.gitignore

@@ -1,6 +1,2 @@
-SOURCES/cjs-module-lexer-1.2.2.tar.gz
+SOURCES/icu4c-67_1-src.tgz
-SOURCES/icu4c-71_1-src.tgz
+SOURCES/node-v12.22.12-stripped.tar.gz
-SOURCES/node-v16.20.2-stripped.tar.gz
-SOURCES/undici-5.20.0.tar.gz
-SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
-SOURCES/wasi-sdk-wasi-sdk-14.tar.gz

.nodejs.metadata

@@ -1,6 +1,2 @@
-b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
+49c907b1445701724914a0571bf6be62a25583af SOURCES/node-v12.22.12-stripped.tar.gz
-0024086ed6090aaea422fb2bd329f898bf924df6 SOURCES/node-v16.20.2-stripped.tar.gz
-0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
-8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
-900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz

SOURCES/0001-Disable-running-gyp-on-shared-deps.patch

@@ -1,6 +1,6 @@
-From 6c80c1956373978489a297a630f4f50222c47775 Mon Sep 17 00:00:00 2001
+From 641730c7d1322dacd8e1020ec0753795d01200f0 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
+From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Tue, 30 May 2023 13:12:35 +0200
+Date: Thu, 27 Apr 2017 14:25:42 +0200
 Subject: [PATCH] Disable running gyp on shared deps
 
 Signed-off-by: rpm-build <rpm-build>
@@ -9,18 +9,18 @@ Signed-off-by: rpm-build <rpm-build>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index ef3eda2..8b52a4f 100644
+index 32a8a6c..f44f88a 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -148,7 +148,7 @@ with-code-cache test-code-cache:
+@@ -141,7 +141,7 @@ test-code-cache: with-code-cache
- 	$(warning '$@' target is a noop)
+ 	echo "'test-code-cache' target is a noop"
  
  out/Makefile: config.gypi common.gypi node.gyp \
--	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
+-	deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \
-+	deps/llhttp/llhttp.gyp \
++	deps/http_parser/http_parser.gyp \
  	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
  	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
  	$(PYTHON) tools/gyp_node.py -f make
 -- 
-2.44.0
+2.26.2
 

SOURCES/0002-disable-fips-options.patch

@@ -1,26 +0,0 @@
-From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
-From: Honza Horak <hhorak@redhat.com>
-Date: Thu, 12 Oct 2023 13:52:59 +0200
-Subject: [PATCH] disable fips options
-
-Signed-off-by: rpm-build <rpm-build>
----
- src/crypto/crypto_util.cc | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
-index 59ae7f8..7343396 100644
---- a/src/crypto/crypto_util.cc
-+++ b/src/crypto/crypto_util.cc
-@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
-   /* Override FIPS settings in configuration file, if needed. */
-   if (per_process::cli_options->enable_fips_crypto ||
-       per_process::cli_options->force_fips_crypto) {
-+      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
-+      return false;
- #if OPENSSL_VERSION_MAJOR >= 3
-     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
-     if (fips_provider == nullptr)
--- 
-2.44.0
-

SOURCES/0003-src-use-getauxval-in-node_main.cc.patch

@@ -0,0 +1,70 @@
+From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Tue, 2 Jun 2020 05:33:25 +0200
+Subject: [PATCH 3/3] src: use getauxval in node_main.cc
+
+This commit suggests using getauxval in node_main.cc.
+
+The motivation for this is that getauxval was introduced in glibc 2.16
+and looking at BUILDING.md, in the 'Platform list' section, it looks
+like we now support glibc >= 2.17 and perhaps this change would be
+alright now.
+
+PR-URL: https://github.com/nodejs/node/pull/33693
+Refs: https://github.com/nodejs/node/pull/12548
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: David Carlier <devnexen@gmail.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+---
+ src/node_main.cc | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/src/node_main.cc b/src/node_main.cc
+index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644
+--- a/src/node_main.cc
++++ b/src/node_main.cc
+@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) {
+   return node::Start(argc, argv);
+ }
+ #else
+ // UNIX
+ #ifdef __linux__
+-#include <elf.h>
+-#ifdef __LP64__
+-#define Elf_auxv_t Elf64_auxv_t
+-#else
+-#define Elf_auxv_t Elf32_auxv_t
+-#endif  // __LP64__
+-extern char** environ;
++#include <sys/auxv.h>
+ #endif  // __linux__
+ #if defined(__POSIX__) && defined(NODE_SHARED_MODE)
+ #include <string.h>
+ #include <signal.h>
+ #endif
+@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) {
+     sigaction(SIGPIPE, &act, nullptr);
+   }
+ #endif
+ 
+ #if defined(__linux__)
+-  char** envp = environ;
+-  while (*envp++ != nullptr) {}
+-  Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp);
+-  for (; auxv->a_type != AT_NULL; auxv++) {
+-    if (auxv->a_type == AT_SECURE) {
+-      node::per_process::linux_at_secure = auxv->a_un.a_val;
+-      break;
+-    }
+-  }
++  node::per_process::linux_at_secure = getauxval(AT_SECURE);
+ #endif
+   // Disable stdio buffering, it interacts poorly with printf()
+   // calls elsewhere in the program (e.g., any logging from V8.)
+   setvbuf(stdout, nullptr, _IONBF, 0);
+   setvbuf(stderr, nullptr, _IONBF, 0);
+-- 
+2.30.1
+

