rpms/yarnpkg
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

merge into: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f43
rpms:epel10
rpms:epel9
rpms:f42
rpms:main
rpms:f41
rpms:epel10.1
rpms:epel8
rpms:f40
rpms:epel10.0
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
...
pull from: rpms:epel8
Branches Tags
rpms:f43
rpms:epel10
rpms:epel9
rpms:f42
rpms:main
rpms:rawhide
rpms:f41
rpms:epel10.1
rpms:epel8
rpms:f40
rpms:epel10.0
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
Sign in to create a new pull request.

4 commits
rawhide ... epel8

Author SHA1 Message Date
Sandro Mani
0d7203fc12 Sync with rawhide 2025-06-24 10:55:19 +02:00
Sandro Mani
5a3224799d Sync with rawhide 2025-06-04 11:40:18 +02:00
Sandro Mani
3d3c524e21 Sync with rawhide 2025-03-28 22:30:18 +01:00
jonathanspw
1ae3764143 initial build for epel8 2023-01-04 11:39:17 -06:00
17 changed files with 434 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.gitignore vendored
View file

@ -2,3 +2,14 @@
/yarnpkg-v1.22.10-bundled.tar.gz
/yarnpkg-v1.22.17-bundled.tar.gz
/yarnpkg-v1.22.19-bundled.tar.gz
/yarnpkg-v1.22.19-bundled-20230321.tar.gz
/yarnpkg-v1.22.21-bundled-20240217.tar.gz
/yarnpkg-v1.22.21-bundled-20240219.tar.gz
/v1.22.22.tar.gz
/yarnpkg-v1.22.22-bundled-20240309.tar.gz
/yarnpkg-v1.22.22-bundled-20240704.tar.gz
/yarnpkg-v1.22.22-bundled-20241010.tar.gz
/yarnpkg-v1.22.22-bundled-20241015.tar.gz
/yarnpkg-v1.22.22-bundled-20250328.tar.gz
/yarnpkg-v1.22.22-bundled-20250604.tar.gz
/yarnpkg-v1.22.22-bundled-20250624.tar.gz

12
CVE-2022-37599.patch Normal file
View file

@ -0,0 +1,12 @@
diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
--- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100
+++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100
@@ -299,7 +299,7 @@ exports.interpolateName = function inter
var url = filename;
if(content) {
// Match hash template
- url = url.replace(/\[(?:(\w+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
+ url = url.replace(/\[(?:([^[:\]]+):)?hash(?::([a-z]+\d*))?(?::(\d+))?\]/ig, function() {
return exports.getHashDigest(content, arguments[1], arguments[2], parseInt(arguments[3], 10));
}).replace(/\[emoji(?::(\d+))?\]/ig, function() {
return encodeStringToEmoji(content, arguments[1]);

25
CVE-2023-26136.patch Normal file
View file

@ -0,0 +1,25 @@
diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100
+++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100
@@ -36,7 +36,7 @@ var util = require('util');
function MemoryCookieStore() {
Store.call(this);
- this.idx = {};
+ this.idx = Object.create(null);
}
util.inherits(MemoryCookieStore, Store);
exports.MemoryCookieStore = MemoryCookieStore;
@@ -115,10 +115,10 @@ MemoryCookieStore.prototype.findCookies
MemoryCookieStore.prototype.putCookie = function(cookie, cb) {
if (!this.idx[cookie.domain]) {
- this.idx[cookie.domain] = {};
+ this.idx[cookie.domain] = Object.create(null);
}
if (!this.idx[cookie.domain][cookie.path]) {
- this.idx[cookie.domain][cookie.path] = {};
+ this.idx[cookie.domain][cookie.path] = Object.create(null);
}
this.idx[cookie.domain][cookie.path][cookie.key] = cookie;
cb(null);

12
CVE-2023-46234.patch Normal file
View file

@ -0,0 +1,12 @@
diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100
+++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100
@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
function checkValue (b, q) {
if (b.cmpn(0) <= 0) throw new Error('invalid sig')
- if (b.cmp(q) >= q) throw new Error('invalid sig')
+ if (b.cmp(q) >= 0) throw new Error('invalid sig')
}
module.exports = verify

