Rebase to version 18.16.1

.gitignore

@@ -39,3 +39,7 @@
 /node-v18.14.2-stripped.tar.gz
 /icu4c-72_1-src.tgz
 /undici-5.20.0.tar.gz
+/wasi-sdk-wasi-sdk-11.tar.gz
+/wasi-sdk-wasi-sdk-14.tar.gz
+/node-v18.16.1-stripped.tar.gz
+/undici-5.21.0.tar.gz

0001-Disable-running-gyp-on-shared-deps.patch

@@ -1,4 +1,4 @@
-From 030bbedf7d79025848122081e13fe94b0324ad88 Mon Sep 17 00:00:00 2001
+From c73e0892eb1d0aa2df805618c019dc5c96b79705 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Tue, 30 May 2023 13:12:35 +0200
 Subject: [PATCH] Disable running gyp on shared deps
@@ -10,7 +10,7 @@ Signed-off-by: rpm-build <rpm-build>
  2 files changed, 1 insertion(+), 18 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 9401346..c9d3da2 100644
+index 0be0659..3c44201 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -169,7 +169,7 @@ with-code-cache test-code-cache:
@@ -19,14 +19,14 @@ index 9401346..c9d3da2 100644
  out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
 +	deps/llhttp/llhttp.gyp \
- 	deps/simdutf/simdutf.gyp \
+ 	deps/simdutf/simdutf.gyp deps/ada/ada.gyp \
  	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
  	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 diff --git a/node.gyp b/node.gyp
-index cec24ae..13af00f 100644
+index cf52281..c33b57b 100644
 --- a/node.gyp
 +++ b/node.gyp
-@@ -429,23 +429,6 @@
+@@ -430,23 +430,6 @@
                ],
              },
            ],
@@ -51,5 +51,5 @@ index cec24ae..13af00f 100644
        ],
      }, # node_core_target_name
 -- 
-2.40.1
+2.41.0
 

nodejs.spec

@@ -30,7 +30,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 3
+%global baserelease 1
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -41,8 +41,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 14
-%global nodejs_patch 2
+%global nodejs_minor 16
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@@ -69,10 +69,7 @@
 %global c_ares_version 1.19.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 10
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.11
 
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
@@ -81,10 +78,7 @@
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_major 1
-%global nghttp2_minor 51
-%global nghttp2_patch 0
-%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
+%global nghttp2_version 1.52.0
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@@ -118,11 +112,14 @@
 %endif
 
 # simduft from deps/simdutf/simdutf.h
-%global simduft_major 2
-%global simduft_minor 0
-%global simduft_patch 7
+%global simduft_major 3
+%global simduft_minor 2
+%global simduft_patch 2
 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
 
+# ada from deps/ada/ada.h
+%global ada_version 1.0.4
+
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
 
@@ -136,22 +133,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 9
-%global npm_minor 5
-%global npm_patch 0
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
-
-# uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_major 0
-%global uvwasi_minor 0
-%global uvwasi_patch 13
-%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
-
-# histogram_c - assumed from timestamps
-%global histogram_major 0
-%global histogram_minor 11
-%global histogram_patch 2
-%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
+%global npm_version 9.5.1
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -162,6 +144,12 @@
 # Node.js 16.9.1 and later comes with an experimental package management tool
 %global corepack_version 0.10.0
 
+# uvwasi - from deps/uvwasi/include/uvwasi.h
+%global uvwasi_version 0.0.15
+
+# histogram_c - assumed from timestamps
+%global histogram_version 0.11.2
+
 Name: nodejs
 Epoch: %{nodejs_epoch}
 Version: %{nodejs_version}
@@ -200,16 +188,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
 
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.20.0.tar.gz
-# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.20.0.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.21.0.tar.gz
+# Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.21.0.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-Patch2: 0002-deps-update-c-ares-to-1.19.1.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -310,6 +297,7 @@ Provides: bundled(uvwasi) = %{uvwasi_version}
 Provides: bundled(histogram) = %{histogram_version}
 Provides: bundled(corepack) = %{corepack_version}
 Provides: bundled(simduft) = %{simduft_version}
+Provides: bundled(ada) = %{ada_version}
 
 # Make sure we keep NPM up to date when we update Node.js
 %if 0%{?rhel} < 8
@@ -403,6 +391,22 @@ rm -rf deps/v8/third_party/jinja2
 rm -rf tools/inspector_protocol/jinja2
 
 # Replace any instances of unversioned python' with python3
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+  local -r name="$1" source="$2" packagejson="$3"
+  local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+  if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+    printf '%s version matches\n' "${name}" >&2
+  else
+    printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+    return 1
+  fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+check_wasm_dep undici           '%{SOURCE111}' deps/undici/src/package.json
+
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
 find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
@@ -673,7 +677,7 @@ end
 %{_rpmconfigdir}/fileattrs/nodejs_native.attr
 %{_rpmconfigdir}/nodejs_native.req
 %license LICENSE
-%doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md
+%doc CHANGELOG.md onboarding.md GOVERNANCE.md README.md
 %doc %{_mandir}/man1/node.1*
 
 
@@ -729,6 +733,11 @@ end
 
 
 %changelog
+* Wed Jul 12 2023 Jan Staněk <jstanek@redhat.com> - 1:18.16.1-1
+- Rebase to 18.16.1
+  Resolves: rhbz#2188290 rhbz#2166926
+  Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
+
 * Tue May 30 2023 Jan Staněk <jstanek@redhat.com> - 1:18.14.2-3
 - Update bundled c-ares to 1.19.1
   Resolves: CVE-2022-4904

sources

@@ -1,6 +1,6 @@
-SHA512 (node-v18.14.2-stripped.tar.gz) = 484bf91004dec6b3e60f5f01ac994a888425f68f649c80893786806e4f48e68d63f5be1e22d1ec6f57ff99edf85fecd33d86b159e3684ce89f7583d34d9e3a48
+SHA512 (node-v18.16.1-stripped.tar.gz) = 8548e92504760c8ea3b5d8bf1e745b7577668bd249786247fcbfeafd519c308b7f3974d6692cc98c124482a3e5d6867d4c6e2ad829ada4ec6b7b1b0114194911
 SHA512 (icu4c-72_1-src.tgz) = 848c341b37c0ff077e34a95d92c6200d5aaddd0ee5e06134101a74e04deb08256a5e817c8aefab020986abe810b7827dd7b2169a60dacd250c298870518dcae8
-SHA512 (undici-5.20.0.tar.gz) = 75a4c164081bbc8114aceeb48680db003cb014d7f92f157d03e9a36c775606a4bede5dbba236ba1722a651ab91968cb192eeae671ec1024f826c4b452d4e20ff
+SHA512 (undici-5.21.0.tar.gz) = 69097b92f7aac8f47207e6e76074b2676ecee8ecbadf8c35e7295cdf550e881e32bce9f0123f612d7a1cb5e7a2c5de798550f5e097ac053e4257e61d025db7d8
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = e2134c4541efec2f32d5fa5fd5151511a599ecd08e85fbfc8d56cbd0f3b2a404a9b1c072a601e4237e229ed12859abf6f52201ee0f55fcd0e43f49d0017e7cd1
 SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c
 SHA512 (wasi-sdk-wasi-sdk-14.tar.gz) = 4fecb3d9c04b91eb2388a9e51d49fbff6f22b81f9945a07ecdbfe479c96dad1e3b673b8bee24842b0dae5294129a9cb35dcf8e5ecf45437a6d01fb6e0fd13645