SOURCES/0004-Fix-CVE-2024-22019.patch

@@ -1,581 +0,0 @@
-From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
-From: Honza Horak <hhorak@redhat.com>
-Date: Mon, 15 Apr 2024 15:21:35 +0200
-Subject: [PATCH] Fix CVE-2024-22019
-
-Resolves: RHEL-28064
-
-This is a combination of the upstream commit from v18:
-https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
-
-and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
-chunk features.
-
-Original patch:
-> From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
-> From: Paolo Insogna <paolo@cowtech.it>
-> Date: Tue, 9 Jan 2024 18:10:04 +0100
-> Subject: [PATCH] http: add maximum chunk extension size
->
-> Cherry-picked from v18 patch:
-> https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
->
-> PR-URL: https://github.com/nodejs-private/node-private/pull/520
-> Refs: https://github.com/nodejs-private/node-private/pull/518
-> CVE-ID: CVE-2024-22019
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/llhttp/.gitignore                        |   1 +
- deps/llhttp/CMakeLists.txt                    |   2 +-
- deps/llhttp/include/llhttp.h                  |   7 +-
- deps/llhttp/src/api.c                         |   7 +
- deps/llhttp/src/llhttp.c                      | 122 ++++++++++++++--
- doc/api/errors.md                             |  12 ++
- lib/_http_server.js                           |   9 ++
- src/node_http_parser.cc                       |  20 ++-
- .../test-http-chunk-extensions-limit.js       | 131 ++++++++++++++++++
- tools/update-llhttp.sh                        |   2 +-
- 10 files changed, 294 insertions(+), 19 deletions(-)
- create mode 100644 deps/llhttp/.gitignore
- create mode 100644 test/parallel/test-http-chunk-extensions-limit.js
-
-diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
-new file mode 100644
-index 0000000..98438a2
---- /dev/null
-+++ b/deps/llhttp/.gitignore
-@@ -0,0 +1 @@
-+libllhttp.pc
-diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
-index d038203..747564a 100644
---- a/deps/llhttp/CMakeLists.txt
-+++ b/deps/llhttp/CMakeLists.txt
-@@ -1,7 +1,7 @@
- cmake_minimum_required(VERSION 3.5.1)
- cmake_policy(SET CMP0069 NEW)
- 
--project(llhttp VERSION 6.0.11)
-+project(llhttp VERSION 6.1.0)
- include(GNUInstallDirs)
- 
- set(CMAKE_C_STANDARD 99)
-diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
-index 2da66f1..78f27ab 100644
---- a/deps/llhttp/include/llhttp.h
-+++ b/deps/llhttp/include/llhttp.h
-@@ -2,8 +2,8 @@
- #define INCLUDE_LLHTTP_H_
- 
- #define LLHTTP_VERSION_MAJOR 6
--#define LLHTTP_VERSION_MINOR 0
--#define LLHTTP_VERSION_PATCH 11
-+#define LLHTTP_VERSION_MINOR 1
-+#define LLHTTP_VERSION_PATCH 0
- 
- #ifndef LLHTTP_STRICT_MODE
- # define LLHTTP_STRICT_MODE 0
-@@ -348,6 +348,9 @@ struct llhttp_settings_s {
-    */
-   llhttp_cb      on_headers_complete;
- 
-+  /* Possible return values 0, -1, HPE_USER */
-+  llhttp_data_cb on_chunk_parameters;
-+
-   /* Possible return values 0, -1, HPE_USER */
-   llhttp_data_cb on_body;
- 
-diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
-index c4ce197..d3065b3 100644
---- a/deps/llhttp/src/api.c
-+++ b/deps/llhttp/src/api.c
-@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
- }
- 
- 
-+int llhttp__on_chunk_parameters(llhttp_t* s, const char* p, const char* endp) {
-+  int err;
-+  SPAN_CALLBACK_MAYBE(s, on_chunk_parameters, p, endp - p);
-+  return err;
-+}
-+
-+
- int llhttp__on_chunk_complete(llhttp_t* s, const char* p, const char* endp) {
-   int err;
-   CALLBACK_MAYBE(s, on_chunk_complete);
-diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
-index 5e7c5d1..46f86a0 100644
---- a/deps/llhttp/src/llhttp.c
-+++ b/deps/llhttp/src/llhttp.c
-@@ -340,6 +340,8 @@ enum llparse_state_e {
-   s_n_llhttp__internal__n_invoke_is_equal_content_length,
-   s_n_llhttp__internal__n_chunk_size_almost_done,
-   s_n_llhttp__internal__n_chunk_parameters,
-+  s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
-+  s_n_llhttp__internal__n_chunk_parameters_ows,
-   s_n_llhttp__internal__n_chunk_size_otherwise,
-   s_n_llhttp__internal__n_chunk_size,
-   s_n_llhttp__internal__n_chunk_size_digit,
-@@ -539,6 +541,10 @@ int llhttp__on_body(
-     llhttp__internal_t* s, const unsigned char* p,
-     const unsigned char* endp);
- 
-+int llhttp__on_chunk_parameters(
-+    llhttp__internal_t* s, const unsigned char* p,
-+    const unsigned char* endp);
-+
- int llhttp__on_status(
-     llhttp__internal_t* s, const unsigned char* p,
-     const unsigned char* endp);
-@@ -1226,8 +1232,7 @@ static llparse_state_t llhttp__internal__run(
-           goto s_n_llhttp__internal__n_chunk_parameters;
-         }
-         case 2: {
--          p++;
--          goto s_n_llhttp__internal__n_chunk_size_almost_done;
-+          goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
-         }
-         default: {
-           goto s_n_llhttp__internal__n_error_10;
-@@ -1236,6 +1241,34 @@ static llparse_state_t llhttp__internal__run(
-       /* UNREACHABLE */;
-       abort();
-     }
-+    case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
-+    s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
-+      if (p == endp) {
-+        return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
-+      }
-+      state->_span_pos0 = (void*) p;
-+      state->_span_cb0 = llhttp__on_chunk_parameters;
-+      goto s_n_llhttp__internal__n_chunk_parameters;
-+      /* UNREACHABLE */;
-+      abort();
-+    }
-+    case s_n_llhttp__internal__n_chunk_parameters_ows:
-+    s_n_llhttp__internal__n_chunk_parameters_ows: {
-+      if (p == endp) {
-+        return s_n_llhttp__internal__n_chunk_parameters_ows;
-+      }
-+      switch (*p) {
-+        case ' ': {
-+          p++;
-+          goto s_n_llhttp__internal__n_chunk_parameters_ows;
-+        }
-+        default: {
-+          goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
-+        }
-+      }
-+      /* UNREACHABLE */;
-+      abort();
-+    }
-     case s_n_llhttp__internal__n_chunk_size_otherwise:
-     s_n_llhttp__internal__n_chunk_size_otherwise: {
-       if (p == endp) {
-@@ -1246,13 +1279,9 @@ static llparse_state_t llhttp__internal__run(
-           p++;
-           goto s_n_llhttp__internal__n_chunk_size_almost_done;
-         }
--        case ' ': {
--          p++;
--          goto s_n_llhttp__internal__n_chunk_parameters;
--        }
-         case ';': {
