19 changed files with 240 additions and 272 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,9 +10,3 @@
 /yarnpkg-v1.22.22-bundled-20240704.tar.gz
 /yarnpkg-v1.22.22-bundled-20241010.tar.gz
 /yarnpkg-v1.22.22-bundled-20241015.tar.gz
-/yarnpkg-v1.22.22-bundled-20250328.tar.gz
-/yarnpkg-v1.22.22-bundled-20250604.tar.gz
-/yarnpkg-v1.22.22-bundled-20250624.tar.gz
-/yarnpkg-v1.22.22-bundled-20250728.tar.gz
-/yarnpkg-v1.22.22-bundled-20250930.tar.gz
-/yarnpkg-v1.22.22-bundled-20251203.tar.gz
--- a/CVE-2022-37599.patch
+++ b/CVE-2022-37599.patch
@ -1,6 +1,6 @@
-diff -rupN --no-dereference yarn-1.22.22/node_modules/loader-utils/index.js yarn-1.22.22-new/node_modules/loader-utils/index.js
--- yarn-1.22.22/node_modules/loader-utils/index.js	2025-07-28 09:42:24.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/loader-utils/index.js	2025-07-31 00:36:49.585249573 +0200
+diff -rupN yarn-1.22.21/node_modules/loader-utils/index.js yarn-1.22.21-new/node_modules/loader-utils/index.js
+--- yarn-1.22.21/node_modules/loader-utils/index.js	2024-02-16 23:35:57.000000000 +0100
+++ yarn-1.22.21-new/node_modules/loader-utils/index.js	2024-02-19 11:05:56.885775046 +0100
@@ -299,7 +299,7 @@ exports.interpolateName = function inter
 	var url = filename;
 	if(content) {
--- a/CVE-2023-26136.patch
+++ b/CVE-2023-26136.patch
@ -1,6 +1,6 @@
-diff -rupN --no-dereference yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js
--- yarn-1.22.22/node_modules/tough-cookie/lib/memstore.js	2025-07-28 11:18:19.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/tough-cookie/lib/memstore.js	2025-07-31 00:36:47.884055369 +0200
+diff -rupN yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js
+--- yarn-1.22.21/node_modules/tough-cookie/lib/memstore.js	2024-02-16 23:36:08.000000000 +0100
+++ yarn-1.22.21-new/node_modules/tough-cookie/lib/memstore.js	2024-02-19 10:48:11.215668646 +0100
@@ -36,7 +36,7 @@ var util = require('util');
 
 function MemoryCookieStore() {
--- a/CVE-2023-46234.patch
+++ b/CVE-2023-46234.patch
@ -0,0 +1,12 @@
+diff -rupN yarn-1.22.21/node_modules/browserify-sign/browser/verify.js yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js
+--- yarn-1.22.21/node_modules/browserify-sign/browser/verify.js	2024-02-16 23:36:10.000000000 +0100
+++ yarn-1.22.21-new/node_modules/browserify-sign/browser/verify.js	2024-02-19 11:14:55.923549230 +0100
+@@ -77,7 +77,7 @@ function dsaVerify (sig, hash, pub) {
+ 
+ function checkValue (b, q) {
+   if (b.cmpn(0) <= 0) throw new Error('invalid sig')
+-  if (b.cmp(q) >= q) throw new Error('invalid sig')
+  if (b.cmp(q) >= 0) throw new Error('invalid sig')
+ }
+ 
+ module.exports = verify
--- a/CVE-2024-37890.prebundle.patch
+++ b/CVE-2024-37890.prebundle.patch
@ -0,0 +1,16 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock	2024-10-10 12:55:05.000000000 +0200
+++ yarn-1.22.22-new/yarn.lock	2024-10-15 14:59:01.318140933 +0200
+@@ -7809,9 +7809,9 @@ write@^0.2.1:
+     mkdirp "^0.5.1"
+ 
+ ws@^5.2.0:
+-  version "5.2.2"
+-  resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.2.tgz#dffef14866b8e8dc9133582514d1befaf96e980f"
+-  integrity sha512-jaHFD6PFv6UgoIVda6qZllptQsMlDEJkTQcybzzXDYM1XO9Y8em691FGMPmM46WGyLU4z9KMgQN+qrux/nhlHA==
+  version "5.2.4"