16
CVE-2024-12905_CVE-2025-48387.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
--- yarn-1.22.22/yarn.lock 2024-10-15 15:12:52.000000000 +0200
+++ yarn-1.22.22-new/yarn.lock 2025-03-28 20:35:23.508887708 +0100
@@ -7150,9 +7150,9 @@ tapable@^0.2.7, tapable@~0.2.5:
integrity sha1-mTcqXJmb8t8WCvwNdL7U9HlIzSI=
tar-fs@^1.16.0:
- version "1.16.3"
- resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.3.tgz#966a628841da2c4010406a82167cbd5e0c72d509"
- integrity sha512-NvCeXpYx7OsmOh8zIOP/ebG55zZmxLE0etfWRbWok+q2Qo8x/vOR/IJT1taADXPe+jsiu9axDb3X4B+iIgNlKw==
+ version "1.16.5"
+ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-1.16.5.tgz#716a323609c11182d1d3d7b5bf277d15dc128665"
+ integrity sha512-1ergVCCysmwHQNrOS+Pjm4DQ4nrGp43+Xnu4MRGjCnQu/m3hEgLNS78d5z+B8OJ1hN5EejJdCSFZE1oM6AQXAQ==
dependencies:
chownr "^1.0.1"
mkdirp "^0.5.1"

16
CVE-2024-37890.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
--- yarn-1.22.22/yarn.lock 2024-10-10 12:55:05.000000000 +0200
+++ yarn-1.22.22-new/yarn.lock 2024-10-15 14:59:01.318140933 +0200
@@ -7809,9 +7809,9 @@ write@^0.2.1:
mkdirp "^0.5.1"
ws@^5.2.0:
- version "5.2.2"
- resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.2.tgz#dffef14866b8e8dc9133582514d1befaf96e980f"
- integrity sha512-jaHFD6PFv6UgoIVda6qZllptQsMlDEJkTQcybzzXDYM1XO9Y8em691FGMPmM46WGyLU4z9KMgQN+qrux/nhlHA==
+ version "5.2.4"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.4.tgz#c7bea9f1cfb5f410de50e70e82662e562113f9a7"
+ integrity sha512-fFCejsuC8f9kOSu9FYaOw8CdO68O3h5v0lg4p74o8JqWpwTf9tniOD+nOB78aWoVSS6WptVUmDrp/KPsMVBWFQ==
dependencies:
async-limiter "~1.0.0"

60
CVE-2024-4067.patch Normal file
View file

@ -0,0 +1,60 @@
diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2024-07-04 23:35:09.633072156 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js 2024-07-04 23:35:22.753040820 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2024-07-04 23:35:32.817016784 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js 2024-07-04 23:35:41.536995958 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js 2024-07-04 23:35:49.438977085 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);

