Age | Commit message | Author |
|
Set CVE_PRODUCT to 'node.js' for nodejs recipe
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the function new Range, when untrusted user data is
provided as a range.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-25883
Upstream patches:
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-32002
CVE-2023-32006
CVE-2023-32559
$ git log --oneline v16.20.1..v16.20.2
dadbde963f (tag: v16.20.2) 2023-08-09, Version 16.20.2 'Gallium' (LTS)
d8ccfe9ad4 policy: handle Module.constructor and main.extensions bypass
242aaa0caa policy: disable process.binding() when enabled
40c3958a5a deps: update archs files for OpenSSL-1.1.1v
a9ac9da89a deps: fix openssl crypto clean
362d4c7494 deps: upgrade openssl sources to OpenSSL_1_1_1v
7447de2794 Working on v16.20.2
https://github.com/nodejs/node/releases/tag/v16.20.2
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Drop the gcc13.patch as it has been merged in 16.20.1
56cbc7fdda deps: V8: cherry-pick c2792e58035f
The list of the CVEs fixed in this release:
CVE-2023-30581
CVE-2023-30585
CVE-2023-30588
CVE-2023-30589
CVE-2023-30590
https://nodejs.org/en/blog/release/v16.20.0
https://nodejs.org/en/blog/release/v16.20.1
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
The following CVEs fixed in this version:
CVE-2023-23918
CVE-2023-23919
CVE-2023-23920
CVE-2023-23936
CVE-2023-24807
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
* 16.18.0 (npm 8.19.2) introduced a regression in git+ssh urls
- https://github.com/nodejs/node/issues/44992
- https://github.com/npm/cli/pull/5761
https://nodejs.org/ko/blog/release/v16.19.0/
License-Update: Clarify vendored OpenSSL Toolkit is OpenSSL and SSLeay
License-Update: JS Foundation -> OpenJS Foundation
https://github.com/nodejs/node/commit/e7ed56f501389978e4619ab697a812631c4061ff
Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Distutils package and pipes are deprecated and slated for removal in Python 3.13 for Nodejs 16.18
Replaced distutils with setuptools
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
|
* Drop Openssl legacy provider patch and install both binaries patch
which are already available in 16.x
* Refresh native binaries patch against 16.x base
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This implements an 'npm cache add' like functionality but allows to
specify the key of the data and sets metadata which are required to
find the data.
It is used to cache information as done during 'npm install'.
Keyformat and metadata are nodejs version specific.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Fix build with mips32, found with gcc12
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Fixes
../deps/v8/src/objects/code.h:564:2: error: #error Unknown architecture.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Current nodejs version v16 does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
It was blindly removed by upgrade to 16.14.0 version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Remove two upstreamed patches.
Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Current nodejs version does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
* The destination file name does not need to be specified to install
if it matches the source file name (and -D is not used).
* Mode 0755 does not need to be specified to install as it is the
default.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
The rewrite of the npm shebang to use an absolute path was removed in
version 7.0.0.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
The gyp samples directory was removed in version 15.0.0.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
npm-cli.js should be symlinked only when the file is present
the file may not be available if the configure option is --without-npm
Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
"BSD" is ambiguous, use the precise licenses BSD-2-Clause and BSD-3-Clause.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
* This is new LTS release
* Add patch to fix build on mips/mips64
* Add patch to build with new c-ares 2.17+
* Enhance native binaries patch to include additional native torque use
* Drop mips-warnings.patch and python 3.10 support patch which is
already available in 16.x
* Refresh rest of patches against 16.x base
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
License-Update: Reflect new location of gtest sources
remove node-inspect from license
update Acorn to v8.4.1
Use internal openssl until nodejs is fixed to work with openssl3
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
fixes build with openssl3-native
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
This resolves openssl 3.x errors until upstream addresses them properly.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
|
|
Drop upstreamed v8-call-new-ListFormatter-createInstance.patch patch
Add a patch for ppc64/clang to drop -mminimal-toc since clang does not
have this option
License-Update: URLs updated [1] and copyright owners too [2]
[1] https://github.com/nodejs/node/commit/2d7e0b6912bd04b44ed652bc0f40bb343652d926#diff-c693279643b8cd5d248172d9c22cb7cf4ed163a3c98c8a3f69c2717edd3eacb7
[2] https://github.com/nodejs/node/commit/b57785d89bc548c4048118606919d66dff1c7eb7#diff-c693279643b8cd5d248172d9c22cb7cf4ed163a3c98c8a3f69c2717edd3eacb7
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
New build method lets mksnapshot run so this is no longer needed
Reported-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
2G is too much for qemu-mips and perhaps also for real mips devices
as we use qemu-usermode during build to run host pieces like mksnapshot
