security update to node-16.17.1, from maintainer Volker Schlecht

plus I added a patch to the configure script to prevent it from picking up a non-default Python version at build time HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (Medium) (improper fix for CVE-2022-32215) CVE-2022-32213 bypass via obs-fold mechanic (Medium) (CVE-2022-32213) HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium) (CVE-2022-35256) Weak randomness in WebCrypto keygen (High) (CVE-2022-35255)
2022-09-23 19:28:50 +00:00 · 2022-09-23 19:28:50 +00:00 · bd3af7ea70
commit bd3af7ea70
parent 292fef7fa1
4 changed files with 22 additions and 7 deletions
--- a/lang/node/Makefile
+++ b/lang/node/Makefile
@ -5,7 +5,7 @@ USE_WXNEEDED =		Yes

 COMMENT = JavaScript runtime built on Chrome's V8 JavaScript engine

-NODE_VERSION =		v16.17.0
+NODE_VERSION =		v16.17.1
 PLEDGE_VER =		1.1.2
 DISTFILES =		node-pledge-{}${PLEDGE_VER}.tar.gz:0 \
 			${DISTNAME}-headers.tar.xz \
--- a/lang/node/distinfo
+++ b/lang/node/distinfo
@ -1,6 +1,6 @@
 SHA256 (node-pledge-1.1.2.tar.gz) = zY/JcbZ32mmtqWXXNn3/9aTh7Y3F6fAAaADDA8SYwEk=
-SHA256 (node-v16.17.0-headers.tar.xz) = 0xXvroZshZyLkmnoSb/zGRQkf/8Bp4KFAwNpsM+M6RA=
-SHA256 (node-v16.17.0.tar.xz) = HSjChWheRGmFkhvJY1ZcqcDF9P2pdV5InAaAjql5VkU=
+SHA256 (node-v16.17.1-headers.tar.xz) = VUyNG0sW4PTAc7nffEnIk3FqOlM/JaxkbyNhn1zO598=
+SHA256 (node-v16.17.1.tar.xz) = ZyH+tBUtVtLGs1jOOXq9Wn8drwnuLiXFAhubTT+GozA=
 SIZE (node-pledge-1.1.2.tar.gz) = 3155
-SIZE (node-v16.17.0-headers.tar.xz) = 385884
-SIZE (node-v16.17.0.tar.xz) = 35664964
+SIZE (node-v16.17.1-headers.tar.xz) = 386032
+SIZE (node-v16.17.1.tar.xz) = 35661452
--- a/lang/node/patches/patch-configure
+++ b/lang/node/patches/patch-configure
@ -0,0 +1,15 @@
+Index: configure
+--- configure.orig
+++ configure
+@@ -4,11 +4,6 @@
+ # Note that the mix of single and double quotes is intentional,
+ # as is the fact that the ] goes on a new line.
+ _=[ 'exec' '/bin/sh' '-c' '''
+-command -v python3.10 >/dev/null && exec python3.10 "$0" "$@"
+-command -v python3.9 >/dev/null && exec python3.9 "$0" "$@"
+-command -v python3.8 >/dev/null && exec python3.8 "$0" "$@"
+-command -v python3.7 >/dev/null && exec python3.7 "$0" "$@"
+-command -v python3.6 >/dev/null && exec python3.6 "$0" "$@"
+ command -v python3 >/dev/null && exec python3 "$0" "$@"
+ exec python "$0" "$@"
+ ''' "$0" "$@"
--- a/lang/node/patches/patch-node_gyp
+++ b/lang/node/patches/patch-node_gyp
@ -10,7 +10,7 @@ Index: node.gyp
         'deps/histogram/histogram.gyp:histogram',
         'deps/uvwasi/uvwasi.gyp:uvwasi',
       ],
-@@ -1130,8 +1130,8 @@
+@@ -1132,8 +1132,8 @@
 
       'dependencies': [
         '<(node_lib_target_name)',
@ -21,7 +21,7 @@ Index: node.gyp
         'deps/histogram/histogram.gyp:histogram',
         'deps/uvwasi/uvwasi.gyp:uvwasi',
         'node_dtrace_header',
-@@ -1205,6 +1205,10 @@
+@@ -1207,6 +1207,10 @@
         }],
         ['OS=="solaris"', {
           'ldflags': [ '-I<(SHARED_INTERMEDIATE_DIR)' ]