import CS nodejs-22.13.1-1.module_el9+1194+c2cea2d5

2025-03-17 14:44:04 +00:00 · 2025-03-17 14:44:04 +00:00 · 1f056ca43e
commit 1f056ca43e
parent 8db07759c6
4 changed files with 94 additions and 169 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-SOURCES/icu4c-75_1-data-bin-b.zip
-SOURCES/icu4c-75_1-data-bin-l.zip
-SOURCES/node-v22.4.1-stripped.tar.gz
+SOURCES/icu4c-76_1-data-bin-b.zip
+SOURCES/icu4c-76_1-data-bin-l.zip
+SOURCES/node-v22.13.1-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,3 +1,3 @@
-6c7291d88272d84fdadf1395166acd40dd12f623 SOURCES/icu4c-75_1-data-bin-b.zip
-ef164aa671780d004e304b4c789b05450e912304 SOURCES/icu4c-75_1-data-bin-l.zip
-cd053741b2f50dc3c9c54f5014a0480978f9cb16 SOURCES/node-v22.4.1-stripped.tar.gz
+d1c5586e6733b5c4790d05a76d47ad159ff31e9b SOURCES/icu4c-76_1-data-bin-b.zip
+547c6ffcb7833b1a14abd6114e0a1722144d410a SOURCES/icu4c-76_1-data-bin-l.zip
+20a992fe68e168bd5600ccc2bfe4e315b6db6e4b SOURCES/node-v22.13.1-stripped.tar.gz
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
@ -3,24 +3,23 @@
 # arguments, make sure to call
 # `argbash nodejs-tarball.sh -o nodejs-tarball.sh`

-# ARG_POSITIONAL_SINGLE([version],[Node.js release version])
-# ARG_OPTIONAL_BOOLEAN([push],[],[Whether to upload to the lookaside cache],[on])
-# ARG_OPTIONAL_BOOLEAN([debug],[],[Print all commands],[off])
+# ARG_POSITIONAL_SINGLE([version],[Node.js release version],[""])
 # ARG_DEFAULTS_POS([])
 # ARG_HELP([Tool to aid in Node.js packaging of new releases])
 # ARGBASH_GO()
 # needed because of Argbash --> m4_ignore([
-### START OF CODE GENERATED BY Argbash v2.10.0 one line above ###
+### START OF CODE GENERATED BY Argbash v2.8.1 one line above ###
 # Argbash is a bash code generator used to get arguments parsing right.
 # Argbash is FREE SOFTWARE, see https://argbash.io for more info


 die()
 {
-	local _ret="${2:-1}"
-	test "${_PRINT_HELP:-no}" = yes && print_help >&2
+	local _ret=$2
+	test -n "$_ret" || _ret=1
+	test "$_PRINT_HELP" = yes && print_help >&2
 	echo "$1" >&2
-	exit "${_ret}"
+	exit ${_ret}
 }


@ -33,19 +32,15 @@ begins_with_short_option()

 # THE DEFAULTS INITIALIZATION - POSITIONALS
 _positionals=()
-_arg_version=
+_arg_version=""
 # THE DEFAULTS INITIALIZATION - OPTIONALS
-_arg_push="on"
-_arg_debug="off"


 print_help()
 {
 	printf '%s\n' "Tool to aid in Node.js packaging of new releases"
-	printf 'Usage: %s [--(no-)push] [--(no-)debug] [-h|--help] <version>\n' "$0"
-	printf '\t%s\n' "<version>: Node.js release version"
-	printf '\t%s\n' "--push, --no-push: Whether to upload to the lookaside cache (on by default)"
-	printf '\t%s\n' "--debug, --no-debug: Print all commands (off by default)"
+	printf 'Usage: %s [-h|--help] [<version>]\n' "$0"
+	printf '\t%s\n' "<version>: Node.js release version (default: '""')"
 	printf '\t%s\n' "-h, --help: Prints help"
 }

@ -57,14 +52,6 @@ parse_commandline()
 	do
 		_key="$1"
 		case "$_key" in
-			--no-push|--push)
-				_arg_push="on"
-				test "${1:0:5}" = "--no-" && _arg_push="off"
-				;;
-			--no-debug|--debug)
-				_arg_debug="on"
-				test "${1:0:5}" = "--no-" && _arg_debug="off"
-				;;
 			-h|--help)
 				print_help
 				exit 0
@ -86,9 +73,7 @@ parse_commandline()

 handle_passed_args_count()
 {
-	local _required_args_string="'version'"
-	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
-	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
+	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect between 0 and 1, but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
 }