-           p++;
--          goto s_n_llhttp__internal__n_chunk_parameters;
-+          goto s_n_llhttp__internal__n_chunk_parameters_ows;
-         }
-         default: {
-           goto s_n_llhttp__internal__n_error_11;
-@@ -6074,6 +6103,24 @@ static llparse_state_t llhttp__internal__run(
-     /* UNREACHABLE */;
-     abort();
-   }
-+  s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
-+    const unsigned char* start;
-+    int err;
-+
-+    start = state->_span_pos0;
-+    state->_span_pos0 = NULL;
-+    err = llhttp__on_chunk_parameters(state, start, p);
-+    if (err != 0) {
-+      state->error = err;
-+      state->error_pos = (const char*) (p + 1);
-+      state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
-+      return s_error;
-+    }
-+    p++;
-+    goto s_n_llhttp__internal__n_chunk_size_almost_done;
-+    /* UNREACHABLE */;
-+    abort();
-+  }
-   s_n_llhttp__internal__n_error_10: {
-     state->error = 0x2;
-     state->reason = "Invalid character in chunk parameters";
-@@ -8441,6 +8488,8 @@ enum llparse_state_e {
-   s_n_llhttp__internal__n_invoke_is_equal_content_length,
-   s_n_llhttp__internal__n_chunk_size_almost_done,
-   s_n_llhttp__internal__n_chunk_parameters,
-+  s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
-+  s_n_llhttp__internal__n_chunk_parameters_ows,
-   s_n_llhttp__internal__n_chunk_size_otherwise,
-   s_n_llhttp__internal__n_chunk_size,
-   s_n_llhttp__internal__n_chunk_size_digit,
-@@ -8635,6 +8684,10 @@ int llhttp__on_body(
-     llhttp__internal_t* s, const unsigned char* p,
-     const unsigned char* endp);
- 
-+int llhttp__on_chunk_parameters(
-+    llhttp__internal_t* s, const unsigned char* p,
-+    const unsigned char* endp);
-+
- int llhttp__on_status(
-     llhttp__internal_t* s, const unsigned char* p,
-     const unsigned char* endp);
-@@ -9299,8 +9352,7 @@ static llparse_state_t llhttp__internal__run(
-           goto s_n_llhttp__internal__n_chunk_parameters;
-         }
-         case 2: {
--          p++;
--          goto s_n_llhttp__internal__n_chunk_size_almost_done;
-+          goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
-         }
-         default: {
-           goto s_n_llhttp__internal__n_error_6;
-@@ -9309,6 +9361,34 @@ static llparse_state_t llhttp__internal__run(
-       /* UNREACHABLE */;
-       abort();
-     }
-+    case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
-+    s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
-+      if (p == endp) {
-+        return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
-+      }
-+      state->_span_pos0 = (void*) p;
-+      state->_span_cb0 = llhttp__on_chunk_parameters;
-+      goto s_n_llhttp__internal__n_chunk_parameters;
-+      /* UNREACHABLE */;
-+      abort();
-+    }
-+    case s_n_llhttp__internal__n_chunk_parameters_ows:
-+    s_n_llhttp__internal__n_chunk_parameters_ows: {
-+      if (p == endp) {
-+        return s_n_llhttp__internal__n_chunk_parameters_ows;
-+      }
-+      switch (*p) {
-+        case ' ': {
-+          p++;
-+          goto s_n_llhttp__internal__n_chunk_parameters_ows;
-+        }
-+        default: {
-+          goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
-+        }
-+      }
-+      /* UNREACHABLE */;
-+      abort();
-+    }
-     case s_n_llhttp__internal__n_chunk_size_otherwise:
-     s_n_llhttp__internal__n_chunk_size_otherwise: {
-       if (p == endp) {
-@@ -9319,13 +9399,9 @@ static llparse_state_t llhttp__internal__run(
-           p++;
-           goto s_n_llhttp__internal__n_chunk_size_almost_done;
-         }
--        case ' ': {
--          p++;
--          goto s_n_llhttp__internal__n_chunk_parameters;
--        }
-         case ';': {
-           p++;
--          goto s_n_llhttp__internal__n_chunk_parameters;
-+          goto s_n_llhttp__internal__n_chunk_parameters_ows;
-         }
-         default: {
-           goto s_n_llhttp__internal__n_error_7;
-@@ -13951,6 +14027,24 @@ static llparse_state_t llhttp__internal__run(
-     /* UNREACHABLE */;
-     abort();
-   }
-+  s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
-+    const unsigned char* start;
-+    int err;
-+
-+    start = state->_span_pos0;
-+    state->_span_pos0 = NULL;
-+    err = llhttp__on_chunk_parameters(state, start, p);
-+    if (err != 0) {
-+      state->error = err;
-+      state->error_pos = (const char*) (p + 1);
-+      state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
-+      return s_error;
-+    }
-+    p++;
-+    goto s_n_llhttp__internal__n_chunk_size_almost_done;
-+    /* UNREACHABLE */;
-+    abort();
-+  }
-   s_n_llhttp__internal__n_error_6: {
-     state->error = 0x2;
-     state->reason = "Invalid character in chunk parameters";
-diff --git a/doc/api/errors.md b/doc/api/errors.md
-index dcf8744..a76bfe5 100644
---- a/doc/api/errors.md
-+++ b/doc/api/errors.md
-@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
- HTTP parsing will abort without a request or response object being created, and
- an `Error` with this code will be emitted.
- 
-+<a id="HPE_CHUNK_EXTENSIONS_OVERFLOW"></a>
-+
-+### `HPE_CHUNK_EXTENSIONS_OVERFLOW`
-+
-+<!-- YAML
-+added: REPLACEME
-+-->
-+
-+Too much data was received for a chunk extensions. In order to protect against
-+malicious or malconfigured clients, if more than 16 KiB of data is received
-+then an `Error` with this code will be emitted.
-+
- <a id="HPE_UNEXPECTED_CONTENT_LENGTH"></a>
- 
- ### `HPE_UNEXPECTED_CONTENT_LENGTH`
-diff --git a/lib/_http_server.js b/lib/_http_server.js
-index 4e23266..325bce6 100644
---- a/lib/_http_server.js
-+++ b/lib/_http_server.js
-@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
-   `HTTP/1.1 431 ${STATUS_CODES[431]}\r\n` +
-   'Connection: close\r\n\r\n', 'ascii'
- );
-+
-+const requestChunkExtensionsTooLargeResponse = Buffer.from(
-+  `HTTP/1.1 413 ${STATUS_CODES[413]}\r\n` +
-+  'Connection: close\r\n\r\n', 'ascii',
-+);
-+
- function socketOnError(e) {
-   // Ignore further errors
-   this.removeListener('error', socketOnError);
-@@ -719,6 +725,9 @@ function socketOnError(e) {
-         case 'HPE_HEADER_OVERFLOW':
-           response = requestHeaderFieldsTooLargeResponse;
-           break;
-+        case 'HPE_CHUNK_EXTENSIONS_OVERFLOW':
-+          response = requestChunkExtensionsTooLargeResponse;
-+          break;
-         case 'ERR_HTTP_REQUEST_TIMEOUT':
