File nodejs18.changes of Package nodejs18.33350

-------------------------------------------------------------------
Tue Apr  9 14:46:41 UTC 2024 - Adam Majer <adam.majer@suse.de>

- Update to 18.20.1:
  * CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session()
    leads to HTTP/2 server crash- (High) (bsc#1222244)
  * CVE-2024-27982 - HTTP Request Smuggling via Content Length
    Obfuscation- (Medium) (bsc#1222384)
  * updated dependencies:
    + llhttp version 9.2.1
    + undici version 5.28.4 (bsc#1222530, bsc#1222603, 
      CVE-2024-30260, CVE-2024-30261)

- cares_sle12_capabilities.patch: no get_random() on sle12

-------------------------------------------------------------------
Tue Apr  2 15:00:28 UTC 2024 - Adam Majer <adam.majer@suse.de>

- Update to 18.20.0:
  * Added support for import attributes
  * vm: fix V8 compilation cache support for vm.Script
- versioned.patch: refreshed

-------------------------------------------------------------------
Fri Feb 16 16:08:22 UTC 2024 - Adam Majer <adam.majer@suse.de>

- Update to 18.19.1: (security updates)
  * (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
  * (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
  * (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
  * (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
  * undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
  * libuv version 1.48.0 (CVE-2024-24806, bsc#1220053)

-------------------------------------------------------------------
Tue Dec 19 12:23:09 UTC 2023 - Adam Majer <adam.majer@suse.de>

- sle12-node-gyp-addon-gypi.patch: added variant of node-gyp-addon-gypi.patch
  for SLE12 compatibility. node-gyp-addon-gypi.patch is for SLE15+

-------------------------------------------------------------------
Mon Dec 18 10:03:02 UTC 2023 - Adam Majer <adam.majer@suse.de> - 18.19.0

- Update to LTS version 18.19.0
  * deps: npm updates to 10.x
  * esm:
    + Leverage loaders when resolving subsequent loaders
    + import.meta.resolve unflagged
    + --experimental-default-type flag to flip module defaults

For details, see
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md

- node-gyp-addon-gypi.patch, fix_ci_tests.patch,
  versioned.patch: refreshed

-------------------------------------------------------------------
Mon Oct 16 10:09:43 UTC 2023 - Adam Majer <adam.majer@suse.de> - 18.18.2

- Security update to version 18.18.2
  * (CVE-2023-44487, bsc#1216190): nghttp2 Security Release
  * (CVE-2023-45143, bsc#1216205): undici Security Release
  * (CVE-2023-38552, bsc#1216272): Integrity checks according to policies can be circumvented
  * (CVE-2023-39333, bsc#1216273): Code injection via WebAssembly export names

-------------------------------------------------------------------
Wed Oct 11 08:54:20 UTC 2023 - Adam Majer <adam.majer@suse.de> - 18.18.1

- Update to LTS version 18.18.1
  * deps: libuv update in 18.18.0 broke webpack's thread-loader.
    This update should fix this.

-------------------------------------------------------------------
Tue Sep 19 14:05:45 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to LTS version 18.18.0
  * build: sync libuv header change
  * deps: add missing thread-common.c in uv.gyp
  * deps: upgrade to libuv 1.46.0
  * doc: add atlowChemi to collaborators
  * esm: add `--import` flag
  * events: allow safely adding listener to abortSignal
  * fs, stream: initial `Symbol.dispose` and `Symbol.asyncDispose` support
  * net: add autoSelectFamily global getter and setter
  * url: add value argument to has and delete methods
- versioned.patch: refreshed

-------------------------------------------------------------------
Thu Aug 10 14:08:36 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to LTS version 18.17.1 (security fixes). The following CVE
  were fixed:
  * (CVE-2023-32002, bsc#1214150): Policies can be bypassed
     via Module._load (High)
  * (CVE-2023-32006, bsc#1214156): Policies can be bypassed by
     module.constructor.createRequire (Medium)
  * (CVE-2023-32559, bsc#1214154): Policies can be bypassed via
     process.binding (Medium)

