Hello community,

here is the log from the commit of package heroic-games-launcher for 
openSUSE:Factory checked in at 2026-03-30 18:30:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/heroic-games-launcher (Old)
 and      /work/SRC/openSUSE:Factory/.heroic-games-launcher.new.1999 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "heroic-games-launcher"

Mon Mar 30 18:30:18 2026 rev:9 rq:1343257 version:2.20.1

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/heroic-games-launcher/heroic-games-launcher.changes  
    2026-03-13 21:20:42.354998496 +0100
+++ 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.1999/heroic-games-launcher.changes
    2026-03-30 18:31:28.911525462 +0200
@@ -1,0 +2,32 @@
+Fri Mar 27 22:37:58 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Reversing recent test changes that blocked pnpm downloads.
+  * Reinforcing that this update is to fix CVE-2026-33036: fast-xml-parser 
allows 
+    users to process XML from JS object without C/C++ based libraries or 
callbacks. 
+
+-------------------------------------------------------------------
+Wed Mar 25 01:04:06 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Fix pnpm usage in build environment
+  * Force usage of system pnpm binary instead of Corepack shim
+  * Disable Corepack self-bootstrap to avoid network access
+  * Fix build failure in OBS staging (pnpm attempted to download itself) 
+
+-------------------------------------------------------------------
+Tue Mar 24 22:57:36 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Remove packageManager explicit pnpm version 10.28.2 field from package.json
+  * Avoid pnpm self-bootstrap via Corepack, which attempted to fetch
+    pnpm from the network during build
+  * Fix build failure in OBS staging environment (no network access)
+  * Ensure system-provided pnpm is used instead 
+
+-------------------------------------------------------------------
+Mon Mar 23 03:47:49 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Security: fix CVE-2026-33036 fast-xml-parser DoS bypass
+  * Force fast-xml-parser to 5.5.6 via pnpm override to fix
+    entity expansion DoS bypass where numeric entities were
+    not counted against expansion limits.
+
+-------------------------------------------------------------------
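Review bot: The 27 Mar entry describes CVE-2026-33036 with the fast-xml-parser package summary ("allows users to process XML from JS object without C/C++ based libraries or callbacks"), which names no vulnerability. The 23 Mar entry already has the accurate wording (entity expansion DoS bypass, numeric entities not counted against expansion limits), so reuse that text or simply reference the CVE id. The same entry says it reverses "recent test changes that blocked pnpm downloads" without naming which of the 24 Mar and 25 Mar changes are reverted. Those entries exist to keep the build off the network, so the changelog should state what pnpm handling remains in effect after the revert.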

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ heroic-games-launcher.spec ++++++
--- /var/tmp/diff_new_pack.XpxTRM/_old  2026-03-30 18:32:13.113364051 +0200
+++ /var/tmp/diff_new_pack.XpxTRM/_new  2026-03-30 18:32:13.117364219 +0200
@@ -49,7 +49,7 @@
 BuildRequires:  nodejs-electron-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
-BuildRequires:  pnpm >= 10.17.1
+BuildRequires:  pnpm = 10.32.1
 BuildRequires:  protobuf-devel
 BuildRequires:  vulkan-devel
 BuildRequires:  vulkan-helper
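Review bot: `BuildRequires:  pnpm = 10.32.1` replaces a lower bound with an exact pin and carries no comment explaining why. An exact pin makes the package unresolvable as soon as the pnpm package in the build repository moves to another version, so the spec should say what the pin protects (the changelog suggests it is meant to stop pnpm from trying to fetch another version of itself during the offline build) and what else has to be updated together with it. If only a minimum version is actually required, keep `>=` with the new floor.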

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.XpxTRM/_old  2026-03-30 18:32:13.201367731 +0200
+++ /var/tmp/diff_new_pack.XpxTRM/_new  2026-03-30 18:32:13.209368065 +0200
@@ -1,5 +1,5 @@
-mtime: 1773284939
-commit: 375e4c763f7d889e366603ab888e85fffc9d532e305858d1adbe87731a3c539a
+mtime: 1774651107
+commit: 41da89a5b81465a1b1a8bc4de5cb2198dd3709176b5276a8321c4ebdffe38f5c
 url: https://src.opensuse.org/MaxxedSUSE/heroic-games-launcher
 revision: master
 

++++++ get-sources.sh ++++++
--- /var/tmp/diff_new_pack.XpxTRM/_old  2026-03-30 18:32:13.253369905 +0200
+++ /var/tmp/diff_new_pack.XpxTRM/_new  2026-03-30 18:32:13.261370240 +0200
@@ -49,7 +49,7 @@
       "electron-builder": .devDependencies["electron-builder"]
     }
 
-  | .packageManager = "[email protected]"
+  | .packageManager = "[email protected]"
 
   | .scripts.build = "electron-vite build"
   | .scripts["dist:linux"] =
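Review bot: The `.packageManager` value is hardcoded inside the jq filter, while the spec pins the pnpm build requirement to a fixed version in a separate file, so the two have to be bumped by hand together and nothing checks that they agree. Consider deriving one from the other, or at least adding a comment here that points at the spec line. The 24 Mar changelog entry also says the packageManager field was removed from package.json, yet this hunk still sets it; the changelog and the script should tell the same story.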
@@ -92,15 +92,16 @@
         "react-router-dom": "^7.12.0",
         "fast-xml-parser": "5.3.6",
         "rollup": "4.59.0",
-        "@tootallnate/once": "3.0.1"
+        "@tootallnate/once": "3.0.1",
+        "simple-git": "^3.32.3"
       }
   )
 
-  # === CVE-2026-28292: simple-git fix ===
+  # === CVE-2026-33036: fast-xml-parser fixes ===
   | .pnpm.overrides = (
       (.pnpm.overrides // {})
       + {
-          "simple-git": "^3.32.3"
+          "fast-xml-parser": "5.5.6"
         }
     )
 ' package.json > temp.json && mv temp.json package.json
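Review bot: The context line `"fast-xml-parser": "5.3.6"` in the first map is left unchanged while `.pnpm.overrides` now forces `"fast-xml-parser": "5.5.6"`, so the script pins two different versions of the package this update is meant to fix. Set both to 5.5.6 or drop the older entry, and confirm the resolved version in the lockfile and the offline store. Moving `"simple-git": "^3.32.3"` into the first map also drops the `CVE-2026-28292` comment, which removes the record of why that entry exists; keep a comment next to it. Note that the simple-git entry is a caret range rather than an exact version, unlike the fast-xml-parser override.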

++++++ heroic-games-launcher-2.20.1.obscpio ++++++
/work/SRC/openSUSE:Factory/heroic-games-launcher/heroic-games-launcher-2.20.1.obscpio
 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.1999/heroic-games-launcher-2.20.1.obscpio
 differ: char 387158, line 9298

++++++ pnpm-offline-store.tar.gz ++++++
/work/SRC/openSUSE:Factory/heroic-games-launcher/pnpm-offline-store.tar.gz 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.1999/pnpm-offline-store.tar.gz
 differ: char 15, line 1
