!28 Modify minimatch version to fix install problem

From: @wang--ge 
Reviewed-by: @lyn1001 
Signed-off-by: @lyn1001

CVE-2020-7729-pre.patch

@@ -0,0 +1,49 @@
+From 3484b83a87e1f5ea689aa5aece9f9ae96151d3ff Mon Sep 17 00:00:00 2001
+From: Kyle Robinson Young <kyle@dontkry.com>
+Date: Wed, 13 Apr 2016 18:06:59 -0700
+Subject: [PATCH] Fix for readYAML error messages
+
+---
+ lib/grunt/file.js       | 2 +-
+ test/grunt/file_test.js | 8 +++++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/lib/grunt/file.js b/lib/grunt/file.js
+index 303e0ab4..f8a694e5 100644
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -262,7 +262,7 @@ file.readYAML = function(filepath, options) {
+     return result;
+   } catch (e) {
+     grunt.verbose.error();
+-    throw grunt.util.error('Unable to parse "' + filepath + '" file (' + e.problem + ').', e);
++    throw grunt.util.error('Unable to parse "' + filepath + '" file (' + e.message + ').', e);
+   }
+ };
+ 
+diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
+index 91466f28..19889e61 100644
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -452,7 +452,7 @@ exports.file = {
+     test.done();
+   },
+   'readYAML': function(test) {
+-    test.expect(3);
++    test.expect(4);
+     var obj;
+     obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+     test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
+@@ -460,6 +460,12 @@ exports.file = {
+     obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
+     test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');
+ 
++    test.throws(function() {
++      obj = grunt.file.readYAML('test/fixtures/error.yaml');
++    }, function(err) {
++      return err.message.indexOf('undefined') === -1;
++    }, 'error thrown should not contain undefined.');
++
+     grunt.file.defaultEncoding = 'iso-8859-1';
+     obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml');
+     test.deepEqual(obj, this.object, 'changing the default encoding should work.');

CVE-2020-7729.patch

@@ -0,0 +1,64 @@
+From e350cea1724eb3476464561a380fb6a64e61e4e7 Mon Sep 17 00:00:00 2001
+From: Vlad Filippov <vlad.filippov@gmail.com>
+Date: Mon, 17 Aug 2020 11:28:59 -0400
+Subject: [PATCH] Switch to use `safeLoad` for loading YML files via
+ `file.readYAML`.
+
+For previous behaviour please use the following:
+
+```
+readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
+```
+---
+ lib/grunt/file.js       | 13 +++++++++++--
+ test/grunt/file_test.js |  7 +++++--
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/lib/grunt/file.js b/lib/grunt/file.js
+index eefeddb2..7e0e2fb7 100644
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -241,12 +241,21 @@ file.readJSON = function(filepath, options) {
+ };
+ 
+ // Read a YAML file, parse its contents, return an object.
+-file.readYAML = function(filepath, options) {
++file.readYAML = function(filepath, options, yamlOptions) {
++  if (!options) { options = {}; }
++  if (!yamlOptions) { yamlOptions = {}; }
++
+   var src = file.read(filepath, options);
+   var result;
+   grunt.verbose.write('Parsing ' + filepath + '...');
+   try {
+-    result = YAML.load(src);
++    // use the recommended way of reading YAML files
++    // https://github.com/nodeca/js-yaml#safeload-string---options-
++    if (yamlOptions.unsafeLoad) {
++      result = YAML.load(src);
++    } else {
++      result = YAML.safeLoad(src);
++    }
+     grunt.verbose.ok();
+     return result;
+   } catch (e) {
+diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
+index e833fb2d..b192cad9 100644
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -452,10 +452,13 @@ exports.file = {
+     test.done();
+   },
+   'readYAML': function(test) {
+-    test.expect(4);
++    test.expect(5);
+     var obj;
+     obj = grunt.file.readYAML('test/fixtures/utf8.yaml');
+-    test.deepEqual(obj, this.object, 'file should be read as utf8 by default and parsed correctly.');
++    test.deepEqual(obj, this.object, 'file should be safely read as utf8 by default and parsed correctly.');
++
++    obj = grunt.file.readYAML('test/fixtures/utf8.yaml', null, {unsafeLoad: true});
++    test.deepEqual(obj, this.object, 'file should be unsafely read as utf8 by default and parsed correctly.');
+ 
+     obj = grunt.file.readYAML('test/fixtures/iso-8859-1.yaml', {encoding: 'iso-8859-1'});
+     test.deepEqual(obj, this.object, 'file should be read using the specified encoding.');