- Changes included in LTS version 18.17.0:
  * dns: expose getDefaultResultOrder
  * events: add getMaxListeners method
  * fs:
    + add support for mode flag to specify the copy behavior
    + add recursive option to readdir and opendir
    + add support for mode flag to specify the copy behavior
    + implement byob mode for readableWebStream()
  * http:
    + prevent writing to the body when not allowed by HTTP spec
    + remove internal error in assignSocket
    + add highWaterMark opt in http.createServer
  * lib:
    + add webstreams to Duplex.from()
    + implement AbortSignal.any()
  * module:
    + change default resolver to not throw on unknown scheme
  * node-api:
    + define version 9
    + deprecate napi_module_register
  * stream:
    + preserve object mode in compose
    + add setter & getter for default highWaterMark
  * test_runner:
    + add shorthands to `test`
    + support combining coverage reports
    + execute before hook on test
    + expose reporter for use in run api
  * tools: update LICENSE and license-builder.sh
  * url: implement URL.canParse
  * wasi: no longer require flag to enable wasi

- npm_search_paths.patch,fix_ci_tests.patch,versioned.patch: refreshed

-------------------------------------------------------------------
Wed Jun 21 11:24:39 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to version 18.16.1 (security fixes only). The following
  CVEs are fixed in this release:
  * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass
    Experimental Policy Mechanism (High)
  * (CVE-2023-30585, bsc#1212579): Privilege escalation via
    Malicious Registry Key manipulation during Node.js
    installer repair process (Medium)
  * (CVE-2023-30588, bsc#1212581): Process interuption due to invalid
    Public Key information in x509 certificates (Medium)
  * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via
    Empty headers separated by CR (Medium)
  * (CVE-2023-30590, bsc#1212583): DiffieHellman does not
    generate keys after setting a private key (Medium)

  * c-ares security issues:
    + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
      (bsc#1211604)
    + CVE-2023-31147 Moderate. Insufficient randomness in generation
      of DNS query IDs (bsc#1211605)
    + CVE-2023-31130. Moderate. Buffer Underwrite in
      ares_inet_net_pton() (bsc#1211606)
    + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
      during cross compilation (bsc#1211607)

- fix_ci_tests.patch: increase default timeout on unit tests
  to 20min from 2min. This seems to have lead to build failures
  on some platforms, like s390x in Factory. (bsc#1211407)

-------------------------------------------------------------------
Thu Apr 13 13:49:59 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.16.0 LTS version
  * Add initial support for single executable applications
  * Replace url parser with Ada
  * buffer: add Buffer.copyBytesFrom

- refreshed patches: versioned.patch linker_lto_jobs.patch

-------------------------------------------------------------------
Mon Mar 13 16:43:33 UTC 2023 - Adam Majer <adam.majer@suse.de>

- relax Requires to Suggests for alts on TW

-------------------------------------------------------------------
Wed Mar  8 13:01:06 UTC 2023 - Adam Majer <adam.majer@suse.de> - 18.15.0

- Update to NodeJS 18.15.0 LTS version:
  * test_runner:
    + add initial code coverate support
    + add reporters
  * fs: add statfs()
  * buffer: add isAscii()

- s390.patch, sysctl.patch: upstreamed and removed

-------------------------------------------------------------------
Thu Feb 23 10:41:38 UTC 2023 - Adam Majer <adam.majer@suse.de>

- node-gyp_7.1.2.tar.xz: added dependencies so they don't conflict with
  npm dependencies.

-------------------------------------------------------------------
Wed Feb 22 13:59:45 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.14.2 LTS:
  * deps: upgrade npm to 9.5.0 (bsc#1208744, CVE-2022-25881)
  * deps: update undici to 5.20.0

- Changes in version 18.14.1:
  * fixes permissions policies can be bypassed via process.mainModule
    (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment
    variable (bsc#1208487, CVE-2023-23920)
  * fixes OpenSSL error handling issues in nodejs crypto library
    (bsc#1208483, CVE-2023-23919)
  * updates undici to v5.19.1
    + Fetch API in Node.js did not protect against CRLF injection in host headers
    + Regular Expression Denial of Service in Headers in Node.js fetch API
    (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)

