SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for npm4-4.9.1-5.1.x86_64.rpm :
Fri May 11 14:00:00 2018 adam.majerAATTsuse.de
- icu_61_namespacefix.patch: Fix building with ICU61.1 (bsc#1091764)

Thu Apr 5 14:00:00 2018 adam.majerAATTsuse.de
- Install license with %license, not %doc (bsc#1082318)

Wed Apr 4 14:00:00 2018 adam.majerAATTsuse.de
- Fix some node-gyp permissions

Tue Apr 3 14:00:00 2018 adam.majerAATTsuse.de
- New upstream maintenance 4.9.1:

* Security fixes:
+ Fix for \'path\' module regular expression denial of service
(bsc#1087459, CVE-2018-7158)
+ Reject spaces in HTTP Content-Length header values
(bsc#1087453, CVE-2018-7159)

* Upgrade to OpenSSL 1.0.2o

* deps: reject interior blanks in Content-Length

* deps: upgrade http-parser to v2.8.0
- fix_ci_tests.patch: refreshed

Thu Mar 22 13:00:00 2018 adam.majerAATTsuse.de
- remove any old manpage files in %pre from before update-alternatives
were used to manage symlinks to these manpages.

Tue Feb 13 13:00:00 2018 adam.majerAATTsuse.de
- Add Recommends and BuildRequire on python2 for npm. node-gyp
requires this old version of python for now. This is only needed
for binary modules.

Tue Jan 30 13:00:00 2018 roAATTsuse.de
- even on recent codestreams there is no binutils gold on s390
only on s390x

Thu Dec 21 13:00:00 2017 adam.majerAATTsuse.de
- Enable CI tests in %check target
+ fix_ci_ssl_tests.patch: Disable testing of obsolete curves
which are not enabled OpenSUSE\'s OpenSSL library
+ fix_ci_tests.patch:
- DNS queries in buildroots are failing with EAI_AGAIN
- disable test-module-loading-globalpaths.js - we have
hardcoded global paths
+ versioned.patch: call versioned node binary for tests

Sat Dec 9 13:00:00 2017 qantas94heavyAATTgmail.com
- New upstream maintenance release 4.8.7:

* deps/openssl: updated to 1.0.2n (only applies to SLE 12 SP1
and lower) (bsc#1072322)
[ CVE-2017-3738 CVE-2017-15896 ]
- Remove unnecessary curl BuildRequires

Wed Nov 29 13:00:00 2017 qantas94heavyAATTgmail.com
- Change BuildRequires from openssl-devel to libopenssl-1_0_0-devel
due to Tumbleweed/Leap 15 change to OpenSSL 1.1.0 as default

Thu Nov 16 13:00:00 2017 adam.majerAATTsuse.de
- Update nodejs.keyring based on current Release Team as found on
https://github.com/nodejs/node#release-team

Mon Nov 13 13:00:00 2017 adam.majerAATTsuse.de
- Fix permissions of node-gyp. This should be executable to allow
building of binary node modules.

Mon Nov 13 13:00:00 2017 adam.majerAATTsuse.de
- New upstream maintenance release 4.8.6:

* crypto: upgrade openssl sources to 1.0.2m
[OpenSSL Security Advisory (bsc#1066242, bsc#1056058)
CVE-2017-3735 CVE-2017-3736]

* deps: add support for more modern versions of INTL
- 0f3e69db.patch: removed, upstreamed
- icu59.patch: removed, upstreamed

Wed Oct 25 14:00:00 2017 qantas94heavyAATTgmail.com
- New upstream maintenance release 4.8.5:

* zlib: (CVE-2017-14919: only affects TW) In zlib v1.2.9, a
change was made that causes an exception to be thrown when a
raw deflate stream is initialized with windowBits set to 8.
Node.js will now gracefully set windowBits to 9 (replicating
the legacy behavior) to avoid a DOS vector.

Thu Oct 19 14:00:00 2017 adam.majerAATTsuse.de
- Replace {{node_version_major}} with RPM define %node_version_number
for simpler spec file review.
- Make sure npm program remains executable

Wed Aug 2 14:00:00 2017 adam.majerAATTsuse.de
- Fix update-alternative handling in %postun - don\'t remove
links on upgrades.

Wed Jul 12 14:00:00 2017 adam.majerAATTsuse.de
- New LTS upstream version 4.8.4

* v8: disable V8 snapshots. The hashseed embedded in the snapshot
is currently the same for all runs of the binary. This opens
node up to collision attacks which could result in a Denial
of Service. We have temporarily disabled snapshots until a more
robust solution is found (bnc#1048299, CVE-2017-11499).

