From 1e6f218cf77429c46508b1c4610b5dec2cc3cb5aee31ef7063050bd6be17cba5 Mon Sep 17 00:00:00 2001
From: Benjamin Greiner
Date: Thu, 21 Aug 2025 17:14:14 +0000
Subject: [PATCH] - Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288
 * We need to keep most of the js lock (yarn.lock) because 0.12 is still not fully updatable with jupyterlab 4. This will hopefully change with 0.13, which is at rc stage
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:jupyter/python-bqplot?expand=0&rev=48
---
 bqplot-js.patch | 23 +++++++++++++++++++++++
 create_node_modules.sh | 4 ++--
 node_modules.tar.xz | 4 ++--
 python-bqplot.changes | 8 ++++++++
 python-bqplot.spec | 5 ++---
 5 files changed, 37 insertions(+), 7 deletions(-)
 create mode 100644 bqplot-js.patch

diff --git a/bqplot-js.patch b/bqplot-js.patch
new file mode 100644
index 0000000..cdc26ea
--- /dev/null
+++ b/bqplot-js.patch
@@ -0,0 +1,23 @@
+diff -ur a/js/package.json b/js/package.json
+--- a/js/package.json 2025-05-21 19:20:26.000000000 +0200
++++ b/js/package.json 2025-08-21 18:56:06.584707667 +0200
+@@ -35,7 +35,7 @@
+ "devDependencies": {
+ "@jupyter-widgets/base-manager": "^1.0.0",
+ "@jupyter-widgets/controls": "^5",
+- "@jupyterlab/builder": "^3.0.0",
++ "@jupyterlab/builder": "^4.0.0",
+ "@types/chai": "^4.1.7",
+ "@types/d3": "^5.7.2",
+ "@types/expect.js": "^0.3.29",
+@@ -103,5 +103,9 @@
+ "css/",
+ "lib/",
+ "shaders/"
+- ]
++ ],
++ "resolutions": {
++ "cipher-base": "1.0.6",
++ "sha.js": "2.4.12"
++ }
+ }
diff --git a/create_node_modules.sh b/create_node_modules.sh
index e0d4569..87e4be4 100644
--- a/create_node_modules.sh
+++ b/create_node_modules.sh
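Review bot: The `resolutions` block appended at the end of js/package.json pins `cipher-base` to 1.0.6 and `sha.js` to 2.4.12 as exact versions, which (as yarn resolutions do) override the ranges every dependant in the tree asks for, so a later fix release of either package will not be picked up by `jlpm install` until this patch is edited again. Nothing in the patch records which pin belongs to which of CVE-2025-9287 and CVE-2025-9288, and the changes entry only explains the yarn.lock side, so whoever lifts the pins once the 0.13 update allows a full dependency refresh has to rediscover that. A short comment line above `diff -ur a/js/package.json b/js/package.json` (patch tools ignore leading text) would carry it: `# boo#1248431: pin cipher-base 1.0.6 / sha.js 2.4.12 via yarn resolutions for CVE-2025-9287 / CVE-2025-9288 (map each pin to its CVE before dropping); drop once the js deps can be fully updated`. The `@jupyterlab/builder` ^3 to ^4 bump in the first hunk is what the removed `sed` in create_node_modules.sh and the spec used to do and is unrelated to the pins, which the same header could say.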
@@ -2,10 +2,10 @@
 #
 # Script to create node_modules.tar.xz
 # needs bower, webpack and webpack-cli installed
+# apply bqplot-js.patch before running this script
 pushd js
-sed -i '/builder/ s/\^3/\^4/' package.json
 jlpm install
 jlpm run build
 popd
-tar cJf node_modules.tar.xz js/node_modules
+tar cJf node_modules.tar.xz js/node_modules js/yarn.lock
diff --git a/node_modules.tar.xz b/node_modules.tar.xz
index 55ec682..8621823 100644
--- a/node_modules.tar.xz
+++ b/node_modules.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e5f77e199dd5799ed55bb83c7355fefd48e9cc2ea4990a9758f523a083b1d11c
-size 30182476
+oid sha256:ca8e23c5ee5d8fac9526fde8498486d9f30612eb05f3e54523bbb5e48709fff7
+size 30420132
diff --git a/python-bqplot.changes b/python-bqplot.changes
index eb80a18..0d9e21d 100644
--- a/python-bqplot.changes
+++ b/python-bqplot.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 21 17:00:29 UTC 2025 - Ben Greiner
+
+- Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288 * We need to keep most of the js lock (yarn.lock) because 0.12 is still not fully updatable with jupyterlab 4. This will hopefully change with 0.13, which is at rc stage
+
 -------------------------------------------------------------------
 Sun Jul 20 16:19:08 UTC 2025 - Ben Greiner
diff --git a/python-bqplot.spec b/python-bqplot.spec
index ff07402..dc08d3e 100644
--- a/python-bqplot.spec
+++ b/python-bqplot.spec
@@ -31,6 +31,8 @@ Source0: https://github.com/bqplot/bqplot/archive/refs/tags/%{pyver}.tar.
 Source1: node_modules.tar.xz
 # Script to vendor node_modules sources
 Source2: create_node_modules.sh
+# PATCH-FIX-OPENSUSE bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288
+Patch0: bqplot-js.patch
 BuildRequires: %{python_module jupyter-packaging}
 BuildRequires: %{python_module jupyterlab}
 BuildRequires: %{python_module pip}
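Review bot: The new comment `# apply bqplot-js.patch before running this script` turns what the removed `sed -i '/builder/ s/\^3/\^4/' package.json` line enforced into a manual precondition the script never checks, so a run on an unpatched checkout silently produces a node_modules.tar.xz without the `resolutions` pins and a js/yarn.lock that does not match the patched package.json. A guard right after `pushd js` makes that fail loudly: `grep -q '"resolutions"' package.json || { echo 'apply bqplot-js.patch first' >&2; exit 1; }`. A second check after `jlpm install`, grepping yarn.lock for the two pinned versions, would confirm the resolutions actually took effect, though the exact lockfile key format depends on the yarn version jlpm wraps. The script's first line (the shebang) is outside the hunk.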
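Review bot: The `# PATCH-FIX-OPENSUSE bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288` comment above `Patch0:` names the bug and CVE ids but not what the patch does, and the patch bundles two different things (the `@jupyterlab/builder` ^3 to ^4 bump that the spec's %prep `sed` used to perform, and the yarn `resolutions` pinning `cipher-base`/`sha.js`), so a maintainer wanting to drop only the security pins later cannot tell that from the spec. Extending the comment keeps the split visible: `# PATCH-FIX-OPENSUSE bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288 -- builder ^3 -> ^4 plus yarn resolutions pinning cipher-base/sha.js; Source1 must be regenerated with Source2 whenever this patch changes`. The preamble continues on both sides of the hunk.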
@@ -95,8 +97,6 @@ This package provides the jupyterlab extension.
 %prep
 %autosetup -p1 -n bqplot-%{pyver} -a1
-# sync with create_node_modules.sh
-sed -i '/builder/ s/\^3/\^4/' js/package.json
 rm bqplot/install.py
 %build
@@ -104,7 +104,6 @@ pushd js
 export PATH="${PATH}:node_modules/.bin"
 jlpm run build
 popd
-echo "IM HERE"
 %pyproject_wheel
 %install
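Review bot: Removing `sed -i '/builder/ s/\^3/\^4/' js/package.json` from %prep leaves Patch0 as the only thing editing js/package.json, while `-a1` still overlays js/node_modules and now js/yarn.lock from Source1; if I read %autosetup right the archive is extracted before patches are applied, and %build only runs `jlpm run build` without an install, so the build stays consistent only as long as Source1 was regenerated from the patched package.json. Nothing in the spec states that coupling; a comment next to `%autosetup -p1 -n bqplot-%{pyver} -a1` would, e.g. `# Source1 (js/node_modules + js/yarn.lock) must be rebuilt with create_node_modules.sh after any change to Patch0`. The %build section continues past the hunk.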