rpms/yarnpkg
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: rpms:rawhide
Branches Tags
rpms:rawhide
rpms:f43
rpms:epel10
rpms:epel9
rpms:f42
rpms:main
rpms:f41
rpms:epel10.1
rpms:epel8
rpms:f40
rpms:epel10.0
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33
..
compare: rpms:f38
Branches Tags
rpms:f43
rpms:epel10
rpms:epel9
rpms:f42
rpms:main
rpms:rawhide
rpms:f41
rpms:epel10.1
rpms:epel8
rpms:f40
rpms:epel10.0
rpms:f39
rpms:f38
rpms:f37
rpms:f36
rpms:f35
rpms:f34
rpms:f33

No commits in common. "rawhide" and "f38" have entirely different histories.
rawhide ... f38

17 changed files with 106 additions and 330 deletions
Download patch file Download diff file Expand all files Collapse all files

11
.gitignore vendored
View file

@ -5,14 +5,3 @@
/yarnpkg-v1.22.19-bundled-20230321.tar.gz
/yarnpkg-v1.22.21-bundled-20240217.tar.gz
/yarnpkg-v1.22.21-bundled-20240219.tar.gz
/v1.22.22.tar.gz
/yarnpkg-v1.22.22-bundled-20240309.tar.gz
/yarnpkg-v1.22.22-bundled-20240704.tar.gz
/yarnpkg-v1.22.22-bundled-20241010.tar.gz
/yarnpkg-v1.22.22-bundled-20241015.tar.gz
/yarnpkg-v1.22.22-bundled-20250328.tar.gz
/yarnpkg-v1.22.22-bundled-20250604.tar.gz
/yarnpkg-v1.22.22-bundled-20250624.tar.gz
/yarnpkg-v1.22.22-bundled-20250728.tar.gz
/yarnpkg-v1.22.22-bundled-20250930.tar.gz
/yarnpkg-v1.22.22-bundled-20251203.tar.gz

6
CVE-2022-37599.patch
View file

@ -1,6 +1,6 @@
diff -rupN --no-dereference yarn-1.22.22/node_modules/loader-utils/index.js yarn-1.22.22-new/node_modules/loader-utils/index.js
--- yarn-1.22.22/node_modules/loader-utils/index.js 2025-07-28 09:42:24.000000000 +0200
+++ yarn-1.22.22-new/node_modules/loader-utils/index.js 2025-07-31 00:36:49.585249573 +0200
diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
--- yarn-1.22.21/node_modules/loader-utils/index.js 2024-02-16 23:35:57.000000000 +0100
+++ yarn-1.22.21-new/node_modules/loader-utils/index.js 2024-02-19 11:05:56.885775046 +0100
@@ -299,7 +299,7 @@ exports.interpolateName = function inter
var url = filename;
if(content) {

6
CVE-2023-26136.patch
View file

@ -1,6 +1,6 @@
diff -rupN --no-dereference yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js
--- yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js 2025-07-28 11:18:19.000000000 +0200
+++ yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js 2025-07-31 00:36:47.884055369 +0200
diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js 2024-02-16 23:36:08.000000000 +0100
+++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js 2024-02-19 10:48:11.215668646 +0100
@@ -36,7 +36,7 @@ var util = require('util');
function MemoryCookieStore() {

12
CVE-2023-46234.patch Normal file
View file

@ -0,0 +1,12 @@
diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js 2024-02-16 23:36:10.000000000 +0100
+++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js 2024-02-19 11:14:55.923549230 +0100
@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
function checkValue (b, q) {
if (b.cmpn(0) <= 0) throw new Error('invalid sig')
- if (b.cmp(q) >= q) throw new Error('invalid sig')
+ if (b.cmp(q) >= 0) throw new Error('invalid sig')
}
module.exports = verify

48
CVE-2024-4067.patch
View file

@ -1,48 +0,0 @@
diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js 2025-07-31 00:36:51.203223937 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
+++ yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js 2025-07-31 00:36:51.203775750 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js 2025-07-31 00:36:51.204199053 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);
diff -rupN --no-dereference yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-28 09:42:30.000000000 +0200
+++ yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js 2025-07-31 00:36:51.204611282 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
}
function expand() {
- if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+ if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
return utils.arrayify(pattern);
}
return braces(pattern, options);

15
CVE-2025-8262.patch
View file

@ -1,15 +0,0 @@
diff -rupN --no-dereference yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js
--- yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js 2024-03-09 22:33:28.000000000 +0100
+++ yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js 2025-07-31 00:36:53.007366080 +0200
@@ -30,8 +30,9 @@ export function explodeHostedGitFragment
}
const parts = fragment
- .replace(/(.*?)#.*/, '$1') // Strip hash
- .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
+ .split('#', 1)[0]
+ .split(':')
+ .pop()
.replace(/.git$/, '') // Strip the .git suffix
.split('/');