@ -115,78 +100,33 @@ assign_positional_args 1 "${_positionals[@]}"
 ### END OF CODE GENERATED BY Argbash (sortof) ### ])
 # [ <-- needed because of Argbash

-if [ $_arg_debug = 'on' ]; then
-  set -x
-fi
-
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-alias wget='wget --quiet'
-
-packages=("jq" "wget" "tar" "fedpkg" "grep" "sed" "python3-jinja2-cli" "nodejs")
-
-rpm -q ${packages[@]} >/dev/null
-if [ $? -ne 0 ]; then
-  sudo dnf -y install ${packages[@]}
-fi

 set -e

-version=$_arg_version
+echo $_arg_version

-NODE_MAJOR=$(echo $version | cut -d. -f1)
-NODE_MINOR=$(echo $version | cut -d. -f2)
-NODE_PATCH=$(echo $version | cut -d. -f3)
-
-# Treat odd-numbered major releases as pre-releases for the
-# next LTS release.
-if [[ $((NODE_MAJOR % 2)) -eq 0 ]];
-  then NODE_PKG_MAJOR=${NODE_MAJOR};
-  else NODE_PKG_MAJOR=$((NODE_MAJOR + 1));
+if [ x$_arg_version != x ]; then
+    version=$_arg_version
+else
+    version=$(rpm -q --specfile --qf='%{version}\n' nodejs.spec | head -n1)
 fi

-FEDORA_DEFAULT_RELEASE_LOW=$((NODE_PKG_MAJOR + 19))
-FEDORA_DEFAULT_RELEASE_HIGH=$((NODE_PKG_MAJOR + 20))
-
-if [[ $((NODE_PKG_MAJOR)) -eq 20 ]]
-  then RHEL_DEFAULT_RELEASE=" || 0%{?rhel} == 10"
-elif [[ $((NODE_PKG_MAJOR)) -eq 22 ]];
-  then RHEL_DEFAULT_RELEASE=" || 0%{?rhel} == 11"
-fi
-
-rm -rf node-v${version}.tar.gz \
-       node-v${version}-stripped.tar.gz \
-       node-v${version}/ \
-       wasi-sdk-* \
-       cjs-module-lexer* \
-       undici* \
-       SHASUMS256.txt
-echo Downloading node-v${version}.tar.gz
+rm -f node-v${version}.tar.gz node-v${version}-stripped.tar.gz
 wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz \
     http://nodejs.org/dist/v${version}/SHASUMS256.txt
-echo Validating sha256sum
 sha256sum -c SHASUMS256.txt --ignore-missing
-rm -f SHASUMS256.txt
 tar -zxf node-v${version}.tar.gz
-
-# Remove bundled OpenSSL
-# We will link to the system version
 rm -rf node-v${version}/deps/openssl
 tar -zcf node-v${version}-stripped.tar.gz node-v${version}

-# Record the bundled cjs-module-lexer version
-LEXER_VERSION=$(jq -r '.version' node-v${version}/deps/cjs-module-lexer/package.json)
-
-# Record the bundled undici version
-UNDICI_VERSION=$(jq -r '.version' node-v${version}/deps/undici/src/package.json)
-
+# Download the ICU binary data files
 ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
 ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
-
-# Download the ICU binary data files
 rm -Rf icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip
-wget $(grep Source3 packaging/nodejs.spec.j2 | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
-wget $(grep Source4 packaging/nodejs.spec.j2 | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+wget $(grep Source3 nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+wget $(grep Source4 nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+
+#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz

 rm -f node-v${version}.tar.gz

@ -200,7 +140,10 @@ echo "Node.js version"
 echo "========================="
 echo "${version}"
 echo
-echo "libnode shared object version"
+echo "Bundled software versions"
+echo "-------------------------"
+echo
+echo "libnode shared object version (nodejs_soversion)"
 echo "========================="
 NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h)
 echo "${NODE_SOVERSION}"
@ -251,6 +194,8 @@ echo $NGTCP2_VERSION
 echo
 echo "ICU"
 echo "========================="
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
+ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
 echo "${ICU_MAJOR}.${ICU_MINOR}"
 echo
 echo "simdutf"
@ -258,11 +203,27 @@ echo "========================="
 SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//')
 echo $SIMDUTF_VERSION
 echo
+echo "ada"
+echo "========================="
+ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//')
+ADA_VERSION=${ADA_VERSION:-0}
+echo "${ADA_VERSION}"
+echo
 echo "punycode"
 echo "========================="
-PUNYCODE_VERSION=$(/usr/bin/node -e "console.log(require('punycode').version)")
+PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js)
 echo $PUNYCODE_VERSION
 echo
+echo "npm"
+echo "========================="
+NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json)
+echo $NPM_VERSION
+echo
+echo "corepack"
+echo "========================="
+COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json)
+echo $COREPACK_VERSION
+echo
 echo "uvwasi"
 echo "========================="
 UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
@ -271,77 +232,17 @@ UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}
 UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}"
 echo $UVWASI_VERSION
 echo
-echo "npm"
+echo "histogram_c"
 echo "========================="
-NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json)
-echo $NPM_VERSION
+HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//')
+echo $HISTOGRAM_VERSION
 echo
-echo "zlib"
+echo "sqlite"
 echo "========================="
-ZLIB_VERSION=$(grep -oP '(?<=#define ZLIB_VERSION ).*\"' node-v${version}/deps/zlib/zlib.h |sed -e 's/^"//' -e 's/"$//')
-echo $ZLIB_VERSION
+SQLITE_VERSION="$(grep -osP '(?<=#define SQLITE_VERSION ).*\"' node-v${version}/deps/sqlite/sqlite3.h |sed -e 's/^\s*"//' -e 's/"\s*$//')"
+echo "${SQLITE_VERSION}"
 echo
-echo "cjs-module-lexer"
-echo "========================="
-echo "${LEXER_VERSION}"
-echo
-echo "undici"
-echo "========================="
-echo "${UNDICI_VERSION}"
-echo
-echo "ada"
-echo "========================="
-ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//')
-ADA_VERSION=${ADA_VERSION:-0}
-echo "${ADA_VERSION}"
-echo
-echo "Applying versions to spec template"
-
-# Get the list of patches we need to add to the specfile
-readarray -t patchlist < <(git ls-files |grep '^[0-9]\{4\}-.*\.patch')
-json_patchlist=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${patchlist[@]}")
-
-IFS='' read -r -d '' template_json <<EOF
-{
-    "NODE_PKG_MAJOR": $NODE_PKG_MAJOR,
-    "NODE_MAJOR": $NODE_MAJOR,
-    "NODE_MINOR": $NODE_MINOR,
-    "NODE_PATCH": $NODE_PATCH,
-    "FEDORA_DEFAULT_RELEASE_LOW": $FEDORA_DEFAULT_RELEASE_LOW,
-    "FEDORA_DEFAULT_RELEASE_HIGH": $FEDORA_DEFAULT_RELEASE_HIGH,
-	"RHEL_DEFAULT_RELEASE": "$RHEL_DEFAULT_RELEASE",
-    "NODE_SOVERSION": $NODE_SOVERSION,
-    "V8_MAJOR": $V8_MAJOR,
-    "V8_MINOR": $V8_MINOR,
-    "V8_BUILD": $V8_BUILD,
-    "V8_PATCH": $V8_PATCH,
-    "C_ARES_VERSION": $C_ARES_VERSION,
-    "LLHTTP_VERSION": $LLHTTP_VERSION,
-    "LIBUV_VERSION": $LIBUV_VERSION,
-    "NGHTTP2_VERSION": $NGHTTP2_VERSION,
-    "NGHTTP3_VERSION": $NGHTTP3_VERSION,
-    "NGTCP2_VERSION": $NGTCP2_VERSION,
-    "ICU_MAJOR": $ICU_MAJOR,
-    "ICU_MINOR": $ICU_MINOR,
-    "SIMDUTF_VERSION": $SIMDUTF_VERSION,
-    "PUNYCODE_VERSION": $PUNYCODE_VERSION,
-    "UVWASI_VERSION": $UVWASI_VERSION,
-    "NPM_VERSION": $NPM_VERSION,
-    "ZLIB_VERSION": $ZLIB_VERSION,
-    "LEXER_VERSION": $LEXER_VERSION,
-    "UNDICI_VERSION": $UNDICI_VERSION,
-    "ADA_VERSION": $ADA_VERSION,
-	"PATCHES": $json_patchlist
-}
-EOF
-
-echo ${template_json} | jinja2 ${SCRIPT_DIR}/packaging/nodejs.spec.j2 \
-    > ${SCRIPT_DIR}/nodejs${NODE_PKG_MAJOR}.spec
-
-if [ $_arg_push = 'on' ]; then
-  fedpkg new-sources node-v${version}-stripped.tar.gz \
-                     icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip
-fi
+echo "Make sure these versions match what is in the RPM spec file"

 rm -rf node-v${version}
 # ] <-- needed because of Argbash
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -32,6 +32,9 @@
 %bcond_with bundled_zlib
 %endif