91
CVE-2024-48949.prebundle.patch Normal file
View file

@ -0,0 +1,91 @@
diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
--- yarn-1.22.22/yarn.lock 2024-10-10 12:46:29.329322568 +0200
+++ yarn-1.22.22-new/yarn.lock 2024-10-10 12:37:38.256366136 +0200
@@ -1404,11 +1404,16 @@ bl@^1.0.0:
readable-stream "^2.3.5"
safe-buffer "^5.1.1"
-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0:
+bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1:
version "4.11.8"
resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f"
integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==
+bn.js@^4.11.9:
+ version "4.12.0"
+ resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
+ integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
+
brace-expansion@^1.1.7:
version "1.1.11"
resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
@@ -1450,7 +1455,7 @@ broccoli-kitchen-sink-helpers@^0.3.1:
glob "^5.0.10"
mkdirp "^0.5.1"
-brorand@^1.0.1:
+brorand@^1.0.1, brorand@^1.1.0:
version "1.1.0"
resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
@@ -2424,17 +2429,17 @@ electron-to-chromium@^1.3.47:
integrity sha1-8VDhCyC3fZ1Br8yjEu/gw7Gn/c4=
elliptic@^6.0.0:
- version "6.4.0"
- resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df"
- integrity sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8=
+ version "6.5.7"
+ resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
+ integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
dependencies:
- bn.js "^4.4.0"
- brorand "^1.0.1"
+ bn.js "^4.11.9"
+ brorand "^1.1.0"
hash.js "^1.0.0"
- hmac-drbg "^1.0.0"
- inherits "^2.0.1"
- minimalistic-assert "^1.0.0"
- minimalistic-crypto-utils "^1.0.0"
+ hmac-drbg "^1.0.1"
+ inherits "^2.0.4"
+ minimalistic-assert "^1.0.1"
+ minimalistic-crypto-utils "^1.0.1"
emoji-regex@^6.5.1:
version "6.5.1"
@@ -3711,10 +3716,10 @@ heimdalljs@^0.2.0, heimdalljs@^0.2.3:
dependencies:
rsvp "~3.2.1"
-hmac-drbg@^1.0.0:
+hmac-drbg@^1.0.1:
version "1.0.1"
resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
- integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
+ integrity sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==
dependencies:
hash.js "^1.0.3"
minimalistic-assert "^1.0.0"
@@ -3841,6 +3846,11 @@ inherits@2.0.1:
resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.1.tgz#b17d08d326b4423e568eff719f91b0b1cbdf69f1"
integrity sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=
+inherits@^2.0.4:
+ version "2.0.4"
+ resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
+ integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
+
ini@^1.3.4, ini@~1.3.0:
version "1.3.5"
resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
@@ -5234,7 +5244,7 @@ minimalistic-assert@^1.0.0, minimalistic
resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
+minimalistic-crypto-utils@^1.0.1:
version "1.0.1"
resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=

21
CVE-2025-6545_6547.prebundle.patch Normal file
View file

@ -0,0 +1,21 @@
diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
--- yarn-1.22.22/yarn.lock 2024-03-09 22:33:28.000000000 +0100
+++ yarn-1.22.22-new/yarn.lock 2025-06-24 10:24:15.448061691 +0200
@@ -5905,17 +5905,6 @@ path-type@^1.0.0:
pify "^2.0.0"
pinkie-promise "^2.0.0"
-pbkdf2@^3.0.3:
- version "3.0.16"
- resolved "https://registry.yarnpkg.com/pbkdf2/-/pbkdf2-3.0.16.tgz#7404208ec6b01b62d85bf83853a8064f8d9c2a5c"
- integrity sha512-y4CXP3thSxqf7c0qmOF+9UeOTrifiVTIM+u7NWlq+PRsHbr7r7dpCmvzrZxa96JJUNi0Y5w9VqG5ZNeCVMoDcA==
- dependencies:
- create-hash "^1.1.2"
- create-hmac "^1.1.4"
- ripemd160 "^2.0.1"
- safe-buffer "^5.0.1"
- sha.js "^2.4.8"
-
peek-stream@^1.1.0:
version "1.1.3"
resolved "https://registry.yarnpkg.com/peek-stream/-/peek-stream-1.1.3.tgz#3b35d84b7ccbbd262fff31dc10da56856ead6d67"

31
async-CVE-2021-43138.prebundle.patch Normal file
View file

@ -0,0 +1,31 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2023-03-21 11:58:50.508393147 +0100
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:59:28.850636157 +0100
@@ -498,11 +498,11 @@ async@^1.4.0:
integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
async@^2.1.2, async@^2.1.4:
- version "2.6.1"
- resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610"
- integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==
+ version "2.6.4"
+ resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221"
+ integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==
dependencies:
- lodash "^4.17.10"
+ lodash "^4.17.14"
asynckit@^0.4.0:
version "0.4.0"
@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==
+lodash@^4.17.14:
+ version "4.17.21"
+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+
longest@^1.0.1:
version "1.0.1"
resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097"

16
decode-uri-component-CVE-2022-38900.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:57:26.891976168 +0100
@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1:
integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
decode-uri-component@^0.2.0:
- version "0.2.0"
- resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
- integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
+ version "0.2.2"
+ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9"
+ integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==
dedent@0.6.0:
version "0.6.0"

