ this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+ cb(null);
diff --git a/CVE-2023-46234.patch b/CVE-2023-46234.patch
new file mode 100644
index 0000000..0820ae6
--- /dev/null
+++ b/CVE-2023-46234.patch
@@ -0,0 +1,12 @@
+diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
+--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100
++++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100
+@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
+ 
+ function checkValue (b, q) {
+ if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+- if (b.cmp(q) >= q) throw new Error('invalid sig')
++ if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+ 
+ module.exports = verify
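Review bot: The null-prototype index is only established where `idx` objects are created, in the constructor and in `putCookie`, so any other place in this memstore.js that reassigns `this.idx = {}` — the 2.x memstore's `removeAllCookies` does exactly that, if it is present in the bundled copy — would reintroduce a prototype-bearing object after the first reset, and with it the `__proto__`-keyed domain/path write that CVE-2023-26136 is about. Grep the bundled `lib/memstore.js` for `= {}` and convert every remaining assignment to `Object.create(null)` in the same patch, and add a one-line comment above the constructor assignment: `// null prototype: cookie domain/path/key come from the remote server and must never resolve to Object.prototype`. Both changed functions start or end outside the hunk.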
diff --git a/CVE-2024-12905_CVE-2025-48387.prebundle.patch b/CVE-2024-12905_CVE-2025-48387.prebundle.patch
new file mode 100644
index 0000000..78e2ee8
--- /dev/null
+++ b/CVE-2024-12905_CVE-2025-48387.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-10-15 15:12:52.000000000 +0200
++++ yarn-1.22.22-new/yarn.lock 2025-03-28 20:35:23.508887708 +0100
+@@ -7150,9 +7150,9 @@ tapable@^0.2.7, tapable@~0.2.5:
+ integrity sha1-mTcqXJmb8t8WCvwNdL7U9HlIzSI=
+ 
+ tar-fs@^1.16.0:
+- version "1.16.3"
+- resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.3.tgz#966a628841da2c4010406a82167cbd5e0c72d509"
+- integrity sha512-NvCeXpYx7OsmOh8zIOP/ebG55zZmxLE0etfWRbWok+q2Qo8x/vOR/IJT1taADXPe+jsiu9axDb3X4B+iIgNlKw==
++ version "1.16.5"
++ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.5.tgz#716a323609c11182d1d3d7b5bf277d15dc128665"
++ integrity sha512-1ergVCCysmwHQNrOS+Pjm4DQ4nrGp43+Xnu4MRGjCnQu/m3hEgLNS78d5z+B8OJ1hN5EejJdCSFZE1oM6AQXAQ==
+ dependencies:
+ chownr "^1.0.1"
+ mkdirp "^0.5.1"
diff --git a/CVE-2024-37890.prebundle.patch b/CVE-2024-37890.prebundle.patch
new file mode 100644
index 0000000..5376f36
--- /dev/null
+++ b/CVE-2024-37890.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-10-10 12:55:05.000000000 +0200
++++ yarn-1.22.22-new/yarn.lock 2024-10-15 14:59:01.318140933 +0200
+@@ -7809,9 +7809,9 @@ write@^0.2.1:
+ mkdirp "^0.5.1"
+ 
+ ws@^5.2.0:
+- version "5.2.2"
+- resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.2.tgz#dffef14866b8e8dc9133582514d1befaf96e980f"
+- integrity sha512-jaHFD6PFv6UgoIVda6qZllptQsMlDEJkTQcybzzXDYM1XO9Y8em691FGMPmM46WGyLU4z9KMgQN+qrux/nhlHA==
++ version "5.2.4"
++ resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.4.tgz#c7bea9f1cfb5f410de50e70e82662e562113f9a7"
++ integrity sha512-fFCejsuC8f9kOSu9FYaOw8CdO68O3h5v0lg4p74o8JqWpwTf9tniOD+nOB78aWoVSS6WptVUmDrp/KPsMVBWFQ==
+ dependencies:
+ async-limiter "~1.0.0"
+ 
diff --git a/CVE-2024-4067.patch b/CVE-2024-4067.patch
new file mode 100644
index 0000000..d56082e
--- /dev/null
+++ b/CVE-2024-4067.patch
@@ -0,0 +1,60 @@
+diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 23:35:09.633072156 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 23:35:22.753040820 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 23:35:32.817016784 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 23:35:41.536995958 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
++++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 23:35:49.438977085 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+ }
+ 
+ function expand() {
+- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+ return utils.arrayify(pattern);
+ }
+ return braces(pattern, options);
diff --git a/CVE-2024-48949.prebundle.patch b/CVE-2024-48949.prebundle.patch
new file mode 100644
index 0000000..247f3cc
--- /dev/null
+++ b/CVE-2024-48949.prebundle.patch
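Review bot: No record of how the five nested `micromatch/index.js` copies (anymatch, findup-sync, matchdep, sane, test-exclude) were enumerated accompanies the patch, so a re-bundle that pulls in a further copy — a top-level `node_modules/micromatch`, or one under chokidar, if either exists in this tree — would stay on the greedy `/\{.*\}/` test without anyone noticing. Put the search in a header at the top of the patch, e.g. `# Found with: grep -rl --include=index.js 'nobrace === true || !/\\{\\.\\*\\}/' node_modules`, and have %prep fail if that grep still returns anything after the patch is applied. Whether the lazy `.*?` actually bounds the advisory's pathological input is also worth confirming with a quick timing test against the bundled copy rather than assumed, since both forms still scan from each `{` to the line end when no `}` follows. The enclosing `micromatch.braces` function starts and ends outside each hunk.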
@@ -0,0 +1,91 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-10-10 12:46:29.329322568 +0200
++++ yarn-1.22.22-new/yarn.lock 2024-10-10 12:37:38.256366136 +0200
+@@ -1404,11 +1404,16 @@ bl@^1.0.0:
+ readable-stream "^2.3.5"
+ safe-buffer "^5.1.1"
+ 
+-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0:
++bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1:
+ version "4.11.8"
+ resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f"
+ integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==
+ 
++bn.js@^4.11.9:
++ version "4.12.0"
++ resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
++ integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
++
+ brace-expansion@^1.1.7:
+ version "1.1.11"
+ resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
+@@ -1450,7 +1455,7 @@ broccoli-kitchen-sink-helpers@^0.3.1:
+ glob "^5.0.10"
+ mkdirp "^0.5.1"
+ 
+-brorand@^1.0.1:
++brorand@^1.0.1, brorand@^1.1.0:
+ version "1.1.0"
+ resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
+ integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
+@@ -2424,17 +2429,17 @@ electron-to-chromium@^1.3.47:
+ integrity sha1-8VDhCyC3fZ1Br8yjEu/gw7Gn/c4=
+ 
+ elliptic@^6.0.0:
+- version "6.4.0"
+- resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df"
+- integrity sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8=
++ version "6.5.7"
++ resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
++ integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
+ dependencies:
+- bn.js "^4.4.0"
+- brorand "^1.0.1"
++ bn.js "^4.11.9"
++ brorand "^1.1.0"
+ hash.js "^1.0.0"
+- hmac-drbg "^1.0.0"
+- inherits "^2.0.1"
+- minimalistic-assert "^1.0.0"
+- minimalistic-crypto-utils "^1.0.0"
++ hmac-drbg "^1.0.1"
++ inherits "^2.0.4"
++ minimalistic-assert "^1.0.1"
++ minimalistic-crypto-utils "^1.0.1"
+ 
+ emoji-regex@^6.5.1:
+ version "6.5.1"
+@@ -3711,10 +3716,10 @@ heimdalljs@^0.2.0, heimdalljs@^0.2.3:
+ dependencies:
+ rsvp "~3.2.1"
+ 
+-hmac-drbg@^1.0.0:
++hmac-drbg@^1.0.1:
+ version "1.0.1"
+ resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
+- integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
++ integrity sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==
+ dependencies:
+ hash.js "^1.0.3"
+ minimalistic-assert "^1.0.0"
+@@ -3841,6 +3846,11 @@ inherits@2.0.1:
+ resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.1.tgz#b17d08d326b4423e568eff719f91b0b1cbdf69f1"
+ integrity sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=
+ 
++inherits@^2.0.4:
++ version "2.0.4"
++ resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
++ integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
++
+ ini@^1.3.4, ini@~1.3.0:
+ version "1.3.5"
+ resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
+@@ -5234,7 +5244,7 @@ minimalistic-assert@^1.0.0, minimalistic
+ resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
+ integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
+ 
+-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
++minimalistic-crypto-utils@^1.0.1:
+ version "1.0.1"
+ resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
+ integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
diff --git a/CVE-2025-6545_6547.prebundle.patch b/CVE-2025-6545_6547.prebundle.patch
new file mode 100644
index 0000000..e586613
--- /dev/null
+++ b/CVE-2025-6545_6547.prebundle.patch
@@ -0,0 +1,21 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock 2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/yarn.lock 2025-06-24 10:24:15.448061691 +0200
+@@ -5905,17 +5905,6 @@ path-type@^1.0.0:
+ pify "^2.0.0"
+ pinkie-promise "^2.0.0"
+ 
+-pbkdf2@^3.0.3:
+- version "3.0.16"
+- resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.0.16.tgz#7404208ec6b01b62d85bf83853a8064f8d9c2a5c"
+- integrity sha512-y4CXP3thSxqf7c0qmOF+9UeOTrifiVTIM+u7NWlq+PRsHbr7r7dpCmvzrZxa96JJUNi0Y5w9VqG5ZNeCVMoDcA==
+- dependencies:
+- create-hash "^1.1.2"
+- create-hmac "^1.1.4"
+- ripemd160 "^2.0.1"
+- safe-buffer "^5.0.1"
+- sha.js "^2.4.8"
+-
+ peek-stream@^1.1.0:
+ version "1.1.3"
+ resolved "https://registry.yarnpkg.com/peek-stream/-/peek-stream-1.1.3.tgz#3b35d84b7ccbbd262fff31dc10da56856ead6d67"
diff --git a/async-CVE-2021-43138.prebundle.patch b/async-CVE-2021-43138.prebundle.patch
new file mode 100644
index 0000000..f426b87
--- /dev/null
+++ b/async-CVE-2021-43138.prebundle.patch
@@ -0,0 +1,31 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock 2023-03-21 11:58:50.508393147 +0100
++++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:59:28.850636157 +0100
+@@ -498,11 +498,11 @@ async@^1.4.0:
+ integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
+ 
+ async@^2.1.2, async@^2.1.4:
+- version "2.6.1"
+- resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610"
+- integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==
++ version "2.6.4"
++ resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221"
++ integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==
+ dependencies:
+- lodash "^4.17.10"
++ lodash "^4.17.14"
+ 
+ asynckit@^0.4.0:
+ version "0.4.0"
+@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@
+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
+ integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==
+ 
++lodash@^4.17.14:
++ version "4.17.21"
++ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
++ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
++
+ longest@^1.0.1:
+ version "1.0.1"
+ resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097"
diff --git a/decode-uri-component-CVE-2022-38900.prebundle.patch b/decode-uri-component-CVE-2022-38900.prebundle.patch
new file mode 100644
index 0000000..0364a0a
--- /dev/null
+++ b/decode-uri-component-CVE-2022-38900.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200
++++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:57:26.891976168 +0100
+@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1:
+ integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
+ 
+ decode-uri-component@^0.2.0:
+- version "0.2.0"
+- resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
+- integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
++ version "0.2.2"
++ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9"
++ integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==
+ 
+ dedent@0.6.0:
+ version "0.6.0"
diff --git a/glob-parent-CVE-2021-35065.patch b/glob-parent-CVE-2021-35065.patch
deleted file mode 100644
index c7b1fb1..0000000
--- a/glob-parent-CVE-2021-35065.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -rupN --no-dereference yarn-1.22.19/node_modules/glob-parent/index.js yarn-1.22.19-new/node_modules/glob-parent/index.js
---- yarn-1.22.19/node_modules/glob-parent/index.js 2022-12-15 10:13:44.000000000 +0100
-+++ yarn-1.22.19-new/node_modules/glob-parent/index.js 2023-01-04 00:11:24.718113215 +0100
-@@ -10,7 +10,7 @@ module.exports = function globParent(str
- if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/');
- 
- // special case for strings ending in enclosure containing path separator
-- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/';
-+ if (isEnclosure(str)) str += '/';
- 
- // preserves full path in case of trailing path separator
- str += 'a';
-@@ -22,3 +22,26 @@ module.exports = function globParent(str
- // remove escape chars and return result
- return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1');
- };
-+
-+function isEnclosure(str) {
-+ var lastChar = str.slice(-1)
-+
-+ var enclosureStart;
-+ switch (lastChar) {
-+ case '}':
-+ enclosureStart = '{';
-+ break;
-+ case ']':
-+ enclosureStart = '[';
-+ break;
-+ default:
-+ return false;
-+ }
-+
-+ var foundIndex = str.indexOf(enclosureStart);
-+ if (foundIndex < 0) {
-+ return false;
-+ }
-+
-+ return str.slice(foundIndex + 1, -1).includes('/');
-+}
diff --git a/minimatch-CVE-2022-3517.prebundle.patch b/minimatch-CVE-2022-3517.prebundle.patch
new file mode 100644
index 0000000..3238222
--- /dev/null
+++ b/minimatch-CVE-2022-3517.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock 2023-03-21 12:00:04.395885047 +0100
++++ yarn-1.22.19-new/yarn.lock 2023-03-21 12:00:32.419095290 +0100
+@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima
+ integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
+ 
+ "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4:
+- version "3.0.4"
+- resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
+- integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
++ version "3.1.2"
++ resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
++ integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
+ dependencies:
+ brace-expansion "^1.1.7"
+ 
diff --git a/sources b/sources
index 8d40ec4..333edd5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.19-bundled.tar.gz) = bc5bb744bf157812e5342b75e520007ce1df1a43b790d68523a7646ac5cd166bb8201cf58faab4efdce6eda0764ff256d69940c4cb2173a891c436e3db51a07d
+SHA512 (yarnpkg-v1.22.22-bundled-20250624.tar.gz) = 4bea09a02ad6bc3d7c0a275e01118af9ad198bc7d07af7c41eab11c89a75f233d9180a7dc6d111ee4a923716050830dccf593ae0bc240d1de5c3fd08fb575f9c
diff --git a/thenify-CVE-2020-7677.prebundle.patch b/thenify-CVE-2020-7677.prebundle.patch
new file mode 100644
index 0000000..ac40234
--- /dev/null
+++ b/thenify-CVE-2020-7677.prebundle.patch
@@ -0,0 +1,16 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock 2023-03-21 11:57:48.181065612 +0100
++++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:58:21.377228725 +0100
+@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0:
+ thenify ">= 3.1.0 < 4"
+ 
+ "thenify@>= 3.1.0 < 4":
+- version "3.3.0"
+- resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839"
+- integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk=
++ version "3.3.1"
++ resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f"
++ integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==
+ dependencies:
+ any-promise "^1.0.0"
+ 
diff --git a/yarnpkg-tarball.sh b/yarnpkg-tarball.sh
old mode 100644
new mode 100755
index 821f3f4..b0dba21
--- a/yarnpkg-tarball.sh
+++ b/yarnpkg-tarball.sh
@@ -1,8 +1,20 @@
 #!/bin/sh
 version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
+timestamp=$(date +%Y%m%d)
+if [ ! -e v$version.tar.gz ]; then
 wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz
+fi
+rm -rf yarn-$version
 tar -zxf v$version.tar.gz
 cd yarn-$version
-sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json
-npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version
+for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
+patch -p1 < $file
+done
+yarn install
+yarn audit fix
+# Delete all binary files in node_modules
+echo "Deleting binary files..."
+find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm
+cd ..
+tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version
diff --git a/yarnpkg.spec b/yarnpkg.spec
index 31bd798..07fbe58 100644
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
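Review bot: The script runs under plain `#!/bin/sh` with no `set -e`, so when one of the `patch -p1 < $file` invocations fails to apply (a yarn.lock offset that no longer matches after a version bump) or `yarn install` exits non-zero, execution simply continues and the final `tar -zcf` still emits a bundle that quietly lacks the CVE fix, with `sources` then recording the hash of that bad bundle. The upstream input is also never verified: `wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz` is used as fetched and only the output bundle's SHA512 is recorded, so pin a digest for `v$version.tar.gz` and check it before extraction. The `for file in $(ls -1 ...)` loop should iterate the glob directly and quote `"$file"`, and a comment should state that prebundle patches may delete lock entries on purpose (the pbkdf2 block) so that `yarn install` re-resolves them — that is the reason the bundle cannot be `--frozen-lockfile` and why the date lands in the tarball name. Finally, `yarn audit fix` is not a Yarn classic subcommand as far as I know; without `set -e` its failure or no-op passes unnoticed, so verify what it actually does here or drop it.
```sh
#!/bin/sh
set -eu
version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
timestamp=$(date +%Y%m%d)
if [ ! -e "v$version.tar.gz" ]; then
    wget "https://github.com/yarnpkg/yarn/archive/v$version.tar.gz"
fi
# Pin the upstream input, not just the output bundle: the expected digest
# lives next to this script, and anything else aborts the bundle.
sha512sum -c "v$version.tar.gz.sha512"
rm -rf "yarn-$version"
tar -zxf "v$version.tar.gz"
cd "yarn-$version"
# Prebundle patches may delete yarn.lock entries on purpose so that
# `yarn install` re-resolves them; a patch that no longer applies must
# abort the bundle rather than be skipped.
for file in ../*.prebundle.patch; do
    patch -p1 < "$file"
done
yarn install
# … unchanged: yarn audit fix, ELF removal, cd .., tar -zcf …
```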
@@ -1,7 +1,5 @@
+%global debug_package %{nil}
 %global npm_name yarn
-# name yarn would probably confict with cmdtest and hadoop-yarn
-# https://bugzilla.redhat.com/show_bug.cgi?id=1507312
-%global old_name nodejs-yarn
 %{?nodejs_find_provides_and_requires}
@@ -10,34 +8,43 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
+%global bundledate 20250624
+
 Name: yarnpkg
-Version: 1.22.19
-Release: 2%{?dist}
+Version: 1.22.22
+Release: 9%{?dist}
 Summary: Fast, reliable, and secure dependency management.
+License: BSD-2-Clause
 URL: https://github.com/yarnpkg/yarn
 # we need tarball with node_modules
-Source0: %{name}-v%{version}-bundled.tar.gz
+Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz
 Source1: yarnpkg-tarball.sh
-License: BSD
-# Backport fix for CVE-2021-35065 for bundled glob-parent
-Patch1: glob-parent-CVE-2021-35065.patch
+# These are applied by yarnpkg-tarball.sh
+# async-CVE-2021-43138.prebundle.patch
+# minimatch-CVE-2022-3517.prebundle.patch
+# thenify-CVE-2020-7677.prebundle.patch
+# decode-uri-component-CVE-2022-38900.prebundle.patch
+# CVE-2024-48949.prebundle.patch
+# CVE-2024-37890.prebundle.patch
+# CVE-2024-12905.prebundle.patch
+# CVE-2025-6545_6547.prebundle.patch
-BuildArch: noarch
-ExclusiveArch: %{nodejs_arches} noarch
+Patch0: CVE-2023-26136.patch
+Patch1: CVE-2022-37599.patch
+Patch2: CVE-2023-46234.patch
+Patch3: CVE-2024-4067.patch
+
+
+ExclusiveArch: %{nodejs_arches}
 BuildRequires: nodejs-packaging
-%if 0%{?fedora} > 37
+%if 0%{?fedora}
 BuildRequires: nodejs-npm
 %else
 BuildRequires: npm
 %endif
-# Package was renamed when Fedora 33 was rawhide
-# Don't remove this before Fedora 35
-Obsoletes: %{old_name} < 1.22.4-1
-Provides: %{old_name} = %{version}-%{release}
-
 %description
 Fast, reliable, and secure dependency management.
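Review bot: The glob-parent backport is dropped (`Patch1: glob-parent-CVE-2021-35065.patch` removed here, the file deleted elsewhere in this diff) without any recorded reason, and none of the new changelog entries mentions CVE-2021-35065, so a reader cannot tell whether the bundled glob-parent copies are now at a fixed version after re-resolution or whether the fix was simply lost in the 1.22.21 rebase. Add a line next to the patch list stating which it is, e.g. `# glob-parent CVE-2021-35065: patch dropped in 1.22.21-1, bundled copies are >= <fixed version>`, filled in from the `version` fields of the bundled `glob-parent/package.json` files. The comment block listing prebundle patches is also already out of sync with the files added: it names `CVE-2024-12905.prebundle.patch` while the file is `CVE-2024-12905_CVE-2025-48387.prebundle.patch`, and since nothing in the spec consumes this list it will keep drifting — either keep it exact or replace it with `# see *.prebundle.patch, applied by yarnpkg-tarball.sh` and let the files speak for themselves. How Patch0–Patch3 are applied (%prep) is outside this hunk; I assume `%autosetup -p1`.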
@@ -50,8 +57,6 @@ Fast, reliable, and secure dependency management.
 # use build script
 npm run build
-# remove build dependencies from node_modules
-npm prune --production
 %install
 mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
@@ -62,7 +67,6 @@ cp -pr package.json lib bin node_modules \
 mkdir -p %{buildroot}%{_bindir}
 ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg
 ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn
-ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{old_name}
 # Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)
 sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \
@@ -78,7 +82,6 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
 %nodejs_symlink_deps --check
 if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
 if [[ $(%{buildroot}%{_bind
ir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
-if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
 %endif
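Review bot: The full devDependency tree that `yarn install` produced now lands in the shipped package, because `npm prune --production` no longer runs before the `cp -pr package.json lib bin node_modules` in %install copies `node_modules` into `%{nodejs_sitelib}/yarn`; the `anymatch`, `sane` and `test-exclude` micromatch copies that CVE-2024-4067.patch has to touch are exactly such build-only packages, so this enlarges the bundled-CVE surface the package must track for every user rather than only at build time. If the prune was removed because npm cannot prune a yarn-installed tree, record that in a comment at the spot where the two lines were and replace it with an equivalent step — e.g. removing the packages listed under `devDependencies` in package.json (and anything only they pull in) before %install — so the installed `node_modules` holds runtime dependencies only. Presumably `lib/cli.js` is a self-contained build and most of `node_modules` is unused at runtime; confirm that, and if so prune to whatever `bin/yarn.js` actually requires. The `cp -pr` line itself is outside this hunk.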
@@ -87,10 +90,61 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec
 %license LICENSE
 %{_bindir}/yarnpkg
 %{_bindir}/yarn
-%{_bindir}/%{old_name}
 %{nodejs_sitelib}/%{npm_name}/
 %changelog
+* Tue Jun 24 2025 Sandro Mani - 1.22.22-9
+- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
+
+* Wed Jun 04 2025 Sandro Mani - 1.22.22-8
+- Refresh bundle tarball for CVE-2025-48387
+
+* Fri Mar 28 2025 Sandro Mani - 1.22.22-7
+- Fix CVE-2024-12905
+
+* Sun Jan 19 2025 Fedora Release Engineering - 1.22.22-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Tue Oct 15 2024 Sandro Mani - 1.22.22-5
+- Update bundled ws (CVE-2024-37890)
+
+* Thu Oct 10 2024 Sandro Mani - 1.22.22-4
+- Update bundled elliptic (CVE-2024-48949)
+
+* Sat Jul 20 2024 Fedora Release Engineering - 1.22.22-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jul 04 2024 Sandro Mani - 1.22.22-2
+- Backport patch for CVE-2024-4067
+
+* Sat Mar 09 2024 Sandro Mani - 1.22.22-1
+- Update to 1.22.22
+
+* Mon Feb 19 2024 Sandro Mani - 1.22.21-2
+- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
+
+* Fri Feb 16 2024 Sandro Mani - 1.22.21-1
+- Update to 1.22.21
+
+* Sat Jan 27 2024 Fedora Release Engineering - 1.22.19-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering - 1.22.19-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed May 03 2023 Sandro Mani - 1.22.19-6
+- Rebuild (nodejs20)
+
+* Tue Mar 21 2023 Sandro Mani - 1.22.19-5
+- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,
+ CVE-2020-7677
+
+* Sat Jan 21 2023 Fedora Release Engineering - 1.22.19-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jan 11 2023 Sandro Mani - 1.22.19-3
+- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677
+
 * Tue Jan 03 2023 Sandro Mani - 1.22.19-2
 - Backport fix for CVE-2021-35065 for bundled glob-parent