File nodejs16.changes of Package nodejs16.28627
-------------------------------------------------------------------
Wed Apr 12 09:12:32 UTC 2023 - Adam Majer <adam.majer@suse.de> - 16.20.0
- Update to LTS version 16.20.0
* deps:
+ update undici to 5.20.0
+ update c-ares to 1.19.0
+ upgrade npm to 8.19.4 (bsc#1208744, CVE-2022-25881)
- legacy_python.patch, versioned.patch: refreshed
-------------------------------------------------------------------
Wed Feb 22 13:42:36 UTC 2023 - Adam Majer <adam.majer@suse.de>
- Update to LTS version 16.19.1:
* fixes permissions policies can be bypassed via process.mainModule
(bsc#1208481, CVE-2023-23918)
* fixes insecure loading of ICU data through ICU_DATA environment
variable (bsc#1208487, CVE-2023-23920)
* fixes OpenSSL error handling issues in nodejs crypto library
(bsc#1208483, CVE-2023-23919)
* updates undici to v5.19.1
+ Fetch API in Node.js did not protect against CRLF injection in host headers
+ Regular Expression Denial of Service in Headers in Node.js fetch API
(bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)
-------------------------------------------------------------------
Sat Dec 31 20:54:09 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Update to LTS version 16.19.0:
* dgram: add dgram send queue info
* cli: add --watch
- systemtap.patch: upstreamed, removed
- versioned.patch: refreshed
-------------------------------------------------------------------
Fri Dec 23 11:31:12 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Update _constraints:
* Less RAM for aarch64 and 32-bit arm
* Use 'asimdrdm' cpu flag to use aarch64 workers where tests
are more stable
-------------------------------------------------------------------
Tue Nov 29 16:34:55 UTC 2022 - Adam Majer <adam.majer@suse.de>
- sle12_python3_compat.patch: only apply for older SLE12 codestreams
where Python 3.6 is not available. Still worlaround for bsc#1205568
-------------------------------------------------------------------
Wed Nov 23 16:51:08 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Workaround bug on SLE12SP5 during source unpack (bsc#1205568)
-------------------------------------------------------------------
Mon Nov 7 09:04:49 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Update to LTS versino 16.18.1:
* inspector: DNS rebinding in --inspect via invalid octal IP
(bsc#1205119, CVE-2022-43548)
- Replace node-gyp for SLE12 with python 3.4 compatible gyp
-------------------------------------------------------------------
Thu Oct 13 08:29:08 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Update to LTS version 16.18.0:
* http: throw error on content-length mismatch
* stream: add ReadableByteStream.tee()
* deps: npm updated to 8.19.2
- nodejs-libpath.patch, fix_ci_tests.patch, versioned.patch: refreshed
- undici_5.8.1.patch, undici_5.8.2.patch: upstreamed and removed
- systemtap.patch: upstream regression
-------------------------------------------------------------------
Mon Sep 26 14:20:03 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Update to Nodejs 16.17.1:
* deps: llhttp updated to 6.0.9
+ CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
+ Incorrect Parsing of Multi-line Transfer-Encoding
(CVE-2022-32215, bsc#1201327)
+ Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
* crypto: fix weak randomness in WebCrypto keygen
(CVE-2022-35255, bsc#1203831)
-------------------------------------------------------------------
Sat Sep 17 10:35:31 UTC 2022 - Bruno Pitrus <brunopitrus@hotmail.com>
- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.
-------------------------------------------------------------------
Thu Aug 25 14:10:41 UTC 2022 - Adam Majer <adam.majer@suse.de>
- undici_5.8.1.patch, undici_5.8.2.patch: update undici to 5.8.2
(bsc#1202382, CVE-2022-35949, bsc#1202383, CVE-2022-35948)
-------------------------------------------------------------------
Tue Aug 16 14:53:04 UTC 2022 - Adam Majer <adam.majer@suse.de>
- enable crypto-policies for SLE15 SP4+ and TW (bsc#1200303)
- Update to LTS version 16.17.0:
* deps: upgrade npm to 8.15.0
* Improved interoperability of the Web Crypto API
* Updated Undici to 5.8.0 (bsc#1201710, CVE-2022-31150)
For full list of changes, see
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0
- nodejs-libpath.patch, versioned.patch: refreshed patches
-------------------------------------------------------------------
Mon Jul 11 12:07:16 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Update to LTS version 16.16.0:
* http: stricter Transfer-Encoding and header separator parsing
(bsc#1201325, bsc#1201326, bsc#1201327,
CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
* src: fix IPv4 validation in inspector_socket
(bsc#1201328, CVE-2022-32212)
-------------------------------------------------------------------
Thu Jun 23 13:42:03 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
- Update to LTS version 16.15.1
* upgrade npm to 8.11.0 (bsc#1200517, CVE-2022-29244)
- Update to LTS version 16.15.0
* Add experimental support to the fetch API. This adds the
`--experimental-fetch` flag that installs the fetch, Request,
Response, Headers, and FormData globals.
