Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package heroic-games-launcher for 
openSUSE:Factory checked in at 2026-06-29 17:32:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/heroic-games-launcher (Old)
 and      /work/SRC/openSUSE:Factory/.heroic-games-launcher.new.11887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "heroic-games-launcher"

Mon Jun 29 17:32:54 2026 rev:15 rq:1362434 version:2.22.0

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/heroic-games-launcher/heroic-games-launcher.changes  
    2026-06-01 18:02:40.378998558 +0200
+++ 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.11887/heroic-games-launcher.changes
   2026-06-29 17:34:27.110447435 +0200
@@ -1,0 +2,13 @@
+Mon Jun 29 01:53:04 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Fix CVEs due to vulnerable embedded dependencies:
+  * CVE-2026-13311 (bsc#1269348): shell-quote inefficient input parsing (DoS).
+  * CVE-2026-48779 (bsc#1268918): ws memory exhaustion DoS.
+  * Update embedded dependencies via pnpm overrides:
+  * Force shell-quote to 1.9.0.
+  * Force ws to 7.5.11 and 8.21.0.
+  * Refactor get-sources.sh and spec file to use root-level overrides
+    for compatibility with pnpm v11, ensuring a consistent and
+    reproducible offline build process. 
+
+-------------------------------------------------------------------

Old:
----
  _scmsync.obsinfo

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ heroic-games-launcher.spec ++++++
--- /var/tmp/diff_new_pack.KmRJSe/_old  2026-06-29 17:34:32.646636708 +0200
+++ /var/tmp/diff_new_pack.KmRJSe/_new  2026-06-29 17:34:32.650636845 +0200
@@ -105,9 +105,12 @@
 export PNPM_IGNORE_NODE_VERSION=1
 export PNPM_STORE_DIR=$PWD/.pnpm-store
 
+export pnpm_config_minimum_release_age=0
+export pnpm_config_trust_lockfile=true
+
 export PATH=$PWD/node_modules/.bin:/usr/bin
 
-#pnpm config set store-dir .pnpm-store
+pnpm config set store-dir .pnpm-store
 export PNPM_STORE_DIR=.pnpm-store
 pnpm install --offline --store-dir .pnpm-store --frozen-lockfile 
--ignore-scripts --strict-peer-dependencies=false
 pnpm dist:linux %{arch_flag} --dir
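Review bot: The two added exports relax pnpm safeguards for the rest of %build with no comment saying why: `pnpm_config_minimum_release_age=0` removes the release-age cooldown, and `pnpm_config_trust_lockfile=true` appears to make pnpm accept the lock file as-is. That is tolerable only because the install below runs with `--offline --frozen-lockfile --ignore-scripts`, so every package comes from the pre-built store tarball. I would state that above the exports, e.g. `# Offline build from pnpm-offline-store.tar.gz: no registry access, so the release-age gate and lock file re-checks are disabled on purpose`. The re-enabled `pnpm config set store-dir .pnpm-store` also looks redundant next to `PNPM_STORE_DIR` and `--store-dir`, and it writes to pnpm's config file rather than only the build environment. The %build section starts and ends outside the hunk.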

++++++ get-sources.sh ++++++
--- /var/tmp/diff_new_pack.KmRJSe/_old  2026-06-29 17:34:32.822642725 +0200
+++ /var/tmp/diff_new_pack.KmRJSe/_new  2026-06-29 17:34:32.842643409 +0200
@@ -93,8 +93,8 @@
 # ==========================================================
 # Security / compatibility overrides
 # ==========================================================
-| .pnpm.overrides = (
-    (.pnpm.overrides // {})
+| .overrides = (
+    (.overrides // {})
     + {
         "undici": "7.24.7",
         "undici-types": "7.24.7",
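Review bot: Switching the merge base from `.pnpm.overrides` to `.overrides` drops any entries upstream still keeps under `pnpm.overrides` in package.json, unless an earlier part of the jq filter outside this hunk moves them. If pnpm v11 no longer reads that field, as the changelog implies, those upstream pins would stop applying without any error. Merging both sources keeps them: `((.pnpm.overrides // {}) + (.overrides // {}))`. The filter starts before the hunk and continues past it.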
@@ -103,6 +103,9 @@
         "fast-xml-parser": "5.5.7",
         "@xmldom/xmldom": "0.8.12",
         "find-up": "5.0.0",
+        "shell-quote": "1.9.0",
+        "ws@^7.0.0": "7.5.11",
+        "ws@^8.0.0": "8.21.0"
       }
   )
 ' package.json > temp.json && mv temp.json package.json
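Review bot: The three new pins carry no reference to the advisories they address, so a later maintainer cannot tell when they may be dropped. jq accepts `#` comments inside the filter, e.g. `# CVE-2026-13311 (bsc#1269348)` above `shell-quote` and `# CVE-2026-48779 (bsc#1268918)` above the two `ws` entries. The `ws` selectors only name the `^7.0.0` and `^8.0.0` ranges, so a dependant asking for another major would presumably keep resolving to an unpatched release; that is worth confirming against the generated pnpm-lock.yaml. The jq filter begins above the hunk.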
@@ -119,7 +122,7 @@
 echo "++++++++++++++++++++++++++++++++++++++++++++++"
 
 pnpm config set store-dir .pnpm-store
-pnpm install --ignore-scripts
+pnpm install --ignore-scripts --no-frozen-lockfile
 
 tar cJf ../pnpm-offline-store.tar.gz .pnpm-store node_modules package.json 
pnpm-lock.yaml
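Review bot: `--no-frozen-lockfile` lets pnpm rewrite pnpm-lock.yaml against the live registry each time this script runs, and nothing after the install checks the result. That rewritten lock file is what gets packed into the tarball and later installed with `--frozen-lockfile` in the spec. Anything not covered by an override can also move to a newer release from one run to the next, which works against the reproducibility the changelog aims for. I would add a check between the install and the `tar` call, for example `pnpm why ws shell-quote`, and review the lock file diff before submitting. The script continues above the hunk.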
 

++++++ pnpm-offline-store.tar.gz ++++++
/work/SRC/openSUSE:Factory/heroic-games-launcher/pnpm-offline-store.tar.gz 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.11887/pnpm-offline-store.tar.gz
 differ: char 15, line 1