25
CVE-2025-8263.patch
View file

@ -1,25 +0,0 @@
diff -rupN yarn-1.22.22/node_modules/form-data/lib/form_data.js yarn-1.22.22-new/node_modules/form-data/lib/form_data.js
--- yarn-1.22.22/node_modules/form-data/lib/form_data.js 2025-07-28 11:18:19.000000000 +0200
+++ yarn-1.22.22-new/node_modules/form-data/lib/form_data.js 2025-07-31 00:39:06.012116839 +0200
@@ -5,6 +5,7 @@ var http = require('http');
var https = require('https');
var parseUrl = require('url').parse;
var fs = require('fs');
+var crypto = require('crypto');
var mime = require('mime-types');
var asynckit = require('asynckit');
var populate = require('./populate.js');
@@ -316,12 +317,7 @@ FormData.prototype.getBoundary = functio
FormData.prototype._generateBoundary = function() {
// This generates a 50 character boundary similar to those used by Firefox.
// They are optimized for boyer-moore parsing.
- var boundary = '--------------------------';
- for (var i = 0; i < 24; i++) {
- boundary += Math.floor(Math.random() * 10).toString(16);
- }
-
- this._boundary = boundary;
+ this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
};
// Note: getLengthSync DOESN'T calculate streams length

31
async-CVE-2021-43138.prebundle.patch Normal file
View file

@ -0,0 +1,31 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2023-03-21 11:58:50.508393147 +0100
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:59:28.850636157 +0100
@@ -498,11 +498,11 @@ async@^1.4.0:
integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
async@^2.1.2, async@^2.1.4:
- version "2.6.1"
- resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610"
- integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==
+ version "2.6.4"
+ resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221"
+ integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==
dependencies:
- lodash "^4.17.10"
+ lodash "^4.17.14"
asynckit@^0.4.0:
version "0.4.0"
@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@
resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==
+lodash@^4.17.14:
+ version "4.17.21"
+ resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+ integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+
longest@^1.0.1:
version "1.0.1"
resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097"

16
decode-uri-component-CVE-2022-38900.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2022-05-10 19:48:34.000000000 +0200
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:57:26.891976168 +0100
@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1:
integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
decode-uri-component@^0.2.0:
- version "0.2.0"
- resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
- integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
+ version "0.2.2"
+ resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9"
+ integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==
dedent@0.6.0:
version "0.6.0"

16
minimatch-CVE-2022-3517.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2023-03-21 12:00:04.395885047 +0100
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 12:00:32.419095290 +0100
@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima
integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
"minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4:
- version "3.0.4"
- resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
- integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
+ version "3.1.2"
+ resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
+ integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
dependencies:
brace-expansion "^1.1.7"

2
sources
View file

@ -1 +1 @@
SHA512 (yarnpkg-v1.22.22-bundled-20251203.tar.gz) = afcf0f4e3719a1d41e60b8e9a9633291161f3a7b04b67d85b3f12cfd9dce8abf9fef3f7be2eab90f3e8efa49e564342175a20ca1e305665a1d453a116b1f79d2
SHA512 (yarnpkg-v1.22.21-bundled-20240219.tar.gz) = 40a628f545f073d2013f51f244c246c96e38969a012b40dac7c1cc01f4173a594c4c509448bc52519bb7a66d7c38847d1fe99c5cd03a94373e6c45b367ab2dd5

16
thenify-CVE-2020-7677.prebundle.patch Normal file
View file

@ -0,0 +1,16 @@
diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
--- yarn-1.22.19/yarn.lock 2023-03-21 11:57:48.181065612 +0100
+++ yarn-1.22.19-new/yarn.lock 2023-03-21 11:58:21.377228725 +0100
@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0:
thenify ">= 3.1.0 < 4"
"thenify@>= 3.1.0 < 4":
- version "3.3.0"
- resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839"
- integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk=
+ version "3.3.1"
+ resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f"
+ integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==
dependencies:
any-promise "^1.0.0"

30
yarn-no-commitizen.prebundle.patch
View file

@ -1,30 +0,0 @@
diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
--- yarn-1.22.22/package.json 2025-09-30 14:26:03.561888356 +0200
+++ yarn-1.22.22-new/package.json 2025-09-30 14:26:03.566194507 +0200
@@ -69,7 +69,6 @@
"babel-preset-flow": "^6.23.0",
"babel-preset-stage-0": "^6.0.0",
"babylon": "^6.5.0",
- "commitizen": "^2.9.6",
"cz-conventional-changelog": "^2.0.0",
"eslint": "^4.3.0",
"eslint-config-fb-strict": "^22.0.0",
@@ -131,8 +130,7 @@
"test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",
"test-only-debug": "node --inspect-brk --max_old_space_size=4096 node_modules/jest/bin/jest.js --runInBand --verbose",
"test-coverage": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --coverage --verbose",
- "watch": "gulp watch",
- "commit": "git-cz"
+ "watch": "gulp watch"
},
"jest": {
"collectCoverageFrom": [
@@ -152,8 +150,5 @@
]
},
"config": {
- "commitizen": {
- "path": "./node_modules/cz-conventional-changelog"
- }
}
}

