import nodejs-18.20.4-1.module+el9.4.0+22195+c221878e

.gitignore

@@ -1,5 +1,5 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-74_2-src.tgz
-SOURCES/node-v18.20.2-stripped.tar.gz
+SOURCES/node-v18.20.4-stripped.tar.gz
 SOURCES/undici-5.28.4.tar.gz
 SOURCES/wasi-sdk-11.0-linux.tar.gz

.nodejs.metadata

@@ -1,5 +1,5 @@
 164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz
 43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz
-09d2d4e4e9984ddb4d89df02465a8fde1917a2a7 SOURCES/node-v18.20.2-stripped.tar.gz
+1865285a5bf26669d5fadbc5eb78e97f4adad612 SOURCES/node-v18.20.4-stripped.tar.gz
 d38d72bec82e3c41a4de73d6ee56d9c9eff5f403 SOURCES/undici-5.28.4.tar.gz
 ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz

SOURCES/CVE-2024-28182.patch

@@ -1,157 +0,0 @@
-Backport from upstream commits.
-https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
-https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
-
-
-diff -ur node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
---- node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h	2024-04-15 14:38:00.000000000 +0200
-+++ node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h	2024-04-15 14:43:36.000000000 +0200
-@@ -440,7 +440,12 @@
-    * exhaustion on server side to send these frames forever and does
-    * not read network.
-    */
--  NGHTTP2_ERR_FLOODED = -904
-+  NGHTTP2_ERR_FLOODED = -904,
-+  /**
-+   * When a local endpoint receives too many CONTINUATION frames
-+   * following a HEADER frame.
-+   */
-+  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
- } nghttp2_error;
- 
- /**
-@@ -2775,6 +2780,17 @@
- 
- /**
-  * @function
-+ *
-+ * This function sets the maximum number of CONTINUATION frames
-+ * following an incoming HEADER frame.  If more than those frames are
-+ * received, the remote endpoint is considered to be misbehaving and
-+ * session will be closed.  The default value is 8.
-+ */
-+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
-+                                                         size_t val);
-+
-+/**
-+ * @function
-  *
-  * Initializes |*session_ptr| for client use.  The all members of
-  * |callbacks| are copied to |*session_ptr|.  Therefore |*session_ptr|
-Only in node-v18.19.1/deps/nghttp2/lib/includes/nghttp2: nghttp2.h.orig
-diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c
---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c	2024-04-15 14:38:00.000000000 +0200
-+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c	2024-04-15 14:41:10.000000000 +0200
-@@ -336,6 +336,8 @@
-            "closed";
-   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
-     return "SETTINGS frame contained more than the maximum allowed entries";
-+  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
-+    return "Too many CONTINUATION frames following a HEADER frame";
-   default:
-     return "Unknown error code";
-   }
-diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c
---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c	2024-04-15 14:38:00.000000000 +0200
-+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c	2024-04-15 14:43:36.000000000 +0200
-@@ -150,3 +150,8 @@
-   option->stream_reset_burst = burst;
-   option->stream_reset_rate = rate;
- }
-+
-+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
-+  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
-+  option->max_continuations = val;
-+}
-diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h
---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h	2024-04-15 14:38:00.000000000 +0200
-+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h	2024-04-15 14:43:36.000000000 +0200
-@@ -71,6 +71,7 @@
-   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
-   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
-   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
-+  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
- } nghttp2_option_flag;
- 
- /**
-@@ -99,6 +100,10 @@
-    */
-   size_t max_settings;
-   /**
-+   * NGHTTP2_OPT_MAX_CONTINUATIONS
-+   */
-+  size_t max_continuations;
-+  /**
-    * Bitwise OR of nghttp2_option_flag to determine that which fields
-    * are specified.
-    */
-diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c
---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c	2024-04-15 14:38:00.000000000 +0200
-+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c	2024-04-15 14:43:36.000000000 +0200
-@@ -496,6 +496,7 @@
-   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
-   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
-   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
-+  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
- 
-   if (option) {
-     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
-@@ -584,6 +585,10 @@
-                            option->stream_reset_burst,
-                            option->stream_reset_rate);
-     }
-+
-+    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
-+      (*session_ptr)->max_continuations = option->max_continuations;
-+    }
-   }
- 
-   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
-@@ -6778,6 +6783,8 @@
-           }
-         }
-         session_inbound_frame_reset(session);
-+
-+        session->num_continuations = 0;
-       }
-       break;
-     }
-@@ -6899,6 +6906,10 @@
-       }
- #endif /* DEBUGBUILD */
- 
-+      if (++session->num_continuations > session->max_continuations) {
-+        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
-+      }
-+
-       readlen = inbound_frame_buf_read(iframe, in, last);
-       in += readlen;
- 
-Only in node-v18.19.1/deps/nghttp2/lib: nghttp2_session.c.orig
-diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h
---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h	2024-04-15 14:38:00.000000000 +0200
-+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h	2024-04-15 14:41:10.000000000 +0200
-@@ -110,6 +110,10 @@
- #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
- #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
- 
-+/* The default max number of CONTINUATION frames following an incoming
-+   HEADER frame. */
-+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
-+
- /* Internal state when receiving incoming frame */
- typedef enum {
-   /* Receiving frame header */
-@@ -290,6 +294,12 @@
-   size_t max_send_header_block_length;
-   /* The maximum number of settings accepted per SETTINGS frame. */
-   size_t max_settings;
-+  /* The maximum number of CONTINUATION frames following an incoming
-+     HEADER frame. */
-+  size_t max_continuations;
-+  /* The number of CONTINUATION frames following an incoming HEADER
-+     frame.  This variable is reset when END_HEADERS flag is seen. */
-+  size_t num_continuations;
-   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
-   uint32_t next_stream_id;
-   /* The last stream ID this session initiated.  For client session,