+  resolved "https://registry.yarnpkg.com/ws/-/ws-5.2.4.tgz#c7bea9f1cfb5f410de50e70e82662e562113f9a7"
+  integrity sha512-fFCejsuC8f9kOSu9FYaOw8CdO68O3h5v0lg4p74o8JqWpwTf9tniOD+nOB78aWoVSS6WptVUmDrp/KPsMVBWFQ==
+   dependencies:
+     async-limiter "~1.0.0"
+ 
--- a/CVE-2024-4067.patch
+++ b/CVE-2024-4067.patch
@ -1,6 +1,6 @@
-diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js	2025-07-31 00:36:51.203223937 +0200
+diff -rupN yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/anymatch/node_modules/micromatch/index.js	2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/anymatch/node_modules/micromatch/index.js	2024-07-04 23:35:09.633072156 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
   }
 
@ -10,9 +10,9 @@ diff -rupN --no-dereference yarn-1.22.22/node_modules/anymatch/node_modules/micr
       return utils.arrayify(pattern);
     }
     return braces(pattern, options);
-diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/liftoff/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/liftoff/node_modules/micromatch/index.js	2025-07-31 00:36:51.203775750 +0200
+diff -rupN yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/findup-sync/node_modules/micromatch/index.js	2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/findup-sync/node_modules/micromatch/index.js	2024-07-04 23:35:22.753040820 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
   }
 
@ -22,9 +22,9 @@ diff -rupN --no-dereference yarn-1.22.22/node_modules/liftoff/node_modules/micro
       return utils.arrayify(pattern);
     }
     return braces(pattern, options);
-diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js	2025-07-31 00:36:51.204199053 +0200
+diff -rupN yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/matchdep/node_modules/micromatch/index.js	2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/matchdep/node_modules/micromatch/index.js	2024-07-04 23:35:32.817016784 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
   }
 
@ -34,9 +34,21 @@ diff -rupN --no-dereference yarn-1.22.22/node_modules/matchdep/node_modules/micr
       return utils.arrayify(pattern);
     }
     return braces(pattern, options);
-diff -rupN --no-dereference yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js
--- yarn-1.22.22/node_modules/readdirp/node_modules/micromatch/index.js	2025-07-28 09:42:30.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/readdirp/node_modules/micromatch/index.js	2025-07-31 00:36:51.204611282 +0200
+diff -rupN yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/sane/node_modules/micromatch/index.js	2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/sane/node_modules/micromatch/index.js	2024-07-04 23:35:41.536995958 +0200
+@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
+   }
+ 
+   function expand() {
+-    if (options && options.nobrace === true || !/\{.*\}/.test(pattern)) {
+    if (options && options.nobrace === true || !/\{.*?\}/.test(pattern)) {
+       return utils.arrayify(pattern);
+     }
+     return braces(pattern, options);
+diff -rupN yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js
+--- yarn-1.22.22/node_modules/test-exclude/node_modules/micromatch/index.js	2024-07-04 22:55:38.000000000 +0200
+++ yarn-1.22.22-new/node_modules/test-exclude/node_modules/micromatch/index.js	2024-07-04 23:35:49.438977085 +0200