116
yarn-no-eslint.prebundle.patch
View file

@ -1,116 +0,0 @@
diff -rupN --no-dereference yarn-1.22.22/.eslintignore yarn-1.22.22-new/.eslintignore
--- yarn-1.22.22/.eslintignore 2024-03-09 22:33:28.000000000 +0100
+++ yarn-1.22.22-new/.eslintignore 1970-01-01 01:00:00.000000000 +0100
@@ -1,12 +0,0 @@
-__tests__/fixtures
-lib
-lib-legacy
-node_modules
-flow-typed
-coverage
-gulpfile.js
-scripts
-updates
-artifacts
-dist
-packages
diff -rupN --no-dereference yarn-1.22.22/.eslintrc.json yarn-1.22.22-new/.eslintrc.json
--- yarn-1.22.22/.eslintrc.json 2024-03-09 22:33:28.000000000 +0100
+++ yarn-1.22.22-new/.eslintrc.json 1970-01-01 01:00:00.000000000 +0100
@@ -1,56 +0,0 @@
-{
- "extends": "eslint-config-fb-strict",
- "env": {
- "jest": true
- },
- "plugins": [
- "flowtype",
- "yarn-internal",
- "prettier"
- ],
- "rules": {
- "yarn-internal/warn-language": "error",
- "max-len": ["error", 120],
- "prefer-arrow-callback": "off",
- "flowtype/require-valid-file-annotation": ["error", "always"],
- "flowtype/space-after-type-colon": ["error", "always"],
- "flowtype/require-return-type": ["error", "always", {"excludeArrowFunctions": true}],
- "require-await": "error",
- "no-process-exit": "error",
- "no-return-await": "error",
- "sort-keys": "off",
- "prettier/prettier": ["error", {
- "singleQuote": true,
- "trailingComma": "all",
- "bracketSpacing": false,
- "printWidth": 120,
- "parser": "flow"
- }]
- },
- "overrides": [
- {
- "files": [
- "__tests__/fixtures/**/*.js",
- "bin/*.js",
- "src/cli/index.js"
- ],
- "rules": {
- "no-console": "off"
- }
- },
- {
- "files": [
- "src/util/generate-pnp-map-api.tpl.js"
- ],
- "rules": {
- "prettier/prettier": ["error", {
- "singleQuote": true,
- "trailingComma": "es5",
- "bracketSpacing": false,
- "printWidth": 120,
- "parser": "flow"
- }]
- }
- }
- ]
-}
diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
--- yarn-1.22.22/package.json 2025-09-30 14:26:03.997138837 +0200
+++ yarn-1.22.22-new/package.json 2025-09-30 14:26:04.000964590 +0200
@@ -58,7 +58,6 @@
},
"devDependencies": {
"babel-core": "^6.26.0",
- "babel-eslint": "^7.2.3",
"babel-loader": "^6.2.5",
"babel-plugin-array-includes": "^2.0.3",
"babel-plugin-inline-import": "^3.0.0",
@@ -70,18 +69,6 @@
"babel-preset-stage-0": "^6.0.0",
"babylon": "^6.5.0",
"cz-conventional-changelog": "^2.0.0",
- "eslint": "^4.3.0",
- "eslint-config-fb-strict": "^22.0.0",
- "eslint-plugin-babel": "^5.0.0",
- "eslint-plugin-flowtype": "^2.35.0",
- "eslint-plugin-jasmine": "^2.6.2",
- "eslint-plugin-jest": "^21.0.0",
- "eslint-plugin-jsx-a11y": "^6.0.2",
- "eslint-plugin-prefer-object-spread": "^1.2.1",
- "eslint-plugin-prettier": "^2.1.2",
- "eslint-plugin-react": "^7.1.0",
- "eslint-plugin-relay": "^0.0.28",
- "eslint-plugin-yarn-internal": "file:scripts/eslint-rules",
"execa": "^0.11.0",
"fancy-log": "^1.3.2",
"flow-bin": "^0.66.0",
@@ -122,9 +109,7 @@
"build-win-installer": "scripts\\build-windows-installer.bat",
"changelog": "git-release-notes $(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)..$(git describe --tags --abbrev=0) scripts/changelog.md",
"dupe-check": "yarn jsinspect ./src",
- "lint": "eslint . && flow check",
"pkg-tests": "yarn --cwd packages/pkg-tests jest yarn.test.js",
- "prettier": "eslint src __tests__ --fix",
"release-branch": "./scripts/release-branch.sh",
"test": "yarn lint && yarn test-only",
"test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",

