The following CVEs fixed in this version:
CVE-2023-23918
CVE-2023-23919
CVE-2023-23920
CVE-2023-23936
CVE-2023-24807
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Distutils package and pipes are deprecated and slated for removal in Python 3.13 for Nodejs 16.18
Replaced distutils with setuptools
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
* Drop Openssl legacy provider patch and install both binaries patch
which are already available in 16.x
* Refresh native binaries patch against 16.x base
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This implements an 'npm cache add' like functionality but allows to
specify the key of the data and sets metadata which are required to
find the data.
It is used to cache information as done during 'npm install'.
Keyformat and metadata are nodejs version specific.
Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Current nodejs version v16 does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
It was blindly removed by upgrade to 16.14.0 version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Current nodejs version does not fully support new OpenSSL, so add option
to use legacy provider.
| opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
| library: 'digital envelope routines',
| reason: 'unsupported',
| code: 'ERR_OSSL_EVP_UNSUPPORTED'
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* The destination file name does not need to be specified to install
if it matches the source file name (and -D is not used).
* Mode 0755 does not need to be specified to install as it is the
default.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The rewrite of the npm shebang to use an absolute path was removed in
version 7.0.0.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
npm-cli.js should be symlinked only when the file is present
the file may not be available if the configure option is --without-npm
Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
"BSD" is ambiguous, use the precise licenses BSD-2-Clause and BSD-3-Clause.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* This is new LTS release
* Add patch to fix build on mips/mips64
* Add patch to build with new c-ares 2.17+
* Enhance native binaries patch to include additional native torque use
* Drop mips-warnings.patch and python 3.10 support patch which is
already available in 16.x
* Refresh rest of patches against 16.x base
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Reflect new location of gtest sources
remove node-inspect from license
update Acorn to v8.4.1
Use internal openssl until nodejs is fixed to work with openssl3
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This resolves openssl 3.x errors until upstream addresses them properly.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2G is too much for qemu-mips and perhaps also for real mips devices
as we use qemu-usermode during build to run host pieces like mksnapshot
they fail, reducing the allocation range helps
Fixes
| LD_LIBRARY_PATH=/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/lib.host:/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1
/out/Release/lib.target:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; cd ../tools/v8_gypfiles; mkdir -p /mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v
8_snapshot/geni; "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/v8-qemu-wrapper.sh" "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/nod
e-v14.16.1/out/Release/mksnapshot" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=mips" --startup_src "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/ou
t/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v8_snap
shot/geni/embedded.S" --no-native-code-counters
|
| #
| # Fatal process OOM in CodeRange setup: allocate virtual memory
| #
|
| /mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/v8-qemu-wrapper.sh: line 7: 2292880 Trace/breakpoint trap (core dumped) PSEUDO_UNLOAD=1 qemu-mips -r 3.2.0 -
Signed-off-by: Khem Raj <raj.khem@gmail.com>
So far, we have been trying to build nodejs-native and use the native
host binaries from there, which has worked out ok but always changes
when major upgrade is done, since more binaries or places are required
to be captured. This patch changes this approach to use qemu-user to run
these binaries under during cross build. This lets them run closer to
upstream build process and also removes dependency on nodejs-native
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is latest maintained LTS release
Forward patches and drop backported patch
License-Update: Update copyright year and drop license of
deps/http_parser as this component is removed in this version
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Commit 836912ab changed the logic in this recipe to stop looking for
"ppc64le". This caused the ppc64le systems used by me to stop working.
There wasn't much in the commit message on why this change occurred but
ppc64le is definitely still needed.
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Uprev nodejs in order to fix CVE-2020-8277.
This CVE allows an attacker to trigger a DNS request for a host
of their choice, which could trigger a Denial of Service in
nodejs versions < 12.19.1.
See https://nvd.nist.gov/vuln/detail/CVE-2020-8277 for details.
CVE: CVE-2020-8277
Signed-off-by: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Backport a patch from upstream to take care of build failure e.g.
| ../deps/v8/src/codegen/arm/cpu-arm.cc:38:16: error: write to reserved register 'R7'
| asm volatile("svc 0\n"
| ^
| 1 error generated.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Use system brotli via PACKAGECONFIG by default. So far,
nodejs had been built using its embedded copy of brotli,
which we generally try to avoid, for the known reasons
(independent updates, cve & license checks, etc).
The nodejs patches to enable this have been submitted.
brotli is in meta-oe, so enabling this by default should
not be a problem.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
During the python3 / nodejs update, the dependencies weren't updated, so
using system-gyp ends up trying to use the python2 version of system-
gyp, which will of course fail.
Fixing this to depend on the python3 version of gyp still doesn't
doesn't make things work, though:
ERROR: nodejs-native-12.14.1-r0 do_configure: Execution of '.../nodejs-native/12.14.1-r0/temp/run.do_configure.26054' failed with exit code 1:
gyp: Error importing pymod_do_mainmodule (ForEachFormat): No module named 'ForEachFormat' while loading dependencies of .../nodejs-native/12.14.1-r0/node-v12.14.1/node.gyp while trying to load .../nodejs-native/12.14.1-r0/node-v12.14.1/node.gyp
Error running GYP
The reason is commit fff922afee6e ("deps,build: compute torque_outputs in v8.gyp")
in NodeJS v12, where they modified their bundled version of gyp to
become incompatible with the upstream version of gyp by adding extra /
unusual search paths to gyp.
Since I'm not sure how to deal with that when using system-gyp, and because
the original intention for using system-gyp was to make the previous nodejs
version compatible with python3 by ultimately switching to the python3 version
of system-gyp which isn't necessary anymore, and given nobody else seems to
be using this PACKAGECONFIG, just drop it.
Signed-off-by: André Draszik <andre.draszik@jci.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Polampalli, Archana
Khem Raj
Tim Orling
Enrico Scholz
Andrej Valek
Zoltán Böszörményi
Peter Kjellerstedt
Nisha Parrakat
Ross Burton
Martin Jansa
Alexander Kanavin
Andrew Geissler
Clément Péron
Sean Nyekjaer
Stacy Gaikovaia
Jaga
André Draszik