Hello community,

here is the log from the commit of package python-bqplot for openSUSE:Factory checked in at 2025-08-22 17:47:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-bqplot (Old)
 and /work/SRC/openSUSE:Factory/.python-bqplot.new.29662 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-bqplot" Fri Aug 22 17:47:36 2025 rev:18 rq:1300838 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/python-bqplot/python-bqplot.changes 2025-07-21 20:01:39.782488339 +0200 +++ /work/SRC/openSUSE:Factory/.python-bqplot.new.29662/python-bqplot.changes 2025-08-22 17:48:37.073995676 +0200 @@ -1,0 +2,8 @@ +Thu Aug 21 17:00:29 UTC 2025 - Ben Greiner <c...@bnavigator.de> + +- Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288 + * We need to keep most of the js lock (yarn.lock) because 0.12 + is still not fully updatable with jupyterlab 4. This will + hopefully change with 0.13, which is at rc stage + +------------------------------------------------------------------- New: ---- bqplot-js.patch ----------(New B)---------- New: - Add bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288 * We need to keep most of the js lock (yarn.lock) because 0.12 ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-bqplot.spec ++++++ --- /var/tmp/diff_new_pack.tMNaX4/_old 2025-08-22 17:48:38.070036671 +0200 +++ /var/tmp/diff_new_pack.tMNaX4/_new 2025-08-22 17:48:38.074036835 +0200 @@ -31,6 +31,8 @@ Source1: node_modules.tar.xz # Script to vendor node_modules sources Source2: create_node_modules.sh +# PATCH-FIX-OPENSUSE bqplot-js.patch boo#1248431 CVE-2025-9287 CVE-2025-9288 +Patch0: bqplot-js.patch BuildRequires: %{python_module jupyter-packaging} BuildRequires: %{python_module jupyterlab} BuildRequires: %{python_module pip} @@ -95,8 +97,6 @@ %prep %autosetup -p1 -n bqplot-%{pyver} -a1 -# sync with create_node_modules.sh -sed -i '/builder/ s/\^3/\^4/' js/package.json rm bqplot/install.py %build @@ -104,7 +104,6 @@ export PATH="${PATH}:node_modules/.bin" jlpm run build popd -echo "IM HERE" %pyproject_wheel %install ++++++ bqplot-js.patch ++++++ diff -ur a/js/package.json b/js/package.json --- a/js/package.json 2025-05-21 19:20:26.000000000 +0200 
+++ b/js/package.json 2025-08-21 18:56:06.584707667 +0200 @@ -35,7 +35,7 @@ "devDependencies": { "@jupyter-widgets/base-manager": "^1.0.0", "@jupyter-widgets/controls": "^5", - "@jupyterlab/builder": "^3.0.0", + "@jupyterlab/builder": "^4.0.0", "@types/chai": "^4.1.7", "@types/d3": "^5.7.2", "@types/expect.js": "^0.3.29", @@ -103,5 +103,9 @@ "css/", "lib/", "shaders/" - ] + ], + "resolutions": { + "cipher-base": "1.0.6", + "sha.js": "2.4.12" + } } ++++++ create_node_modules.sh ++++++ --- /var/tmp/diff_new_pack.tMNaX4/_old 2025-08-22 17:48:38.118038646 +0200 +++ /var/tmp/diff_new_pack.tMNaX4/_new 2025-08-22 17:48:38.118038646 +0200 @@ -2,11 +2,11 @@ # # Script to create node_modules.tar.xz # needs bower, webpack and webpack-cli installed +# apply bqplot-js.patch before running this script pushd js -sed -i '/builder/ s/\^3/\^4/' package.json jlpm install jlpm run build popd -tar cJf node_modules.tar.xz js/node_modules +tar cJf node_modules.tar.xz js/node_modules js/yarn.lock ++++++ node_modules.tar.xz ++++++ /work/SRC/openSUSE:Factory/python-bqplot/node_modules.tar.xz /work/SRC/openSUSE:Factory/.python-bqplot.new.29662/node_modules.tar.xz differ: char 15, line 1
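Review bot: In python-bqplot.spec, the %prep hunk that adds Patch0 and drops the sed has no check that the vendored node_modules.tar.xz (Source1, unpacked by -a1) was regenerated with bqplot-js.patch applied. The build only runs "jlpm run build" against whatever is in the tarball, so a stale tarball would build cleanly while the "resolutions" pins in the patched js/package.json have no effect on the shipped JavaScript. Consider a short assertion in %prep, after %autosetup, that reads the version fields of the unpacked cipher-base and sha.js packages under js/node_modules and fails unless they are 1.0.6 and 2.4.12, so the CVE-2025-9287 and CVE-2025-9288 references in the changelog are backed by something the build enforces.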
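Review bot: In bqplot-js.patch, the file starts directly at the "diff -ur a/js/package.json b/js/package.json" line with no description header, and the second hunk's "resolutions" block pins "cipher-base": "1.0.6" and "sha.js": "2.4.12" to exact versions without recording which pin answers which CVE. JSON cannot carry a comment, so the patch header is the place to state the CVE-to-package mapping, the boo#1248431 reference, and the condition for dropping the pins (the changelog points at 0.13). The header should also say that the first hunk, the "@jupyterlab/builder" bump from "^3.0.0" to "^4.0.0", is the former sed from the spec and is not part of the security fix, since the PATCH-FIX-OPENSUSE tag line in the spec lists only the CVEs.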
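Review bot: In create_node_modules.sh, the new line "# apply bqplot-js.patch before running this script" turns a step the script used to perform itself (the removed sed) into a manual precondition that nothing enforces. If the patch is forgotten, "jlpm install" runs against the unpatched package.json and the tarball is produced without the pinned cipher-base and sha.js, with no error. Either have the script apply the patch itself, or add a guard right after "pushd js" that aborts when package.json has no "resolutions" entry. Adding js/yarn.lock to the tar command is a good change, since it records what was actually resolved; the leading comment "needs bower, webpack and webpack-cli installed" is worth rechecking while this file is being touched.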