import CS nodejs-22.19.0-2.module_el9+1269+2b208c4d

eabdullin 2025-09-15 09:37:08 +00:00
parent 9c73262db0
commit 19bbe31500
7 changed files with 4040 additions and 24 deletions

6
.gitignore vendored

@ -1,3 +1,3 @@
SOURCES/icu4c-76_1-data-bin-b.zip SOURCES/icu4c-77_1-data-bin-b.zip
SOURCES/icu4c-76_1-data-bin-l.zip SOURCES/icu4c-77_1-data-bin-l.zip
SOURCES/node-v22.13.1-stripped.tar.gz SOURCES/node-v22.19.0-stripped.tar.gz


@ -1,3 +1,3 @@
d1c5586e6733b5c4790d05a76d47ad159ff31e9b SOURCES/icu4c-76_1-data-bin-b.zip c459faa36dedc60af6a0c6d5b9b84b6198389bf0 SOURCES/icu4c-77_1-data-bin-b.zip
547c6ffcb7833b1a14abd6114e0a1722144d410a SOURCES/icu4c-76_1-data-bin-l.zip c602459f93a43dfe7440686b46430e93a85dfc06 SOURCES/icu4c-77_1-data-bin-l.zip
20a992fe68e168bd5600ccc2bfe4e315b6db6e4b SOURCES/node-v22.13.1-stripped.tar.gz fcb143615038d08f68d1c53636bec5f7f1c95d3b SOURCES/node-v22.19.0-stripped.tar.gz


@ -0,0 +1,84 @@
From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
From: Michael Dawson <midawson@redhat.com>
Date: Fri, 23 Feb 2024 13:43:56 +0100
Subject: [PATCH] Disable FIPS options
On RHEL, FIPS should be configured only on system level.
Additionally, the related options may cause segfault when used on RHEL.
This patch causes the option processing to end sooner
than the problematic code gets executed.
Additionally, the JS-level options to mess with FIPS settings
are similarly disabled.
Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
---
lib/crypto.js | 10 ++++++++++
lib/internal/errors.js | 6 ++++++
src/crypto/crypto_util.cc | 2 ++
3 files changed, 18 insertions(+)
diff --git a/lib/crypto.js b/lib/crypto.js
index 41adecc..b2627ac 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -36,7 +36,10 @@ const {
assertCrypto();
const {
+ // RHEL specific error
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
ERR_CRYPTO_FIPS_FORCED,
ERR_WORKER_UNSUPPORTED_OPERATION,
} = require('internal/errors').codes;
const constants = internalBinding('constants').crypto;
@@ -251,6 +254,13 @@ function getFips() {
}
function setFips(val) {
+ // in RHEL FIPS enable/disable should only be done at system level
+ if (getFips() != val) {
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+ } else {
+ return;
+ }
+
if (getOptionValue('--force-fips')) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index a722360..04d8a53 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1111,6 +1111,12 @@ module.exports = {
//
// Note: Node.js specific errors must begin with the prefix ERR_
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+ Error);
+
E('ERR_ACCESS_DENIED',
function(msg, permission = '', resource = '') {
this.permission = permission;
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 5734d8f..ef9d1b1 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+ return false;
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)
--
2.43.2
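Review bot: In the lib/internal/errors.js hunk the two string literals of the new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED message are joined without a space, so the text comes out as `Seehttps://access.redhat.com/...` and the documentation link is unusable as printed; the first literal should end `... at system level. See ' +`. In the setFips hunk, `getFips() != val` depends on loose coercion between the 0/1 that getFips() presumably returns and the boolean callers usually pass, so a truthy non-boolean such as `2` raises the new error even when FIPS is already on; `if (getFips() !== (val ? 1 : 0))` keeps the truthiness semantics of the code below it. Both branches of the added if/else leave the function, so the `--force-fips` handling that follows is now unreachable, and a one-line comment saying this is intended would help the next rebase. In src/crypto/crypto_util.cc the message is labelled `ERROR` but says the options are "not recommended" while the code returns false; wording it as "not supported" would match the behaviour. setFips and ProcessFipsOptions both continue past the end of their hunks.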


@ -123,8 +123,8 @@ tar -zcf node-v${version}-stripped.tar.gz node-v${version}
ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g') ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g') ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
rm -Rf icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip rm -Rf icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip
wget $(grep Source3 nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g") wget $(grep -w 'Source3' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
wget $(grep Source4 nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g") wget $(grep -w 'Source4' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz #fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
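Review bot: The two changed `wget $(grep -w 'Source3' nodejs.spec | sed ...)` lines still hand an unquoted, unchecked command substitution to wget, so an empty match or a second matching line (a comment mentioning Source3, for instance) results in a bare `wget` or in extra URLs being fetched without the script noticing. Capturing the result first, e.g. `icu_url=$(grep -w 'Source3' nodejs.spec | sed ...)`, then `[ -n "$icu_url" ] || exit 1` and `wget -- "$icu_url"`, makes that failure visible. Nothing in the visible lines verifies the downloaded ICU archives before they are recorded as sources; if that is not done elsewhere in the script, a checksum comparison belongs here. The script starts and ends outside this hunk.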

60
SOURCES/test-runner.sh Executable file

@ -0,0 +1,60 @@
#!/bin/bash
NODE_BIN="$1"
PARENT_TEST_FOLDER="$2"
TEST_LIST_FILE="$3"
# At most 10 min per test
TIMEOUT_DURATION=600
# Exit code
FINAL_RESULT=0
ARCH=$(uname -m)
echo "Started test run:"
# Run the list of test
while IFS= read -r test_line; do
# ignore commented lines
if [[ "$test_line" =~ ^# ]]; then
continue
fi
# If test has specified ARCH which it should be skipped
# Extract it
TEST_PATH=$(echo "$test_line" | awk '{print $1}')
IGNORE_ARCHES=$(echo "$test_line" |\
awk '{for (i=2; i<=NF; i++) printf "%s ", $i; print ""}')
# Skip test for specified ARCH
for ARCH_IGNORE in $IGNORE_ARCHES; do
if [[ "$ARCH_IGNORE" == "$ARCH" ]]; then
continue 2
fi
done
# Construct test path
TEST_SCRIPT="$PARENT_TEST_FOLDER/$TEST_PATH"
if [ ! -f "$TEST_SCRIPT" ]; then
echo "Test script not found: $TEST_SCRIPT"
continue
fi
TEST_OUTPUT=$(timeout "$TIMEOUT_DURATION" "$NODE_BIN" "$TEST_SCRIPT" 2>&1)
TEST_RESULT=$?
# Handle test result
if [ $TEST_RESULT -ne 0 ]; then
FINAL_RESULT=1
if [ $TEST_RESULT -eq 124 ]; then
echo "Test timed out: $TEST_SCRIPT"
else
echo "Test failed: $TEST_SCRIPT"
fi
echo "Test failure message:"
echo "$TEST_OUTPUT"
fi
done < "$TEST_LIST_FILE"
if [ $FINAL_RESULT -eq 0 ]; then
echo "All tests succesfully passed."
fi
exit $FINAL_RESULT
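Review bot: The runner fails open: the `Test script not found` branch only echoes and continues without touching FINAL_RESULT, and an unreadable or empty "$TEST_LIST_FILE" makes the loop run zero times, so in both cases the script prints the success line and exits 0. Since the spec's %check relies on this exit code to gate the build, add `FINAL_RESULT=1` before that `continue` and a guard such as `[ -r "$TEST_LIST_FILE" ] || { echo "Test list not readable: $TEST_LIST_FILE"; exit 1; }` ahead of the loop. Blank lines in the list are not skipped by the `^#` check and would land in the not-found branch, so skip them explicitly next to the comment test. The final message spells `succesfully`.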

3837
SOURCES/test-should-pass.txt Normal file

File diff suppressed because it is too large Load Diff


@ -57,8 +57,8 @@
# than a Fedora release lifecycle. # than a Fedora release lifecycle.
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 22 %global nodejs_major 22
%global nodejs_minor 13 %global nodejs_minor 19
%global nodejs_patch 1 %global nodejs_patch 0
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 127 %global nodejs_soversion 127
%global nodejs_abi %{nodejs_soversion} %global nodejs_abi %{nodejs_soversion}
@ -81,17 +81,17 @@
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} %global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# zlib - from deps/zlib/zlib.h # zlib - from deps/zlib/zlib.h
%global zlib_version 1.3.0.1-motley %global zlib_version 1.3.1
# c-ares - from deps/cares/include/ares_version.h # c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332 # https://github.com/nodejs/node/pull/9332
%global c_ares_version 1.34.4 %global c_ares_version 1.34.5
# llhttp - from deps/llhttp/include/llhttp.h # llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 9.2.1 %global llhttp_version 9.3.0
# libuv - from deps/uv/include/uv/version.h # libuv - from deps/uv/include/uv/version.h
%global libuv_version 1.49.2 %global libuv_version 1.51.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.64.0 %global nghttp2_version 1.64.0
@ -100,10 +100,10 @@
%global nghttp3_version 1.6.0 %global nghttp3_version 1.6.0
# ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
%global ngtcp2_version 1.9.1 %global ngtcp2_version 1.11.0
# ICU - from tools/icu/current_ver.dep # ICU - from tools/icu/current_ver.dep
%global icu_major 76 %global icu_major 77
%global icu_minor 1 %global icu_minor 1
%global icu_version %{icu_major}.%{icu_minor} %global icu_version %{icu_major}.%{icu_minor}
@ -112,7 +112,7 @@
# " this line just fixes syntax highlighting for vim that is confused by the above and continues literal # " this line just fixes syntax highlighting for vim that is confused by the above and continues literal
# simdutf from deps/simdutf/simdutf.h # simdutf from deps/simdutf/simdutf.h
%global simdutf_version 5.6.4 %global simdutf_version 6.4.2
# OpenSSL minimum version # OpenSSL minimum version
%global openssl11_minimum 1:1.1.1 %global openssl11_minimum 1:1.1.1
@ -125,7 +125,7 @@
# npm - from deps/npm/package.json # npm - from deps/npm/package.json
%global npm_epoch 1 %global npm_epoch 1
%global npm_version 10.9.2 %global npm_version 10.9.3
# In order to avoid needing to keep incrementing the release version for the # In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed # main package forever, we will just construct one for npm that is guaranteed
@ -142,7 +142,7 @@
%global histogram_version 0.11.8 %global histogram_version 0.11.8
# sqlite - from deps/sqlite/sqlite3.h # sqlite - from deps/sqlite/sqlite3.h
%global sqlite_version 3.47.2 %global sqlite_version 3.50.4
Name: nodejs Name: nodejs
@ -170,8 +170,11 @@ Source200: nodejs-tarball.sh
Source201: npmrc.builtin.in Source201: npmrc.builtin.in
Source202: nodejs.pc.in Source202: nodejs.pc.in
Source203: v8.pc.in Source203: v8.pc.in
Source300: test-runner.sh
Source301: test-should-pass.txt
Patch: 0001-Remove-unused-OpenSSL-config.patch Patch: 0001-Remove-unused-OpenSSL-config.patch
Patch: 0003-fips-disable-options.patch
%global pkgname nodejs %global pkgname nodejs
@ -319,7 +322,7 @@ Provides: bundled(simdutf) = %{simdutf_version}
# Upstream has added a new URL parser that has no option to build as a shared # Upstream has added a new URL parser that has no option to build as a shared
# library (19.7.0+) # library (19.7.0+)
Provides: bundled(ada) = 2.8.0 Provides: bundled(ada) = 2.9.2
# undici and cjs-module-lexer ship with pre-built WASM binaries. # undici and cjs-module-lexer ship with pre-built WASM binaries.
@ -570,7 +573,8 @@ export PATH="${cwd}/.bin:$PATH"
--with-intl=small-icu \ --with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \ --with-icu-default-data-dir=%{icudatadir} \
--without-corepack \ --without-corepack \
--openssl-use-def-ca-store --openssl-use-def-ca-store \
--use-prefix-to-find-headers
%ninja_build -C out/Release %ninja_build -C out/Release
@ -766,6 +770,13 @@ sed -e 's#@PREFIX@#%{_prefix}#g' \
%check %check
#run unit test that should pass from list
LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
bash %{SOURCE300} \
%{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} \
%{_builddir}/node-v%{nodejs_version}/test/ \
%{SOURCE301}
# Fail the build if the versions don't match # Fail the build if the versions don't match
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} -e "require('assert').equal(process.versions.node, '%{nodejs_version}')" LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')" LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
@ -886,9 +897,33 @@ end
%changelog %changelog
* Mon Feb 24 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.13.1-2 * Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.19.0-1
- Remove lua pretransaction script from spec file - Update to 22.19.0
Resolves: RHEL-81122 Resolves: RHEL-100426
* Mon Jul 21 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.16.0-2
- Patch fix for CVE-2025-6965
Resolves: RHEL-103853
* Tue May 20 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-1
- Update to 22.16.0
Resolves: RHEL-92870 RHEL-89599 RHEL-92058
* Thu Apr 24 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.15.0-1
- Update to 22.15.0
- Drop upstream patches
* Tue Apr 22 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.13.1-4
- Patch fix for sqlite CVE-2025-31498
Resolves: RHEL-87320
* Mon Apr 14 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.13.1-3
- Update c-ares to newest version with fix for CVE-2025-31498
Resolves: RHEL-86587
* Mon Mar 03 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.13.1-2
- Remove obsolete lua pretransaction script from spec file
Resolves: RHEL-81119
- Disable npm update notifications for users - Disable npm update notifications for users
Resolves: RHEL-81079 Resolves: RHEL-81079
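Review bot: In the %changelog hunk the 1:22.13.1-4 entry reads `Patch fix for sqlite CVE-2025-31498` while the 1:22.13.1-3 entry gives the same id for the c-ares update; one of the two is presumably a copy-paste slip and should be checked against the referenced RHEL-87320 and RHEL-86587 tickets, because rpm changelogs are what scanners and auditors read to confirm which CVEs a build covers. In the Provides hunk, `bundled(ada) = 2.9.2` is still a literal whereas the neighbouring `bundled(simdutf) = %{simdutf_version}` and the other components use a `%global ..._version` macro with a comment naming the header it is taken from; an `ada_version` macro in the same style would keep that declaration from being missed on the next rebase.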