-           response = requestTimeoutResponse;
-           break;
-diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
-index 74f3248..b92e848 100644
---- a/src/node_http_parser.cc
-+++ b/src/node_http_parser.cc
-@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
- const uint32_t kOnTimeout = 6;
- // Any more fields than this will be flushed into JS
- const size_t kMaxHeaderFieldsCount = 32;
-+// Maximum size of chunk extensions
-+const size_t kMaxChunkExtensionsSize = 16384;
- 
- const uint32_t kLenientNone = 0;
- const uint32_t kLenientHeaders = 1 << 0;
-@@ -206,6 +208,7 @@ class Parser : public AsyncWrap, public StreamListener {
- 
-   int on_message_begin() {
-     num_fields_ = num_values_ = 0;
-+    chunk_extensions_nread_ = 0;
-     url_.Reset();
-     status_message_.Reset();
-     header_parsing_start_time_ = uv_hrtime();
-@@ -443,9 +446,22 @@ class Parser : public AsyncWrap, public StreamListener {
-     return 0;
-   }
- 
--  // Reset nread for the next chunk
-+  int on_chunk_extension(const char* at, size_t length) {
-+    chunk_extensions_nread_ += length;
-+
-+    if (chunk_extensions_nread_ > kMaxChunkExtensionsSize) {
-+      llhttp_set_error_reason(&parser_,
-+        "HPE_CHUNK_EXTENSIONS_OVERFLOW:Chunk extensions overflow");
-+      return HPE_USER;
-+    }
-+
-+    return 0;
-+  }
-+
-+  // Reset nread for the next chunk and also reset the extensions counter
-   int on_chunk_header() {
-     header_nread_ = 0;
-+    chunk_extensions_nread_ = 0;
-     return 0;
-   }
- 
-@@ -887,6 +903,7 @@ class Parser : public AsyncWrap, public StreamListener {
-   const char* current_buffer_data_;
-   bool pending_pause_ = false;
-   uint64_t header_nread_ = 0;
-+  uint64_t chunk_extensions_nread_ = 0;
-   uint64_t max_http_header_size_;
-   uint64_t headers_timeout_;
-   uint64_t header_parsing_start_time_ = 0;
-@@ -921,6 +938,7 @@ const llhttp_settings_t Parser::settings = {
-   Proxy<DataCall, &Parser::on_header_field>::Raw,
-   Proxy<DataCall, &Parser::on_header_value>::Raw,
-   Proxy<Call, &Parser::on_headers_complete>::Raw,
-+  Proxy<DataCall, &Parser::on_chunk_extension>::Raw,
-   Proxy<DataCall, &Parser::on_body>::Raw,
-   Proxy<Call, &Parser::on_message_complete>::Raw,
-   Proxy<Call, &Parser::on_chunk_header>::Raw,
-diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
-new file mode 100644
-index 0000000..6868b3d
---- /dev/null
-+++ b/test/parallel/test-http-chunk-extensions-limit.js
-@@ -0,0 +1,131 @@
-+'use strict';
-+
-+const common = require('../common');
-+const http = require('http');
-+const net = require('net');
-+const assert = require('assert');
-+
-+// Verify that chunk extensions are limited in size when sent all together.
-+{
-+  const server = http.createServer((req, res) => {
-+    req.on('end', () => {
-+      res.writeHead(200, { 'Content-Type': 'text/plain' });
-+      res.end('bye');
-+    });
-+
-+    req.resume();
-+  });
-+
-+  server.listen(0, () => {
-+    const sock = net.connect(server.address().port);
-+    let data = '';
-+
-+    sock.on('data', (chunk) => data += chunk.toString('utf-8'));
-+
-+    sock.on('end', common.mustCall(function() {
-+      assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
-+      server.close();
-+    }));
-+
-+    sock.end('' +
-+      'GET / HTTP/1.1\r\n' +
-+      'Host: localhost:8080\r\n' +
-+      'Transfer-Encoding: chunked\r\n\r\n' +
-+      '2;' + 'A'.repeat(20000) + '=bar\r\nAA\r\n' +
-+      '0\r\n\r\n'
-+    );
-+  });
-+}
-+
-+// Verify that chunk extensions are limited in size when sent in intervals.
-+{
-+  const server = http.createServer((req, res) => {
-+    req.on('end', () => {
-+      res.writeHead(200, { 'Content-Type': 'text/plain' });
-+      res.end('bye');
-+    });
-+
-+    req.resume();
-+  });
-+
-+  server.listen(0, () => {
-+    const sock = net.connect(server.address().port);
-+    let remaining = 20000;
-+    let data = '';
-+
-+    const interval = setInterval(
-+      () => {
-+        if (remaining > 0) {
-+          sock.write('A'.repeat(1000));
-+        } else {
-+          sock.write('=bar\r\nAA\r\n0\r\n\r\n');
-+          clearInterval(interval);
-+        }
-+
-+        remaining -= 1000;
-+      },
-+      common.platformTimeout(20),
-+    ).unref();
-+
-+    sock.on('data', (chunk) => data += chunk.toString('utf-8'));
-+
-+    sock.on('end', common.mustCall(function() {
-+      assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
-+      server.close();
-+    }));
-+
-+    sock.write('' +
-+    'GET / HTTP/1.1\r\n' +
-+    'Host: localhost:8080\r\n' +
-+    'Transfer-Encoding: chunked\r\n\r\n' +
-+    '2;'
-+    );
-+  });
-+}
-+
-+// Verify the chunk extensions is correctly reset after a chunk
-+{
-+  const server = http.createServer((req, res) => {
-+    req.on('end', () => {
-+      res.writeHead(200, { 'content-type': 'text/plain', 'connection': 'close', 'date': 'now' });
-+      res.end('bye');
-+    });
-+
-+    req.resume();
-+  });
-+
-+  server.listen(0, () => {
-+    const sock = net.connect(server.address().port);
-+    let data = '';
-+
-+    sock.on('data', (chunk) => data += chunk.toString('utf-8'));
-+
-+    sock.on('end', common.mustCall(function() {
-+      assert.strictEqual(
-+        data,
-+        'HTTP/1.1 200 OK\r\n' +
-+        'content-type: text/plain\r\n' +
-+        'connection: close\r\n' +
-+        'date: now\r\n' +
-+        'Transfer-Encoding: chunked\r\n' +
-+        '\r\n' +
-+        '3\r\n' +
-+        'bye\r\n' +
-+        '0\r\n' +
-+        '\r\n',
-+      );
-+
-+      server.close();
-+    }));
-+
-+    sock.end('' +
-+      'GET / HTTP/1.1\r\n' +
-+      'Host: localhost:8080\r\n' +
-+      'Transfer-Encoding: chunked\r\n\r\n' +
-+      '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
-+      '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
-+      '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
-+      '0\r\n\r\n'
-+    );
-+  });
-+}
-diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
-index 12e2f46..a95eef1 100755
---- a/tools/update-llhttp.sh
-+++ b/tools/update-llhttp.sh
-@@ -59,5 +59,5 @@ echo ""
- echo "Please git add llhttp, commit the new version:"
- echo ""
- echo "$ git add -A deps/llhttp"
--echo "$ git commit -m \"deps: update nghttp2 to $LLHTTP_VERSION\""
-+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
- echo ""
--- 
-2.44.0
-

SOURCES/0004-always-available-fips-options.patch

@@ -0,0 +1,622 @@
+From 7bc4111b770ada25cdd6e1b938ca7a914617ea53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
+Date: Tue, 25 Aug 2020 14:04:54 +0200
+Subject: [PATCH] crypto: make FIPS related options always awailable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is no reason to hide FIPS functionality behind build flags.
+OpenSSL always provide the information about FIPS availability via
+`FIPS_mode()` function.
+
+This makes the user experience more consistent, because the OpenSSL
+library is always queried and the `crypto.getFips()` always returns
+OpenSSL settings.
+
+Fixes #34903
+
+PR-URL: https://github.com/nodejs/node/pull/36341
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Michael Dawson <midawson@redhat.com>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ doc/api/cli.md                                |  8 +--
+ lib/crypto.js                                 | 22 ++----
+ node.gypi                                     |  3 -
+ src/node.cc                                   |  6 +-
+ src/node_config.cc                            |  2 -
+ src/node_crypto.cc                            | 45 +++++++-----
+ src/node_options.cc                           |  2 -
+ src/node_options.h                            |  2 -
+ test/parallel/test-cli-node-print-help.js     |  7 +-
+ test/parallel/test-crypto-fips.js             | 71 +++++++++----------
+ ...rocess-env-allowed-flags-are-documented.js | 11 +--
+ 11 files changed, 74 insertions(+), 105 deletions(-)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 86635f267b..6f14fa6810 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -183,8 +183,8 @@ code from strings throw an exception instead. This does not affect the Node.js
+ added: v6.0.0
+ -->
+ 
+-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
+-`./configure --openssl-fips`.)
++Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
++against FIPS-compatible OpenSSL.)
+ 
+ ### `--enable-source-maps`
+ <!-- YAML
+@@ -550,8 +550,8 @@ added: v6.9.0
+ -->
+ 
+ Load an OpenSSL configuration file on startup. Among other uses, this can be
+-used to enable FIPS-compliant crypto if Node.js is built with
+-`./configure --openssl-fips`.
++used to enable FIPS-compliant crypto if Node.js is built
++against FIPS-enabled OpenSSL.
+ 
+ ### `--pending-deprecation`
+ <!-- YAML
+diff --git a/lib/crypto.js b/lib/crypto.js
+index b2bcc4d0a4..93d5e21fa0 100644
+--- a/lib/crypto.js
++++ b/lib/crypto.js
+@@ -37,12 +37,10 @@ assertCrypto();
+ 
+ const {
+   ERR_CRYPTO_FIPS_FORCED,
+-  ERR_CRYPTO_FIPS_UNAVAILABLE
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+ const { getOptionValue } = require('internal/options');
+ const pendingDeprecation = getOptionValue('--pending-deprecation');
+-const { fipsMode } = internalBinding('config');
+ const fipsForced = getOptionValue('--force-fips');
+ const {
+   getFipsCrypto,
+@@ -191,10 +189,8 @@ module.exports = {
+   sign: signOneShot,
+   setEngine,
+   timingSafeEqual,
+-  getFips: !fipsMode ? getFipsDisabled :
+-    fipsForced ? getFipsForced : getFipsCrypto,
+-  setFips: !fipsMode ? setFipsDisabled :
+-    fipsForced ? setFipsForced : setFipsCrypto,
++  getFips: fipsForced ? getFipsForced : getFipsCrypto,
++  setFips: fipsForced ? setFipsForced : setFipsCrypto,
+   verify: verifyOneShot,
+ 
+   // Classes
+@@ -213,19 +209,11 @@ module.exports = {
+   Verify
+ };
+ 
+-function setFipsDisabled() {
+-  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
+-}
+-
+ function setFipsForced(val) {
+   if (val) return;
+   throw new ERR_CRYPTO_FIPS_FORCED();
+ }
+ 
+-function getFipsDisabled() {
+-  return 0;
+-}
+-
+ function getFipsForced() {
+   return 1;
+ }
+@@ -247,10 +235,8 @@ ObjectDefineProperties(module.exports, {
+   },
+   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
+   fips: {
+-    get: !fipsMode ? getFipsDisabled :
+-      fipsForced ? getFipsForced : getFipsCrypto,
+-    set: !fipsMode ? setFipsDisabled :
+-      fipsForced ? setFipsForced : setFipsCrypto
++    get: fipsForced ? getFipsForced : getFipsCrypto,
++    set: fipsForced ? setFipsForced : setFipsCrypto
+   },
+   DEFAULT_ENCODING: {
+     enumerable: false,
+diff --git a/node.gypi b/node.gypi
+index 116c1c7149..34f385f652 100644
+--- a/node.gypi
++++ b/node.gypi
+@@ -320,9 +320,6 @@
+     [ 'node_use_openssl=="true"', {
+       'defines': [ 'HAVE_OPENSSL=1' ],
+       'conditions': [
+-        ['openssl_fips != "" or openssl_is_fips=="true"', {
+-          'defines': [ 'NODE_FIPS_MODE' ],
+-        }],
+         [ 'node_shared_openssl=="false"', {
+           'dependencies': [
+             './deps/openssl/openssl.gyp:openssl',
+diff --git a/src/node.cc b/src/node.cc
+index 46e8f74cc2..0a5c3ee8ee 100644
+--- a/src/node.cc
++++ b/src/node.cc
+@@ -964,11 +964,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
+     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+       crypto::UseExtraCaCerts(extra_ca_certs);
+   }
+-#ifdef NODE_FIPS_MODE
+   // In the case of FIPS builds we should make sure
+   // the random source is properly initialized first.
+-  OPENSSL_init();
+-#endif  // NODE_FIPS_MODE
++  if (FIPS_mode()) {
++    OPENSSL_init();
++  }
+   // V8 on Windows doesn't have a good source of entropy. Seed it from
+   // OpenSSL's pool.
+   V8::SetEntropySource(crypto::EntropySource);
+diff --git a/src/node_config.cc b/src/node_config.cc
+index 6ee3164a13..e229eee765 100644
+--- a/src/node_config.cc
++++ b/src/node_config.cc
+@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
+   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
+ #endif  // HAVE_OPENSSL
+ 
+-#ifdef NODE_FIPS_MODE
+   READONLY_TRUE_PROPERTY(target, "fipsMode");
+-#endif
+ 
+ #ifdef NODE_HAVE_I18N_SUPPORT
+ 
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 764dcb8720..f142e625ef 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -50,6 +50,11 @@
+ #include <openssl/hmac.h>
+ #include <openssl/rand.h>
+ #include <openssl/pkcs12.h>
++// The FIPS-related functions are only available
++// when the OpenSSL itself was compiled with FIPS support.
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif // OPENSSL_FIPS
+ 
+ #include <cerrno>
+ #include <climits>  // INT_MAX
+@@ -97,6 +102,7 @@ using v8::Signature;
+ using v8::String;
+ using v8::Uint32;
+ using v8::Undefined;
++using v8::TryCatch;
+ using v8::Value;
+ 
+ #ifdef OPENSSL_NO_OCB
+@@ -3595,12 +3601,10 @@ void CipherBase::Init(const char* cipher_type,
+   HandleScope scope(env()->isolate());
+   MarkPopErrorOnReturn mark_pop_error_on_return;
+ 
+-#ifdef NODE_FIPS_MODE
+   if (FIPS_mode()) {
+     return env()->ThrowError(
+         "crypto.createCipher() is not supported in FIPS mode.");
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
+   if (cipher == nullptr)
+@@ -3786,13 +3790,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
+       return false;
+     }
+ 
+-#ifdef NODE_FIPS_MODE
+     // TODO(tniessen) Support CCM decryption in FIPS mode
+     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
+       env()->ThrowError("CCM decryption not supported in FIPS mode");
+       return false;
+     }
+-#endif
+ 
+     // Tell OpenSSL about the desired length.
+     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
+@@ -4712,7 +4714,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
+ }
+ 
+ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+-#ifdef NODE_FIPS_MODE
+   /* Validate DSA2 parameters from FIPS 186-4 */
+   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
+     DSA* dsa = EVP_PKEY_get0_DSA(key);
+@@ -4728,7 +4729,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+            (L == 2048 && N == 256) ||
+            (L == 3072 && N == 256);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   return true;
+ }
+@@ -6889,7 +6889,6 @@ void InitCryptoOnce() {
+   settings = nullptr;
+ #endif
+ 
+-#ifdef NODE_FIPS_MODE
+   /* Override FIPS settings in cnf file, if needed. */
+   unsigned long err = 0;  // NOLINT(runtime/int)
+   if (per_process::cli_options->enable_fips_crypto ||
+@@ -6899,12 +6898,10 @@ void InitCryptoOnce() {
+     }
+   }
+   if (0 != err) {
+-    fprintf(stderr,
