import nodejs-16.19.1-1.module+el8.7.0+18373+704f5cef

.gitignore

@@ -0,0 +1,6 @@
+SOURCES/cjs-module-lexer-1.2.2.tar.gz
+SOURCES/icu4c-71_1-src.tgz
+SOURCES/node-v16.19.1-stripped.tar.gz
+SOURCES/undici-5.19.1.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-14.tar.gz

.nodejs.metadata

@@ -0,0 +1,6 @@
+b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
+bd54c70441a0d8933e6e78378e47501ef5639038 SOURCES/node-v16.19.1-stripped.tar.gz
+4ba08daec56f2571fc8af493b3a2628d290f9390 SOURCES/undici-5.19.1.tar.gz
+8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
+900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz

SOURCES/0001-Disable-running-gyp-on-shared-deps.patch

@@ -0,0 +1,29 @@
+From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
+Date: Fri, 17 Apr 2020 12:59:44 +0200
+Subject: [PATCH 1/2] Disable running gyp on shared deps
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
+--- a/Makefile
++++ b/Makefile
+@@ -136,11 +136,11 @@ endif
+ .PHONY: test-code-cache
+ with-code-cache test-code-cache:
+ 	$(warning '$@' target is a noop)
+ 
+ out/Makefile: config.gypi common.gypi node.gyp \
+-	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
++	deps/llhttp/llhttp.gyp \
+ 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
+ 	$(PYTHON) tools/gyp_node.py -f make
+
+ # node_version.h is listed because the N-API version is taken from there
+-- 
+2.29.2
+

SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch

@@ -0,0 +1,45 @@
+From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001
+From: Kornel <kornel@geekhood.net>
+Date: Fri, 27 Jan 2023 01:20:38 +0000
+Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
+ whitespace
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/http-cache-semantics/index.js     | 6 +++---
+ deps/npm/node_modules/http-cache-semantics/package.json | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js
+index 4f6c2f3..39d58a7 100644
+--- a/deps/npm/node_modules/http-cache-semantics/index.js
++++ b/deps/npm/node_modules/http-cache-semantics/index.js
+@@ -79,10 +79,10 @@ function parseCacheControl(header) {
+ 
+     // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
+     // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
+-    const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
++    const parts = header.trim().split(/,/);
+     for (const part of parts) {
+-        const [k, v] = part.split(/\s*=\s*/, 2);
+-        cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
++        const [k, v] = part.split(/=/, 2);
++        cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
+     }
+ 
+     return cc;
+diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json
+index 897798d..79c020a 100644
+--- a/deps/npm/node_modules/http-cache-semantics/package.json
++++ b/deps/npm/node_modules/http-cache-semantics/package.json
+@@ -1,6 +1,6 @@
+ {
+     "name": "http-cache-semantics",
+-    "version": "4.1.0",
++    "version": "4.1.1",
+     "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies",
+     "repository": "https://github.com/kornelski/http-cache-semantics.git",
+     "main": "index.js",
+-- 
+2.39.2
+

SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch

@@ -0,0 +1,53 @@
+From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+Resolves: CVE-2022-4904
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
++      if (q-str >= 16)
++        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
++          if (q-str >= 32)
++            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+-- 
+2.39.2
+