* Broken x32 support is removed
* crypto: Add KeyObject.prototype.equals method
* esm: support https remotely and http locally under flag
* module: unflag esm jso
- rebased: nodejs-libpath.patch, npm_search_paths.patch, versioned.patch
-------------------------------------------------------------------
Wed Apr 13 12:55:22 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to LTS release 16.14.2:
* deps: upgrade openssl sources to OpenSSL_1_1_1n
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Wed Mar 16 11:01:02 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to LTS release 16.14.1:
* deps: upgrade npm to 8.5.0
* http2: fix memory leak on nghttp2 hd threshold
- 42342.patch: upstreamed, dropped
- versioned.patch: refreshed
-------------------------------------------------------------------
Tue Mar 15 13:29:20 UTC 2022 - Adam Majer <adam.majer@suse.de>
- 42342.patch: fix expired certificates in unit tests
-------------------------------------------------------------------
Thu Feb 17 12:31:36 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to LTS release 16.14.0:
* deps: upgrade npm to 8.1.4
* child_process: add support for URL to cp.fork
* fs: accept URL as argument for fs.rm and fs.rmSync
* lib:
+ make AbortSignal cloneable/transferable
+ add AbortSignal.timeout
+ add reason to AbortSignal
+ add unsubscribe method to non-active DC channels
* process: add getActiveResourcesInfo()
* src:
+ add x509.fingerprint512 to crypto module
+ add flags for controlling process behavior
* stream:
+ add map and filter methods to readable
+ deprecate thenable support
* timers: add experimental scheduler api
* util:
+ add numericSeparator to util.inspect
+ always visualize cause property in errors during inspection
+ pass through the inspect function to custom inspect functions
npm_search_paths.patch, versioned.patch: refreshed
-------------------------------------------------------------------
Fri Jan 28 16:09:53 UTC 2022 - Adam Majer <adam.majer@suse.de>
- Add buildtime version check to determine if we need patched
openssl Requires: or already in upstream. (bsc#1192489)
-------------------------------------------------------------------
Tue Jan 18 08:29:18 UTC 2022 - Adam Majer <adam.majer@suse.de>
- rsa-pss-revert.patch: dropped, since openssl updated with needed
functionality
-------------------------------------------------------------------
Tue Jan 11 18:48:04 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to 16.13.2:
Security update fixing the following issues:
* Improper handling of URI Subject Alternative Names (Medium)
(CVE-2021-44531, bsc#1194511)
* Certificate Verification Bypass via String Injection (Medium)
(CVE-2021-44532, bsc#1194512)
* Incorrect handling of certificate subject and issuer fields (Medium)
(CVE-2021-44533, bsc#1194513)
* Prototype pollution via console.table properties (Low)
(CVE-2022-21824, bsc#1194514)
-------------------------------------------------------------------
Wed Jan 5 20:50:19 UTC 2022 - Adam Majer <adam.majer@suse.de>
- fix_ci_tests.patch: fix tests on s390x
-------------------------------------------------------------------
Tue Jan 4 12:17:19 UTC 2022 - Adam Majer <adam.majer@suse.de>
- rsa-pss-revert.patch: temporarily revert functionality requiring
newer openssl
-------------------------------------------------------------------
Tue Dec 7 16:42:18 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.13.1:
* deps: upgrade npm to 8.1.2
* lib: fix regular expression to detect `/` and `\`
- 40670.patch: upstreamed
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Thu Nov 25 12:21:25 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Fix CXXFLAGS in Tumbleweed - boo#1192824
-------------------------------------------------------------------
Tue Nov 9 10:43:16 UTC 2021 - Adam Majer <adam.majer@suse.de>
- BR python 3.6+
-------------------------------------------------------------------
Sat Nov 6 14:13:02 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.13.0:
* Experimental ESM Loader Hooks API
https://github.com/nodejs/node/pull/37468
* deps: upgrade npm to 8.1.0 (npm team)
* vm: add support for import assertions in dynamic imports
- Changes in 16.11.1:
* deps: update llhttp to 6.0.4
- HTTP Request Smuggling due to spaced in headers
(bsc#1191601, CVE-2021-22959)
- HTTP Request Smuggling when parsing the body
(bsc#1191602, CVE-2021-22960)
- Changes in 16.11.0:
* deps: update nghttp2 to v1.45.1
- Changes in 16.10.0:
* crypto: add rsa-pss keygen parameters
* fs: make open and close stream override optional when unused
* http: limit requests per connection
The maximum number of requests a socket can handle before closing
keep alive connection can be set with server.maxRequestsPerSocket.