- versioned.patch: refreshed
- sysctl.patch: unit test fixes

-------------------------------------------------------------------
Fri Feb  3 11:43:02 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.14.0 LTS:
  * deps:
    + update npm to 9.2.0
  * http:
    + join authorization headers
    + improved timeout defaults handling
  * stream:
    + implement finished() for ReadableStream and WritableStream

- refreshed patches: linker_lto_jobs.patch, npm_search_paths.patch,
  versioned.patch

-------------------------------------------------------------------
Wed Feb  1 07:58:26 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>

- Do not use pkg_vcmp to decide BuildDependencies: this works based
  on 'installed packages' which is not interpreted correctly by the
  scheduler. Rather switch to boolean dependencies.

------------------------------------------------------------------
Wed Jan 25 12:01:18 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Again use openssl-3, if available.
- _constraints: reset aarch64 memory requirements back to original
  otherwise some unit tests can fail
- s390.patch: fix unit test on s390 with patched zlib

-------------------------------------------------------------------
Mon Jan 16 14:57:58 UTC 2023 - Adam Majer <adam.majer@suse.de>

- Update to NodejJS 18.13.0 LTS:
  * build: disable v8 snapshot compression by default
  * crypto: update root certificates
  * deps: update ICU to 72.1
  * doc:
    + add doc-only deprecation for headers/trailers setters
    + add Rafael to the tsc
    + deprecate use of invalid ports in url.parse
    + deprecate url.parse()
  * lib: drop fetch experimental warning
  * net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options
  * src:
    + add uvwasi version
    + add initial shadow realm support
  * test_runner:
    + add t.after() hook
    + don't use a symbol for runHook()
  * tls:
    + add "ca" property to certificate object
  * util:
    + add fast path for utf8 encoding
    + improve textdecoder decode performance
    + add MIME utilities

- new_python3.patch, icu721_fixes.patch: upstreamed, removed

-------------------------------------------------------------------
Fri Dec 23 11:31:12 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests
    are more stable

-------------------------------------------------------------------
Thu Nov 10 08:18:42 UTC 2022 - Adam Majer <adam.majer@suse.de>

- icu721_fixes.patch: fixes compatibility with ICU 72.1 (bsc#1205236)

-------------------------------------------------------------------
Mon Nov  7 14:00:54 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Fix migration to openssl-3 (bsc#1205042)

-------------------------------------------------------------------
Mon Nov  7 09:05:07 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.12.1 LTS:
  * inspector: DNS rebinding in --inspect via invalid octal IP
    (bsc#1205119, CVE-2022-43548)

-------------------------------------------------------------------
Fri Oct 28 10:31:50 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.12.0 LTS:
  * Running in 'watch' mode using node --watch restarts the process
    when an imported file is changed.
  * fs: add FileHandle.prototype.readLines
  * http: add writeEarlyHints function to ServerResponse
  * http2: make early hints generic
  * util: add default value option to parsearg

-------------------------------------------------------------------
Mon Oct 17 13:02:52 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.11.0:
  * added experimental watch mode -- running in 'watch' mode using
    node --watch restarts the process when an imported file is changed
  * fs: add FileHandle.prototype.readLines
  * http: add writeEarlyHints function to ServerResponse
  * http2: make early hints generic
  * lib: refactor transferable AbortSignal
  * src: add detailed embedder process initialization API
  * util: add default value option to parsearg

- legacy_python.patch, versioned.patch: updated

-------------------------------------------------------------------
Wed Oct 12 08:14:29 UTC 2022 - Adam Majer <adam.majer@suse.de>

- qemu_timeouts_arches.patch: set timeouts on riscv5 to 7x normal

-------------------------------------------------------------------
Fri Oct  7 08:05:59 UTC 2022 - Dirk Müller <dmueller@suse.com>

- skip more tests for riscv64/qemu emulation

-------------------------------------------------------------------
Thu Sep 29 13:58:09 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to NodeJS 18.10.0:
  * deps: upgrade npm to 8.19.2
  * http: throw error on content-length mismatch
  * stream: add ReadableByteStream.tee()

- openssl3_fixups.patch: upstreamed and removed

-------------------------------------------------------------------
Mon Sep 26 13:13:39 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to Nodejs 18.9.1:
  * deps: llhttp updated to 6.0.10
    + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
    + Incorrect Parsing of Multi-line Transfer-Encoding
      (CVE-2022-32215, bsc#1201327)
    + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
  * crypto: fix weak randomness in WebCrypto keygen
    (CVE-2022-35255, bsc#1203831)

-------------------------------------------------------------------
Sat Sep 17 10:35:31 UTC 2022 - Bruno Pitrus <brunopitrus@hotmail.com>

- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.

