Use more recent version for libyaml (#5455)

florelis · JohnMcPMS · web-flow · commit cefeec71e5b4 · 2025-05-13T10:45:27.000-07:00
We have a Component Governance alert for libyaml. There is no release of libyaml with this issue fixed, so the guidance was to apply the patch manually, and that's what I did when moving to vcpkg, but that doesn't play nicely with CG because it can't determine that the patch to fix the vulnerability was applied. Instead of manually patching, this PR uses a more recent commit of libyaml (without an official release), which already has the changes we want. It uses the same commit from the last time we did a subtree update in #4583 --------- Co-authored-by: JohnMcPMS <johnmcp@microsoft.com>
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -42,7 +42,7 @@
         "type": "git",
         "git": {
           "repositoryUrl": "https://github.com/yaml/libyaml.git",
-          "commitHash": "2c891fc7a770e8ba2fec34fc6b545c672beb37e6"
+          "commitHash": "840b65c40675e2d06bf40405ad3f12dec7f35923"
         }
       }
     }
diff --git a/src/VcpkgPortOverlay/CreatePortOverlay.ps1 b/src/VcpkgPortOverlay/CreatePortOverlay.ps1
@@ -99,6 +99,21 @@ function Select-DirectoryInPatch
     return $result
 }
 
+<#
+    When updating a portfile, we look for a section that looks like this:
+
+        vcpkg_from_github(
+            OUT_SOURCE_PATH SOURCE_PATH
+            REPO <user/repo>
+            REF <commith hash>
+            SHA512 <code .tar.gz hash>
+            HEAD_REF master
+            PATCHES
+                patch-1.patch
+                patch-2.patch
+        )
+#>
+
 # Adds a patch to a portfile.cmake
 function Add-PatchToPortFile
 {
@@ -109,22 +124,7 @@ function Add-PatchToPortFile
         [string]$PatchName
     )
 
-    <#
-        We're looking for a section that looks like this:
-
-            vcpkg_from_github(
-                OUT_SOURCE_PATH SOURCE_PATH
-                REPO <user/repo>
-                REF <commith hash>
-                SHA512 <hash>
-                HEAD_REF master
-                PATCHES
-                    patch-1.patch
-                    patch-2.patch
-            )
-
-        We look for the line that says "PATCHES" and add the new patch before the closing parenthesis
-    #>
+    # Look for the line that says "PATCHES" and add the new patch before the closing parenthesis
 
     $portFilePath = Join-Path $OverlayRoot $Port "portfile.cmake"
     $originalPortFile = Get-Content $portFilePath
@@ -179,8 +179,57 @@ function Add-PatchToPort
     Add-PatchToPortFile -Port $Port -PatchName $PatchName
 }
 
+# Sets the value of an existing function parameter.
+# For example, REF in vcpkg_from_github
+function Set-ParameterInPortFile
+{
+    param(
+        [Parameter(Mandatory)]
+        [string]$Port,
+        [Parameter(Mandatory)]
+        [string]$ParameterName,
+        [Parameter(Mandatory)]
+        [string]$CurrentValuePattern,
+        [Parameter(Mandatory)]
+        [string]$NewValue
+    )
+
+    $portFilePath = Join-Path $OverlayRoot $Port 'portfile.cmake'
+    $originalPortFile = Get-Content $portFilePath
+
+    # Explanation for the regex:
+    # '(?<=)' - lookbehind without matching
+    # '^ +'   - the parameter is only preceeded by spaces (and followed by a single space)
+    # '(?=)'  - lookahead without matching
+    # ' |$'   - the parameter may be the end of the line, or be followed by something else after a space (e.g. a comment)
+    $regex = "(?<=^ +$ParameterName )$CurrentValuePattern(?= |$)"
+
+    $modifiedPortFile = $originalPortFile -replace $regex, $NewValue
+    $modifiedPortFile | Out-File $portFilePath
+}
+
+# Updates the source commit used for a port.
+# Takes the commit hash, and the hash of the archive with the code that vcpkg will download.
+function Update-PortSource
+{
+    param(
+        [Parameter(Mandatory)]
+        [string]$Port,
+        [Parameter(Mandatory)]
+        [string]$Commit,
+        [Parameter(Mandatory)]
+        [string]$SourceHash
+    )
+
+    $portDir = Join-Path $OverlayRoot $Port
+
+    Set-ParameterInPortFile $Port -ParameterName 'REF' -CurrentValuePattern '[0-9a-f]{40}' -NewValue $Commit
+    Set-ParameterInPortFile $Port -ParameterName 'SHA512' -CurrentValuePattern '[0-9a-f]{128}' -NewValue $SourceHash
+}
+
+
 New-PortOverlay cpprestsdk
-Add-PatchToPort cpprestsdk -PatchRepo "microsoft/winget-cli" -PatchCommit "888b4ed8f4f7d25cb05a47210e083fe29348163b" -PatchName "add-server-certificate-validation.patch" -PatchRoot "src/cpprestsdk/cpprestsdk"
+Add-PatchToPort cpprestsdk -PatchRepo 'microsoft/winget-cli' -PatchCommit '888b4ed8f4f7d25cb05a47210e083fe29348163b' -PatchName 'add-server-certificate-validation.patch' -PatchRoot 'src/cpprestsdk/cpprestsdk'
 