@@ -621,7 +621,7 @@ micromatch.braces = function(pattern, op
   }
 
--- a/CVE-2024-48949.prebundle.patch
+++ b/CVE-2024-48949.prebundle.patch
@ -0,0 +1,91 @@
+diff -rupN yarn-1.22.22/yarn.lock yarn-1.22.22-new/yarn.lock
+--- yarn-1.22.22/yarn.lock	2024-10-10 12:46:29.329322568 +0200
+++ yarn-1.22.22-new/yarn.lock	2024-10-10 12:37:38.256366136 +0200
+@@ -1404,11 +1404,16 @@ bl@^1.0.0:
+     readable-stream "^2.3.5"
+     safe-buffer "^5.1.1"
+ 
+-bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1, bn.js@^4.4.0:
+bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.1.1:
+   version "4.11.8"
+   resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.11.8.tgz#2cde09eb5ee341f484746bb0309b3253b1b1442f"
+   integrity sha512-ItfYfPLkWHUjckQCk8xC+LwxgK8NYcXywGigJgSwOP8Y2iyWT4f2vsZnoOXTTbo+o5yXmIUJ4gn5538SO5S3gA==
+ 
+bn.js@^4.11.9:
+  version "4.12.0"
+  resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
+  integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
+
+ brace-expansion@^1.1.7:
+   version "1.1.11"
+   resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-1.1.11.tgz#3c7fcbf529d87226f3d2f52b966ff5271eb441dd"
+@@ -1450,7 +1455,7 @@ broccoli-kitchen-sink-helpers@^0.3.1:
+     glob "^5.0.10"
+     mkdirp "^0.5.1"
+ 
+-brorand@^1.0.1:
+brorand@^1.0.1, brorand@^1.1.0:
+   version "1.1.0"
+   resolved "https://registry.yarnpkg.com/brorand/-/brorand-1.1.0.tgz#12c25efe40a45e3c323eb8675a0a0ce57b22371f"
+   integrity sha1-EsJe/kCkXjwyPrhnWgoM5XsiNx8=
+@@ -2424,17 +2429,17 @@ electron-to-chromium@^1.3.47:
+   integrity sha1-8VDhCyC3fZ1Br8yjEu/gw7Gn/c4=
+ 
+ elliptic@^6.0.0:
+-  version "6.4.0"
+-  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.4.0.tgz#cac9af8762c85836187003c8dfe193e5e2eae5df"
+-  integrity sha1-ysmvh2LIWDYYcAPI3+GT5eLq5d8=
+  version "6.5.7"
+  resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.7.tgz#8ec4da2cb2939926a1b9a73619d768207e647c8b"
+  integrity sha512-ESVCtTwiA+XhY3wyh24QqRGBoP3rEdDUl3EDUUo9tft074fi19IrdpH7hLCMMP3CIj7jb3W96rn8lt/BqIlt5Q==
+   dependencies:
+-    bn.js "^4.4.0"
+-    brorand "^1.0.1"
+    bn.js "^4.11.9"
+    brorand "^1.1.0"
+     hash.js "^1.0.0"
+-    hmac-drbg "^1.0.0"
+-    inherits "^2.0.1"
+-    minimalistic-assert "^1.0.0"
+-    minimalistic-crypto-utils "^1.0.0"
+    hmac-drbg "^1.0.1"
+    inherits "^2.0.4"
+    minimalistic-assert "^1.0.1"
+    minimalistic-crypto-utils "^1.0.1"
+ 
+ emoji-regex@^6.5.1:
+   version "6.5.1"
+@@ -3711,10 +3716,10 @@ heimdalljs@^0.2.0, heimdalljs@^0.2.3:
+   dependencies:
+     rsvp "~3.2.1"
+ 
+-hmac-drbg@^1.0.0:
+hmac-drbg@^1.0.1:
+   version "1.0.1"
+   resolved "https://registry.yarnpkg.com/hmac-drbg/-/hmac-drbg-1.0.1.tgz#d2745701025a6c775a6c545793ed502fc0c649a1"
+-  integrity sha1-0nRXAQJabHdabFRXk+1QL8DGSaE=
+  integrity sha512-Tti3gMqLdZfhOQY1Mzf/AanLiqh1WTiJgEj26ZuYQ9fbkLomzGchCws4FyrSd4VkpBfiNhaE1On+lOz894jvXg==
+   dependencies:
+     hash.js "^1.0.3"
+     minimalistic-assert "^1.0.0"
+@@ -3841,6 +3846,11 @@ inherits@2.0.1:
+   resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.1.tgz#b17d08d326b4423e568eff719f91b0b1cbdf69f1"
+   integrity sha1-sX0I0ya0Qj5Wjv9xn5GwscvfafE=
+ 
+inherits@^2.0.4:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
+  integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
