Accepting request 1300838 from devel:languages:python:jupyter

- Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288 * We need to keep most of the js lock (yarn.lock) because 0.12 is still not fully updatable with jupyterlab 4. This will hopefully change with 0.13, which is at rc stage OBS-URL: https://build.opensuse.org/request/show/1300838 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-bqplot?expand=0&rev=18
2025-08-22 15:47:36 +00:00
parent 6f0c433a00 1e6f218cf7
commit a5ed557473
5 changed files with 37 additions and 7 deletions
--- a/bqplot-js.patch
+++ b/bqplot-js.patch
@@ -0,0 +1,23 @@
+diff -ur a/js/package.json b/js/package.json
+--- a/js/package.json	2025-05-21 19:20:26.000000000 +0200
+++ b/js/package.json	2025-08-21 18:56:06.584707667 +0200
+@@ -35,7 +35,7 @@
+   "devDependencies": {
+     "@jupyter-widgets/base-manager": "^1.0.0",
+     "@jupyter-widgets/controls": "^5",
+-    "@jupyterlab/builder": "^3.0.0",
+    "@jupyterlab/builder": "^4.0.0",
+     "@types/chai": "^4.1.7",
+     "@types/d3": "^5.7.2",
+     "@types/expect.js": "^0.3.29",
+@@ -103,5 +103,9 @@
+     "css/",
+     "lib/",
+     "shaders/"
+-  ]
+  ],
+  "resolutions": {
+    "cipher-base": "1.0.6",
+    "sha.js": "2.4.12"
+  }
+ }
--- a/create_node_modules.sh
+++ b/create_node_modules.sh
@@ -2,10 +2,10 @@
 #
 # Script to create node_modules.tar.xz
 # needs bower, webpack and webpack-cli installed
+# apply bqplot-js.patch before running this script

 pushd js
-sed -i '/builder/ s/\^3/\^4/' package.json
 jlpm install
 jlpm run build
 popd
-tar cJf node_modules.tar.xz js/node_modules
+tar cJf node_modules.tar.xz js/node_modules js/yarn.lock
--- a/node_modules.tar.xz
+++ b/node_modules.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e5f77e199dd5799ed55bb83c7355fefd48e9cc2ea4990a9758f523a083b1d11c
-size 30182476
+oid sha256:ca8e23c5ee5d8fac9526fde8498486d9f30612eb05f3e54523bbb5e48709fff7
+size 30420132
--- a/python-bqplot.changes
+++ b/python-bqplot.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 21 17:00:29 UTC 2025 - Ben Greiner <code@bnavigator.de>
+
+- Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288
+  * We need to keep most of the js lock (yarn.lock) because 0.12
+    is still not fully updatable with jupyterlab 4. This will
+    hopefully change with 0.13, which is at rc stage
+
 -------------------------------------------------------------------
 Sun Jul 20 16:19:08 UTC 2025 - Ben Greiner <code@bnavigator.de>

--- a/python-bqplot.spec
+++ b/python-bqplot.spec
@@ -31,6 +31,8 @@ Source0:        https://github.com/bqplot/bqplot/archive/refs/tags/%{pyver}.tar.
 Source1:        node_modules.tar.xz
 # Script to vendor node_modules sources
 Source2:        create_node_modules.sh
+# PATCH-FIX-OPENSUSE bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288
+Patch0:         bqplot-js.patch
 BuildRequires:  %{python_module jupyter-packaging}
 BuildRequires:  %{python_module jupyterlab}
 BuildRequires:  %{python_module pip}
@@ -95,8 +97,6 @@ This package provides the jupyterlab extension.

 %prep
 %autosetup -p1 -n bqplot-%{pyver} -a1
-# sync with create_node_modules.sh
-sed -i '/builder/ s/\^3/\^4/' js/package.json
 rm bqplot/install.py

 %build
@@ -104,7 +104,6 @@ pushd js
 export PATH="${PATH}:node_modules/.bin"
 jlpm run build
 popd
-echo "IM HERE"
 %pyproject_wheel

 %install