* http: fixes http.get with numeric authorization options that
created/used uninitialized buffers as the authentication string

* The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response
packet was crafted in a particular way.
(CVE-2017-1000381, bnc#1044946)

Fri Jul 7 14:00:00 2017 adam.majerAATTsuse.de
- Depend on nodejs-common that is then used to pick correctly
versioned node or npm binary. This is required since 3rd party
modules use `/usr/bin/env node` which breaks if multiple versions
of NodeJS are installed at the same time and non-default version
is used (for example, to compile a native module)

Thu Jul 6 14:00:00 2017 adam.majerAATTsuse.de
- npm_search_paths.patch: Since concurrent installations are now
possible, node manual pages are moved once again back under npm
searcheable locations only.
- versioned.patch: All files are now under versioned directoies
and names. node and npm symlinks are now managed by
update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only

Tue Jun 13 14:00:00 2017 adam.majerAATTsuse.de
- Fix typo in node-gyp-addon-gypi.patch patch

Tue May 30 14:00:00 2017 adam.majerAATTsuse.de
- 0f3e69db.patch, icu59.patch: GCC 7 compilation fixes for v8
backported and add missing ICU59 headers (bnc#1041283)

Tue May 23 14:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 4.8.3

* v8: trigger OOM crash if memory allocation fails

* src: fix base64 decoding in rare edgecase

* tls:
+ fix segfault on destroy after partial read
+ keep track of stream that is closed
+ TLSSocket emits \'error\' on handshake failure
- nodejs-libpath.patch: updated

Wed Apr 5 14:00:00 2017 qantas94heavyAATTgmail.com
- New upstream maintenance release 4.8.2

* crypto: fix memory leak if certificate is revoked (#12089)
- Changes not applicable to openSUSE in 4.8.2:

* deps: upgrade zlib to 1.2.11 (#10980)
- Changes in LTS release 4.8.1

* buffer: The performance of .toJSON() is now up to 2859% faster
on average.

* IPC: Batched writes have been enabled for process IPC on
platforms that support Unix Domain Sockets. Performance gains
may be up to 40% for some workloads.

* http: Control characters are now always rejected when using
http.request().

* node: Heap statistics now support values larger than 4GB.
- Modify 8334.diff:

* Bring patch in line with upstream changes (#8334)

Sun Feb 26 13:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 4.8.0

* child_process: add shell option to spawn()

* crypto: add ALPN Support

* crypto: allow adding extra certs to well-known CAs

* deps/v8: expose statistics about heap spaces

* fs: add the fs.mkdtemp() function

* process: add process.memoryUsage().external

* process: add process.cpuUsage()
- Modify 8334.diff:

* Remove merged reference counting code (#9409)

Fri Feb 3 13:00:00 2017 adam.majerAATTsuse.de
- New upstream LTS release 4.7.3

* deps: upgrade openssl sources to 1.0.2k
(CVE-2017-3731, CVE-2017-3732, CVE-2016-7055,
bnc#1022085, bnc#1022086, bnc#1009528)
- No changes in LTS version 4.7.2
- Adjusted 8334.diff to be inline with accepted changes
- Merge nodejs4.changes from SLE and devel project

Fri Jan 6 13:00:00 2017 qantas94heavyAATTgmail.com
- Add basic check that Node.js loads successfully to spec file

Wed Jan 4 13:00:00 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 4.7.1

* build: shared library support is now working for AIX builds

* repl: passing options to the repl will no longer overwrite
defaults

* timers: recanceling a cancelled timers will no longer throw

Fri Dec 9 13:00:00 2016 qantas94heavyAATTgmail.com
- New upstream LTS version 4.7.0

* build: introduce the configure --shared option for embedders

* debugger: make listen address configurable in debugger server

* dgram: generalized send queue to handle close, fixing a
potential throw when dgram socket is closed in the
listening event handler

* http: introduce the 451 status code \"Unavailable For
Legal Reasons\"

* gtest: the test reporter now outputs tap comments as yamlish

* tls: introduce secureContext for tls.connect (useful for
caching client certificates, key, and CA certificates)

* tls: fix memory leak when writing data to TLSWrap instance
during handshake

* src: node no longer aborts when c-ares initialization fails
- Modify 8334.diff:

* ported and updated system CA store for the new node crypto code
- Refresh nodejs-libpath.patch

Thu Dec 1 13:00:00 2016 qantas94heavyAATTgmail.com
- New upstream LTS version 4.6.2

* build:
+ It is now possible to build the documentation from the release tarball.

* buffer:
+ Buffer.alloc() will no longer incorrectly return a zero filled buffer
when an encoding is passed.

* deps:
+ Upgrade npm in LTS to 2.15.11.

* repl:
+ Enable tab completion for global properties.

* url:
+ url.format() will now encode all \"#\" in search.

Wed Nov 23 13:00:00 2016 adam.majerAATTsuse.de
- Add missing conflicts to base package. It\'s not possible to have
concurrent nodejs installations.