+
+ ini@^1.3.4, ini@~1.3.0:
+   version "1.3.5"
+   resolved "https://registry.yarnpkg.com/ini/-/ini-1.3.5.tgz#eee25f56db1c9ec6085e0c22778083f596abf927"
+@@ -5234,7 +5244,7 @@ minimalistic-assert@^1.0.0, minimalistic
+   resolved "https://registry.yarnpkg.com/minimalistic-assert/-/minimalistic-assert-1.0.1.tgz#2e194de044626d4a10e7f7fbc00ce73e83e4d5c7"
+   integrity sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==
+ 
+-minimalistic-crypto-utils@^1.0.0, minimalistic-crypto-utils@^1.0.1:
+minimalistic-crypto-utils@^1.0.1:
+   version "1.0.1"
+   resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a"
+   integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
--- a/CVE-2025-8262.patch
+++ b/CVE-2025-8262.patch
@ -1,15 +0,0 @@
-diff -rupN --no-dereference yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js
--- yarn-1.22.22/src/resolvers/exotics/hosted-git-resolver.js	2024-03-09 22:33:28.000000000 +0100
-+++ yarn-1.22.22-new/src/resolvers/exotics/hosted-git-resolver.js	2025-07-31 00:36:53.007366080 +0200
-@@ -30,8 +30,9 @@ export function explodeHostedGitFragment
-   }
- 
-   const parts = fragment
-    .replace(/(.*?)#.*/, '$1') // Strip hash
-    .replace(/.*:(.*)/, '$1') // Strip prefixed protocols
-+    .split('#', 1)[0]
-+    .split(':')
-+    .pop()
-     .replace(/.git$/, '') // Strip the .git suffix
-     .split('/');
- 
--- a/CVE-2025-8263.patch
+++ b/CVE-2025-8263.patch
@ -1,25 +0,0 @@
-diff -rupN yarn-1.22.22/node_modules/form-data/lib/form_data.js yarn-1.22.22-new/node_modules/form-data/lib/form_data.js
--- yarn-1.22.22/node_modules/form-data/lib/form_data.js	2025-07-28 11:18:19.000000000 +0200
-+++ yarn-1.22.22-new/node_modules/form-data/lib/form_data.js	2025-07-31 00:39:06.012116839 +0200
-@@ -5,6 +5,7 @@ var http = require('http');
- var https = require('https');
- var parseUrl = require('url').parse;
- var fs = require('fs');
-+var crypto = require('crypto');
- var mime = require('mime-types');
- var asynckit = require('asynckit');
- var populate = require('./populate.js');
-@@ -316,12 +317,7 @@ FormData.prototype.getBoundary = functio
- FormData.prototype._generateBoundary = function() {
-   // This generates a 50 character boundary similar to those used by Firefox.
-   // They are optimized for boyer-moore parsing.
-  var boundary = '--------------------------';
-  for (var i = 0; i < 24; i++) {
-    boundary += Math.floor(Math.random() * 10).toString(16);
-  }
-
-  this._boundary = boundary;
-+  this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
- };
- 
- // Note: getLengthSync DOESN'T calculate streams length
--- a/async-CVE-2021-43138.prebundle.patch
+++ b/async-CVE-2021-43138.prebundle.patch
@ -0,0 +1,31 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock	2023-03-21 11:58:50.508393147 +0100
+++ yarn-1.22.19-new/yarn.lock	2023-03-21 11:59:28.850636157 +0100
+@@ -498,11 +498,11 @@ async@^1.4.0:
+   integrity sha1-7GphrlZIDAw8skHJVhjiCJL5Zyo=
+ 
+ async@^2.1.2, async@^2.1.4:
+-  version "2.6.1"
+-  resolved "https://registry.yarnpkg.com/async/-/async-2.6.1.tgz#b245a23ca71930044ec53fa46aa00a3e87c6a610"
+-  integrity sha512-fNEiL2+AZt6AlAw/29Cr0UDe4sRAHCpEHh54WMz+Bb7QfNcFw4h3loofyJpLeQs4Yx7yuqu/2dLgM5hKOs6HlQ==
+  version "2.6.4"
