Bump release

Recently, Node.js changed the way node modules are installed to allow for better parallel functionality and easier unbundling of certain parts of Node.js.

Previously, Node.js was using a symlink, %{_libdir}/node_modules, which pointed to a versioned path, e.g., %{_libdir}/node_modules_22.

This has changed to using a global %{_libdir}/node_modules static shared folder for generic modules and %{_libdir}/node_modules_XX for version-specific modules.

This change is better described in the Fedora change proposal wiki: https://fedoraproject.org/wiki/Changes/NodejsNodeModulesPath.

This also needed to be reflected in nodejs-packaging macros, which forces a rebuild of dependent packages.

.gitignore

@@ -3,3 +3,16 @@
 /yarnpkg-v1.22.17-bundled.tar.gz
 /yarnpkg-v1.22.19-bundled.tar.gz
 /yarnpkg-v1.22.19-bundled-20230321.tar.gz
+/yarnpkg-v1.22.21-bundled-20240217.tar.gz
+/yarnpkg-v1.22.21-bundled-20240219.tar.gz
+/v1.22.22.tar.gz
+/yarnpkg-v1.22.22-bundled-20240309.tar.gz
+/yarnpkg-v1.22.22-bundled-20240704.tar.gz
+/yarnpkg-v1.22.22-bundled-20241010.tar.gz
+/yarnpkg-v1.22.22-bundled-20241015.tar.gz
+/yarnpkg-v1.22.22-bundled-20250328.tar.gz
+/yarnpkg-v1.22.22-bundled-20250604.tar.gz
+/yarnpkg-v1.22.22-bundled-20250624.tar.gz
+/yarnpkg-v1.22.22-bundled-20250728.tar.gz
+/yarnpkg-v1.22.22-bundled-20250930.tar.gz
+/yarnpkg-v1.22.22-bundled-20251203.tar.gz

CVE-2022-37599.patch

@@ -0,0 +1,12 @@
+diff -rupN --no-dereference yarn-1.22.22/node_modules/loader-utils/index.js yarn-1.22.22-new/node_modules/loader-utils/index.js
+--- yarn-1.22.22/node_modules/loader-utils/index.js	2025-07-28 09:42:24.000000000 +0200
++++ yarn-1.22.22-new/node_modules/loader-utils/index.js	2025-07-31 00:36:49.585249573 +0200
+@@ -299,7 +299,7 @@ exports.interpolateName = function inter
+ 	var url = filename;
+ 	if(content) {
+ 		// Match hash template
+-		url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
++		url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
+ 			return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10));
+ 		}).replace(/\[emoji(?::(\d+))?\]/ig, function() {
+ 			return encodeStringToEmoji(content, arguments[1]);

CVE-2023-26136.patch

@@ -0,0 +1,25 @@
+diff -rupN --no-dereference yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js
+--- yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js	2025-07-28 11:18:19.000000000 +0200
++++ yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js	2025-07-31 00:36:47.884055369 +0200
+@@ -36,7 +36,7 @@ var util = require('util');
+ 
+ function MemoryCookieStore() {
+   Store.call(this);
+-  this.idx = {};
++  this.idx = Object.create(null);
+ }
+ util.inherits(MemoryCookieStore, Store);
+ exports.MemoryCookieStore = MemoryCookieStore;
+@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies
+ 
+ MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
+   if (!this.idx[cookie.domain]) {
+-    this.idx[cookie.domain] = {};
++    this.idx[cookie.domain] = Object.create(null);
+   }
+   if (!this.idx[cookie.domain][cookie.path]) {
+-    this.idx[cookie.domain][cookie.path] = {};
++    this.idx[cookie.domain][cookie.path] = Object.create(null);
+   }
+   this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
+   cb(null);

