c9b44edd37(bsc#1198247, CVE-2021-44906) - CVE-2021-44907.patch: fix insuficient sanitation in npm dependency (bsc#1197283, CVE-2021-44907) - CVE-2022-0235.patch: fix passing of cookie data and sensitive headers to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)Adam Majer2022-04-21 14:26:21 +00:00
847d392aec- fix_ci_tests.patch: fix zlib tests for z15Adam Majer2022-02-16 11:38:17 +00:00
17a6d023c1- npm-v6.14.16.tar.gz: update to npm 6.14.16 fixing * CVE-2021-23343 - ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153) * CVE-2021-23343 - node-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (bsc#1191963) * CVE-2021-32804 - node-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (bsc#1191962) * CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (bsc#1192696) - CVE-2021-3807.patch: node-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (bsc#1192154, CVE-2021-3807) - test_ssl_cert_fixups.patch: fixup SSL certificates in unit testsAdam Majer2022-02-16 10:39:49 +00:00
48635dbb89- CVE-2021-22930.patch: http2: fixes use after free on close in stream canceling (bsc#1188917, CVE-2021-22930)Adam Majer2021-08-04 16:38:50 +00:00
c59587fdbd- CVE-2020-8265.patch: Add a unit test for CVE-2020-8265 to make sure we don't have it broken in the future.Adam Majer2021-07-07 12:58:16 +00:00
5dcc2f76e0- CVE-2021-22884.patch: DNS rebinding in --inspect (CVE-2021-22884, bsc#1182620) - CVE-2021-22883.patch: only backport unit test to make sure we don't have regression here in the future.Adam Majer2021-02-23 17:01:57 +00:00
6be6af0b70- CVE-2020-8287.patch: HTTP Request Smuggling allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554, CVE-2020-8287)Adam Majer2021-01-11 15:51:30 +00:00
6c5698fc9e- Update Requires: so -devel requires npm - Rely on rpmbuild to define necessary python dependenciesAdam Majer2020-11-23 16:08:19 +00:00
16371a0c7d- fix_ci_tests.patch: add support to SUSE's ECDH backport errors in SLE's opensslAdam Majer2020-10-09 09:41:15 +00:00
70ffaffd94- New upstream release 8.4.0 * HTTP2: Experimental support for the built-in http2 module has been added via the --expose-http2 flag. (#14239) * Inspector: + require() is available in the inspector console now. (#8837) + Multiple contexts, as created by the vm module, are supported now. (#14465) * N-API: New APIs for creating number values have been introduced. (#14573) * Stream: For Duplex streams, the high water mark option can now be set independently for the readable and the writable side. (#14636) * Util: util.format now supports the %o and %O specifiers for printing objects. (#14558) - Changes in release 8.3.0 * V8: The V8 engine has been upgraded to version 6.0, which has a significantly changed performance profile. (#14574) * DNS: Independent DNS resolver instances are supported now, with support for cancelling the corresponding requests. (#14518) * N-API: Multiple N-API functions for error handling have been changed to support assigning error codes. (#13988) * REPL: Autocompletion support for require() has been improved. (#14409) * Utilities: The WHATWG Encoding Standard (TextDecoder and TextEncoder) has been implemented as an experimental feature. (#13644)
Karl Cheng
2017-08-19 06:12:00 +00:00
329247211e- Modify versioned.patch: * Add support for new npx binary introduced in npm 5.3.0, versioned as /usr/bin/npx8.
Karl Cheng
2017-08-01 04:59:41 +00:00
8e2c80530eReplace the old tar.xz file
Karl Cheng
2017-07-28 01:08:33 +00:00
f4908e2974- New upstream release 8.2.1 * http: Writes no longer abort if the Socket is missing. * process, async_hooks: Avoid problems when triggerAsyncId is undefined. * zlib: Streams no longer attempt to process data when destroyed. - Changes in upstream release 8.2.0 * async_hooks: Multiple improvements to Promise support in async_hooks have been made. * build: The compiler version requirement to build Node with GCC has been raised to GCC 4.9.4. [820b011ed6] #13466 * cluster: Users now have more fine-grained control over the inspector port used by individual cluster workers. Previously, cluster workers were restricted to incrementing from the master's debug port. [dfc46e262a] #14140 * dns: + The server used for DNS queries can now use a custom port. [ebe7bb29aa] #13723 + Support for dns.resolveAny() has been added. [6e30e2558e] #13137 * npm: The npm CLI has been updated to version 5.3.0. In particular, it now comes with the npx binary, which is also shipped with Node. - Refresh versioned.patch robust solution is found. (bnc#1048299, CVE-2017-11499)
Karl Cheng
2017-07-27 13:15:52 +00:00
0e079b34db- Depend on nodejs-common that is then used to pick correctly versioned node or npm binary. This is required since 3rd party modules use /usr/bin/env node which breaks if multiple versions of NodeJS are installed at the same time and non-default version is used (for example, to compile a native module)Adam Majer2017-07-07 14:16:59 +00:00
4b9bb06bf9Regresh patch so it applies without any offset againAdam Majer2017-07-07 08:28:46 +00:00
431e0d5dd0Fix hardcoded object paths to make everything compileAdam Majer2017-07-06 15:57:15 +00:00
406e3c3762Remove obsolete paths from shipped directories and fix update-alternative prioritiesAdam Majer2017-07-06 13:51:49 +00:00