SOURCES/btest402.js

@@ -0,0 +1,151 @@
+// Copyright (C) 2014 IBM Corporation and Others. All Rights Reserved.
+// This file is part of the Node.JS ICU enablement work
+// https://github.com/joyent/node/pull/7719
+// and is under the same license.
+//
+// This is a very, very, very basic test of es402
+//
+// URL: https://github.com/srl295/btest402
+// Author: Steven R. Loomis <srl@icu-project.org>
+//
+// for a complete test, see http://test262.ecmascript.org
+//
+// Usage: node btest402.js
+
+try {
+    console.log("You have console.log.");
+} catch(e) {
+    // this works on d8
+    console = { log: print };
+    console.log("Now you have console.log.");
+}
+
+function runbtest() {
+    var summary = {};
+
+    try {
+        var i = Intl;
+        summary.haveIntl = true;
+        console.log("+ Congrats, you have the Intl object.");
+    } catch(e) {
+        console.log("You don't have the Intl object: " + e);
+    }
+
+    if(summary.haveIntl) {
+        var locs = [ "en", "mt", "ja","tlh"];
+        var d = new Date(196400000);
+        for ( var n=0; n<locs.length; n++ ) {
+            var loc = locs[n];
+            var lsummary = summary[loc] = {};
+
+            console.log(loc+":");
+            var sl=null;
+            try {
+                sl = Intl.DateTimeFormat.supportedLocalesOf([loc]);
+                if( sl.length > 0 ) {
+                    lsummary.haveSlo = true;
+                }
+            } catch (e) {
+                console.log("SLO err: " + e);
+            }
+            var dstr = "ERR";
+            try {
+                lsummary.dstr = d.toLocaleString(loc,{month: "long",day:"numeric",weekday:"long",year:"numeric"});
+                console.log(" date: (supported:"+sl+") " + lsummary.dstr);
+            } catch (e) {
+                console.log(" Date Format err: " + e);
+            }
+            try {
+                new Intl.v8BreakIterator();
+                console.log(" Intl.v8BreakIterator:" +
+                            Intl.v8BreakIterator.supportedLocalesOf(loc) + " Supported, first()==" +
+                            new Intl.v8BreakIterator(loc).first() );
+                lsummary.brkOk = true;
+            } catch ( e) {
+                console.log(" Intl.v8BreakIterator error (NOT part of EcmaScript402): " + e);
+            }
+            console.log();
+        }
+    }
+
+    // print summary
+    console.log();
+    console.log("--------- Analysis ---------");
+    stxt = "";
+    if( summary.haveIntl ) {
+        console.log("* You have the 'Intl' object. Congratulations! You have the possibility of being EcmaScript 402 compliant.");
+        stxt += "Have Intl, ";
+
+        if ( !summary.en.haveSlo ) {
+            stxt += "Date:no EN, ";
+            console.log("* English isn't a supported language by the date formatter. Perhaps the data isn't installed properly?");
+        }
+        if ( !summary.tlh.haveSlo ) {
+            stxt += "Date:no 'tlh', ";
+            console.log("* Klingon isn't a supported language by the date formatter. It is without honor!");
+        }
+        // now, what is it actually saying
+        if( summary.en.dstr.indexOf("1970") == -1) {
+            stxt += "Date:bad 'en', ";
+            console.log("* the English date format text looks bad to me. Doesn't even have the year.");
+        } else {
+            if( summary.en.dstr.indexOf("Jan") == -1) {
+                stxt += "Date:bad 'en', ";
+                console.log("* The English date format text looks bad to me. Doesn't have the right month.");
+            }
+        }
+
+        if( summary.mt.dstr == summary.en.dstr ) {
+            stxt += "Date:'mt'=='en', ";
+            console.log("* The English and Maltese look the same to me. Probably a 'small' build.");
+        } else if( summary.mt.dstr.indexOf("1970") == -1) {
+            stxt += "Date:bad 'mt', ";
+            console.log("* the Maltese date format text looks bad to me. Doesn't even have the year. (This data is missing from the Chromium ICU build)");
+        } else {
+            if( summary.mt.dstr.indexOf("Jann") == -1) {
+                stxt += "Date:bad 'mt', ";
+                console.log("* The Maltese date format text looks bad to me. Doesn't have the right month. (This data is missing from the Chromium ICU build)");
+            }
+        }
+
+        if ( !summary.ja.haveSlo ) {
+            stxt += "Date:no 'ja', ";
+            console.log("* Japanese isn't a supported language by the date formatter. Could be a 'small' build.");
+        } else {
+            if( summary.ja.dstr.indexOf("1970") == -1) {
+                stxt += "Date:bad 'ja', ";
+                console.log("* the Japanese date format text looks bad to me. Doesn't even have the year.");
+            } else {
+                if( summary.ja.dstr.indexOf("日") == -1) {
+                    stxt += "Date:bad 'ja', ";
+                    console.log("* The Japanese date format text looks bad to me.");
+                }
+            }
+        }
+        if ( summary.en.brkOk ) {
+            stxt += "FYI: v8Brk:have 'en', ";
+            console.log("* You have Intl.v8BreakIterator support. (Note: not part of ES402.)");
+        }
+    } else {
+        console.log("* You don't have the 'Intl' object. You aren't EcmaScript 402 compliant.");
+        stxt += " NO Intl. ";
+    }
+
+    // 1-liner.
+    console.log();
+    console.log("----------------");
+    console.log( "SUMMARY:" +  stxt );
+}
+
+var dorun = true;
+
+try {
+    if(btest402_noautorun) {
+        dorun = false;
+    }
+} catch(e) {}
+
+if(dorun) {
+    console.log("Running btest..");
+    runbtest();
+}