+  resolved "https://registry.yarnpkg.com/async/-/async-2.6.4.tgz#706b7ff6084664cd7eae713f6f965433b5504221"
+  integrity sha512-mzo5dfJYwAn29PeiJ0zvwTo04zj8HDJj0Mn8TD7sno7q12prdbnasKJHhkm2c1LgrhlJ0teaea8860oxi51mGA==
+   dependencies:
+-    lodash "^4.17.10"
+    lodash "^4.17.14"
+ 
+ asynckit@^0.4.0:
+   version "0.4.0"
+@@ -5036,6 +5036,11 @@ lodash@^4.13.1, lodash@^4.17.10, lodash@
+   resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.10.tgz#1b7793cf7259ea38fb3661d4d38b3260af8ae4e7"
+   integrity sha512-UejweD1pDoXu+AD825lWwp4ZGtSwgnpZxb3JDViD7StjQz+Nb/6l093lx4OQ0foGWNRoc19mWy7BzL+UAK2iVg==
+ 
+lodash@^4.17.14:
+  version "4.17.21"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz#679591c564c3bffaae8454cf0b3df370c3d6911c"
+  integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
+
+ longest@^1.0.1:
+   version "1.0.1"
+   resolved "https://registry.yarnpkg.com/longest/-/longest-1.0.1.tgz#30a0b2da38f73770e8294a0d22e6625ed77d0097"
--- a/decode-uri-component-CVE-2022-38900.prebundle.patch
+++ b/decode-uri-component-CVE-2022-38900.prebundle.patch
@ -0,0 +1,16 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock	2022-05-10 19:48:34.000000000 +0200
+++ yarn-1.22.19-new/yarn.lock	2023-03-21 11:57:26.891976168 +0100
+@@ -2208,9 +2208,9 @@ decamelize@^1.0.0, decamelize@^1.1.1:
+   integrity sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=
+ 
+ decode-uri-component@^0.2.0:
+-  version "0.2.0"
+-  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.0.tgz#eb3913333458775cb84cd1a1fae062106bb87545"
+-  integrity sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=
+  version "0.2.2"
+  resolved "https://registry.yarnpkg.com/decode-uri-component/-/decode-uri-component-0.2.2.tgz#e69dbe25d37941171dd540e024c444cd5188e1e9"
+  integrity sha512-FqUYQ+8o158GyGTrMFJms9qh3CqTKvAqgqsTnkLI8sKu0028orqBhxNMFkFen0zGyg6epACD32pjVk58ngIErQ==
+ 
+ dedent@0.6.0:
+   version "0.6.0"
--- a/minimatch-CVE-2022-3517.prebundle.patch
+++ b/minimatch-CVE-2022-3517.prebundle.patch
@ -0,0 +1,16 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock	2023-03-21 12:00:04.395885047 +0100
+++ yarn-1.22.19-new/yarn.lock	2023-03-21 12:00:32.419095290 +0100
+@@ -5240,9 +5240,9 @@ minimalistic-crypto-utils@^1.0.0, minima
+   integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo=
+ 
+ "minimatch@2 || 3", minimatch@^3.0.2, minimatch@^3.0.3, minimatch@^3.0.4:
+-  version "3.0.4"
+-  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083"
+-  integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==
+  version "3.1.2"
+  resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
+  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
+   dependencies:
+     brace-expansion "^1.1.7"
+ 
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (yarnpkg-v1.22.22-bundled-20251203.tar.gz) = afcf0f4e3719a1d41e60b8e9a9633291161f3a7b04b67d85b3f12cfd9dce8abf9fef3f7be2eab90f3e8efa49e564342175a20ca1e305665a1d453a116b1f79d2
+SHA512 (yarnpkg-v1.22.22-bundled-20241015.tar.gz) = 1db1a751f34858daf7f530d8f28dd2377ec4e7e996bd74a4c8e70e21b54777824396979d9c0585f857e367c8b03ebf70fab686be71add4f450eb91e61071dc9e
--- a/thenify-CVE-2020-7677.prebundle.patch
+++ b/thenify-CVE-2020-7677.prebundle.patch
@ -0,0 +1,16 @@
+diff -rupN '--exclude=node_modules' yarn-1.22.19/yarn.lock yarn-1.22.19-new/yarn.lock