SPECS/nodejs.spec

@@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2 
+%global baserelease 1
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -41,7 +41,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 18
 %global nodejs_minor 20
-%global nodejs_patch 2
+%global nodejs_patch 4
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@@ -65,7 +65,7 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_version 1.27.0
+%global c_ares_version 1.28.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_version 6.1.1
@@ -74,7 +74,7 @@
 %global libuv_version 1.44.2
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.57.0
+%global nghttp2_version 1.61.0
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@@ -83,9 +83,9 @@
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}
 
 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
-%global ngtcp2_major 0
-%global ngtcp2_minor 8
-%global ngtcp2_patch 1
+%global ngtcp2_major 1
+%global ngtcp2_minor 3
+%global ngtcp2_patch 0
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
@@ -108,13 +108,13 @@
 %endif
 
 # simduft from deps/simdutf/simdutf.h
-%global simduft_major 4
-%global simduft_minor 0
-%global simduft_patch 8
+%global simduft_major 5
+%global simduft_minor 2
+%global simduft_patch 4
 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
 
 # ada from deps/ada/ada.h
-%global ada_version 2.7.6
+%global ada_version 2.7.8
 
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@@ -126,7 +126,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.5.0
+%global npm_version 10.7.0
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -189,7 +189,6 @@ Source102: undici-5.28.4.tar.gz
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch3: nodejs-fips-disable-options.patch
-Patch4: CVE-2024-28182.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -531,9 +530,9 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
     -executable -type f \
     -exec chmod -x {} \;
 
-# Remove powwershell files form npm
-# it isn't useful for linux systems
-# is caused problems - it creates /usr/bin/pwsh requirement
+# NPM bundle dep contain powershell files
+# These files are not useful for linux
+# systems and create /usr/bin/pwsh requirement, so the files are deleted
 find %{buildroot}%{_prefix}/lib/node_modules/npm/bin/*.ps1 -executable -type f -exec rm {} \;
 
 # The above command is a little overzealous. Add a few permissions back.
@@ -634,7 +633,14 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 
 
 %changelog
-* Mon Apr 15 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-2
+* Mon Aug 05 2024 Honza Horak <hhorak@redhat.com> - 1:18.20.4-1
+- Update to 18.20.4
+  Fixes: CVE-2024-22020 CVE-2024-28863
+
+* Mon Apr 22 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-2
+- Removes .ps1 files
+
+* Mon Apr 15 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-1
 - Rebase to 18.20.2
 - Fixes: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629