Fri Nov 18 13:00:00 2016 adam.majerAATTsuse.de
- Package unification across various branches of NodeJS. Package
for 4.x, 6.x and current (7.x) branches of NodeJS are now
handled via GitHub repository.
- remove support-arm64-build.patch: no longer required
- remove nodejs-libpath64.patch: obsolete

Tue Nov 8 13:00:00 2016 adam.majerAATTsuse.de
- npm4 should provide versioned nodejs-npm and npm allowing
nodejs-packaging to continue to function properly in Leap 42.2
(bnc #1009011)

Wed Oct 19 14:00:00 2016 qantas94heavyAATTgmail.com
- New upstream LTS version 4.6.1

* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180
more information at https://c-ares.haxx.se/adv_20160929.html
(bnc #1007728)

Tue Oct 4 14:00:00 2016 adam.majerAATTsuse.de
- npm4 now provides nodejs-npm to ease upgrades for Leap

Thu Sep 29 14:00:00 2016 adam.majerAATTsuse.de
- enable usage of system certificate store on SLE11SP4 by
requiring openssl1 (boo#1000036)
- nodejs-libpath.patch:

* adapt patch from main nodejs project so it builds on SLE11
- New upstream LTS version 4.6.0

* openssl update (not applicable for SLE12SP2, Leap 42.2 and later)
+ upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,
CVE-2016-6306, CVE-2016-7052)
+ remove support for dynamic 3rd party engine modules

* http: Properly validate for allowable characters in input
user data. This introduces a new case where throw may occur
when configuring HTTP responses, users should already
be adopting try/catch here. (CVE-2016-5325, bnc#985201)

* tls: properly validate wildcard certificates
(CVE-2016-7099, bnc#1001652)

* buffer: Zero-fill excess bytes in new Buffer objects created
with Buffer.concat()

Fri Aug 26 14:00:00 2016 adam.majerAATTsuse.de
- New upstream LTS version 4.5.0 (bnc#997405)

* buffer:
+ backport new buffer constructor APIs to v4.x
+ backport --zero-fill-buffers cli option
+ ignore negative allocation lengths

* build
+ add Intel Vtune profiling support

* repl
+ copying tabs shouldn\'t trigger completion

* src
+ add node::FreeEnvironment public API

* test
+ run v8 tests from node tree

* V8
+ Add post mortem data to improve object inspection and
function\'s context variables inspection

* upgrade libuv to 1.9.1

* upgrade npm to 2.15.9
- 8334.diff

* use system CA store instead of one provided by Node
- Refresh patches

Wed Aug 10 14:00:00 2016 adam.majerAATTsuse.de
- use system OpenSSL with Leap 42.2 and SLE12:SP2
- simplify source code integrity check
+ use GPG service instead of explicit BR
+ add empty checksum so GPG service is run - it\'s not detached signature
like it thinks it is.

Mon Jul 4 14:00:00 2016 adam.majerAATTsuse.de
- rename patches to have a .patch suffix, for consistancy
- npm_search_paths.patch:
Change defaultPrefix to /usr/local if it is detected to be
/usr. This is in attempt to prevent globally installed npm-managed
packages from installing into the zypper managed prefix.
- refreshed patches support-arm64-build.patch
- use upstream .xz instead of .gz tarball

Fri Jul 1 14:00:00 2016 adam.majerAATTsuse.de
- New upstream version 4.4.7

* debugger:
+ All properties of an array (aside from length) can now be printed
in the repl

* Upgrade npm to 2.15.8 (Rebecca Turner)

* Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5. (Anna Henningsen). \'reset awaitDrain after manual
.resume()\'

* V8:
+ Fix for a bug in crankshaft that was causing crashes on arm64
(Myles Borins)
+ Add missing classes to postmortem info such as JSMap and JSSet
(evan.lucas)
- Add upstream release keyring
- Verify upstream sources during %prep

Mon Jun 27 14:00:00 2016 adam.majerAATTsuse.de
- Use build flags to enable/disable gdb usage instead of
configure script. Easier to find and change in future.
- Fix paths, and have to fix lots of paths because they
are all more or less hardcoded relative paths.
- Renumber patches allowing upstream patches to be inserted
before our own.

Fri Jun 24 14:00:00 2016 adam.majerAATTsuse.de
- New upstream version 4.4.6
+ fix buffer overflow vulnerability discovered in v8
(CVE-2016-1669)

Thu Jun 16 14:00:00 2016 adam.majerAATTsuse.de
- Change detection of library paths from runtime to compile time.
nodejs-libpath.patch, nodejs-libpath64.patch

Wed Jun 15 14:00:00 2016 adam.majerAATTsuse.de
- This package is in response to FATE#320396 and ECO#317945
and references bnc#958943
It\'s to be part of Web and Scripting Module
- Use build conditional for intree_openssl
- Fix permissions of some supplies javascript files - they are
not executables
- General cleanup of the package

Wed Jun 15 14:00:00 2016 adam.majerAATTsuse.de
- Tighten dependencies so we don\'t end up with mixed versions
installed.

Tue Jun 14 14:00:00 2016 adam.majerAATTsuse.de
- Dedup manpages
- Conflict with other providers of NodeJS packages. This is
important if we want to provide NodeJS v6.x branch along with
v4.x branch

Mon Jun 6 14:00:00 2016 adam.majerAATTsuse.de
- \'New\' package of 4.x LTS branch of NodeJS, based on v6.2.1
from Tumbleweed
- Fix search paths to actually look where modules are installed


  
ICM