ab060bf694- npm_search_paths.patch: Since concurrent installations are now possible, node manual pages are moved once again back under npm searcheable locations only. - versioned.patch: All files are now under versioned directoies and names. node and npm symlinks are now managed by update-alternatives - node-gyp-addon-gypi.patch: Reference versioned directories onlyAdam Majer2017-07-06 12:34:07 +00:00
ef9f8e765e- New upstream version 8.1.3 * Stream regression fixed - The finish event will now always be emitted after the error event if one is emitted * Stream regression fixed - In object mode, readable streams can now use undefined again.Adam Majer2017-06-29 15:34:10 +00:00
ceb1101115- New upstream version 8.1.2 * Release to fix broken process.release propertiesAdam Majer2017-06-19 09:20:45 +00:00
71b430e1a6- New upstream version 8.1.1 * Child processes - stdout and stderr are now available on the error output of a failed call to the util.promisify()ed version of child_process.exec. * HTTP - A regression that broke certain scenarios in which HTTP is used together with the cluster module has been fixed. * HTTPS - The rejectUnauthorized option now works properly for unix sockets. * Readline - A change that broke npm init and other code which uses readline multiple times on the same input stream is reverted.Adam Majer2017-06-14 09:37:31 +00:00
9ea0014ccb- Don't remove all src/ directories, as that breaks npm. (boo:#1043965) - New upstream version 8.1.0 Notable changes, * Async Hooks - When one Promise leads to the creation of a new Promise, the parent Promise will be identified as the trigger * Dependencies + libuv has been updated to 1.12.0 + npm has been updated to 5.0.3 * File system + The fs.exists() function now works correctly with util.promisify() + fs.Stats times are now also available as numbers * Inspector + It is now possible to bind to a random port using --inspect=0 * Zlib + A regression in the Zlib module that made it impossible to properly subclasses zlib.Deflate and other Zlib classes has been fixed.Adam Majer2017-06-13 11:39:45 +00:00
220f4c57d7- placeholders from other NodeJS version: 0f3e69db.patch, icu59.patch.Adam Majer2017-05-31 12:46:50 +00:00
b08175ef28- Branch nodejs7 -> nodejs8, the new current and eventually LTS upstream branch. Note that the LTS lifespan for 8.x will end on December 31st, 2019 unless extended at a later date. - New upstream version 8.0.0. Notable changes * Async Hooks - now in core * Buffer + Using the --pending-deprecation flag will cause Node.js to emit a deprecation warning when using new Buffer(num) or Buffer(num). + new Buffer(num) and Buffer(num) will zero-fill new Buffer + Many Buffer methods now accept Uint8Array as input * Child Process + Argument and kill signal validations have been improved + Child Process methods accept Uint8Array as input * Console + Error events emitted when using console methods are now supressed. * Dependencies + The npm client has been updated to 5.0.0 + V8 has been updated to 5.8 with forward ABI stability to 6.0 * Domains + Native Promise instances are now Domain aware * Errors + We have started assigning static error codes to errors generated by Node.js. This has been done through multiple commits and is still a work in progress. * File System + The utility class fs.SyncWriteStream has been deprecated + The deprecated fs.read() string interface has been removed * HTTP + Improved support for userland implemented Agents + Outgoing Cookie headers are concatenated into a single string + The httpResponse.writeHeader() method has been deprecated + New methods for accessing HTTP headers have been added to OutgoingMessage * lib + All deprecation messages have been assigned static identifiers + The legacy linkedlist module has been removed * N-API + Experimental support for the new N-API API has been added * Process + Process warning output can be redirected to a file using the --redirect-warnings command-line argument + Process warnings may now include additional detail * REPL + REPL magic mode has been deprecated * src + NODE_MODULE_VERSION has been updated to 57 + Add --pending-deprecation command-line argument and NODE_PENDING_DEPRECATION environment variable + The --debug command-line argument has been deprecated. Note that using --debug will enable the new Inspector-based debug protocol as the legacy Debugger protocol previously used by Node.js has been removed. + Throw when the -c and -e command-line arguments are used at the same time + Throw when the --use-bundled-ca and --use-openssl-ca command-line arguments are used at the same time. * Stream + Stream now supports destroy() and _destroy() APIs + Stream now supports the _final() API * TLS + The rejectUnauthorized option now defaults to true + The tls.createSecurePair() API now emits runtime deprecation + A runtime deprecation will now be emitted when dhparam is less than 2048 bits * URL + The WHATWG URL implementation is now a fully-supported API * Util + Symbol keys are now displayed by default when using util.inspect() + toJSON errors will be thrown when formatting %j + Convert inspect.styles and inspect.colors to prototype-less objects + The new util.promisify() API has been added * Zlib + Support Uint8Array in Zlib convenience methods + Zlib errors now use RangeError and TypeError consistentlyAdam Majer2017-05-31 09:20:17 +00:00