they fail, reducing the allocation range helps
Fixes
| LD_LIBRARY_PATH=/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/lib.host:/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/lib.target:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; cd ../tools/v8_gypfiles; mkdir -p /mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v8_snapshot/geni; "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/v8-qemu-wrapper.sh" "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/mksnapshot" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=mips" --startup_src "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v8_snapshot/geni/embedded.S" --no-native-code-counters
|
| #
| # Fatal process OOM in CodeRange setup: allocate virtual memory
| #
|
| /mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/v8-qemu-wrapper.sh: line 7: 2292880 Trace/breakpoint trap (core dumped) PSEUDO_UNLOAD=1 qemu-mips -r 3.2.0 -
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
So far, we have been trying to build nodejs-native and use the native
host binaries from there, which has worked out ok but always changes
when major upgrade is done, since more binaries or places are required
to be captured. This patch changes this approach to use qemu-user to run
these binaries under during cross build. This lets them run closer to
upstream build process and also removes dependency on nodejs-native
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
backport relevant v8 patch to fix the build issue
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
This is latest maintained LTS release
Forward patches and drop backported patch
License-Update: Update copyright year and drop license of
deps/http_parser as this component is removed in this version
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Commit 836912ab changed the logic in this recipe to stop looking for
"ppc64le". This caused the ppc64le systems used by me to stop working.
There wasn't much in the commit message on why this change occurred but
ppc64le is definitely still needed.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Fixes:
- CVE-2021-22883
- CVE-2021-22884
- CVE-2021-23840
Signed-off-by: Clément Péron <peron.clem@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Uprev nodejs in order to fix CVE-2020-8277.
This CVE allows an attacker to trigger a DNS request for a host
of their choice, which could trigger a Denial of Service in
nodejs versions < 12.19.1.
See https://nvd.nist.gov/vuln/detail/CVE-2020-8277 for details.
CVE: CVE-2020-8277
Signed-off-by: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
This perhaps is last release in 12.x LTS
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Backport a patch from upstream to take care of build failure e.g.
| ../deps/v8/src/codegen/arm/cpu-arm.cc:38:16: error: write to reserved register 'R7'
| asm volatile("svc 0\n"
| ^
| 1 error generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Drop already upstreamed patches
use builtin uv, it does not build without it
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Remove soon-to-be removed getAllFieldPositions
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrej Valek <andrej.valek@siemens.com>
|
|
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
dtrace and etw are hardly used for embedded usecase
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Fixes install errors when icu packageconfig is disabled
Signed-off-by: Jaga <jagadheesan_duraisamy@comcast.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Use system brotli via PACKAGECONFIG by default. So far,
nodejs had been built using its embedded copy of brotli,
which we generally try to avoid, for the known reasons
(independent updates, cve & license checks, etc).
The nodejs patches to enable this have been submitted.
brotli is in meta-oe, so enabling this by default should
not be a problem.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
During the python3 / nodejs update, the dependencies weren't updated, so
using system-gyp ends up trying to use the python2 version of
system-gyp, which will of course fail.
Fixing this to depend on the python3 version of gyp still
doesn't make things work, though:
ERROR: nodejs-native-12.14.1-r0 do_configure: Execution of '.../nodejs-native/12.14.1-r0/temp/run.do_configure.26054' failed with exit code 1:
gyp: Error importing pymod_do_mainmodule (ForEachFormat): No module named 'ForEachFormat' while loading dependencies of .../nodejs-native/12.14.1-r0/node-v12.14.1/node.gyp while trying to load .../nodejs-native/12.14.1-r0/node-v12.14.1/node.gyp
Error running GYP
The reason is commit fff922afee6e ("deps,build: compute torque_outputs in v8.gyp")
in NodeJS v12, where they modified their bundled version of gyp to
become incompatible with the upstream version of gyp by adding extra /
unusual search paths to gyp.
Since I'm not sure how to deal with that when using system-gyp, and because
the original intention for using system-gyp was to make the previous nodejs
version compatible with python3 by ultimately switching to the python3 version
of system-gyp which isn't necessary anymore, and given nobody else seems to
be using this PACKAGECONFIG, just drop it.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
|
|
Fixes
../deps/v8/src/runtime/runtime-utils.h:129:11: error: base operand of '->' has non-pointer type 'v8::internal::Object'
129 | return y->ptr() | (static_cast<ObjectPair>(x->ptr()) << 32);
| ^~
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Martin Jansa <Martin.Jansa@gmail.com>
Cc: Guillaume Burel <guillaume.burel@stormshield.eu>
|