CVE-2024-4067.patch

@@ -0,0 +1,48 @@
+diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js	2025-07-31 00:36:51.203223937 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+   }
+ 
+   function expand() {
+-    if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++    if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+       return utils.arrayify(pattern);
+     }
+     return braces(pattern, options);
+diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js	2025-07-31 00:36:51.203775750 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+   }
+ 
+   function expand() {
+-    if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++    if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+       return utils.arrayify(pattern);
+     }
+     return braces(pattern, options);
+diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js	2025-07-31 00:36:51.204199053 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+   }
+ 
+   function expand() {
+-    if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++    if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+       return utils.arrayify(pattern);
+     }
+     return braces(pattern, options);
+diff -rupN --no-dereference yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
++++ yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js	2025-07-31 00:36:51.204611282 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+   }
+ 
+   function expand() {
+-    if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
++    if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+       return utils.arrayify(pattern);
+     }
+     return braces(pattern, options);

CVE-2025-8262.patch

@@ -0,0 +1,15 @@
+diff -rupN --no-dereference yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js
+--- yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js	2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js	2025-07-31 00:36:53.007366080 +0200
+@@ -30,8 +30,9 @@ export function explodeHostedGitFragment
+   }
+ 
+   const parts = fragment
+-    .replace(/(.*?)#.*/, '$1') // Strip hash
+-    .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
++    .split('#', 1)[0]
++    .split(':')
++    .pop()
+     .replace(/.git$/, '') // Strip the .git suffix
+     .split('/');
+ 

CVE-2025-8263.patch

@@ -0,0 +1,25 @@
+diff -rupN yarn-1.22.22/node_modules/form-data/lib/form_data.js yarn-1.22.22-new/node_modules/form-data/lib/form_data.js
+--- yarn-1.22.22/node_modules/form-data/lib/form_data.js	2025-07-28 11:18:19.000000000 +0200
++++ yarn-1.22.22-new/node_modules/form-data/lib/form_data.js	2025-07-31 00:39:06.012116839 +0200
+@@ -5,6 +5,7 @@ var http = require('http');
+ var https = require('https');
+ var parseUrl = require('url').parse;
+ var fs = require('fs');
++var crypto = require('crypto');
+ var mime = require('mime-types');
+ var asynckit = require('asynckit');
+ var populate = require('./populate.js');
+@@ -316,12 +317,7 @@ FormData.prototype.getBoundary = functio
+ FormData.prototype._generateBoundary = function() {
+   // This generates a 50 character boundary similar to those used by Firefox.
+   // They are optimized for boyer-moore parsing.
+-  var boundary = '--------------------------';
+-  for (var i = 0; i < 24; i++) {
+-    boundary += Math.floor(Math.random() * 10).toString(16);
+-  }
+-
+-  this._boundary = boundary;
++  this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
+ };
+ 
+ // Note: getLengthSync DOESN'T calculate streams length

async-CVE-2021-43138.prebundle.patch

@@ -1,31 +0,0 @@
-diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
---- yarn-1.22.19/yarn.lock	2023-03-21 11:58:50.508393147 +0100
-+++ yarn-1.22.19-new/yarn.lock	2023-03-21 11:59:28.850636157 +0100
-@@ -498,11 +498,11 @@ async@^1.4.0:
-   integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
- 
- async@^2.1.2, async@^2.1.4:
--  version "2.6.1"
--  resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610"
--  integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==
-+  version "2.6.4"
-+  resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221"
-+  integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==
-   dependencies:
--    lodash "^4.17.10"
-+    lodash "^4.17.14"
- 
- asynckit@^0.4.0:
-   version "0.4.0"
-@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@
-   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
-   integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==
- 
-+lodash@^4.17.14:
-+  version "4.17.21"
-+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
-+  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
-+
- longest@^1.0.1:
-   version "1.0.1"
-   resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097"

decode-uri-component-CVE-2022-38900.prebundle.patch

@@ -1,16 +0,0 @@
-diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
---- yarn-1.22.19/yarn.lock	2022-05-10 19:48:34.000000000 +0200
-+++ yarn-1.22.19-new/yarn.lock	2023-03-21 11:57:26.891976168 +0100
-@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1:
-   integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
- 
- decode-uri-component@^0.2.0:
--  version "0.2.0"
--  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
--  integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
-+  version "0.2.2"
-+  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9"
-+  integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==
- 
- dedent@0.6.0:
-   version "0.6.0"