39
glob-parent-CVE-2021-35065.patch
View file

@ -1,39 +0,0 @@
diff -rupN --no-dereference yarn-1.22.19/node_modules/glob-parent/index.js yarn-1.22.19-new/node_modules/glob-parent/index.js
--- yarn-1.22.19/node_modules/glob-parent/index.js 2022-12-15 10:13:44.000000000 +0100
+++ yarn-1.22.19-new/node_modules/glob-parent/index.js 2023-01-04 00:11:24.718113215 +0100
@@ -10,7 +10,7 @@ module.exports = function globParent(str
if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/');
// special case for strings ending in enclosure containing path separator
- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/';
+ if (isEnclosure(str)) str += '/';
// preserves full path in case of trailing path separator
str += 'a';
@@ -22,3 +22,26 @@ module.exports = function globParent(str
// remove escape chars and return result
return str.replace(/\\([\*\?\|\[\]\(\)\{\}])/g, '$1');
};
+
+function isEnclosure(str) {
+ var lastChar = str.slice(-1)
+
+ var enclosureStart;
+ switch (lastChar) {
+ case '}':
+ enclosureStart = '{';
+ break;
+ case ']':
+ enclosureStart = '[';
+ break;
+ default:
+ return false;
+ }
+
+ var foundIndex = str.indexOf(enclosureStart);
+ if (foundIndex < 0) {
+ return false;
+ }
+
+ return str.slice(foundIndex + 1, -1).includes('/');
+}

16
minimatch-CVE-2022-3517.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2023-03-21 12:00:04.395885047 +0100
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 12:00:32.419095290 +0100
@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima
integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
"minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4:
- version "3.0.4"
- resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
- integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
+ version "3.1.2"
+ resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
+ integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
dependencies:
brace-expansion "^1.1.7"

2
sources
View file

@ -1 +1 @@
SHA512 (yarnpkg-v1.22.19-bundled.tar.gz) = bc5bb744bf157812e5342b75e520007ce1df1a43b790d68523a7646ac5cd166bb8201cf58faab4efdce6eda0764ff256d69940c4cb2173a891c436e3db51a07d
SHA512 (yarnpkg-v1.22.22-bundled-20250624.tar.gz) = 4bea09a02ad6bc3d7c0a275e01118af9ad198bc7d07af7c41eab11c89a75f233d9180a7dc6d111ee4a923716050830dccf593ae0bc240d1de5c3fd08fb575f9c

16
thenify-CVE-2020-7677.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2023-03-21 11:57:48.181065612 +0100
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:58:21.377228725 +0100
@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0:
thenify ">= 3.1.0 < 4"
"thenify@>= 3.1.0 < 4":
- version "3.3.0"
- resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839"
- integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk=
+ version "3.3.1"
+ resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f"
+ integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==
dependencies:
any-promise "^1.0.0"

16
yarnpkg-tarball.sh Normal file → Executable file
View file

@ -1,8 +1,20 @@
#!/bin/sh
version=$(rpm -q --specfile --qf='%{version}\n' yarnpkg.spec | head -n1)
timestamp=$(date +%Y%m%d)
if [ ! -e v$version.tar.gz ]; then
wget https://github.com/yarnpkg/yarn/archive/v$version.tar.gz
fi
rm -rf yarn-$version
tar -zxf v$version.tar.gz
cd yarn-$version
sed -i s'|"eslint-plugin-babel": "^5.0.0",|"eslint-plugin-babel": "^4.1.1",|' package.json
npm install && cd .. && tar -zcf yarnpkg-v$version-bundled.tar.gz yarn-$version
for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
patch -p1 < $file
done
yarn install
yarn audit fix
# Delete all binary files in node_modules
echo "Deleting binary files..."
find node_modules -type f -not -name '*.js' -exec file {} \; | grep ELF | awk -F':' '{print $1}' | xargs rm
cd ..
tar -zcf yarnpkg-v$version-bundled-$timestamp.tar.gz yarn-$version

