[LOW] Patch for nodejs CVE-2025-5889 #14065
Conversation
Can we please check the test build.
From: Aninda <v-anipradhan@microsoft.com>
Date: Sat, 21 Jun 2025 07:40:51 -0400
Subject: [PATCH] Address CVE-2025-5889
Upstream Patch Reference: https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5
Patch looks good w.r.t. upstream.
@@ -6,7 +6,7 @@ Name: nodejs18 | |||
# WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package. | |||
# The version of NPM can be found inside the sources under 'deps/npm/package.json'. | |||
Version: 18.20.3 | |||
Release: 6%{?dist} | |||
Release: 7%{?dist} |
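Review bot: Bumping Release from 6%{?dist} to 7%{?dist} while leaving Version: 18.20.3 unchanged is the right increment for a backported security patch (and the npm_version warning in the context lines does not apply, since the upstream version is not changing), but this hunk shows only the Release line; the PatchN: entry that wires in the CVE-2025-5889 patch and the %changelog entry naming the CVE are not visible here, so confirm both are part of the same spec change before merging.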
Test Build fails: link
Can we please check.
Why is the build looking for a directory by name nodejs18? nodejs18 is the package name but resides in the SPECS/nodejs directory.
I use the below command to build locally on my VM:
sudo make build-packages REBUILD_TOOLS=y SOURCE_URL="https://azurelinuxsrcstorage.blob.core.windows.net/sources/core" PACKAGE_BUILD_LIST="nodejs18" PACKAGE_REBUILD_LIST="nodejs18" SRPM_PACK_LIST="nodejs18" RUN_CHECK=y SRPM_FILE_SIGNATURE_HANDLING=update
Test Build Triggered: PR-14065
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- (*-static subpackages, etc.) have had their Release tag incremented.
- (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
Address CVE-2025-5889
Patch Modified: Yes
Astrolabe patch reference: juliangruber/brace-expansion@a5b98a4
Change Log
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology