Bug 263590 - www/node: update www/node (vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Some People
Assignee: Joseph Mingrone
URL:
Keywords:
Depends on:
Blocks:
Reported: 2022-04-26 15:54 UTC by John Hein
Modified: 2022-06-30 09:07 UTC
CC: 4 users
See Also:
Flags: maintainer-feedback? (bhughes)
Attachments:
- fix armv6/armv7 patch (1.11 KB, patch), 2022-06-29 19:42 UTC, Joseph Mingrone
- fix armv6/armv7 patch (take 2 and apply unconditionally) (2.02 KB, patch), 2022-06-29 20:12 UTC, Joseph Mingrone
- fix armv6/armv7 patch (take 3 and only apply arm patch unconditionally, not powerpc) (1.71 KB, patch), 2022-06-29 20:20 UTC, Joseph Mingrone

Description John Hein 2022-04-26 15:54:28 UTC
node17 has documented (vuxml) vulnerabilities < 17.3.1.  The current version in www/node is 17.0.1.  I don't know what this should be updated to.  I think I would try 17.3.1 first, but I don't have a particularly good reason for that.  But the "latest" is 18.0.0 (after progressive releases in the last few months that look like they were marching toward 18.0.0 - 17.4.0, 17.5.0, ..., 17.9.0).
Comment 1 John Hein 2022-05-13 23:39:32 UTC
p.s. If you are here because www/node was installed in order to build firefox, try installing www/node16 instead.  That's the "stable" version of node at this time, and it seems to build www/firefox-esr just fine.
Comment 2 Prisma 2022-05-15 11:18:42 UTC
It seems the maintainer is not active anymore on the Node ports. Until Oct 2021 he regularly updated every node tree, but then no more.
I tried to compile newer versions on my own, but that always fails. I'm not skilled enough for those deeper technical internals.
What will be the future of FreeBSD and Node.JS? Is there a procedure to have a new maintainer take care of Node.JS if the current one remains inactive?
Comment 3 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-01 02:58:12 UTC
Working on an update: https://reviews.freebsd.org/D35376
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-06-03 17:02:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=573dcf82344654d829bee348c5cc5ba447e0bb92

commit 573dcf82344654d829bee348c5cc5ba447e0bb92
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2022-06-01 02:29:05 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2022-06-03 17:01:42 +0000

    www/node: Update to 18.2.0

    https://nodejs.org/en/blog/release/v18.2.0/

    PR:             263590
    Reviewed by:    mfechner
    Approved by:    bhughes (maintainer, timeout on PR)
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D35376

 www/node/Makefile                                  |   5 +-
 www/node/distinfo                                  |   6 +-
 ...penssl_openssl_crypto_threads__pthread.c (gone) |  29 ----
 www/node/pkg-plist                                 | 182 +++++++--------------
 4 files changed, 63 insertions(+), 159 deletions(-)
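Review bot: the diffstat for the 18.2.0 update touches only Makefile, distinfo and pkg-plist and removes the openssl pthread patch; files/extra-patch-tools_v8__gypfiles_v8.gyp and files/extra-patch-common.gypi, which are only applied under an ARCH condition, are not in it, and comment 7 shows the v8.gyp one no longer applies to 18.2.0. For a major version bump, dry-run the conditional EXTRA_PATCHES against the new WRKSRC on whatever architecture is at hand before committing, or convert them to unconditional files/patch-* so the default build exercises them.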
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-06-03 17:02:38 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=25bb8b00152f9e06ea3cba953dede66df54a5e1c

commit 25bb8b00152f9e06ea3cba953dede66df54a5e1c
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2022-06-01 18:27:26 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2022-06-03 17:01:42 +0000

    Mk/Uses/nodejs.mk: Handle www/node update to v18

    PR:             263590
    Sponsored by:   The FreeBSD Foundation

 Mk/Uses/nodejs.mk | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2022-06-03 17:02:39 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=620c166728b828c0c95cb40f519f4676e4d45cec

commit 620c166728b828c0c95cb40f519f4676e4d45cec
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2022-06-01 18:28:50 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2022-06-03 17:01:42 +0000

    www/*-node17: Rename for update of www/node to version 18

    PR:             263590
    Sponsored by:   The FreeBSD Foundation

 www/Makefile                              | 4 ++--
 www/npm-node14/Makefile                   | 2 +-
 www/npm-node16/Makefile                   | 2 +-
 www/{npm-node17 => npm-node18}/Makefile   | 4 ++--
 www/npm/Makefile                          | 2 +-
 www/yarn-node14/Makefile                  | 2 +-
 www/yarn-node16/Makefile                  | 2 +-
 www/{yarn-node17 => yarn-node18}/Makefile | 4 ++--
 www/yarn/Makefile                         | 2 +-
 9 files changed, 12 insertions(+), 12 deletions(-)
Comment 7 Robert Clausecker freebsd_committer freebsd_triage 2022-06-29 19:20:05 UTC
When you update a port that has EXTRA_PATCHES, make sure to check that these still apply!  Which they do not...

===>  Patching for node-18.2.0
===>  Applying extra patch /usr/ports/www/node/files/extra-patch-tools_v8__gypfiles_v8.gyp
1 out of 1 hunks failed--saving rejects to tools/v8_gypfiles/v8.gyp.rej
===>  FAILED Applying extra patch /usr/ports/www/node/files/extra-patch-tools_v8__gypfiles_v8.gyp
*** Error code 1

I'll go write a patch for you to fix this mess.
Comment 8 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-29 19:41:48 UTC
(In reply to Robert Clausecker from comment #7)

Sorry.  I tested all option combinations, but tier 2 hardware, for me, is best effort and I missed this.  Please test the patch I am about to attach.
Comment 9 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-29 19:42:13 UTC
Created attachment 234996 [details]
fix armv6/armv7 patch
Comment 10 Robert Clausecker freebsd_committer freebsd_triage 2022-06-29 19:57:59 UTC
(In reply to Joseph Mingrone from comment #8)

No problem.  You don't actually have to test on tier 2 hardware for this -- just check if the patch still applies on whatever hardware you have.  If there is a build problem, I'll pick it up during my arm builds and have a look, but making sure the patches are up to date is the least effort doable.

That said, this patch can probably be moved from being an extra patch to a regular patch as it doesn't seem to hurt on other architectures.  This would make it easier to test the port in general, too.

I'm currently doing a test build.  Will take a while to finish.

If you need to have a patch tested on armv7 or arm64, you can always CC me.
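The check Robert describes above, written out as an added example that is not part of this bug or of the ports tree: dry-run every patch in a port's files/ directory, the conditional extra-patch-* files included, against an extracted WRKSRC on whatever architecture you have, so a stale conditional patch is caught without tier 2 hardware. It assumes patch(1) accepts --dry-run (GNU patch; FreeBSD's patch(1) has -C/--check as the equivalent) and that the port uses the default -p0 strip of the ports framework. The sample source file, the two patches and the path names in demo_check are constructed for the demo and do not come from www/node.

```shell
#!/bin/sh
# Added example: dry-run all patch-* and extra-patch-* files of a port
# against an extracted source tree, ignoring the ARCH condition that
# normally gates EXTRA_PATCHES in the port Makefile.

check_port_patches() {
    # $1 = WRKSRC (extracted upstream source), $2 = the port's FILESDIR.
    # Prints one line per patch and returns the number of patches that
    # failed to apply (0 means every patch is still current).
    wrksrc=$1
    filesdir=$2
    failed=0
    for p in "$filesdir"/patch-* "$filesdir"/extra-patch-*; do
        [ -f "$p" ] || continue
        # -p0 and -E mirror the ports framework defaults; -f avoids any
        # interactive prompt; --dry-run leaves WRKSRC untouched.
        if patch -d "$wrksrc" -p0 -E -f -s --dry-run -i "$p" >/dev/null 2>&1; then
            echo "ok:   $(basename "$p")"
        else
            echo "FAIL: $(basename "$p")"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

demo_check() {
    # Builds a constructed WRKSRC and FILESDIR in a temp dir: one patch
    # that is current and one stale conditional patch, then runs the check.
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/work/src" "$tmp/files"
    # Constructed stand-in for an upstream build config file.
    cat > "$tmp/work/src/config.gypi" <<'EOF'
{
  'variables': {
    'arm_fpu': 'vfpv3',
  },
}
EOF
    # Current patch: its context and removed line match the source above.
    cat > "$tmp/files/patch-src_config.gypi" <<'EOF'
--- src/config.gypi.orig
+++ src/config.gypi
@@ -1,5 +1,5 @@
 {
   'variables': {
-    'arm_fpu': 'vfpv3',
+    'arm_fpu': 'neon',
   },
 }
EOF
    # Stale conditional patch written against an older release: the line
    # it removes no longer exists, so patch rejects the hunk.
    cat > "$tmp/files/extra-patch-src_config.gypi" <<'EOF'
--- src/config.gypi.orig
+++ src/config.gypi
@@ -1,5 +1,5 @@
 {
   'variables': {
-    'arm_fpu': 'vfp',
+    'arm_fpu': 'neon',
   },
 }
EOF
    n=0
    check_port_patches "$tmp/work" "$tmp/files" || n=$?
    rm -rf "$tmp"
    return "$n"   # 1: exactly the stale extra patch fails
}

# Run the demo with: sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_check
    echo "patches that failed to apply: $?"
fi
```

Against a real port the call is check_port_patches on the WRKSRC produced by `make extract` and on the port's files/ directory; a nonzero return is the signal that an update left a patch behind, before any architecture-specific build is attempted.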
Comment 11 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-29 20:07:56 UTC
(In reply to Robert Clausecker from comment #10)

> If you need to have a patch tested on armv7 or arm64, you can always CC me.

Could you make both conditional patches always apply, then test on both architectures?  To be explicit, rename files/extra-patch-tools_v8__gypfiles_v8.gyp to files/patch-tools_v8__gypfiles_v8.gyp and rename files/extra-patch-common.gypi to files/patch-common.gypi and test under armv7 and aarch64.
Comment 12 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-29 20:12:09 UTC
Since we'll also need to update the Makefile, I'll attach another patch.  Could you please test armv7 and aarch64 with the latest patch?
Comment 13 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-29 20:12:57 UTC
Created attachment 234997 [details]
fix armv6/armv7 patch (take 2 and apply unconditionally)
Comment 14 Joseph Mingrone freebsd_committer freebsd_triage 2022-06-29 20:20:53 UTC
Created attachment 234998 [details]
fix armv6/armv7 patch (take 3 and only apply arm patch unconditionally, not powerpc)
Comment 15 Robert Clausecker freebsd_committer freebsd_triage 2022-06-30 04:19:20 UTC
(In reply to Joseph Mingrone from comment #11)

Your final patch succeeds with one warning:

====> Running Q/A tests (stage-qa)
Warning: Possible REINPLACE_CMD issues:
- - REINPLACE_CMD ran, but did not modify file contents: tools/v8_gypfiles/v8.gyp

This warning is expected as LOCALBASE expands to /usr/local.

I'd say ship it before 2022Q3 drops.
Comment 16 commit-hook freebsd_committer freebsd_triage 2022-06-30 09:07:26 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=bd97b63d8b5d81d2520c6a3b248b63e2d69be59e

commit bd97b63d8b5d81d2520c6a3b248b63e2d69be59e
Author:     Joseph Mingrone <jrm@FreeBSD.org>
AuthorDate: 2022-06-29 19:35:54 +0000
Commit:     Joseph Mingrone <jrm@FreeBSD.org>
CommitDate: 2022-06-30 09:01:15 +0000

    www/node: Fix patch on armv6 and armv7

    PR:             263590
    Reported by:    Robert Clausecker <fuz@fuz.su>
    Sponsored by:   The FreeBSD Foundation

 www/node/Makefile                                                 | 4 ----
 ...-tools_v8__gypfiles_v8.gyp => patch-tools_v8__gypfiles_v8.gyp} | 8 ++++----
 2 files changed, 4 insertions(+), 8 deletions(-)
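Review bot: with files/extra-patch-tools_v8__gypfiles_v8.gyp renamed to files/patch-tools_v8__gypfiles_v8.gyp and the four Makefile lines that gated it removed, the v8.gyp patch now applies on every architecture, so the stage-qa warning from comment 15 (REINPLACE_CMD ran on tools/v8_gypfiles/v8.gyp without changing it because LOCALBASE is /usr/local) will show up on every build, not just arm; it is benign, but the Makefile should still drop or narrow that REINPLACE_CMD so the warning does not mask a real no-op substitution later.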