+-            "openssl fips failed: %s\n",
+-            ERR_error_string(err, nullptr));
+-    UNREACHABLE();
++      auto* isolate = Isolate::GetCurrent();
++      auto* env = Environment::GetCurrent(isolate);
++      return ThrowCryptoError(env, err);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+ 
+   // Turn off compression. Saves memory and protects against CRIME attacks.
+@@ -6950,7 +6947,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
+ }
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
+ }
+@@ -6968,17 +6964,33 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+     return ThrowCryptoError(env, err);
+   }
+ }
+-#endif /* NODE_FIPS_MODE */
++
++void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
++#ifdef OPENSSL_FIPS
++  const auto enabled = FIPS_selftest() ? 1 : 0;
++#else  // OPENSSL_FIPS
++  const auto enabled = 0;
++#endif  // OPENSSL_FIPS
++
++  args.GetReturnValue().Set(enabled);
++}
+ 
+ 
+ void Initialize(Local<Object> target,
+                 Local<Value> unused,
+                 Local<Context> context,
+                 void* priv) {
++  Environment* env = Environment::GetCurrent(context);
++
+   static uv_once_t init_once = UV_ONCE_INIT;
++  TryCatch try_catch{env->isolate()};
+   uv_once(&init_once, InitCryptoOnce);
+ 
+-  Environment* env = Environment::GetCurrent(context);
++  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
++    try_catch.ReThrow();
++    return;
++  }
++
+   SecureContext::Initialize(env, target);
+   target->Set(env->context(),
+             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
+@@ -7007,10 +7019,9 @@ void Initialize(Local<Object> target,
+   env->SetMethod(target, "setEngine", SetEngine);
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
+   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
+-#endif
++  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
+ 
+   env->SetMethod(target, "pbkdf2", PBKDF2);
+   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 0240b2ef58..d1230da1ad 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -729,7 +729,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             &PerProcessOptions::ssl_openssl_cert_store);
+   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
+   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
+-#if NODE_FIPS_MODE
+   AddOption("--enable-fips",
+             "enable FIPS crypto at startup",
+             &PerProcessOptions::enable_fips_crypto,
+@@ -738,7 +737,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             "force FIPS crypto (cannot be disabled)",
+             &PerProcessOptions::force_fips_crypto,
+             kAllowedInEnvironment);
+-#endif
+ #endif
+   AddOption("--use-largepages",
+             "Map the Node.js static code to large pages. Options are "
+diff --git a/src/node_options.h b/src/node_options.h
+index aa138c6970..f5e1e7da57 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -236,10 +236,8 @@ class PerProcessOptions : public Options {
+ #endif
+   bool use_openssl_ca = false;
+   bool use_bundled_ca = false;
+-#if NODE_FIPS_MODE
+   bool enable_fips_crypto = false;
+   bool force_fips_crypto = false;
+-#endif
+ #endif
+ 
+   // Per-process because reports can be triggered outside a known V8 context.
+diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
+index e115124b04..ed58bf085c 100644
+--- a/test/parallel/test-cli-node-print-help.js
++++ b/test/parallel/test-cli-node-print-help.js
+@@ -8,8 +8,6 @@ const common = require('../common');
+ 
+ const assert = require('assert');
+ const { exec } = require('child_process');
+-const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
+ let stdOut;
+ 
+ 
+@@ -29,9 +27,8 @@ function validateNodePrintHelp() {
+   const cliHelpOptions = [
+     { compileConstant: HAVE_OPENSSL,
+       flags: [ '--openssl-config=...', '--tls-cipher-list=...',
+-               '--use-bundled-ca', '--use-openssl-ca' ] },
+-    { compileConstant: fipsMode,
+-      flags: [ '--enable-fips', '--force-fips' ] },
++               '--use-bundled-ca', '--use-openssl-ca',
++               '--enable-fips', '--force-fips' ] },
+     { compileConstant: NODE_HAVE_I18N_SUPPORT,
+       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
+     { compileConstant: HAVE_INSPECTOR,
+diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
+index eae3134402..a1ed645184 100644
+--- a/test/parallel/test-crypto-fips.js
++++ b/test/parallel/test-crypto-fips.js
+@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
+ const path = require('path');
+ const fixtures = require('../common/fixtures');
+ const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
++const { testFipsCrypto } = internalBinding('crypto');
+ 
+ const FIPS_ENABLED = 1;
+ const FIPS_DISABLED = 0;
+-const FIPS_ERROR_STRING =
+-  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
+-  'non-FIPS build.';
+ const FIPS_ERROR_STRING2 =
+   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
+   '--force-fips at startup.';
+-const OPTION_ERROR_STRING = 'bad option';
++const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
+ 
+ const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
+ const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
+ 
+ let num_children_ok = 0;
+ 
+-function compiledWithFips() {
+-  return fipsMode ? true : false;
+-}
+-
+ function sharedOpenSSL() {
+   return process.config.variables.node_shared_openssl;
+ }
+@@ -75,17 +68,17 @@ testHelper(
+ 
+ // --enable-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // --force-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     process.env);
+ 
+@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
+ 
+@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ }
+@@ -136,50 +129,50 @@ testHelper(
+ 
+ // --enable-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // OPENSSL_CONF should _not_ make a difference to --enable-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // --force-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // Using OPENSSL_CONF should not make a difference to --force-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // setFipsCrypto should be able to turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto should be able to turn FIPS mode on and off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+@@ -187,27 +180,27 @@ testHelper(
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [`--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  'stdout',
+   [`--openssl-config=${CNF_FIPS_ON}`],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  FIPS_DISABLED,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // --enable-fips does not prevent use of setFipsCrypto API
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -216,15 +209,15 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+ // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -233,7 +226,7 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips', '--enable-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+@@ -241,6 +234,6 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--enable-fips', '--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 0e0af9471c..af10809634 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -44,17 +44,8 @@ const conditionalOpts = [
+   { include: common.hasCrypto,
+     filter: (opt) => {
+       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
+-              '--use-openssl-ca' ].includes(opt);
++              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
+     } },
+-  {
+-    // We are using openssl_is_fips from the configuration because it could be
+-    // the case that OpenSSL is FIPS compatible but fips has not been enabled
+-    // (starting node with --enable-fips). If we use common.hasFipsCrypto
+-    // that would only tells us if fips has been enabled, but in this case we
+-    // want to check options which will be available regardless of whether fips
+-    // is enabled at runtime or not.
+-    include: process.config.variables.openssl_is_fips,
+-    filter: (opt) => opt.includes('-fips') },
+   { include: common.hasIntl,
+     filter: (opt) => opt === '--icu-data-dir' },
+   { include: process.features.inspector,
+-- 
+2.31.1
+