+# System SQLite is too old in any RHEL <= 10
+%bcond_without bundled_sqlite
+
 # LTO is currently broken on Node.js builds
 %define _lto_cflags %{nil}

@ -43,7 +46,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 4
+%global baserelease 1

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -54,7 +57,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 22
-%global nodejs_minor 4
+%global nodejs_minor 13
 %global nodejs_patch 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
@ -82,25 +85,25 @@

 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_version 1.31.0
+%global c_ares_version 1.34.4

 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_version 9.2.1

 # libuv - from deps/uv/include/uv/version.h
-%global libuv_version 1.48.0
+%global libuv_version 1.49.2

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.62.1
+%global nghttp2_version 1.64.0

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
-%global nghttp3_version 0.7.0
+%global nghttp3_version 1.6.0

 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
-%global ngtcp2_version 1.3.0
+%global ngtcp2_version 1.9.1

 # ICU - from tools/icu/current_ver.dep
-%global icu_major 75
+%global icu_major 76
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}

@ -109,7 +112,7 @@
 # " this line just fixes syntax highlighting for vim that is confused by the above and continues literal

 # simdutf from deps/simdutf/simdutf.h
-%global simdutf_version 5.2.8
+%global simdutf_version 5.6.4

 # OpenSSL minimum version
 %global openssl11_minimum 1:1.1.1
@ -122,7 +125,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.8.1
+%global npm_version 10.9.2

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -136,7 +139,10 @@
 %global uvwasi_version 0.0.21

 # histogram_c - assumed from timestamps
-%global histogram_version 0.9.7
+%global histogram_version 0.11.8
+
+# sqlite - from deps/sqlite/sqlite3.h
+%global sqlite_version 3.47.2


 Name: nodejs
@ -160,7 +166,7 @@ Source2: btest402.js
 # The binary data that icu-small can use to get icu-full capability
 Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-b.zip
 Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip
-Source200: nodejs-sources.sh
+Source200: nodejs-tarball.sh
 Source201: npmrc.builtin.in
 Source202: nodejs.pc.in
 Source203: v8.pc.in
@ -331,6 +337,11 @@ BuildRequires: nodejs-undici
 Requires: nodejs-undici
 %endif

+%if %{with bundled_sqlite}
+Provides: bundled(sqlite) = %{sqlite_version}
+%else
+BuildRequires: pkgconfig(sqlite3) >= 3.45
+%endif



@ -409,7 +420,7 @@ package to save space if non-English locales are not needed.
 Summary: v8 - development headers
 Epoch: %{v8_epoch}
 Version: %{v8_version}
-Release: %{v8_release}
+Release: %{v8_release}%{?dist}
 Requires: %{pkgname}-devel%{?_isa} = %{nodejs_envr}
 Requires: %{pkgname}-libs%{?_isa} = %{nodejs_envr}
 Provides: v8-devel = %{v8_epoch}:%{v8_version}-%{v8_release}
@ -488,6 +499,10 @@ rm -rf deps/cjs-module-lexer
 rm -rf deps/undici
 %endif

+%if %{without bundled_sqlite}
+rm -rf deps/sqlite
+%endif
+
 # Replace any instances of unversioned python with python3
 pfiles=( $(grep -rl python) )
 %py3_shebang_fix ${pfiles[@]}
@ -551,6 +566,7 @@ export PATH="${cwd}/.bin:$PATH"
           %{!?with_bundled_undici:--shared-builtin-undici/undici-path %{nodejs_private_sitelib}/undici/loader.js} \
           --shared-brotli \
           %{!?with_bundled_libuv:--shared-libuv} \
+           %{!?with_bundled_sqlite:--shared-sqlite} \
           --with-intl=small-icu \
           --with-icu-default-data-dir=%{icudatadir} \
           --without-corepack \
@ -878,5 +894,13 @@ end


 %changelog
+* Thu Jan 30 2025 Jan Staněk <jstanek@redhat.com> - 1:22.13.1-1
+- Update to version 22.13.1
+  Fixes CVE-2025-23083 CVE-2025-23085 CVE-2025-22150
+  Resolves: RHEL-76354
+
+* Mon Nov 04 2024 Jan Staněk <jstanek@redhat.com> - 1:22.11.0-1
+- Update to version 22.11.0
+
 * Thu Aug 15 2024 Filip Janus <fjanus@redhat.com> - 22.4.1-4
 - Initial import of nodeJS 22