glob-parent-CVE-2021-35065.patch

@@ -1,39 +0,0 @@
-diff -rupN --no-dereference yarn-1.22.19/node_modules/glob-parent/index.js yarn-1.22.19-new/node_modules/glob-parent/index.js
---- yarn-1.22.19/node_modules/glob-parent/index.js	2022-12-15 10:13:44.000000000 +0100
-+++ yarn-1.22.19-new/node_modules/glob-parent/index.js	2023-01-04 00:11:24.718113215 +0100
-@@ -10,7 +10,7 @@ module.exports = function globParent(str
- 	if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/');
- 
- 	// special case for strings ending in enclosure containing path separator
--	if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/';
-+	if (isEnclosure(str)) str += '/';
- 
- 	// preserves full path in case of trailing path separator
- 	str += 'a';
-@@ -22,3 +22,26 @@ module.exports = function globParent(str
- 	// remove escape chars and return result
- 	return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1');
- };
-+
-+function isEnclosure(str) {
-+  var lastChar = str.slice(-1)
-+
-+  var enclosureStart;
-+  switch (lastChar) {
-+    case '}':
-+      enclosureStart = '{';
-+      break;
-+    case ']':
-+      enclosureStart = '[';
-+      break;
-+    default:
-+      return false;
-+  }
-+
-+  var foundIndex = str.indexOf(enclosureStart);
-+  if (foundIndex < 0) {
-+    return false;
-+  }
-+
-+  return str.slice(foundIndex + 1, -1).includes('/');
-+}

minimatch-CVE-2022-3517.prebundle.patch

@@ -1,16 +0,0 @@
-diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
---- yarn-1.22.19/yarn.lock	2023-03-21 12:00:04.395885047 +0100
-+++ yarn-1.22.19-new/yarn.lock	2023-03-21 12:00:32.419095290 +0100
-@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima
-   integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
- 
- "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4:
--  version "3.0.4"
--  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
--  integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
-+  version "3.1.2"
-+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
-+  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
-   dependencies:
-     brace-expansion "^1.1.7"
- 

sources

@@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.19-bundled-20230321.tar.gz) = 0ac081346a3c8006d535736c62b874ea50f7295fa3beeda7b1773564309f20c3eca72061bca8307c26b19d27fcbce0256019ee5baf54c01e6658d2fa815dae22
+SHA512 (yarnpkg-v1.22.22-bundled-20251203.tar.gz) = afcf0f4e3719a1d41e60b8e9a9633291161f3a7b04b67d85b3f12cfd9dce8abf9fef3f7be2eab90f3e8efa49e564342175a20ca1e305665a1d453a116b1f79d2

thenify-CVE-2020-7677.prebundle.patch

@@ -1,16 +0,0 @@
-diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
---- yarn-1.22.19/yarn.lock	2023-03-21 11:57:48.181065612 +0100
-+++ yarn-1.22.19-new/yarn.lock	2023-03-21 11:58:21.377228725 +0100
-@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0:
-     thenify ">= 3.1.0 < 4"
- 
- "thenify@>= 3.1.0 < 4":
--  version "3.3.0"
--  resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839"
--  integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk=
-+  version "3.3.1"
-+  resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f"
-+  integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==
-   dependencies:
-     any-promise "^1.0.0"
- 