12
yarn-update-jest.prebundle.patch
View file

@ -1,12 +0,0 @@
diff -rupN yarn-1.22.22/package.json yarn-1.22.22-new/package.json
--- yarn-1.22.22/package.json 2024-03-09 22:33:28.000000000 +0100
+++ yarn-1.22.22-new/package.json 2025-07-28 10:33:09.427716996 +0200
@@ -93,7 +93,7 @@
"gulp-newer": "^1.0.0",
"gulp-plumber": "^1.0.1",
"gulp-sourcemaps": "^2.2.0",
- "jest": "^22.4.4",
+ "jest": "^30.0.5",
"jsinspect": "^0.12.6",
"minimatch": "^3.0.4",
"mock-stdin": "^0.3.0",

2
yarnpkg-tarball.sh
View file

@ -11,9 +11,7 @@ cd yarn-$version
for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
patch -p1 < $file
done
rm yarn.lock
yarn install
yarn autoclean --force
yarn audit fix
# Delete all binary files in node_modules
echo "Deleting binary files..."

72
yarnpkg.spec
View file

@ -8,11 +8,11 @@
# don't require bundled modules
%global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$
%global bundledate 20251203
%global bundledate 20240219
Name: yarnpkg
Version: 1.22.22
Release: 14%{?dist}
Version: 1.22.21
Release: 2%{?dist}
Summary: Fast, reliable, and secure dependency management.
License: BSD-2-Clause
URL: https://github.com/yarnpkg/yarn
@ -21,26 +21,18 @@ Source0: %{name}-v%{version}-bundled-%{bundledate}.tar.gz
Source1: yarnpkg-tarball.sh
# These are applied by yarnpkg-tarball.sh
# yarn-update-jest.prebundle.patch
# yarn-no-commitizen.prebundle.patch
# yarn-no-eslint.prebundle.patch
# async-CVE-2021-43138.prebundle.patch
# minimatch-CVE-2022-3517.prebundle.patch
# thenify-CVE-2020-7677.prebundle.patch
# decode-uri-component-CVE-2022-38900.prebundle.patch
Patch0: CVE-2023-26136.patch
Patch1: CVE-2022-37599.patch
Patch2: CVE-2024-4067.patch
# https://github.com/yarnpkg/yarn/commit/97731871e674bf93bcbf29e9d3258da8685f3076.patch
Patch3: CVE-2025-8262.patch
# https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
Patch4: CVE-2025-8263.patch
Patch2: CVE-2023-46234.patch
ExclusiveArch: %{nodejs_arches}
BuildRequires: nodejs-packaging
%if 0%{?fedora}
BuildRequires: nodejs-npm
%else
BuildRequires: npm
%endif
%description
Fast, reliable, and secure dependency management.
@ -74,7 +66,6 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
-ipath '*/test/*' -type f -executable \
-exec chmod -x '{}' +
%if 0%{?enable_tests}
%check
%nodejs_symlink_deps --check
@ -90,54 +81,7 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
%{_bindir}/yarn
%{nodejs_sitelib}/%{npm_name}/
%changelog
* Wed Dec 03 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-14
- Bump release
* Wed Dec 03 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-13
- Refresh bundle, fixes CVE-2025-64756
* Tue Sep 30 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-12
- Regenerate bundle, fixes CVE-2025-59343
- Patch out eslint and commitizen devDependencies to reduce dependencies
* Wed Jul 30 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-11
- Refresh bundle
- Drop patches obsoleted by new bundle
- Add yarn-update-jest.prebundle.patch to update jest and avoid some vulerable dependencies
- Apply fixes for CVE-2025-8262 and CVE-2025-8263
* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
* Tue Jun 24 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-9
- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
* Wed Jun 04 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-8
- Refresh bundle tarball for CVE-2025-48387
* Fri Mar 28 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-7
- Fix CVE-2024-12905
* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
* Tue Oct 15 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-5
- Update bundled ws (CVE-2024-37890)
* Thu Oct 10 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-4
- Update bundled elliptic (CVE-2024-48949)
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Thu Jul 04 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-2
- Backport patch for CVE-2024-4067
* Sat Mar 09 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-1
- Update to 1.22.22
* Mon Feb 19 2024 Sandro Mani <manisandro@gmail.com> - 1.22.21-2
- Backport patches for CVE-2022-37599, CVE-2023-26136, CVE-2023-46234