164 Commits

Author SHA1 Message Date
Gyorgy Sarvari
d2894888c9 nodejs: fix CVE_PRODUCT
The CVE_PRODUCT is set with a weak default assignment in the cve-check.bbclass,
which means that when the recipe uses +=, it overrides the original weak adefault
value instead of appending to it.

Set all applicable values in CVE_PRODUCT variable explicitly.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2025-12-22 20:56:37 +01:00
akash hadke
198cf66134 meta-oe: Remove True option to getVar calls
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.

Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-22 19:12:54 -05:00
Archana Polampalli
3eb9002ce7 nodejs: fix CVE-2023-46809
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:10:59 -04:00
Archana Polampalli
17db7e96c4 nodejs: fix CVE-2024-22025
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:09:02 -04:00
Archana Polampalli
7b468c6f83 nodejs: fix CVE-2024-22019
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:08:41 -04:00
virendra thakur
1915dcb8e8 nodejs: Set CVE_PRODUCT to "node.js"
Set CVE_PRODUCT to 'node.js' for nodjs recipe

Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-28 08:18:18 -05:00
Polampalli, Archana
d3ee870fb0 nodejs: fix CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the function new Range, when untrusted user data is
provided as a range.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-25883

Upstream patches:
717534ee35

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-04 11:59:59 -04:00
Polampalli, Archana
529620141e nodejs: upgrade 16.20.1 -> 16.20.2
This release contains bug fixes only.
The following CVEs have been addressed:

CVE-2023-32002
CVE-2023-32006
CVE-2023-32559

$ git log --oneline v16.20.1..v16.20.2
dadbde963f (tag: v16.20.2) 2023-08-09, Version 16.20.2 'Gallium' (LTS)
d8ccfe9ad4 policy: handle Module.constructor and main.extensions bypass
242aaa0caa policy: disable process.binding() when enabled
40c3958a5a  deps: update archs files for OpenSSL-1.1.1v
a9ac9da89a deps: fix openssl crypto clean
362d4c7494 deps: upgrade openssl sources to OpenSSL_1_1_1v
7447de2794 Working on v16.20.2

https://github.com/nodejs/node/releases/tag/v16.20.2

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-11 10:32:04 -04:00
Polampalli, Archana
8814f25902 nodejs: upgrade 16.19.1 -> 16.20.1
Drop the gcc13.patch as it has been merged in 16.20.1
    56cbc7fdda deps: V8: cherry-pick c2792e58035f

The list of the CVEs are fixed in this relase:

    CVE-2023-30581
    CVE-2023-30585
    CVE-2023-30588
    CVE-2023-30589
    CVE-2023-30590

https://nodejs.org/en/blog/release/v16.20.0
https://nodejs.org/en/blog/release/v16.20.1

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-07-16 15:30:53 -04:00
Khem Raj
4cc7363978 nodejs: Fix build with gcc13
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-05-19 09:46:38 -04:00
Polampalli, Archana
9cf4ebeb3d nodejs: Upgrade 16.19.0 -> 16.19.1
The following CVEs fixed in this version:
     CVE-2023-23918
     CVE-2023-23919
     CVE-2023-23920
     CVE-2023-23936
     CVE-2023-24807

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-03-13 08:58:37 -04:00
Tim Orling
278ec081a6 nodejs: upgrade 16.18.1 -> 16.19.0
* 16.18.0 (npm 8.19.2) introduced a regression in git+ssh urls
  - https://github.com/nodejs/node/issues/44992
  - https://github.com/npm/cli/pull/5761

https://nodejs.org/ko/blog/release/v16.19.0/

License-Update: Clarify vendored OpenSSL Toolkit is OpenSSL and SSLeay
License-Update: JS Foundation -> OpenJS Foundation

e7ed56f501

Signed-off-by: Tim Orling <tim.orling@konsulko.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-02-04 12:16:38 -05:00
Archana Polampalli
1c7063e57d Nodejs: Fixed python3 DeprecationWarning
Distutils package and pipes are deprecated and slated for removal in Python 3.13 for Nodejs 16.18
Replaced distutils with setuptools

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
2022-12-20 10:00:29 -05:00
Archana Polampalli
08b6b6846a Nodejs - Upgrade to 16.18.1
* Drop Openssl legacy provider patch and install both binaries patch
  which are already available in 16.x
* Refresh native binaries patch against 16.x base

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2022-11-19 11:19:11 -05:00
Enrico Scholz
035d9c61e8 nodejs-oe-cache-native: initial checkin
This implements an 'npm cache add' like functionality but allows to
specify the key of the data and sets metadata which are required to
find the data.

It is used to cache information as done during 'npm install'.

Keyformat and metadata are nodejs version specific.