yarn-no-commitizen.prebundle.patch

@@ -0,0 +1,30 @@
+diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
+--- yarn-1.22.22/package.json	2025-09-30 14:26:03.561888356 +0200
++++ yarn-1.22.22-new/package.json	2025-09-30 14:26:03.566194507 +0200
+@@ -69,7 +69,6 @@
+     "babel-preset-flow": "^6.23.0",
+     "babel-preset-stage-0": "^6.0.0",
+     "babylon": "^6.5.0",
+-    "commitizen": "^2.9.6",
+     "cz-conventional-changelog": "^2.0.0",
+     "eslint": "^4.3.0",
+     "eslint-config-fb-strict": "^22.0.0",
+@@ -131,8 +130,7 @@
+     "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",
+     "test-only-debug": "node --inspect-brk --max_old_space_size=4096 node_modules/jest/bin/jest.js --runInBand --verbose",
+     "test-coverage": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --coverage --verbose",
+-    "watch": "gulp watch",
+-    "commit": "git-cz"
++    "watch": "gulp watch"
+   },
+   "jest": {
+     "collectCoverageFrom": [
+@@ -152,8 +150,5 @@
+     ]
+   },
+   "config": {
+-    "commitizen": {
+-      "path": "./node_modules/cz-conventional-changelog"
+-    }
+   }
+ }

yarn-no-eslint.prebundle.patch

@@ -0,0 +1,116 @@
+diff -rupN --no-dereference yarn-1.22.22/.eslintignore yarn-1.22.22-new/.eslintignore
+--- yarn-1.22.22/.eslintignore	2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/.eslintignore	1970-01-01 01:00:00.000000000 +0100
+@@ -1,12 +0,0 @@
+-__tests__/fixtures
+-lib
+-lib-legacy
+-node_modules
+-flow-typed
+-coverage
+-gulpfile.js
+-scripts
+-updates
+-artifacts
+-dist
+-packages
+diff -rupN --no-dereference yarn-1.22.22/.eslintrc.json yarn-1.22.22-new/.eslintrc.json
+--- yarn-1.22.22/.eslintrc.json	2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/.eslintrc.json	1970-01-01 01:00:00.000000000 +0100
+@@ -1,56 +0,0 @@
+-{
+-  "extends": "eslint-config-fb-strict",
+-  "env": {
+-    "jest": true
+-  },
+-  "plugins": [
+-    "flowtype",
+-    "yarn-internal",
+-    "prettier"
+-  ],
+-  "rules": {
+-    "yarn-internal/warn-language": "error",
+-    "max-len": ["error", 120],
+-    "prefer-arrow-callback": "off",
+-    "flowtype/require-valid-file-annotation": ["error", "always"],
+-    "flowtype/space-after-type-colon": ["error", "always"],
+-    "flowtype/require-return-type": ["error", "always", {"excludeArrowFunctions": true}],
+-    "require-await": "error",
+-    "no-process-exit": "error",
+-    "no-return-await": "error",
+-    "sort-keys": "off",
+-    "prettier/prettier": ["error", {
+-      "singleQuote": true,
+-      "trailingComma": "all",
+-      "bracketSpacing": false,
+-      "printWidth": 120,
+-      "parser": "flow"
+-    }]
+-  },
+-  "overrides": [
+-    {
+-      "files": [
+-        "__tests__/fixtures/**/*.js",
+-        "bin/*.js",
+-        "src/cli/index.js"
+-      ],
+-      "rules": {
+-        "no-console": "off"
+-      }
+-    },
+-    {
+-      "files": [
+-        "src/util/generate-pnp-map-api.tpl.js"
+-      ],
+-      "rules": {
+-        "prettier/prettier": ["error", {
+-          "singleQuote": true,
+-          "trailingComma": "es5",
+-          "bracketSpacing": false,
+-          "printWidth": 120,
+-          "parser": "flow"
+-        }]
+-      }
+-    }
+-  ]
+-}
+diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
+--- yarn-1.22.22/package.json	2025-09-30 14:26:03.997138837 +0200
++++ yarn-1.22.22-new/package.json	2025-09-30 14:26:04.000964590 +0200
+@@ -58,7 +58,6 @@
+   },
+   "devDependencies": {
+     "babel-core": "^6.26.0",
+-    "babel-eslint": "^7.2.3",
+     "babel-loader": "^6.2.5",
+     "babel-plugin-array-includes": "^2.0.3",
+     "babel-plugin-inline-import": "^3.0.0",
+@@ -70,18 +69,6 @@
+     "babel-preset-stage-0": "^6.0.0",
+     "babylon": "^6.5.0",
+     "cz-conventional-changelog": "^2.0.0",
+-    "eslint": "^4.3.0",
+-    "eslint-config-fb-strict": "^22.0.0",
+-    "eslint-plugin-babel": "^5.0.0",
+-    "eslint-plugin-flowtype": "^2.35.0",
+-    "eslint-plugin-jasmine": "^2.6.2",
+-    "eslint-plugin-jest": "^21.0.0",
+-    "eslint-plugin-jsx-a11y": "^6.0.2",
+-    "eslint-plugin-prefer-object-spread": "^1.2.1",
+-    "eslint-plugin-prettier": "^2.1.2",
+-    "eslint-plugin-react": "^7.1.0",
+-    "eslint-plugin-relay": "^0.0.28",
+-    "eslint-plugin-yarn-internal": "file:scripts/eslint-rules",
+     "execa": "^0.11.0",
+     "fancy-log": "^1.3.2",
+     "flow-bin": "^0.66.0",
+@@ -122,9 +109,7 @@
+     "build-win-installer": "scripts\\build-windows-installer.bat",
+     "changelog": "git-release-notes $(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)..$(git describe --tags --abbrev=0) scripts/changelog.md",
+     "dupe-check": "yarn jsinspect ./src",
+-    "lint": "eslint . && flow check",
+     "pkg-tests": "yarn --cwd packages/pkg-tests jest yarn.test.js",
+-    "prettier": "eslint src __tests__ --fix",
+     "release-branch": "./scripts/release-branch.sh",
+     "test": "yarn lint && yarn test-only",
+     "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",

