Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package heroic-games-launcher for
openSUSE:Factory checked in at 2026-06-29 17:32:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/heroic-games-launcher (Old)
and /work/SRC/openSUSE:Factory/.heroic-games-launcher.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "heroic-games-launcher"
Mon Jun 29 17:32:54 2026 rev:15 rq:1362434 version:2.22.0
Changes:
--------
---
/work/SRC/openSUSE:Factory/heroic-games-launcher/heroic-games-launcher.changes
2026-06-01 18:02:40.378998558 +0200
+++
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.11887/heroic-games-launcher.changes
2026-06-29 17:34:27.110447435 +0200
@@ -1,0 +2,13 @@
+Mon Jun 29 01:53:04 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Fix CVEs due to vulnerable embedded dependencies:
+ * CVE-2026-13311 (bsc#1269348): shell-quote inefficient input parsing (DoS).
+ * CVE-2026-48779 (bsc#1268918): ws memory exhaustion DoS.
+ * Update embedded dependencies via pnpm overrides:
+ * Force shell-quote to 1.9.0.
+ * Force ws to 7.5.11 and 8.21.0.
+ * Refactor get-sources.sh and spec file to use root-level overrides
+ for compatibility with pnpm v11, ensuring a consistent and
+ reproducible offline build process.
+
+-------------------------------------------------------------------
Old:
----
_scmsync.obsinfo
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ heroic-games-launcher.spec ++++++
--- /var/tmp/diff_new_pack.KmRJSe/_old 2026-06-29 17:34:32.646636708 +0200
+++ /var/tmp/diff_new_pack.KmRJSe/_new 2026-06-29 17:34:32.650636845 +0200
@@ -105,9 +105,12 @@
export PNPM_IGNORE_NODE_VERSION=1
export PNPM_STORE_DIR=$PWD/.pnpm-store
+export pnpm_config_minimum_release_age=0
+export pnpm_config_trust_lockfile=true
+
export PATH=$PWD/node_modules/.bin:/usr/bin
-#pnpm config set store-dir .pnpm-store
+pnpm config set store-dir .pnpm-store
export PNPM_STORE_DIR=.pnpm-store
pnpm install --offline --store-dir .pnpm-store --frozen-lockfile
--ignore-scripts --strict-peer-dependencies=false
pnpm dist:linux %{arch_flag} --dir
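Review bot: The two added exports relax pnpm's install policy for the whole %build step without a comment saying why that is safe here. `pnpm_config_minimum_release_age=0` switches off the release-age cooldown, which looks acceptable only because the install that follows is `--offline --frozen-lockfile` against the vendored store, so nothing is resolved from the registry at this point. I would state that above the exports, e.g. `# offline install from the vendored store; any release-age policy must be applied where get-sources.sh resolves`, and add a line on what `pnpm_config_trust_lockfile=true` is needed for with pnpm v11. The re-enabled `pnpm config set store-dir .pnpm-store` repeats what `PNPM_STORE_DIR` and `--store-dir` already set and presumably writes to the build user's pnpm config, so it may be droppable.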
++++++ get-sources.sh ++++++
--- /var/tmp/diff_new_pack.KmRJSe/_old 2026-06-29 17:34:32.822642725 +0200
+++ /var/tmp/diff_new_pack.KmRJSe/_new 2026-06-29 17:34:32.842643409 +0200
@@ -93,8 +93,8 @@
# ==========================================================
# Security / compatibility overrides
# ==========================================================
-| .pnpm.overrides = (
- (.pnpm.overrides // {})
+| .overrides = (
+ (.overrides // {})
+ {
"undici": "7.24.7",
"undici-types": "7.24.7",
@@ -103,6 +103,9 @@
"fast-xml-parser": "5.5.7",
"@xmldom/xmldom": "0.8.12",
"find-up": "5.0.0",
+ "shell-quote": "1.9.0",
+ "ws@^7.0.0": "7.5.11",
+ "ws@^8.0.0": "8.21.0"
}
)
' package.json > temp.json && mv temp.json package.json
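Review bot: Nothing after this jq rewrite confirms that the new `shell-quote` and `ws` pins reach the resolved tree, yet the changelog relies on them to close CVE-2026-13311 and CVE-2026-48779. The selectors `ws@^7.0.0` and `ws@^8.0.0` cover only dependents that request those ranges, so a dependent asking for another major would keep its own version. The previous hunk also moves the key from `.pnpm.overrides` to `.overrides`, which a pnpm release that does not read the root-level key would presumably ignore without an error. After the install I would log and check the result, for example `pnpm why shell-quote ws`, and stop the script if a version other than 1.9.0, 7.5.11 or 8.21.0 is still listed. The jq filter starts before this hunk, so the rest of the expression is not visible here.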
@@ -119,7 +122,7 @@
echo "++++++++++++++++++++++++++++++++++++++++++++++"
pnpm config set store-dir .pnpm-store
-pnpm install --ignore-scripts
+pnpm install --ignore-scripts --no-frozen-lockfile
tar cJf ../pnpm-offline-store.tar.gz .pnpm-store node_modules package.json
pnpm-lock.yaml
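Review bot: `--no-frozen-lockfile` on the install line lets pnpm rewrite `pnpm-lock.yaml` while sources are fetched, so the lockfile archived on the next line is a locally regenerated one and not upstream's. That follows from the overrides edited into package.json earlier in the script, but it also means this is the step where other transitive dependencies can re-resolve to releases upstream never tested, and the spec's `--frozen-lockfile` then trusts whatever was produced here. A comment should say so, e.g. `# package.json was rewritten above, so the lockfile is re-resolved here; review the pnpm-lock.yaml changes before uploading the tarball`. Comparing the regenerated lockfile with upstream's before packaging would keep unexpected version drift visible.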
++++++ pnpm-offline-store.tar.gz ++++++
/work/SRC/openSUSE:Factory/heroic-games-launcher/pnpm-offline-store.tar.gz
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.11887/pnpm-offline-store.tar.gz
differ: char 15, line 1