98
yarnpkg.spec
View file

@ -1,7 +1,5 @@
%global debug_package %{nil}
%global npm_name yarn
# name yarn would probably confict with cmdtest and hadoop-yarn
# https://bugzilla.redhat.com/show_bug.cgi?id=1507312
%global old_name nodejs-yarn
%{?nodejs_find_provides_and_requires}
@ -10,34 +8,43 @@
# don't require bundled modules
%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
%global bundledate 20250624
Name: yarnpkg
Version: 1.22.19
Release: 2%{?dist}
Version: 1.22.22
Release: 9%{?dist}
Summary: Fast, reliable, and secure dependency management.
License: BSD-2-Clause
URL: https://github.com/yarnpkg/yarn
# we need tarball with node_modules
Source0: %{name}-v%{version}-bundled.tar.gz
Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz
Source1: yarnpkg-tarball.sh
License: BSD
# Backport fix for CVE-2021-35065 for bundled glob-parent
Patch1: glob-parent-CVE-2021-35065.patch
# These are applied by yarnpkg-tarball.sh
# async-CVE-2021-43138.prebundle.patch
# minimatch-CVE-2022-3517.prebundle.patch
# thenify-CVE-2020-7677.prebundle.patch
# decode-uri-component-CVE-2022-38900.prebundle.patch
# CVE-2024-48949.prebundle.patch
# CVE-2024-37890.prebundle.patch
# CVE-2024-12905.prebundle.patch
# CVE-2025-6545_6547.prebundle.patch
BuildArch: noarch
ExclusiveArch: %{nodejs_arches} noarch
Patch0: CVE-2023-26136.patch
Patch1: CVE-2022-37599.patch
Patch2: CVE-2023-46234.patch
Patch3: CVE-2024-4067.patch
ExclusiveArch: %{nodejs_arches}
BuildRequires: nodejs-packaging
%if 0%{?fedora} > 37
%if 0%{?fedora}
BuildRequires: nodejs-npm
%else
BuildRequires: npm
%endif
# Package was renamed when Fedora 33 was rawhide
# Don't remove this before Fedora 35
Obsoletes: %{old_name} < 1.22.4-1
Provides: %{old_name} = %{version}-%{release}
%description
Fast, reliable, and secure dependency management.
@ -50,8 +57,6 @@ Fast, reliable, and secure dependency management.
# use build script
npm run build
# remove build dependencies from node_modules
npm prune --production
%install
mkdir -p %{buildroot}%{nodejs_sitelib}/%{npm_name}
@ -62,7 +67,6 @@ cp -pr package.json lib bin node_modules \
mkdir -p %{buildroot}%{_bindir}
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarnpkg
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/yarn
ln -sfr %{buildroot}%{nodejs_sitelib}/%{npm_name}/bin/yarn.js %{buildroot}%{_bindir}/%{old_name}
# Fix the shebang in yarn.js because brp-mangle-shebangs fails to detect this properly (rhbz#1998924)
sed -e "s|^#!/usr/bin/env node$|#!/usr/bin/node|" \
@ -78,7 +82,6 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
%nodejs_symlink_deps --check
if [[ $(%{buildroot}%{_bindir}/yarnpkg --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then echo PASS; else echo FAIL && exit 1; fi
%endif
@ -87,10 +90,61 @@ if [[ $(%{buildroot}%{_bindir}/%{old_name} --version) == %{version} ]] ; then ec
%license LICENSE
%{_bindir}/yarnpkg
%{_bindir}/yarn
%{_bindir}/%{old_name}
%{nodejs_sitelib}/%{npm_name}/
%changelog
* Tue Jun 24 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-9
- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
* Wed Jun 04 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-8
- Refresh bundle tarball for CVE-2025-48387
* Fri Mar 28 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-7
- Fix CVE-2024-12905
* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Tue Oct 15 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-5
- Update bundled ws (CVE-2024-37890)
* Thu Oct 10 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-4
- Update bundled elliptic (CVE-2024-48949)
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jul 04 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-2
- Backport patch for CVE-2024-4067
* Sat Mar 09 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-1
- Update to 1.22.22
* Mon Feb 19 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-2
- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234
* Fri Feb 16 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-1
- Update to 1.22.21
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed May 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-6
- Rebuild (nodejs20)
* Tue Mar 21 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-5
- Add patch for CVE-2022-38900, proper fixes for CVE-2021-43138, CVE-2022-3517,
CVE-2020-7677
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jan 11 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-3
- Add patches for CVE-2021-43138, CVE-2022-3517, CVE-2020-7677
* Tue Jan 03 2023 Sandro Mani <manisandro@gmail.com> - 1.22.19-2
- Backport fix for CVE-2021-35065 for bundled glob-parent