CVE-2022-0436.patch

@@ -0,0 +1,84 @@
+From aad3d4521c3098fb255fb2db8f2e1d691a033665 Mon Sep 17 00:00:00 2001
+From: Vlad Filippov <vlad.filippov@gmail.com>
+Date: Sun, 10 Apr 2022 23:16:06 -0400
+Subject: [PATCH] Update dependencies, tests...
+
+
+diff --git a/lib/grunt/file.js b/lib/grunt/file.js
+index 863617f..f0a2d6e 100644
+--- a/lib/grunt/file.js
++++ b/lib/grunt/file.js
+@@ -303,8 +303,11 @@ file.write = function(filepath, contents, options) {
+ // Read a file, optionally processing its content, then write the output.
+ // Or read a directory, recursively creating directories, reading files,
+ // processing content, writing output.
++// Handles symlinks by coping them as files or directories.
+ file.copy = function copy(srcpath, destpath, options) {
+-  if (file.isDir(srcpath)) {
++  if (file._isSymbolicLink(srcpath)) {
++    file._copySymbolicLink(srcpath, destpath);
++  } else if (file.isDir(srcpath)) {
+     // Copy a directory, recursively.
+     // Explicitly create new dest directory.
+     file.mkdir(destpath);
+@@ -452,6 +455,24 @@ file.isPathCwd = function() {
+   }
+ };
+ 
++file._isSymbolicLink = function() {
++  var filepath = path.join.apply(path, arguments);
++  return fs.lstatSync(filepath).isSymbolicLink();
++};
++
++file._copySymbolicLink = function(srcpath, destpath) {
++  var destdir = path.join(destpath, '..');
++  var fileBase = path.basename(srcpath);
++  // Use the correct relative path for the symlink
++  if (!grunt.file.isPathAbsolute(srcpath)) {
++    srcpath = path.relative(destdir, srcpath) || '.';
++  }
++  file.mkdir(destdir);
++  var mode = grunt.file.isDir(srcpath) ? 'dir' : 'file';
++  var destpath = path.join(destpath, fileBase);
++  return fs.symlinkSync(srcpath, destpath, mode);
++};
++
+ // Test to see if a filepath is contained within the CWD.
+ file.isPathInCwd = function() {
+   var filepath = path.join.apply(path, arguments);
+diff --git a/test/grunt/file_test.js b/test/grunt/file_test.js
+index 5110f04..41f1c2d 100644
+--- a/test/grunt/file_test.js
++++ b/test/grunt/file_test.js
+@@ -888,5 +888,28 @@ exports.file = {
+       test.ok(grunt.file.isPathInCwd(path.resolve('deep')), 'subdirectory is in cwd');
+       test.done();
+     },
++    'symbolicLinkCopy': function(test) {
++      test.expect(4);
++      var srcfile = new Tempdir();
++      fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(srcfile.path, 'octocat.png'), 'file');
++      // test symlink copy for files
++      var destdir = new Tempdir();
++      grunt.file.copy(path.join(srcfile.path, 'octocat.png'), destdir.path);
++      test.ok(fs.lstatSync(path.join(srcfile.path, 'octocat.png')).isSymbolicLink());
++      test.ok(fs.lstatSync(path.join(destdir.path, 'octocat.png')).isSymbolicLink());
++
++      // test symlink copy for directories
++      var srcdir = new Tempdir();
++      var destdir = new Tempdir();
++      var fixtures = path.resolve('test/fixtures');
++      var symlinkSource = path.join(srcdir.path, path.basename(fixtures));
++      console.log('symlinkSource', symlinkSource);
++      fs.symlinkSync(fixtures, symlinkSource, 'dir');
++
++      grunt.file.copy(symlinkSource, destdir.path);
++      test.ok(fs.lstatSync(symlinkSource).isSymbolicLink());
++      test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink());
++      test.done();
++    },
+   }
+ };
+-- 
+2.27.0
+

