pyload-ng: drop js2py due to CVE-2024-28397

[ruby0b]

pyload therefore now requires python3.12+ where js2py was replaced with dukpy
GHSA-r9pp-r4xf-597r

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[emilazy]

Needs nixfmt and broken = pythonOlder "3.12"; and could perhaps use a backport to 24.05 (though that will break the package in the default package set there). Alternatively, we should probably just upgrade js2pyto a non‐vulnerable version instead.

[ruby0b]

Yeah I guess just patching js2py makes more sense, apparently this is all you need: https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape/blob/main/patch.txt
Kinda unfortunate that js2py is basically abandonware...

[emilazy]

Oh, I misread the advisory as suggesting there was a patched version of js2py. Perhaps we should instead just mark js2py with knownVulnerabilities on both unstable and 24.05.

[ruby0b]

#348943