+--- yarn-1.22.19/yarn.lock	2023-03-21 11:57:48.181065612 +0100
+++ yarn-1.22.19-new/yarn.lock	2023-03-21 11:58:21.377228725 +0100
+@@ -7212,9 +7212,9 @@ thenify-all@^1.0.0:
+     thenify ">= 3.1.0 < 4"
+ 
+ "thenify@>= 3.1.0 < 4":
+-  version "3.3.0"
+-  resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.0.tgz#e69e38a1babe969b0108207978b9f62b88604839"
+-  integrity sha1-5p44obq+lpsBCCB5eLn2K4hgSDk=
+  version "3.3.1"
+  resolved "https://registry.yarnpkg.com/thenify/-/thenify-3.3.1.tgz#8932e686a4066038a016dd9e2ca46add9838a95f"
+  integrity sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==
+   dependencies:
+     any-promise "^1.0.0"
+ 
--- a/yarn-no-commitizen.prebundle.patch
+++ b/yarn-no-commitizen.prebundle.patch
@ -1,30 +0,0 @@
-diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
--- yarn-1.22.22/package.json	2025-09-30 14:26:03.561888356 +0200
-+++ yarn-1.22.22-new/package.json	2025-09-30 14:26:03.566194507 +0200
-@@ -69,7 +69,6 @@
-     "babel-preset-flow": "^6.23.0",
-     "babel-preset-stage-0": "^6.0.0",
-     "babylon": "^6.5.0",
-    "commitizen": "^2.9.6",
-     "cz-conventional-changelog": "^2.0.0",
-     "eslint": "^4.3.0",
-     "eslint-config-fb-strict": "^22.0.0",
-@@ -131,8 +130,7 @@
-     "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",
-     "test-only-debug": "node --inspect-brk --max_old_space_size=4096 node_modules/jest/bin/jest.js --runInBand --verbose",
-     "test-coverage": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --coverage --verbose",
-    "watch": "gulp watch",
-    "commit": "git-cz"
-+    "watch": "gulp watch"
-   },
-   "jest": {
-     "collectCoverageFrom": [
-@@ -152,8 +150,5 @@
-     ]
-   },
-   "config": {
-    "commitizen": {
-      "path": "./node_modules/cz-conventional-changelog"
-    }
-   }
- }
--- a/yarn-no-eslint.prebundle.patch
+++ b/yarn-no-eslint.prebundle.patch
@ -1,116 +0,0 @@
-diff -rupN --no-dereference yarn-1.22.22/.eslintignore yarn-1.22.22-new/.eslintignore
--- yarn-1.22.22/.eslintignore	2024-03-09 22:33:28.000000000 +0100
-+++ yarn-1.22.22-new/.eslintignore	1970-01-01 01:00:00.000000000 +0100
-@@ -1,12 +0,0 @@
-__tests__/fixtures
-lib
-lib-legacy
-node_modules
-flow-typed
-coverage
-gulpfile.js
-scripts
-updates
-artifacts
-dist
-packages
-diff -rupN --no-dereference yarn-1.22.22/.eslintrc.json yarn-1.22.22-new/.eslintrc.json
--- yarn-1.22.22/.eslintrc.json	2024-03-09 22:33:28.000000000 +0100
-+++ yarn-1.22.22-new/.eslintrc.json	1970-01-01 01:00:00.000000000 +0100
-@@ -1,56 +0,0 @@
-{
-  "extends": "eslint-config-fb-strict",
-  "env": {
-    "jest": true
-  },
-  "plugins": [
-    "flowtype",
-    "yarn-internal",
-    "prettier"
-  ],
-  "rules": {
-    "yarn-internal/warn-language": "error",
-    "max-len": ["error", 120],
-    "prefer-arrow-callback": "off",
-    "flowtype/require-valid-file-annotation": ["error", "always"],
-    "flowtype/space-after-type-colon": ["error", "always"],
-    "flowtype/require-return-type": ["error", "always", {"excludeArrowFunctions": true}],
-    "require-await": "error",
-    "no-process-exit": "error",
-    "no-return-await": "error",
-    "sort-keys": "off",
-    "prettier/prettier": ["error", {
-      "singleQuote": true,
-      "trailingComma": "all",
-      "bracketSpacing": false,