yarn-update-jest.prebundle.patch

@@ -0,0 +1,12 @@
+diff -rupN yarn-1.22.22/package.json yarn-1.22.22-new/package.json
+--- yarn-1.22.22/package.json	2024-03-09 22:33:28.000000000 +0100
++++ yarn-1.22.22-new/package.json	2025-07-28 10:33:09.427716996 +0200
+@@ -93,7 +93,7 @@
+     "gulp-newer": "^1.0.0",
+     "gulp-plumber": "^1.0.1",
+     "gulp-sourcemaps": "^2.2.0",
+-    "jest": "^22.4.4",
++    "jest": "^30.0.5",
+     "jsinspect": "^0.12.6",
+     "minimatch": "^3.0.4",
+     "mock-stdin": "^0.3.0",

yarnpkg-tarball.sh

@@ -2,15 +2,21 @@
 
 version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
 timestamp=$(date +%Y%m%d)
-rm -f v$version.tar.gz
+if [ ! -e v$version.tar.gz ]; then
 wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz
+fi
+rm -rf yarn-$version
 tar -zxf v$version.tar.gz
 cd yarn-$version
 for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
 patch -p1 < $file
 done
-sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json
-npm install
-npm audit fix
+rm yarn.lock
+yarn install
+yarn autoclean --force
+yarn audit fix
+# Delete all binary files in node_modules
+echo "Deleting binary files..."
+find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm
 cd ..
 tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version

yarnpkg.spec

@@ -1,7 +1,5 @@
+%global debug_package %{nil}
 %global npm_name yarn
-# name yarn would probably confict with cmdtest and hadoop-yarn
-# https://bugzilla.redhat.com/show_bug.cgi?id=1507312
-%global old_name nodejs-yarn
 
 %{?nodejs_find_provides_and_requires}
 
@@ -10,42 +8,40 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
 
-%global bundledate 20230321
+%global bundledate 20251203
 
 Name:           yarnpkg
-Version:        1.22.19
-Release:        5%{?dist}
+Version:        1.22.22
+Release:        14%{?dist}
 Summary:        Fast, reliable, and secure dependency management.
+License:        BSD-2-Clause
 URL:            https://github.com/yarnpkg/yarn
 # we need tarball with node_modules
 Source0:        %{name}-v%{version}-bundled-%{bundledate}.tar.gz
 Source1:        yarnpkg-tarball.sh
-License:        BSD
 
