diff --git a/.gitignore b/.gitignore index f1ac6cf..83a09f9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz -SOURCES/icu4c-73_1-src.zip -SOURCES/node-v18.17.1-stripped.tar.gz -SOURCES/undici-5.22.1.tar.gz +SOURCES/icu4c-73_2-src.tgz +SOURCES/node-v18.18.2-stripped.tar.gz +SOURCES/undici-5.26.3.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index b834780..c1dee03 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,5 +1,5 @@ b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz -7ef13722e78a6a7eeda293e3bccc006651d50d83 SOURCES/icu4c-73_1-src.zip -0638f527de54888935ae3ef469eb1f01cf3d3475 SOURCES/node-v18.17.1-stripped.tar.gz -bcb2ceaa999c98df652d4fd5e571294cd560013b SOURCES/undici-5.22.1.tar.gz +3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz +d30d3f7338020a16a5e2417b6c6def016b2852d8 SOURCES/node-v18.18.2-stripped.tar.gz +edb9aa7012424bfe24514b5ea5b99ef3733651ab SOURCES/undici-5.26.3.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh index 6a94b29..f59d5c2 100755 --- a/SOURCES/nodejs-tarball.sh +++ b/SOURCES/nodejs-tarball.sh @@ -120,10 +120,10 @@ rm -rf node-v${version}/deps/openssl tar -zcf node-v${version}-stripped.tar.gz node-v${version} # Download the matching version of ICU -rm -f icu4c*-src.zip icu.md5 +rm -f icu4c*-src.tgz icu.md5 ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5') wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url') -ICUTARBALL=$(ls -1 icu4c*-src.zip) +ICUTARBALL=$(ls -1 icu4c*-src.tgz) echo "$ICUMD5 $ICUTARBALL" > icu.md5 md5sum -c icu.md5 rm -f icu.md5 SHASUMS256.txt diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 9145ba4..2714ef3 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -29,7 +29,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -40,8 +40,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 17 -%global nodejs_patch 1 +%global nodejs_minor 18 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -74,7 +74,7 @@ %global libuv_version 1.44.2 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.52.0 +%global nghttp2_version 1.57.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 @@ -90,7 +90,7 @@ # ICU - from tools/icu/current_ver.dep %global icu_major 73 -%global icu_minor 1 +%global icu_minor 2 %global icu_version %{icu_major}.%{icu_minor} %global icudatadir %{nodejs_datadir}/icudata @@ -110,11 +110,11 @@ # simduft from deps/simdutf/simdutf.h %global simduft_major 3 %global simduft_minor 2 -%global simduft_patch 12 +%global simduft_patch 14 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} # ada from deps/ada/ada.h -%global ada_version 2.5.0 +%global ada_version 2.6.0 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -126,7 +126,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 9.6.7 +%global npm_version 9.8.1 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -138,7 +138,7 @@ %global uvwasi_version 0.0.18 # histogram_c - assumed from timestamps -%global histogram_version 0.11.2 +%global histogram_version 0.11.8 Name: nodejs Epoch: %{nodejs_epoch} @@ -157,7 +157,7 @@ ExclusiveArch: %{nodejs_arches} Source0: node-v%{nodejs_version}-stripped.tar.gz Source1: npmrc Source2: btest402.js -Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.zip +Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz Source100: %{name}-tarball.sh # The native module Requires generator remains in the nodejs SRPM, so it knows @@ -181,10 +181,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz -# Adjustments: rm -f undici-5.22.1/lib/llhttp/llhttp*.wasm +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.3.tar.gz +# Adjustments: rm -f undici-5.26.3/lib/llhttp/llhttp*.wasm # Build uses alpine image, see alpine for sources for wasi-sdk -Source102: undici-5.22.1.tar.gz +Source102: undici-5.26.3.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch @@ -440,7 +440,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -unzip -a %{SOURCE3} +tar xzf %{SOURCE3} pushd icu/source @@ -628,6 +628,14 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %changelog +* Sun Oct 15 2023 Zuzana Svetlikova - 1:18.18.2-2 +- Bump nghttp too + +* Sat Oct 14 2023 Zuzana Svetlikova - 1:18.18.2-1 +- Rebase to 18.18.2 (Security release) +- Switch icu from zip to tgz +- Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333 + * Wed Aug 23 2023 Jan Staněk - 1:18.17.1-1 - Rebase to version 18.17.1 Resolves: rhbz#2228940