SOURCES/nodejs-tarball.sh

@@ -0,0 +1,203 @@
+#!/bin/sh
+# Uses Argbash to generate command argument parsing. To update
+# arguments, make sure to call
+# `argbash nodejs-tarball.sh -o nodejs-tarball.sh`
+
+# ARG_POSITIONAL_SINGLE([version],[Node.js release version],[""])
+# ARG_DEFAULTS_POS([])
+# ARG_HELP([Tool to aid in Node.js packaging of new releases])
+# ARGBASH_GO()
+# needed because of Argbash --> m4_ignore([
+### START OF CODE GENERATED BY Argbash v2.8.1 one line above ###
+# Argbash is a bash code generator used to get arguments parsing right.
+# Argbash is FREE SOFTWARE, see https://argbash.io for more info
+
+
+die()
+{
+	local _ret=$2
+	test -n "$_ret" || _ret=1
+	test "$_PRINT_HELP" = yes && print_help >&2
+	echo "$1" >&2
+	exit ${_ret}
+}
+
+
+begins_with_short_option()
+{
+	local first_option all_short_options='h'
+	first_option="${1:0:1}"
+	test "$all_short_options" = "${all_short_options/$first_option/}" && return 1 || return 0
+}
+
+# THE DEFAULTS INITIALIZATION - POSITIONALS
+_positionals=()
+_arg_version=""
+# THE DEFAULTS INITIALIZATION - OPTIONALS
+
+
+print_help()
+{
+	printf '%s\n' "Tool to aid in Node.js packaging of new releases"
+	printf 'Usage: %s [-h|--help] [<version>]\n' "$0"
+	printf '\t%s\n' "<version>: Node.js release version (default: '""')"
+	printf '\t%s\n' "-h, --help: Prints help"
+}
+
+
+parse_commandline()
+{
+	_positionals_count=0
+	while test $# -gt 0
+	do
+		_key="$1"
+		case "$_key" in
+			-h|--help)
+				print_help
+				exit 0
+				;;
+			-h*)
+				print_help
+				exit 0
+				;;
+			*)
+				_last_positional="$1"
+				_positionals+=("$_last_positional")
+				_positionals_count=$((_positionals_count + 1))
+				;;
+		esac
+		shift
+	done
+}
+
+
+handle_passed_args_count()
+{
+	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect between 0 and 1, but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
+}
+
+
+assign_positional_args()
+{
+	local _positional_name _shift_for=$1
+	_positional_names="_arg_version "
+
+	shift "$_shift_for"
+	for _positional_name in ${_positional_names}
+	do
+		test $# -gt 0 || break
+		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
+		shift
+	done
+}
+
+parse_commandline "$@"
+handle_passed_args_count
+assign_positional_args 1 "${_positionals[@]}"
+
+# OTHER STUFF GENERATED BY Argbash
+
+### END OF CODE GENERATED BY Argbash (sortof) ### ])
+# [ <-- needed because of Argbash
+
+
+set -e
+
+echo $_arg_version
+
+if [ x$_arg_version != x ]; then
+    version=$_arg_version
+else
+    version=$(rpm -q --specfile --qf='%{version}\n' nodejs.spec | head -n1)
+fi
+
+rm -f node-v${version}.tar.gz node-v${version}-stripped.tar.gz
+wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz \
+     http://nodejs.org/dist/v${version}/SHASUMS256.txt
+sha256sum -c SHASUMS256.txt --ignore-missing
+tar -zxf node-v${version}.tar.gz
+rm -rf node-v${version}/deps/openssl
+tar -zcf node-v${version}-stripped.tar.gz node-v${version}
+
+# Download the matching version of ICU
+rm -f icu4c*-src.tgz icu.md5
+ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5')
+wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url')
+ICUTARBALL=$(ls -1 icu4c*-src.tgz)
+echo "$ICUMD5  $ICUTARBALL" > icu.md5
+md5sum -c icu.md5
+rm -f icu.md5 SHASUMS256.txt
+
+#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
+
+rm -f node-v${version}.tar.gz
+
+set +e
+
+# Determine the bundled versions of the various packages
+echo "Bundled software versions"
+echo "-------------------------"
+echo
+echo "libnode shared object version"
+echo "========================="
+grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h
+echo
+echo "V8"
+echo "========================="
+grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h
+grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h
+grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h
+grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h
+echo
+echo "c-ares"
+echo "========================="
+grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h
+grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h
+grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
+echo
+echo "llhttp"
+echo "========================="
+grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h
+grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h
+grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h
+echo
+echo "libuv"
+echo "========================="
+grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h
+grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h
+grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h
+echo
+echo "nghttp2"
+echo "========================="
+grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
+echo
+echo "nghttp3"
+echo "========================="
+grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
+echo
+echo "ngtcp2"
+echo "========================="
+grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
+echo
+echo "ICU"
+echo "========================="
+grep "url" node-v${version}/tools/icu/current_ver.dep
+echo
+echo "punycode"
+echo "========================="
+grep "'version'" node-v${version}/lib/punycode.js
+echo
+echo "uvwasi"
+echo "========================="
+grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
+grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
+grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
+echo
+echo "npm"
+echo "========================="
+grep "\"version\":" node-v${version}/deps/npm/package.json
+echo
+echo "Make sure these versions match what is in the RPM spec file"
+
+rm -rf node-v${version}
+# ] <-- needed because of Argbash

SOURCES/nodejs_native.attr

@@ -0,0 +1,2 @@
+%__nodejs_native_requires %{_rpmconfigdir}/nodejs_native.req
+%__nodejs_native_path ^/usr/lib.*/node_modules/.*\\.node$

SOURCES/npmrc

@@ -0,0 +1,2 @@
+prefix=/usr/local
+python=/usr/bin/python3