 # These are applied by yarnpkg-tarball.sh
-# async-CVE-2021-43138.prebundle.patch
-# minimatch-CVE-2022-3517.prebundle.patch
-# thenify-CVE-2020-7677.prebundle.patch
-# decode-uri-component-CVE-2022-38900.prebundle.patch
+# yarn-update-jest.prebundle.patch
+# yarn-no-commitizen.prebundle.patch
+# yarn-no-eslint.prebundle.patch
 
-# Backport fix for CVE-2021-35065 for bundled glob-parent
-Patch1:         glob-parent-CVE-2021-35065.patch
+Patch0:         CVE-2023-26136.patch
+Patch1:         CVE-2022-37599.patch
+Patch2:         CVE-2024-4067.patch
+# https://github.com/yarnpkg/yarn/commit/97731871e674bf93bcbf29e9d3258da8685f3076.patch
+Patch3:         CVE-2025-8262.patch
+# https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
+Patch4:         CVE-2025-8263.patch
 
-BuildArch:      noarch
-ExclusiveArch:  %{nodejs_arches} noarch
+ExclusiveArch:  %{nodejs_arches}
 
 BuildRequires:  nodejs-packaging
-%if 0%{?fedora} >= 37
+%if 0%{?fedora}
 BuildRequires:  nodejs-npm
 %else
 BuildRequires:  npm
 %endif
 
-# Package was renamed when Fedora 33 was rawhide
-# Don't remove this before Fedora 35
-Obsoletes:      %{old_name} < 1.22.4-1
-Provides:       %{old_name} = %{version}-%{release}
-
 %description
 Fast, reliable, and secure dependency management.
 
@@ -58,8 +54,6 @@ Fast, reliable, and secure dependency management.
 # use build script
 npm run build
 
-# remove build dependencies from node_modules
-npm prune --production
 
 %install
 mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
@@ -70,7 +64,6 @@ cp -pr package.json lib bin node_modules \
 mkdir -p %{buildroot}%{_bindir}
 ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg
 ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn
-ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{old_name}
 
 # Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)
 sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \
@@ -81,12 +74,12 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
     -ipath '*/test/*' -type f -executable \
     -exec chmod -x '{}' +
 
+
 %if 0%{?enable_tests}
 %check
 %nodejs_symlink_deps --check
 if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
 if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
-if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
 %endif
 
 
@@ -95,10 +88,71 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec
 %license LICENSE
 %{_bindir}/yarnpkg
 %{_bindir}/yarn
-%{_bindir}/%{old_name}
 %{nodejs_sitelib}/%{npm_name}/
 
+
 %changelog
+* Wed Dec 03 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-14
+- Bump release
+
+* Wed Dec 03 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-13
+- Refresh bundle, fixes CVE-2025-64756
+
+* Tue Sep 30 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-12
+- Regenerate bundle, fixes CVE-2025-59343
+- Patch out eslint and commitizen devDependencies to reduce dependencies
+
+* Wed Jul 30 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-11
+- Refresh bundle
+- Drop patches obsoleted by new bundle
+- Add yarn-update-jest.prebundle.patch to update jest and avoid some vulerable dependencies
+- Apply fixes for CVE-2025-8262 and CVE-2025-8263
+
+* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Tue Jun 24 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-9
+- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
+
+* Wed Jun 04 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-8
+- Refresh bundle tarball for CVE-2025-48387
+
+* Fri Mar 28 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-7
+- Fix CVE-2024-12905
+
+* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Tue Oct 15 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-5
+- Update bundled ws (CVE-2024-37890)
+
+* Thu Oct 10 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-4
+- Update bundled elliptic (CVE-2024-48949)
+
+* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jul 04 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-2
+- Backport patch for CVE-2024-4067
+
+* Sat Mar 09 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-1
+- Update to 1.22.22
+
+* Mon Feb 19 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-2
+- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
+
+* Fri Feb 16 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-1
+- Update to 1.22.21
+
+* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed May 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-6
+- Rebuild (nodejs20)
+
 * Tue Mar 21 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-5
 - Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,
   CVE-2020-7677