Signed-off-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-09-15 08:17:25 -04:00
Khem Raj
5a52bffde1 nodejs: Upgrade to 16.14.2
Fix build with mips32, found with gcc12

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-04-20 10:58:01 -07:00
Khem Raj
454017a8d4 nodejs: Disable for powerpc
Fixes
../deps/v8/src/objects/code.h:564:2: error: #error Unknown architecture.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-14 09:16:04 -07:00
Andrej Valek
93ec055d83 nodejs: add option to use openssl legacy providers again
Current nodejs version v16 does not fully support new OpenSSL, so add option
to use legacy provider.

|   opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
|   library: 'digital envelope routines',
|   reason: 'unsupported',
|   code: 'ERR_OSSL_EVP_UNSUPPORTED'

It was blindly removed by upgrade to 16.14.0 version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-09 07:37:42 -08:00
Zoltán Böszörményi
f8a274732f nodejs: Upgrade to 16.14.0
Remove two upstreamed patches.

Signed-off-by: Zoltán Böszörményi <zboszor@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-03 08:50:19 -08:00
Andrej Valek
6c258bd830 nodejs: add option to use openssl legacy providers
Current nodejs version does not fully support new OpenSSL, so add option
to use legacy provider.

|   opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
|   library: 'digital envelope routines',
|   reason: 'unsupported',
|   code: 'ERR_OSSL_EVP_UNSUPPORTED'

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-20 17:14:10 -08:00
Peter Kjellerstedt
3670d61546 nodejs: A little clean up
* The destination file name does not need to be specified to install
  if it matches the source file name (and -D is not used).
* Mode 0755 does not need to be specified to install as it is the
  default.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-18 09:01:51 -08:00
Peter Kjellerstedt
a7fd038743 nodejs: Drop workaround for an absolute path in the npm shebang
The rewrite of the npm shebang to use an absolute path was removed in
version 7.0.0.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-18 09:01:51 -08:00
Peter Kjellerstedt
4229bddf42 nodejs: Drop workaround for a Python 2 dependency
The gyp samples directory was removed in version 15.0.0.

Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-18 09:01:51 -08:00
Nisha Parrakat
1bdbdf3a7e nodejs_16.11.1.bb: only handle npm if configured
npm-cli.js should be symlinked only when the file is present
the file may not be available if the configure option is --without-npm

Signed-off-by: Nisha Parrakat <nishaparrakat@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-01-12 09:35:18 -08:00
Ross Burton
4004a2279e nodejs: set precise BSD license
"BSD" is ambiguous, use the precise licenses BSD-2-Clause and BSD-3-Clause.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-11-18 11:07:10 -08:00
Martin Jansa
dc01472dd9 nodejs: fix build without scrypt
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-11-01 05:45:17 -07:00
Khem Raj
354eca1043 nodejs: Upgrade to 16.11.1
* This is new LTS release
* Add patch to fix build on mips/mips64
* Add patch to build with new c-ares 2.17+
* Enhance native binaries patch to include additional native torque use
* Drop mips-warnings.patch and python 3.10 support patch which is
  already available in 16.x
* Refresh rest of patches against 16.x base

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-10-20 15:48:54 -07:00
Khem Raj
246b20b92c nodejs: Upgrade to 14.18.1
License-Update: Reflect new location of gtest sources
                remove node-inspect from license
		update Acorn to v8.4.1

Use internal openssl until nodejs is fixed to work with openssl3

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-10-17 16:15:21 -07:00
Khem Raj
ed3392fdb2 nodejs: add -fpermissive BUILD_CXXFLAGS
fixes build with openssl3-native

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-10-16 08:25:21 -07:00
Alexander Kanavin
e8214b76e4 nodejs: add a python 3.10 compatibility patch
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-10-14 07:16:58 -07:00
Alexander Kanavin
01d24acb40 nodejs: use -fpermissive
This resolves openssl 3.x errors until upstream addresses them properly.

Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-10-14 07:16:58 -07:00
Martin Jansa
c61dc077bb Convert to new override syntax
This is the result of automated script (0.9.1) conversion:

oe-core/scripts/contrib/convert-overrides.py .

converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2021-08-03 10:21:25 -07:00
Khem Raj
94e54c209d nodejs: Update to 14.17.1
Drop upstreamed v8-call-new-ListFormatter-createInstance.patch patch
Add a patch for ppc64/clang to drop -mminimal-toc since clang does not
have this option

License-Update: URLs updated [1] and copyright owners too [2]

[1] 2d7e0b6912 (diff-c693279643b8cd5d248172d9c22cb7cf4ed163a3c98c8a3f69c2717edd3eacb7)
[2] b57785d89b (diff-c693279643b8cd5d248172d9c22cb7cf4ed163a3c98c8a3f69c2717edd3eacb7)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-06-18 08:33:07 -07:00
Khem Raj
440f11c497 nodejs: Enable snapshot
New build method lets mksnaphot run so thsi is no longer needed