SOURCES/0005-src-ensure-to-close-stream-when-destroying-session.patch

@@ -1,42 +0,0 @@
-From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
-From: RafaelGSS <rafael.nunu@hotmail.com>
-Date: Tue, 26 Mar 2024 15:55:13 -0300
-Subject: [PATCH] src: ensure to close stream when destroying session
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Co-Authored-By: Anna Henningsen <anna@addaleax.net>
-PR-URL: https://github.com/nodejs-private/node-private/pull/561
-Fixes: https://hackerone.com/reports/2319584
-Reviewed-By: Michael Dawson <midawson@redhat.com>
-Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
-Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
-Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
-CVE-ID: CVE-2024-27983
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
-Signed-off-by: rpm-build <rpm-build>
----
- src/node_http2.cc | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/src/node_http2.cc b/src/node_http2.cc
-index 53216dc..9a6d63d 100644
---- a/src/node_http2.cc
-+++ b/src/node_http2.cc
-@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
- Http2Session::~Http2Session() {
-   CHECK(!is_in_scope());
-   Debug(this, "freeing nghttp2 session");
-+  // Ensure that all `Http2Stream` instances and the memory they hold
-+  // on to are destroyed before the nghttp2 session is.
-+  for (const auto& [id, stream] : streams_) {
-+    stream->Detach();
-+  }
-+  streams_.clear();
-   // Explicitly reset session_ so the subsequent
-   // current_nghttp2_memory_ check passes.
-   session_.reset();
--- 
-2.44.0
-

SOURCES/0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch

@@ -1,112 +0,0 @@
-From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
-From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
-Date: Sat, 9 Mar 2024 16:26:42 +0900
-Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
-Fixes: CVE-2024-28182
-Signed-off-by: rpm-build <rpm-build>
----
- deps/nghttp2/lib/includes/nghttp2/nghttp2.h |  7 ++++++-
- deps/nghttp2/lib/nghttp2_helper.c           |  2 ++
- deps/nghttp2/lib/nghttp2_session.c          |  7 +++++++
- deps/nghttp2/lib/nghttp2_session.h          | 10 ++++++++++
- 4 files changed, 25 insertions(+), 1 deletion(-)
-
-diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
-index fa22081..b394bde 100644
---- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
-+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
-@@ -440,7 +440,12 @@ typedef enum {
-    * exhaustion on server side to send these frames forever and does
-    * not read network.
-    */
--  NGHTTP2_ERR_FLOODED = -904
-+  NGHTTP2_ERR_FLOODED = -904,
-+  /**
-+   * When a local endpoint receives too many CONTINUATION frames
-+   * following a HEADER frame.
-+   */
-+  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
- } nghttp2_error;
- 
- /**
-diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
-index 93dd475..b3563d9 100644
---- a/deps/nghttp2/lib/nghttp2_helper.c
-+++ b/deps/nghttp2/lib/nghttp2_helper.c
-@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
-            "closed";
-   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
-     return "SETTINGS frame contained more than the maximum allowed entries";
-+  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
-+    return "Too many CONTINUATION frames following a HEADER frame";
-   default:
-     return "Unknown error code";
-   }
-diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
-index ec5024d..8e4d2e7 100644
---- a/deps/nghttp2/lib/nghttp2_session.c
-+++ b/deps/nghttp2/lib/nghttp2_session.c
-@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
-   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
-   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
-   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
-+  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
- 
-   if (option) {
-     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
-@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
-           }
-         }
-         session_inbound_frame_reset(session);
-+
-+        session->num_continuations = 0;
-       }
-       break;
-     }
-@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
-       }
- #endif /* DEBUGBUILD */
- 
-+      if (++session->num_continuations > session->max_continuations) {
-+        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
-+      }
-+
-       readlen = inbound_frame_buf_read(iframe, in, last);
-       in += readlen;
- 
-diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
-index b119329..ef8f7b2 100644
---- a/deps/nghttp2/lib/nghttp2_session.h
-+++ b/deps/nghttp2/lib/nghttp2_session.h
-@@ -110,6 +110,10 @@ typedef struct {
- #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
- #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
- 
-+/* The default max number of CONTINUATION frames following an incoming
-+   HEADER frame. */
-+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
-+
- /* Internal state when receiving incoming frame */
- typedef enum {
-   /* Receiving frame header */
-@@ -290,6 +294,12 @@ struct nghttp2_session {
-   size_t max_send_header_block_length;
-   /* The maximum number of settings accepted per SETTINGS frame. */
-   size_t max_settings;
-+  /* The maximum number of CONTINUATION frames following an incoming
-+     HEADER frame. */
-+  size_t max_continuations;
-+  /* The number of CONTINUATION frames following an incoming HEADER
-+     frame.  This variable is reset when END_HEADERS flag is seen. */
-+  size_t num_continuations;
-   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
-   uint32_t next_stream_id;
-   /* The last stream ID this session initiated.  For client session,
--- 
-2.44.0
-