-      "printWidth": 120,
-      "parser": "flow"
-    }]
-  },
-  "overrides": [
-    {
-      "files": [
-        "__tests__/fixtures/**/*.js",
-        "bin/*.js",
-        "src/cli/index.js"
-      ],
-      "rules": {
-        "no-console": "off"
-      }
-    },
-    {
-      "files": [
-        "src/util/generate-pnp-map-api.tpl.js"
-      ],
-      "rules": {
-        "prettier/prettier": ["error", {
-          "singleQuote": true,
-          "trailingComma": "es5",
-          "bracketSpacing": false,
-          "printWidth": 120,
-          "parser": "flow"
-        }]
-      }
-    }
-  ]
-}
-diff -rupN --no-dereference yarn-1.22.22/package.json yarn-1.22.22-new/package.json
--- yarn-1.22.22/package.json	2025-09-30 14:26:03.997138837 +0200
-+++ yarn-1.22.22-new/package.json	2025-09-30 14:26:04.000964590 +0200
-@@ -58,7 +58,6 @@
-   },
-   "devDependencies": {
-     "babel-core": "^6.26.0",
-    "babel-eslint": "^7.2.3",
-     "babel-loader": "^6.2.5",
-     "babel-plugin-array-includes": "^2.0.3",
-     "babel-plugin-inline-import": "^3.0.0",
-@@ -70,18 +69,6 @@
-     "babel-preset-stage-0": "^6.0.0",
-     "babylon": "^6.5.0",
-     "cz-conventional-changelog": "^2.0.0",
-    "eslint": "^4.3.0",
-    "eslint-config-fb-strict": "^22.0.0",
-    "eslint-plugin-babel": "^5.0.0",
-    "eslint-plugin-flowtype": "^2.35.0",
-    "eslint-plugin-jasmine": "^2.6.2",
-    "eslint-plugin-jest": "^21.0.0",
-    "eslint-plugin-jsx-a11y": "^6.0.2",
-    "eslint-plugin-prefer-object-spread": "^1.2.1",
-    "eslint-plugin-prettier": "^2.1.2",
-    "eslint-plugin-react": "^7.1.0",
-    "eslint-plugin-relay": "^0.0.28",
-    "eslint-plugin-yarn-internal": "file:scripts/eslint-rules",
-     "execa": "^0.11.0",
-     "fancy-log": "^1.3.2",
-     "flow-bin": "^0.66.0",
-@@ -122,9 +109,7 @@
-     "build-win-installer": "scripts\\build-windows-installer.bat",
-     "changelog": "git-release-notes $(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)..$(git describe --tags --abbrev=0) scripts/changelog.md",
-     "dupe-check": "yarn jsinspect ./src",
-    "lint": "eslint . && flow check",
-     "pkg-tests": "yarn --cwd packages/pkg-tests jest yarn.test.js",
-    "prettier": "eslint src __tests__ --fix",
-     "release-branch": "./scripts/release-branch.sh",
-     "test": "yarn lint && yarn test-only",
-     "test-only": "node --max_old_space_size=4096 node_modules/jest/bin/jest.js --verbose",
--- a/yarn-update-jest.prebundle.patch
+++ b/yarn-update-jest.prebundle.patch
@ -1,12 +0,0 @@
-diff -rupN yarn-1.22.22/package.json yarn-1.22.22-new/package.json
--- yarn-1.22.22/package.json	2024-03-09 22:33:28.000000000 +0100
-+++ yarn-1.22.22-new/package.json	2025-07-28 10:33:09.427716996 +0200
-@@ -93,7 +93,7 @@
-     "gulp-newer": "^1.0.0",
-     "gulp-plumber": "^1.0.1",
-     "gulp-sourcemaps": "^2.2.0",
-    "jest": "^22.4.4",
-+    "jest": "^30.0.5",
-     "jsinspect": "^0.12.6",
-     "minimatch": "^3.0.4",
-     "mock-stdin": "^0.3.0",
--- a/yarnpkg-tarball.sh
+++ b/yarnpkg-tarball.sh
@ -11,9 +11,7 @@ cd yarn-$version
 for file in $(ls -1 ../*.prebundle.patch 2>/dev/null); do
 patch -p1 < $file
 done
-rm yarn.lock
 yarn install
-yarn autoclean --force
 yarn audit fix
 # Delete all binary files in node_modules
 echo "Deleting binary files..."
