From 6e1e425ffbeca39381de37663431e05af7a00f56 Mon Sep 17 00:00:00 2001 From: isaacs Date: Tue, 30 May 2017 20:52:45 -0400 Subject: [PATCH 1/4] Upgrade to tar v3 Tar version 3 performs better and is more well tested than its predecessor. npm will be using this in the near future, so there is no benefit in shipping a node-gyp that uses the slower and less reliable fstream-based tar. This drops support for node 0.x, and thus should be considered a breaking semver-major change. PR-URL: https://github.com/nodejs/node-gyp/pull/1212 Reviewed-By: Refael Ackermann Reviewed-By: Ben Noordhuis Reviewed-By: Gibson Fahnestock --- lib/install.js | 38 ++++++++++++++++---------------------- package.json | 5 ++--- 2 files changed, 18 insertions(+), 25 deletions(-) diff --git a/lib/install.js b/lib/install.js index cb84972e18..8a615dfb38 100644 --- a/lib/install.js +++ b/lib/install.js @@ -20,10 +20,8 @@ var fs = require('graceful-fs') , rm = require('rimraf') , path = require('path') , crypto = require('crypto') - , zlib = require('zlib') , log = require('npmlog') , semver = require('semver') - , fstream = require('fstream') , request = require('request') , mkdir = require('mkdirp') , processRelease = require('./process-release') 
@@ -148,41 +146,33 @@ function install (fs, gyp, argv, callback) { var tarPath = gyp.opts.tarball var badDownload = false , extractCount = 0 - , gunzip = zlib.createGunzip() - , extracter = tar.Extract({ path: devDir, strip: 1, filter: isValid }) var contentShasums = {} var expectShasums = {} // checks if a file to be extracted from the tarball is valid. // only .h header files and the gyp files get extracted - function isValid () { - var name = this.path.substring(devDir.length + 1) - var isValid = valid(name) - if (name === '' && this.type === 'Directory') { - // the first directory entry is ok - return true - } + function isValid (path, entry) { + var isValid = valid(path) if (isValid) { - log.verbose('extracted file from tarball', name) + log.verbose('extracted file from tarball', path) extractCount++ } else { // invalid - log.silly('ignoring from tarball', name) + log.silly('ignoring from tarball', path) } return isValid } - gunzip.on('error', cb) - extracter.on('error', cb) - extracter.on('end', afterTarball) - - // download the tarball, gunzip and extract! + // download the tarball and extract! if (tarPath) { - var input = fs.createReadStream(tarPath) - input.pipe(gunzip).pipe(extracter) - return + return tar.extract({ + file: tarPath, + strip: 1, + filter: isValid, + cwd: devDir + }).then(afterTarball, cb) } try { @@ -222,7 +212,11 @@ function install (fs, gyp, argv, callback) { }) // start unzipping and untaring - req.pipe(gunzip).pipe(extracter) + res.pipe(tar.extract({ + strip: 1, + cwd: devDir, + filter: isValid + }).on('close', afterTarball).on('error', cb)) }) // invoked after the tarball has finished being extracted diff --git a/package.json b/package.json index 9279089d7b..15bbf4af4f 100644 --- a/package.json +++ b/package.json @@ -22,7 +22,6 @@ "bin": "./bin/node-gyp.js", "main": "./lib/node-gyp.js", "dependencies": { - "fstream": "^1.0.0", "glob": "^7.0.3", "graceful-fs": "^4.1.2", "mkdirp": "^0.5.0", 
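Review bot: In the `tarPath` branch, `.then(afterTarball, cb)` only sends a rejected extraction to `cb`; an exception thrown by `afterTarball` (defined outside this hunk) would become an unhandled rejection and `callback` would never be called. Chaining the handler after it, `}).then(afterTarball).catch(cb)`, keeps a local-tarball install from stalling silently, provided `cb` is safe to reach that way. Separately, `function isValid (path, entry)` shadows the module-level `path = require('path')` and never uses `entry`; `function isValid (entryPath) {` reads more clearly. The comment above it should also say that the filter now appears to receive the entry name as recorded in the archive, where the old code derived `name` relative to `devDir`.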
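Review bot: `res.pipe(tar.extract({...}))` writes entries into `devDir` while the response is still arriving, so any check built on `contentShasums`/`expectShasums` (declared in the previous hunk, compared outside this one) can only finish after files are already on disk. That ordering predates this commit, but it leaves the `isValid` filter and tar's own path handling as the only guards during unpack, and `// start unzipping and untaring` says none of that. I would replace it with `// stream-extract: entries are written before the shasum check, so the filter and tar's default path checks (preservePaths unset) are the only guards here`. Also confirm what happens if the extractor emits both `'error'` and `'close'` for one failure, since `afterTarball` would then run after `cb`; both are defined outside the hunk.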
@@ -32,11 +31,11 @@
 "request": "^2.87.0",
 "rimraf": "2",
 "semver": "~5.3.0",
- "tar": "^2.0.0",
+ "tar": "^3.1.3",
 "which": "1"
 },
 "engines": {
- "node": ">= 0.8.0"
+ "node": ">= 4.0.0"
 },
 "devDependencies": {
 "tape": "~4.2.0",
From ec8505e15ff52d2fa0d2741b21fdac1a35dfded8 Mon Sep 17 00:00:00 2001
From: Pobegaylo Maksim
Date: Fri, 12 Apr 2019 01:32:01 +0700
Subject: [PATCH 2/4] deps: updated tar package version to 4.4.8
PR-URL: https://github.com/nodejs/node-gyp/pull/1713
Reviewed-By: Refael Ackermann
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 15bbf4af4f..b1efd78a2b 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,7 @@
 "request": "^2.87.0",
 "rimraf": "2",
 "semver": "~5.3.0",
- "tar": "^3.1.3",
+ "tar": "^4.4.8",
 "which": "1"
 },
 "engines": {
From 3578b2abf0da6298c867dd52b1bd15b938bc346e Mon Sep 17 00:00:00 2001
From: Refael Ackermann
Date: Fri, 12 Apr 2019 10:59:57 -0400
Subject: [PATCH 3/4] deps: explicit limit on supported engines
---
 .gitignore | 1 +
 package.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 6748492014..66855599eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 gyp/test
 node_modules
 test/.node-gyp
+package-lock.json
diff --git a/package.json b/package.json
index b1efd78a2b..8d113bb246 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,7 @@
 "request": "^2.87.0",
 "rimraf": "2",
 "semver": "~5.3.0",
- "tar": "^4.4.8",
+ "tar": "4",
 "which": "1"
 },
 "engines": {
From 2bed3af888b89952f6e3fd469ef497e0314d899a Mon Sep 17 00:00:00 2001
From: Refael Ackermann
Date: Fri, 12 Apr 2019 11:01:07 -0400
Subject: [PATCH 4/4] v3.8.1 proposal
---
 CHANGELOG.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33bbfad5de..9f4e2a20fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
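Review bot: In the `package.json` hunk of PATCH 3/4, `"tar": "4"` is a wider range than the `"^4.4.8"` it replaces: it also accepts 4.0.0 through 4.4.7, the releases PATCH 2/4 had just moved past. The same commit adds `package-lock.json` to `.gitignore`, so nothing in the repository pins the resolved version, and an install tree that already holds an older 4.x can satisfy the range. If the aim is only to stay on the 4.x line, `"tar": "^4.4.8"` already does that while keeping the floor. The subject mentions supported engines, yet the `engines` field is untouched in this hunk, so the commit message should say what the range change is for.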
@@ -1,3 +1,15 @@
+v3.8.1 2019-04-12
+=================
+
+### Due to security concern this version drops support for Node.js versions < 4.0.0
+
+* [[`3578b2abf0`](https://github.com/nodejs/node-gyp/commit/3578b2abf0)] - **deps**: explicit limit on supported engines (Refael Ackermann)
+* [[`ec8505e15f`](https://github.com/nodejs/node-gyp/commit/ec8505e15f)] - **deps**: updated tar package version to 4.4.8 (Pobegaylo Maksim) [#1713](https://github.com/nodejs/node-gyp/pull/1713)
+* [[`6e1e425ffb`](https://github.com/nodejs/node-gyp/commit/6e1e425ffb)] - **(BREAKING for node < 4)** Upgrade to tar v3 (isaacs) [#1212](https://github.com/nodejs/node-gyp/pull/1212)
+* [[`e6699d13cd`](https://github.com/nodejs/node-gyp/commit/e6699d13cd)] - **test**: fix addon test for Node.js 12 and V8 7.4 (Richard Lau) [#1705](https://github.com/nodejs/node-gyp/pull/1705)
+* [[`0c6bf530a0`](https://github.com/nodejs/node-gyp/commit/0c6bf530a0)] - **lib**: use print() for python version detection (GreenAddress) [#1534](https://github.com/nodejs/node-gyp/pull/1534)
+
+
 v3.8.0 2018-08-09
 =================