nodejs-grunt.spec

@@ -1,11 +1,15 @@
 %global enable_tests 1
 Name:                nodejs-grunt
 Version:             1.0.1
-Release:             1
+Release:             6
 Summary:             Grunt is a JavaScript library used for automation and running tasks
 License:             MIT
 URL:                 https://github.com/gruntjs/grunt
 Source0:             https://github.com/gruntjs/grunt/archive/v%{version}/grunt-%{version}.tar.gz
+Patch0:              CVE-2020-7729-pre.patch
+Patch1:              CVE-2020-7729.patch
+# https://github.com/gruntjs/grunt/commit/aad3d45
+Patch2:              CVE-2022-0436.patch
 BuildArch:           noarch
 ExclusiveArch:       %{nodejs_arches} noarch
 BuildRequires:       nodejs-packaging
@@ -14,7 +18,7 @@ BuildRequires:       npm(coffee-script) npm(dateformat) npm(eventemitter2) npm(e
 BuildRequires:       npm(findup-sync) npm(glob) npm(grunt-cli) npm(grunt-known-options)
 BuildRequires:       npm(grunt-legacy-log) npm(grunt-legacy-util) npm(iconv-lite) npm(js-yaml)
 BuildRequires:       npm(minimatch) npm(nopt) npm(path-is-absolute) npm(rimraf) npm(difflet)
-BuildRequires:       npm(grunt-contrib-nodeunit) npm(grunt-contrib-watch) npm(semver) npm(shelljs)
+BuildRequires:       npm(grunt-contrib-nodeunit) npm(semver) npm(shelljs)
 BuildRequires:       npm(temporary) npm(through2)
 %endif
 %description
@@ -25,13 +29,13 @@ your job becomes. After you've configured it, a task runner can do most
 of that mundane work for you with basically zero effort.
 
 %prep
-%autosetup -n grunt-%{version}
+%autosetup -n grunt-%{version} -p1
 %nodejs_fixdep coffee-script '^1.3'
 %nodejs_fixdep dateformat '*'
-%nodejs_fixdep eventemitter2 '~0.4'
+%nodejs_fixdep eventemitter2 '^6.4.5'
 %nodejs_fixdep findup-sync '~0.3'
 %nodejs_fixdep glob '~6.0.3'
-%nodejs_fixdep minimatch '~3.0.0'
+%nodejs_fixdep minimatch '^3.0.0'
 %nodejs_fixdep nopt '^3.0.6'
 %nodejs_fixdep rimraf '^2.0'
 %nodejs_fixdep js-yaml '^3.5.0'
@@ -56,5 +60,20 @@ grunt nodeunit:all
 %{nodejs_sitelib}/grunt
 
 %changelog
+* Sat Sep 02 2023 Ge Wang <wang__ge@126.com> - 1.0.1-6
+- Modify minimatch version to fix install problem
+
+* Fri Jul 01 2022 baizhonggui <baizhonggui@h-partners.com> - 1.0.1-5
+- Modify eventemitter version to 6.4.5 to compat latest eventemitter
+
+* Mon May 09 2022 wangkai <wangkai385@h-partners.com> - 1.0.1-4
+- Remove BuildRequires npm(grunt-contrib-watch)
+
+* Thu Apr 21 2022 wangkai <wangkai385@h-partners.com> - 1.0.1-3
+- Fix CVE-2022-0436
+
+* Wed Feb 23 2022 yaoxin <yaoxin30@huawei.com> - 1.0.1-2
+- Fix CVE-2020-7729
+
 * Thu Aug 20 2020 Anan Fu <fuanan3@huawei.com> - 1.0.1-1
 - package init