SOURCES/0007-Add-nghttp2_option_set_max_continuations.patch

@@ -1,94 +0,0 @@
-From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
-From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
-Date: Sat, 9 Mar 2024 16:48:10 +0900
-Subject: [PATCH] Add nghttp2_option_set_max_continuations
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
-Related: CVE-2024-28182
-Signed-off-by: rpm-build <rpm-build>
----
- deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
- deps/nghttp2/lib/nghttp2_option.c           |  5 +++++
- deps/nghttp2/lib/nghttp2_option.h           |  5 +++++
- deps/nghttp2/lib/nghttp2_session.c          |  4 ++++
- 4 files changed, 25 insertions(+)
-
-diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
-index b394bde..4d3339b 100644
---- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
-+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
-@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
- nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
-                                            uint64_t burst, uint64_t rate);
- 
-+/**
-+ * @function
-+ *
-+ * This function sets the maximum number of CONTINUATION frames
-+ * following an incoming HEADER frame.  If more than those frames are
-+ * received, the remote endpoint is considered to be misbehaving and
-+ * session will be closed.  The default value is 8.
-+ */
-+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
-+                                                         size_t val);
-+
- /**
-  * @function
-  *
-diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
-index 43d4e95..53144b9 100644
---- a/deps/nghttp2/lib/nghttp2_option.c
-+++ b/deps/nghttp2/lib/nghttp2_option.c
-@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
-   option->stream_reset_burst = burst;
-   option->stream_reset_rate = rate;
- }
-+
-+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
-+  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
-+  option->max_continuations = val;
-+}
-diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
-index 2259e18..c89cb97 100644
---- a/deps/nghttp2/lib/nghttp2_option.h
-+++ b/deps/nghttp2/lib/nghttp2_option.h
-@@ -71,6 +71,7 @@ typedef enum {
-   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
-   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
-   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
-+  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
- } nghttp2_option_flag;
- 
- /**
-@@ -98,6 +99,10 @@ struct nghttp2_option {
-    * NGHTTP2_OPT_MAX_SETTINGS
-    */
-   size_t max_settings;
-+  /**
-+   * NGHTTP2_OPT_MAX_CONTINUATIONS
-+   */
-+  size_t max_continuations;
-   /**
-    * Bitwise OR of nghttp2_option_flag to determine that which fields
-    * are specified.
-diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
-index 8e4d2e7..ced7517 100644
---- a/deps/nghttp2/lib/nghttp2_session.c
-+++ b/deps/nghttp2/lib/nghttp2_session.c
-@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
-                            option->stream_reset_burst,
-                            option->stream_reset_rate);
-     }
-+
-+    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
-+      (*session_ptr)->max_continuations = option->max_continuations;
-+    }
-   }
- 
-   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
--- 
-2.44.0
-

SOURCES/0009-Address-CVE-2024-25629.patch

@@ -1,39 +0,0 @@
-From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
-From: Brad House <brad@brad-house.com>
-Date: Thu, 22 Feb 2024 16:23:33 -0500
-Subject: [PATCH] Address CVE-2024-25629
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
-
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
-Fixes: CVE-2024-25629
-Signed-off-by: rpm-build <rpm-build>
----
- deps/cares/src/lib/ares__read_line.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
-index c62ad2a..16627e4 100644
---- a/deps/cares/src/lib/ares__read_line.c
-+++ b/deps/cares/src/lib/ares__read_line.c
-@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
-       if (!fgets(*buf + offset, bytestoread, fp))
-         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
-       len = offset + strlen(*buf + offset);
-+
-+      /* Probably means there was an embedded NULL as the first character in
-+      * the line, throw away line */
-+      if (len == 0) {
-+        offset = 0;
-+        continue;
-+      }
-+
-       if ((*buf)[len - 1] == '\n')
-         {
-           (*buf)[len - 1] = 0;
--- 
-2.44.0
-

SOURCES/nodejs-tarball.sh

@@ -128,7 +128,7 @@ echo "$ICUMD5  $ICUTARBALL" > icu.md5
 md5sum -c icu.md5
 rm -f icu.md5 SHASUMS256.txt
 
-#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
+rhpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
 
 rm -f node-v${version}.tar.gz
 
@@ -155,6 +155,12 @@ grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_versio
 grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h
 grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
 echo
+echo "http-parser"
+echo "========================="
+grep "define HTTP_PARSER_VERSION_MAJOR" node-v${version}/deps/http_parser/http_parser.h
+grep "define HTTP_PARSER_VERSION_MINOR" node-v${version}/deps/http_parser/http_parser.h
+grep "define HTTP_PARSER_VERSION_PATCH" node-v${version}/deps/http_parser/http_parser.h
+echo
 echo "llhttp"
 echo "========================="
 grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h
@@ -171,14 +177,6 @@ echo "nghttp2"
 echo "========================="
 grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 echo
-echo "nghttp3"
-echo "========================="
-grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
-echo
-echo "ngtcp2"
-echo "========================="
-grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
-echo
 echo "ICU"
 echo "========================="
 grep "url" node-v${version}/tools/icu/current_ver.dep
@@ -187,15 +185,19 @@ echo "punycode"
 echo "========================="
 grep "'version'" node-v${version}/lib/punycode.js
 echo
+echo "npm"
+echo "========================="
+grep "\"version\":" node-v${version}/deps/npm/package.json
+echo
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
-echo "npm"
+echo "brotli"
 echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
+grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h
 echo
 echo "Make sure these versions match what is in the RPM spec file"
 

SOURCES/npmrc.builtin.in

@@ -1,5 +0,0 @@
-# This is the distibution-level configuration file for npm.
-# To configure NPM on a system level, use the globalconfig below (defaults to @SYSCONFDIR@/npmrc).
-# vim:set filetype=dosini:
-
-globalconfig=@SYSCONFDIR@/npmrc