Friday, July 08, 2022

[security] update lang/node to 16.16.0

Index: Makefile
===================================================================
RCS file: /cvs/ports/lang/node/Makefile,v
retrieving revision 1.104
diff -u -p -r1.104 Makefile
--- Makefile 26 Jun 2022 13:59:50 -0000 1.104
+++ Makefile 8 Jul 2022 09:21:48 -0000
@@ -5,7 +5,7 @@ USE_WXNEEDED = Yes

COMMENT = JavaScript runtime built on Chrome's V8 JavaScript engine

-NODE_VERSION = v16.15.1
+NODE_VERSION = v16.16.0
PLEDGE_VER = 1.1.2
DISTFILES = node-pledge-{}${PLEDGE_VER}.tar.gz:0 \
${DISTNAME}-headers.tar.xz \
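Review bot: the NODE_VERSION line moves to v16.16.0, but the mail says devel/electron needs a fix for its build process, and this diff touches only the lang/node Makefile and distinfo. State in the submission whether that fix is already in the tree, or send it alongside so both can be committed together and electron is not left broken between commits.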
@@ -13,8 +13,6 @@ DISTFILES = node-pledge-{}${PLEDGE_VER}

DISTNAME = node-${NODE_VERSION}
PKGNAME = ${DISTNAME:S/v//g}
-
-EPOCH = 0

MASTER_SITES0 = https://github.com/qbit/node-pledge/archive/

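Review bot: the removal of `EPOCH = 0` below PKGNAME is not mentioned in the mail and is unrelated to the version bump. EPOCH ends up in the package name as a `vN` suffix that takes part in version ordering, so once set it is meant to stay. Without it the 16.16.0 package carries no epoch and risks not being treated as an update over installed node packages that have one, which would leave the CVE fixes undelivered on upgrade. Suggest dropping this part of the hunk and keeping `EPOCH = 0`.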
Index: distinfo
===================================================================
RCS file: /cvs/ports/lang/node/distinfo,v
retrieving revision 1.61
diff -u -p -r1.61 distinfo
--- distinfo 8 Jun 2022 21:14:29 -0000 1.61
+++ distinfo 8 Jul 2022 09:21:48 -0000
@@ -1,6 +1,6 @@
SHA256 (node-pledge-1.1.2.tar.gz) = zY/JcbZ32mmtqWXXNn3/9aTh7Y3F6fAAaADDA8SYwEk=
-SHA256 (node-v16.15.1-headers.tar.xz) = NVNlHmMe5SxxfMlc8EVoPquAdBjKx9VbthjQp/HP4uE=
-SHA256 (node-v16.15.1.tar.xz) = 1OmdPB9pcREJpnUlVxBY5gCc3bwijn1yO4+0pFQWm30=
+SHA256 (node-v16.16.0-headers.tar.xz) = 1GO652HX/ed2Vk0lASGQ3x4rheK5NIDq9BMSYzGXP7w=
+SHA256 (node-v16.16.0.tar.xz) = FFFR7/Oyql6+czhACcUicag3QK5oepPJjGKM19UnNus=
SIZE (node-pledge-1.1.2.tar.gz) = 3155
-SIZE (node-v16.15.1-headers.tar.xz) = 385424
-SIZE (node-v16.15.1.tar.xz) = 34618208
+SIZE (node-v16.16.0-headers.tar.xz) = 385396
+SIZE (node-v16.16.0.tar.xz) = 35039712
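Review bot: the two new SHA256 lines for node-v16.16.0-headers.tar.xz and node-v16.16.0.tar.xz record whatever was downloaded when the checksums were regenerated, and the mail does not say they were compared with upstream. For a security update it is worth checking both tarballs against the signed SHASUMS256.txt that nodejs.org publishes for the release (hex there, base64 here) and noting in the submission that this was done.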
Attached patch updates lang/node to 16.16.0

This contains fixes for:

CVE-2022-32212 (High)
CVE-2022-32213 (Medium)
CVE-2022-32214 (Medium)
CVE-2022-32215 (Medium)

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/

v16.16.0 seems like a candidate for a backport to -stable for security
reasons. I don't have a -stable system that could build node, but I also
don't see any change between the current node version and this one that
should give us any trouble, the needed fix for the devel/electron build
process notwithstanding.

This time there's no npm update included, hence no PLIST churn for a change.