--- a/yarnpkg.spec
+++ b/yarnpkg.spec
@ -8,11 +8,11 @@
 # don't require bundled modules
 %global __requires_exclude_from ^(%{nodejs_sitelib}/yarn/lib/.*|%{nodejs_sitelib}/yarn/bin/yarn(|\\.cmd|\\.ps1|pkg.*))$

-%global bundledate 20251203
+%global bundledate 20241015

 Name:           yarnpkg
 Version:        1.22.22
-Release:        14%{?dist}
+Release:        5%{?dist}
 Summary:        Fast, reliable, and secure dependency management.
 License:        BSD-2-Clause
 URL:            https://github.com/yarnpkg/yarn
@ -21,26 +21,23 @@ Source0:        %{name}-v%{version}-bundled-%{bundledate}.tar.gz
 Source1:        yarnpkg-tarball.sh

 # These are applied by yarnpkg-tarball.sh
-# yarn-update-jest.prebundle.patch
-# yarn-no-commitizen.prebundle.patch
-# yarn-no-eslint.prebundle.patch
+# async-CVE-2021-43138.prebundle.patch
+# minimatch-CVE-2022-3517.prebundle.patch
+# thenify-CVE-2020-7677.prebundle.patch
+# decode-uri-component-CVE-2022-38900.prebundle.patch
+# CVE-2024-48949.prebundle.patch
+# CVE-2024-37890.prebundle.patch

 Patch0:         CVE-2023-26136.patch
 Patch1:         CVE-2022-37599.patch
-Patch2:         CVE-2024-4067.patch
-# https://github.com/yarnpkg/yarn/commit/97731871e674bf93bcbf29e9d3258da8685f3076.patch
-Patch3:         CVE-2025-8262.patch
-# https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
-Patch4:         CVE-2025-8263.patch
+Patch2:         CVE-2023-46234.patch
+Patch3:         CVE-2024-4067.patch
+

 ExclusiveArch:  %{nodejs_arches}

 BuildRequires:  nodejs-packaging
-%if 0%{?fedora}
 BuildRequires:  nodejs-npm
-%else
-BuildRequires:  npm
-%endif

 %description
 Fast, reliable, and secure dependency management.
@ -74,7 +71,6 @@ find %{buildroot}%{nodejs_sitelib}/%{npm_name}/node_modules \
    -ipath '*/test/*' -type f -executable \
    -exec chmod -x '{}' +

-
 %if 0%{?enable_tests}
 %check
 %nodejs_symlink_deps --check
@ -90,39 +86,7 @@ if [[ $(%{buildroot}%{_bindir}/yarn --version) == %{version} ]] ; then echo PASS
 %{_bindir}/yarn
 %{nodejs_sitelib}/%{npm_name}/

-
 %changelog
-* Wed Dec 03 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-14
- Bump release
-
-* Wed Dec 03 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-13
- Refresh bundle, fixes CVE-2025-64756
-
-* Tue Sep 30 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-12
- Regenerate bundle, fixes CVE-2025-59343
- Patch out eslint and commitizen devDependencies to reduce dependencies
-
-* Wed Jul 30 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-11
- Refresh bundle
- Drop patches obsoleted by new bundle
- Add yarn-update-jest.prebundle.patch to update jest and avoid some vulerable dependencies
- Apply fixes for CVE-2025-8262 and CVE-2025-8263
-
-* Fri Jul 25 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Jun 24 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-9
- Add CVE-2025-6545_6547.prebundle.patch and regenerate bundle. Fixes CVE-2025-6545 and CVE-2025-6547.
-
-* Wed Jun 04 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-8
- Refresh bundle tarball for CVE-2025-48387
-
-* Fri Mar 28 2025 Sandro Mani <manisandro@gmail.com> - 1.22.22-7
- Fix CVE-2024-12905
-
-* Sun Jan 19 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.22-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
 * Tue Oct 15 2024 Sandro Mani <manisandro@gmail.com> - 1.22.22-5
 - Update bundled ws (CVE-2024-37890)