 New-PortOverlay libyaml
-Add-PatchToPort libyaml -PatchRepo "yaml/libyaml" -PatchCommit "51843fe48257c6b7b6e70cdec1db634f64a40818" -PatchName "fix-parser-nesting.patch"
+Update-PortSource libyaml -Commit '840b65c40675e2d06bf40405ad3f12dec7f35923' -SourceHash 'de85560312d53a007a2ddf1fe403676bbd34620480b1ba446b8c16bb366524ba7a6ed08f6316dd783bf980d9e26603a9efc82f134eb0235917b3be1d3eb4b302'
diff --git a/src/VcpkgPortOverlay/README.md b/src/VcpkgPortOverlay/README.md
@@ -1,20 +1,21 @@
 # Overlay ports
 
-This directory contains an overlay for vcpkg ports, for cases where we need to apply local patches.
-In all cases, most of the recipe is taken from the [official vcpkg registry](https://github.com/Microsoft/vcpkg), and we only add a patch.
+This directory contains an overlay for vcpkg ports, for cases where we need local modifications to a port.
+In all cases, most of the recipe is taken from the [official vcpkg registry](https://github.com/Microsoft/vcpkg), and we only make small changes.
 
 The whole directory can be re-created with `.\CreatePortOverlay.ps1`
 
 ## cpprestsdk
 
 We add support for certificate pinning.
 
-Patch file: `add-server-certificate-validation.patch`
-Source for the change: https://github.com/microsoft/winget-cli/commit/888b4ed8f4f7d25cb05a47210e083fe29348163b
+Changes:
+* Add patch file: `add-server-certificate-validation.patch`
+  Patch source: https://github.com/microsoft/winget-cli/commit/888b4ed8f4f7d25cb05a47210e083fe29348163b
 
 ## libyaml
 
-We apply a patch for a vulnerability.
+We use an unreleased version that fixes a vulnerability.
 
-Patch file: `fix-parser-nesting.patch`
-Source for the change: https://github.com/yaml/libyaml/commit/51843fe48257c6b7b6e70cdec1db634f64a40818
+Changes:
+* New source commit: https://github.com/yaml/libyaml/commit/840b65c40675e2d06bf40405ad3f12dec7f35923
diff --git a/src/VcpkgPortOverlay/libyaml/fix-parser-nesting.patch b/src/VcpkgPortOverlay/libyaml/fix-parser-nesting.patch
diff --git a/src/VcpkgPortOverlay/libyaml/portfile.cmake b/src/VcpkgPortOverlay/libyaml/portfile.cmake
@@ -5,13 +5,12 @@ endif()
 vcpkg_from_github(
     OUT_SOURCE_PATH SOURCE_PATH
     REPO yaml/libyaml
-    REF 2c891fc7a770e8ba2fec34fc6b545c672beb37e6 # 0.2.5
-    SHA512 7cdde7b48c937777b851747f7e0b9a74cb7da30173e09305dad931ef83c3fcee3e125e721166690fe6a0987ba897564500530e5518e4b66b1c9b1db8900bf320
+    REF 840b65c40675e2d06bf40405ad3f12dec7f35923 # Unreleased
+    SHA512 de85560312d53a007a2ddf1fe403676bbd34620480b1ba446b8c16bb366524ba7a6ed08f6316dd783bf980d9e26603a9efc82f134eb0235917b3be1d3eb4b302
     HEAD_REF master
     PATCHES
         ${PATCHES}
         export-pkgconfig.patch
-        fix-parser-nesting.patch
 )
 
 vcpkg_cmake_configure(

Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@`
`42`	`42`	`"type": "git",`
`43`	`43`	`"git": {`
`44`	`44`	`"repositoryUrl": "https://github.com/yaml/libyaml.git",`
`45`		`- "commitHash": "2c891fc7a770e8ba2fec34fc6b545c672beb37e6"`
	`45`	`+ "commitHash": "840b65c40675e2d06bf40405ad3f12dec7f35923"`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`	`}`