import nodejs-18.14.2-2.module+el9.2.0.z+18497+a402347c

.gitignore

@@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
-SOURCES/icu4c-71_1-src.tgz
-SOURCES/node-v18.12.1-stripped.tar.gz
-SOURCES/undici-5.11.0.tar.gz
+SOURCES/icu4c-72_1-src.tgz
+SOURCES/node-v18.14.2-stripped.tar.gz
+SOURCES/undici-5.20.0.tar.gz
 SOURCES/wasi-sdk-11.0-linux.tar.gz
 SOURCES/wasi-sdk-14.0-linux.tar.gz

.nodejs.metadata

@@ -1,6 +1,6 @@
 b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
-406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
-20d62c96ab85808e1043376f0d889f74eb2551df SOURCES/node-v18.12.1-stripped.tar.gz
-0ea4e5cfe13969896bf41c0d2d029a621917b944 SOURCES/undici-5.11.0.tar.gz
+a97546f0119c37a3526143bc29fb573a4417ff84 SOURCES/icu4c-72_1-src.tgz
+f4cd3bd79f9ed923f8fd85ac75cc270a91cae6ea SOURCES/node-v18.14.2-stripped.tar.gz
+0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
 ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
 c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz

SOURCES/0001-Disable-running-gyp-on-shared-deps.patch

@@ -1,29 +1,18 @@
-From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001
-From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Fri, 17 Apr 2020 12:59:44 +0200
-Subject: [PATCH] Disable running gyp on shared deps
-
-Signed-off-by: rpm-build <rpm-build>
----
- Makefile |  2 +-
- node.gyp | 17 -----------------
- 2 files changed, 1 insertion(+), 18 deletions(-)
-
 diff --git a/Makefile b/Makefile
-index e0d756f..c90bfa7 100644
+index 9401346623..c9d3da24c5 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -147,7 +147,7 @@ with-code-cache test-code-cache:
-	$(warning '$@' target is a noop)
-
+@@ -169,7 +169,7 @@ with-code-cache test-code-cache:
+ 	$(warning '$@' target is a noop)
+ 
  out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
 +	deps/llhttp/llhttp.gyp \
-	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
-	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
-	$(PYTHON) tools/gyp_node.py -f make
+ 	deps/simdutf/simdutf.gyp \
+ 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 diff --git a/node.gyp b/node.gyp
-index 6b3a6d9..5882cef 100644
+index cec24aed03..13af00f40d 100644
 --- a/node.gyp
 +++ b/node.gyp
 @@ -429,23 +429,6 @@
@@ -41,7 +30,7 @@ index 6b3a6d9..5882cef 100644
 -               'inputs': [ '<(opensslconfig)', ],
 -               'outputs': [ '<(opensslconfig_internal)', ],
 -               'action': [
--                 'python', 'tools/copyfile.py',
+-                 '<(python)', 'tools/copyfile.py',
 -                 '<(opensslconfig)',
 -                 '<(opensslconfig_internal)',
 -               ],
@@ -50,6 +39,3 @@ index 6b3a6d9..5882cef 100644
           }],
        ],
      }, # node_core_target_name
---
-2.36.1
-

SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch

@@ -0,0 +1,53 @@
+From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+Resolves: CVE-2022-4904
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+       q = str;
+       while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+         q++;
++      if (q-str >= 16)
++        return ARES_EBADSTR;
+       memcpy(ipbuf, str, q-str);
+       ipbuf[q-str] = '\0';
+       /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+           const char *str2 = q+1;
+           while (*q && *q != ';' && !ISSPACE(*q))
+             q++;
++          if (q-str >= 32)
++            return ARES_EBADSTR;
+           memcpy(ipbufpfx, str, q-str);
+           ipbufpfx[q-str] = '\0';
+           str = str2;
+-- 
+2.39.2
+

SPECS/nodejs.spec

@@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -40,8 +40,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 12
-%global nodejs_patch 1
+%global nodejs_minor 14
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@@ -57,7 +57,7 @@
 %global v8_major 10
 %global v8_minor 2
 %global v8_build 154
-%global v8_patch 15
+%global v8_patch 26
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@@ -71,10 +71,10 @@
 %global llhttp_version 6.0.10
 
 # libuv - from deps/uv/include/uv/version.h
-%global libuv_version 1.43.0
+%global libuv_version 1.44.2
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.47.0
+%global nghttp2_version 1.51.0
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@@ -89,7 +89,7 @@
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 71
+%global icu_major 72
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}
 
@@ -107,6 +107,12 @@
 %global icu_flag full-icu
 %endif
 
+# simduft from deps/simdutf/simdutf.h
+%global simduft_major 2
+%global simduft_minor 0
+%global simduft_patch 7
+%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
+
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
 
@@ -117,7 +123,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 8.19.2
+%global npm_version 9.5.0
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -126,7 +132,7 @@
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_version 0.0.13
+%global uvwasi_version 0.0.14
 
 # histogram_c - assumed from timestamps
 %global histogram_version 0.11.2
@@ -169,15 +175,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
 
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.11.0.tar.gz
-# Adjustments: rm -f undici-5.11.0/lib/llhttp/llhttp*.wasm
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
+# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm
 # wasi-sdk version can be found in Dockerfile
 # https://github.com/nodejs/undici/blob/v5.8.2/build/Dockerfile
-Source102: undici-5.11.0.tar.gz
+Source102: undici-5.20.0.tar.gz
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch2: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -276,6 +283,7 @@ Provides: bundled(icu) = %{icu_version}
 # or there's no option to built it as a shared dependency, so we bundle them
 Provides: bundled(uvwasi) = %{uvwasi_version}
 Provides: bundled(histogram) = %{histogram_version}
+Provides: bundled(simduft) = %{simduft_version}
 
 # Make sure we keep NPM up to date when we update Node.js
 Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
@@ -578,6 +586,8 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %doc %{_mandir}/man5/package-json.5*
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
+%doc %{_mandir}/man5/npm-global.5.*
+%doc %{_mandir}/man5/npm-json.5.*
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
@@ -602,6 +612,16 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 * Wed Mar 29 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 18.10.0-3
 - Rebuilt for MSVSphere 9.1.
 
+* Tue Mar 21 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-2
+- Provide simduft
+- Resolves: #2159389
+
+* Mon Mar 20 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.14.2-1
+- Rebase to 18.14.2
+- Resolves: #2159389
+- Resolves: CVE-2022-25881, CVE-2022-4904, CVE-2023-23936, CVE-2023-24807
+- Resolves: CVE-2023-23918, CVE-2023-23919, CVE-2023-23920
+
 * Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.12.1-1
 - Rebase + CVEs
 - Resolves: #2142809