Hello community,

here is the log from the commit of package heroic-games-launcher for 
openSUSE:Factory checked in at 2026-04-07 16:33:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/heroic-games-launcher (Old)
 and      /work/SRC/openSUSE:Factory/.heroic-games-launcher.new.21863 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "heroic-games-launcher"

Tue Apr  7 16:33:50 2026 rev:10 rq:1344822 version:2.20.1

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/heroic-games-launcher/heroic-games-launcher.changes  
    2026-03-30 18:31:28.911525462 +0200
+++ 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.21863/heroic-games-launcher.changes
   2026-04-07 16:49:32.826123533 +0200
@@ -1,0 +2,24 @@
+Tue Apr  7 00:20:33 UTC 2026 - Jonatas Gonçalves <[email protected]>
+
+- Fix CVE-2026-34601: update @xmldom/xmldom to >= 0.9.9
+  * Prevents XML injection via unsafe CDATA serialization
+  * Added pnpm override to enforce patched version
+- Improve build robustness in OBS:
+  * Force usage of system pnpm (disable corepack and self-bootstrap)
+  * Use fully offline pnpm workflow (--offline, --frozen-lockfile)
+  * Avoid any network access during build
+  * Drop strict pnpm version pinning from BuildRequires
+    to prevent version skew between Factory and Tumbleweed
+    (always uses system-provided pnpm) 
+
+-------------------------------------------------------------------
+Sat Apr  4 14:07:10 UTC 2026 - mhurron <[email protected]>
+
+- Specify version of electron-builder.
+  * Updates to pnpm caused dependencies to not be handled correctly in
+    electron-builder versions <26.8.1. Issue was sovled in v26.8.1
+    Ref: https://github.com/electron-userland/electron-builder/pull/9618
+    Ref: https://github.com/pnpm/pnpm/issues/10601
+    Fixes bug #1261170
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ heroic-games-launcher.spec ++++++
--- /var/tmp/diff_new_pack.HS2qnV/_old  2026-04-07 16:49:55.311053848 +0200
+++ /var/tmp/diff_new_pack.HS2qnV/_new  2026-04-07 16:49:55.315054013 +0200
@@ -49,7 +49,7 @@
 BuildRequires:  nodejs-electron-devel
 BuildRequires:  openssl-devel
 BuildRequires:  pkgconfig
-BuildRequires:  pnpm = 10.32.1
+BuildRequires:  pnpm
 BuildRequires:  protobuf-devel
 BuildRequires:  vulkan-devel
 BuildRequires:  vulkan-helper
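Review bot: The unversioned `BuildRequires:  pnpm` lets any packaged pnpm, including a future major release, run against a lockfile and offline store that were generated with one specific version. With `--frozen-lockfile --offline` a format change would presumably fail the build rather than re-resolve anything, but that assumption is worth writing down next to the line. A lower bound such as `BuildRequires:  pnpm >= 10` would still avoid the Factory/Tumbleweed skew without accepting arbitrarily old or incompatible versions.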
@@ -86,6 +86,12 @@
 %build
 # Remove precompiled binaries to build from source
 rm public/bin/%{bin_subdir}/linux/vulkan-helper
+rm -rf $HOME/.local/share/pnpm
+
+export PNPM_HOME=/usr
+export PNPM_SKIP_PATH_CHECK=1
+export PNPM_NO_SELF_UPDATE=1
+export PNPM_USE_RUNNING_PNPM=1
 
 # Build Heroic Games Launcher
 export HOME=%{_builddir}/%{name}-%{version}
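Review bot: `rm -rf $HOME/.local/share/pnpm` runs before `export HOME=%{_builddir}/%{name}-%{version}` a few lines further down, so it deletes from whatever HOME the build inherited rather than from the build tree, and the expansion is unquoted. Moving it below the export and quoting it, `rm -rf "$HOME/.local/share/pnpm"`, keeps the cleanup inside the build directory. `export PNPM_HOME=/usr` points pnpm's home at a system prefix; a comment explaining why, or a directory under the build root, would be safer in case pnpm ever tries to write there. The %build section continues past this hunk.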
@@ -93,9 +99,19 @@
 export npm_config_nodedir="/usr/include/electron"
 export ELECTRON_BUILDER_DISABLE_DOWNLOAD=true
 export ELECTRON_MIRROR="file://"
-export PATH=$PWD/node_modules/.bin:$PATH
 
-pnpm config set store-dir .pnpm-store
+# PNPM OFFLINE HARD MODE
+export COREPACK_ENABLE=0
+export COREPACK_ENABLE_STRICT=0
+export COREPACK_HOME=/dev/null
+export PNPM_DISABLE_SELF_UPDATE_CHECK=1
+export PNPM_IGNORE_NODE_VERSION=1
+export PNPM_STORE_DIR=$PWD/.pnpm-store
+
+export PATH=$PWD/node_modules/.bin:/usr/bin
+
+#pnpm config set store-dir .pnpm-store
+export PNPM_STORE_DIR=.pnpm-store
 pnpm install --store-dir .pnpm-store --frozen-lockfile --ignore-scripts 
--strict-peer-dependencies=false --offline
 pnpm dist:linux %{arch_flag} --dir
 
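Review bot: `export PATH=$PWD/node_modules/.bin:/usr/bin` still searches the project's `node_modules/.bin` before `/usr/bin`, so once `pnpm install` has populated that directory, a dependency that ships a `pnpm` or `node` bin would be picked up by `pnpm dist:linux` ahead of the system one. That works against the stated goal of always using the system pnpm. Putting the system directory first, `export PATH=/usr/bin:$PWD/node_modules/.bin`, keeps the guarantee; pnpm is expected to add `node_modules/.bin` for the scripts it runs, but confirm that in a local build. `PNPM_STORE_DIR` is also exported twice with different values (absolute, then relative) while `--store-dir .pnpm-store` is passed anyway. Keeping one absolute value, with a short comment on which of these `PNPM_*` and `COREPACK_*` variables the tools actually honour, would make the offline setup easier to audit.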

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.HS2qnV/_old  2026-04-07 16:49:55.375056497 +0200
+++ /var/tmp/diff_new_pack.HS2qnV/_new  2026-04-07 16:49:55.379056663 +0200
@@ -1,5 +1,5 @@
-mtime: 1774651107
-commit: 41da89a5b81465a1b1a8bc4de5cb2198dd3709176b5276a8321c4ebdffe38f5c
+mtime: 1775526045
+commit: d620667238f4daf2c0000602c9f045c9c7e60b68101e38722eeaf973ded3d356
 url: https://src.opensuse.org/MaxxedSUSE/heroic-games-launcher
 revision: master
 

++++++ get-sources.sh ++++++
--- /var/tmp/diff_new_pack.HS2qnV/_old  2026-04-07 16:49:55.411057988 +0200
+++ /var/tmp/diff_new_pack.HS2qnV/_new  2026-04-07 16:49:55.415058153 +0200
@@ -44,13 +44,13 @@
       | with_entries(select(.key != "electron" and .key != "electron-builder"))
     )
 
+  | del(.packageManager)
+
   | .devDependencies = {
       "electron": .devDependencies["electron"],
-      "electron-builder": .devDependencies["electron-builder"]
+      "electron-builder": "^26.8.2"
     }
 
-  | .packageManager = "[email protected]"
-
   | .scripts.build = "electron-vite build"
   | .scripts["dist:linux"] =
       "pnpm run build && electron-builder --linux --dir 
-c.electronDist=/usr/lib64/electron/ -c.electronVersion=$(cat 
/usr/lib64/electron/version)"
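Review bot: `"electron-builder": "^26.8.2"` is a caret range written by the source-fetch script, so the version that ends up in the lockfile and the offline store depends on the day get-sources.sh is run. An exact `"electron-builder": "26.8.2"` makes the vendored tarball reproducible and easier to review. The changelog names v26.8.1 as the fixed release while the code asks for 26.8.2, so a `#` comment above the `.devDependencies` assignment giving the reason and the upstream PR would remove the ambiguity. The jq program this hunk edits starts and ends outside the hunk.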
@@ -93,15 +93,16 @@
         "fast-xml-parser": "5.3.6",
         "rollup": "4.59.0",
         "@tootallnate/once": "3.0.1",
-        "simple-git": "^3.32.3"
+        "simple-git": "^3.32.3",
+        "fast-xml-parser": "5.5.6"
       }
   )
 
-  # === CVE-2026-33036: fast-xml-parser fixes ===
+  # === CVE-2026-34601: xmldom CDATA injection ===
   | .pnpm.overrides = (
       (.pnpm.overrides // {})
       + {
-          "fast-xml-parser": "5.5.6"
+          "@xmldom/xmldom": "^0.9.9"
         }
     )
 ' package.json > temp.json && mv temp.json package.json
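Review bot: The added `"fast-xml-parser": "5.5.6"` sits in the same object literal as the existing `"fast-xml-parser": "5.3.6",` context line, so the effective version depends on jq keeping the last duplicate key, and the stale entry can mislead the next person bumping it. Delete the `5.3.6` line instead of appending a second key. The `# === CVE-2026-33036: fast-xml-parser fixes ===` header is removed here although the override it explained still exists, so carry it over as a comment next to the moved entry, e.g. `# CVE-2026-33036: fast-xml-parser 5.5.6`. The object that receives the moved entry opens outside this hunk, so it is worth confirming that it is an overrides map pnpm actually applies.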

++++++ heroic-games-launcher-2.20.1.obscpio ++++++
/work/SRC/openSUSE:Factory/heroic-games-launcher/heroic-games-launcher-2.20.1.obscpio
 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.21863/heroic-games-launcher-2.20.1.obscpio
 differ: char 38707, line 886

++++++ pnpm-offline-store.tar.gz ++++++
/work/SRC/openSUSE:Factory/heroic-games-launcher/pnpm-offline-store.tar.gz 
/work/SRC/openSUSE:Factory/.heroic-games-launcher.new.21863/pnpm-offline-store.tar.gz
 differ: char 15, line 1