-------------------------------------------------------------------
Thu Sep 15 15:00:25 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to Nodejs 18.9.0:
  * lib - add diagnostics channel for process and worker
  * os - add machine method
  * report - expose report public native apis
  * src - expose environment RequestInterrupt api
  * vm - include vm context in the embedded snapshot

- Changes in 18.8.0:
  * bootstrap: implement run-time user-land snapshots via
    --build-snapshot and --snapshot-blob. See
  * crypto:
    + allow zero-length IKM in HKDF and in webcrypto PBKDF2
    + allow zero-length secret KeyObject
  * deps: upgrade npm to 8.18.0
  * http: make idle http parser count configurable
  * net: add local family
  * src: print source map error source on demand
  * tls: pass a valid socket on tlsClientError

- dns.patch: upstreamed, removed
- nodejs-libpath.patch, versioned.patch: refreshed
- fix_ci_tests.patch: partially upstreamed
- openssl3_fixups.patch: fix unit tests with openssl 1.1.1
- new_python3.patch: enable python 3.11 as valid interpreter

-------------------------------------------------------------------
Thu Aug 18 10:41:57 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to Nodejs 18.7.0:
  * events: add CustomEvent
  * http: add drop request event for http server
  * lib: improved diagnostics_channel subscribe/unsubscribe
  * util: add tokens to parseArgs

- enable crypto policy ciphers for TW and SLE15 SP4+ (bsc#1200303)

-------------------------------------------------------------------
Sun Jul 31 15:37:05 UTC 2022 - Adam Majer <adam.majer@suse.de>

- dns.patch: fix regression
  https://github.com/nodejs/node/issues/44003

-------------------------------------------------------------------
Sun Jul 24 09:47:19 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to Nodejs 18.6.0:
  * Experimental ESM Loader Hooks API. For details see,
    https://nodejs.org/api/esm.html
  * dns: export error code constants from dns/promises
  * esm: add chaining to loaders
  * http: add diagnostics channel for http client
  * http: add perf_hooks detail for http request and client
  * module: add isBuiltIn method
  * net: add drop event for net server
  * test_runner: expose describe and it
  * v8: add v8.startupSnapshot utils

  For details, see
  https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.6.0

-------------------------------------------------------------------
Mon Jul 11 12:00:48 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to Nodejs 18.5.0:
  * http: stricter Transfer-Encoding and header separator parsing
    (bsc#1201325, bsc#1201326, bsc#1201327,
     CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
  * src: fix IPv4 validation in inspector_socket
    (bsc#1201328, CVE-2022-32212)
  For details, see
  https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.5.0

-------------------------------------------------------------------
Tue Jun 28 13:06:23 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Update to Nodejs 18.4.0. For detailed changes see,
  https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.4.0
- refreshed: versioned.patch, linker_lto_jobs.patch, nodejs-libpath.patch

-------------------------------------------------------------------
Thu May 19 15:01:09 UTC 2022 - Adam Majer <adam.majer@suse.de>

- Initial packaging of Nodejs 18.2.0. For detailed changes
  since previous versions, see

  https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.2.0

  Patches carried over from nodejs17:
  legacy_python.patch node-gyp-addon-gypi.patch openssl_binary_detection.patch
test-skip-y2038-on-32bit-time_t.patch cares_public_headers.patch
rsa-pss-revert.patch linker_lto_jobs.patch versioned.patch fix_ci_tests.patch
manual_configure.patch npm_search_paths.patch  skip_no_console.patch
flaky_test_rerun.patch nodejs-libpath.patch  sle12_python3_compat.patch

openSUSE Build Service is sponsored by