Reported-by: Kory Maincent <kory.maincent@bootlin.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-23 21:41:26 -07:00
Khem Raj
37e0b6152c nodejs: Fix build with clang for x86 target
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-21 08:27:01 -07:00
Khem Raj
2f365001e2 nodejs: Fix build on mips
2G is too much for qemu-mips and perhaps also for real mips devices
as we use qemu-usermode during build to run host pieces like mksnapshot
they fail,  reducing the allocation range helps

Fixes
|   LD_LIBRARY_PATH=/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/lib.host:/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1
/out/Release/lib.target:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH; cd ../tools/v8_gypfiles; mkdir -p /mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v
8_snapshot/geni; "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/v8-qemu-wrapper.sh" "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/nod
e-v14.16.1/out/Release/mksnapshot" --turbo_instruction_scheduling "--target_os=linux" "--target_arch=mips" --startup_src "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/ou
t/Release/obj.target/v8_snapshot/geni/snapshot.cc" --embedded_variant Default --embedded_src "/mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/obj.target/v8_snap
shot/geni/embedded.S" --no-native-code-counters
|
| #
| # Fatal process OOM in CodeRange setup: allocate virtual memory
| #
|
| /mnt/b/yoe/master/build/tmp/work/mips32r2-yoe-linux/nodejs/14.16.1-r0/node-v14.16.1/out/Release/v8-qemu-wrapper.sh: line 7: 2292880 Trace/breakpoint trap   (core dumped) PSEUDO_UNLOAD=1 qemu-mips -r 3.2.0 -

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-21 08:27:01 -07:00
Khem Raj
f52863f02c nodejs: Use qemu usermode to run target binaries during build
So far, we have been trying to build nodejs-native and use the native
host binaries from there, which has worked out ok but always changes
when major upgrade is done, since more binaries or places are required
to be captured. This patch changes this approach to use qemu-user to run
these binaries under during cross build. This lets them run closer to
upstream build process and also removes dependency on nodejs-native

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-21 08:27:01 -07:00
Khem Raj
3f61a4c881 nodejs: Fix build with icu-69
backport relevant v8 patch to fix the build issue

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-21 08:27:01 -07:00
Khem Raj
3cb00800f5 nodejs: Update to 14.16.1
This is latest maintained LTS release
Forward patches and drop backported patch

License-Update: Update  copyright year and drop license of
deps/http_parser as this component is  removed in this version

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-21 08:27:01 -07:00
Andrew Geissler
649fb54245 nodejs: ppc64le machine support
Commit 836912ab changed the logic in this recipe to stop looking for
"ppc64le". This caused the ppc64le systems used by me to stop working.
There wasn't much in the commit message on why this change occurred but
ppc64le is definitely still needed.

Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-02 02:03:57 -07:00
Clément Péron
02feb1d932 nodejs: 12.20.2 -> 12.21.0
Fixes :
 - CVE-2021-22883
 - CVE-2021-22884
 - CVE-2021-23840

Signed-off-by: Clément Péron <peron.clem@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-30 09:04:34 -07:00
Khem Raj
836912ab9f nodejs: Set correct nodejs arch for ppc64le
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-12 17:22:09 -08:00
Sean Nyekjaer
6322c63987 nodejs: 12.20.1 -> 12.20.2
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-02-20 10:40:53 -08:00
Sean Nyekjaer
cde1019804 nodejs: 12.19.1 -> 12.20.1
Signed-off-by: Sean Nyekjaer <sean@geanix.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-01-07 22:57:45 -08:00
Stacy Gaikovaia
a440154082 nodejs: 12.19.0 -> 12.19.1
Uprev nodejs in order to fix CVE-2020-8277.
This CVE allows an attacker to trigger a DNS request for a host
of their choice, which could trigger a Denial of Service in
nodejs versions < 12.19.1.

See https://nvd.nist.gov/vuln/detail/CVE-2020-8277 for details.

CVE: CVE-2020-8277
Signed-off-by: Stacy Gaikovaia <Stacy.Gaikovaia@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-12-15 21:29:34 -08:00
Khem Raj
a10f894a8e nodejs: Update to 12.19.0
This perhaps is last release in 12.x LTS

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-11-02 09:00:52 -08:00
Khem Raj
45a2dfdd0f nodejs: Fix arm32/thumb builds with clang
Backport a patch from upstream to take care of build failure e.g.

| ../deps/v8/src/codegen/arm/cpu-arm.cc:38:16: error: write to reserved register 'R7'
|   asm volatile("svc 0\n"
|                ^
| 1 error generated.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-11-02 09:00:52 -08:00
Khem Raj
bda3ee6276 nodejs: Upgrade to 12.18.3
Drop already upstreamed patches
use builtin uv, it does not build without it

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-08-13 22:37:48 -07:00
Khem Raj
7910f2b645 nodejs: Fix build with icu 67.1
Remove soon-to-be removed getAllFieldPositions

Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cc: Andrej Valek <andrej.valek@siemens.com>
2020-05-06 23:20:29 -07:00
Khem Raj
db0075f503 nodejs: Fix -Wc++11-narrowing on mips
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-04-15 23:10:02 -07:00