* src: add --no-global-search-paths cli option
* stream: add signal support to pipeline generators
- Changes in 16.9.0:
* Added support for corepack
* crypto: add RSA-PSS params to asymmetricKeyDetails
* module: support pattern trailers
* stream: add stream.compose
- Changes in 16.8.0:
* doc: deprecate type coercion for dns.lookup options
* stream: add stream.Duplex.from utility and isDisturbed helper
* util: expose toUSVString
- Changes in 16.7.0:
* fs: experimental: add recursive cp method
- refreshed: fix_ci_tests.patch, flaky_test_rerun.patch,
nodejs-libpath.patch, sle12_python3_compat.patch,
versioned.patch, node_modules.tar.xz
-------------------------------------------------------------------
Tue Nov 2 14:40:41 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
- Add 40670.patch: test: fix test-datetime-change-notify after
daylight change.
-------------------------------------------------------------------
Fri Oct 15 19:57:42 UTC 2021 - Bernhard Voelker <mail@bernhard-voelker.de>
- test-skip-y2038-on-32bit-time_t.patch: Add patch to skip the test
'test/parallel/test-fs-utimes-y2K38.js' which fails with a FP
on platforms with 32-bit time_t.
- nodejs16.spec: Reference it.
-------------------------------------------------------------------
Thu Aug 12 13:51:48 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.6.2:
* CVE-2021-3672/CVE-2021-22931: Improper handling of untypical
characters in domain names (bsc#1189370, bsc#1188881)
* CVE-2021-22940: Use after free on close http2 on stream canceling
(bsc#1189368)
* CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter
(bsc#1189369)
* deps: upgrade npm to 7.20.3
* deps: revert ABI-breaking change from V8 9.2
* module: fix ERR_REQUIRE_ESM error for null frames
- cares_public_headers.patch: don't use private headers
-------------------------------------------------------------------
Mon Aug 2 13:02:58 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.6.0:
http2: fixes use after free on close http2 on stream canceling
(bsc#1188917, CVE-2021-22930)
-------------------------------------------------------------------
Thu Jul 22 12:18:32 UTC 2021 - Adam Majer <adam.majer@suse.de>
- legacy_python.patch: fix building with python 3.4 in SLE-12
-------------------------------------------------------------------
Wed Jul 21 21:57:54 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.5.0:
* deps: upgrade npm to 7.19.1
* fs: allow empty string for temp directory prefix
* Node.js now exposes an experimental implementation of the
Web Streams API
-------------------------------------------------------------------
Fri Jul 2 15:17:09 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.4.1:
deps: libuv upgrade - Out of bounds read (Medium)
(bsc#1187973, CVE-2021-22918)
-------------------------------------------------------------------
Thu Jul 1 13:34:05 UTC 2021 - Adam Majer <adam.majer@suse.de>
- node-gyp_7.1.2.tar.xz: for SLE-12, use latest node-gyp that
is compatible with python 3.4
-------------------------------------------------------------------
Wed Jun 23 12:57:04 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Update to 16.4.0:
* async_hooks: stabilize part of AsyncLocalStorage
* deps:
+ upgrade npm to 7.18.1
+ update V8 to 9.1.269.36
* dns: allow --dns-result-order to change default dns verbatim
-------------------------------------------------------------------
Mon Jun 21 05:01:32 UTC 2021 - Andreas Schneider <asn@cryptomilk.org>
- Allow building for Fedora in the OBS
-------------------------------------------------------------------
Fri Jun 4 20:59:13 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 16.3.0:
* add -C alias for --conditions flag
* add workspaces support to npm install commands
-------------------------------------------------------------------
Mon May 31 16:27:44 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Use libalternatives instead of update-alternatives
-------------------------------------------------------------------
Thu May 20 14:56:23 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream version 16.2.0:
* async_hooks: use new v8::Context PromiseHook API
* deps: npm updated to 7.13.0
* lib: support setting process.env.TZ on windows
* module: add support for URL to import.meta.resolve
* process: add 'worker' event
* util: add util.types.isKeyObject and util.types.isCryptoKey
-------------------------------------------------------------------
Wed May 5 11:21:13 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream version 16.1.0
fs: allow no-params fsPromises fileHandle read
-------------------------------------------------------------------
Tue May 4 12:00:35 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstrean version 16.0.0:
For complete list of changes since 15.x, please see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.0.0
-------------------------------------------------------------------
Wed Mar 17 12:05:50 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Import staging 16.x
