import CS nodejs-20.11.1-1.module_el8+985+db5db696

.gitignore

@@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-73_2-src.tgz
-SOURCES/node-v20.5.1-stripped.tar.gz
-SOURCES/undici-5.22.1.tar.gz
+SOURCES/node-v20.11.1-stripped.tar.gz
+SOURCES/undici-5.28.3.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
-SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
+SOURCES/wasi-sdk-wasi-sdk-16.tar.gz

.nodejs.metadata

@@ -1,6 +1,6 @@
-d879d8062a018d91b007ef6b36f7dd026654b982 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+36854f5860acf4b3f8ef8a08cd4240c81c8ae013 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
-1ecddb27a2e04a7829870f11ffcb6dbd3e859f43 SOURCES/node-v20.5.1-stripped.tar.gz
-616384b209d651b7cb7b41a8a7752eb2e923806a SOURCES/undici-5.22.1.tar.gz
+59aed60100c3d6373c218378ccc8e03eb26cc1e5 SOURCES/node-v20.11.1-stripped.tar.gz
+b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
-900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
+fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-wasi-sdk-16.tar.gz

SOURCES/nodejs-fips-disable-options.patch

@@ -0,0 +1,83 @@
+From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From: Michael Dawson <midawson@redhat.com>
+Date: Fri, 23 Feb 2024 13:43:56 +0100
+Subject: [PATCH] Disable FIPS options
+
+On RHEL, FIPS should be configured only on system level.
+Additionally, the related options may cause segfault when used on RHEL.
+
+This patch causes the option processing to end sooner
+than the problematic code gets executed.
+Additionally, the JS-level options to mess with FIPS settings
+are similarly disabled.
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ lib/crypto.js             | 10 ++++++++++
+ lib/internal/errors.js    |  6 ++++++
+ src/crypto/crypto_util.cc |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/crypto.js b/lib/crypto.js
+index 41adecc..b2627ac 100644
+--- a/lib/crypto.js
++++ b/lib/crypto.js
+@@ -36,6 +36,9 @@ const {
+ assertCrypto();
+ 
+ const {
++  // RHEL specific error
++  ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
++
+   ERR_CRYPTO_FIPS_FORCED,
+   ERR_WORKER_UNSUPPORTED_OPERATION,
+ } = require('internal/errors').codes;
+@@ -251,6 +254,13 @@ function getFips() {
+ }
+ 
+ function setFips(val) {
++  // in RHEL FIPS enable/disable should only be done at system level
++  if (getFips() != val) {
++    throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
++  } else {
++    return;
++  }
++
+   if (getOptionValue('--force-fips')) {
+     if (val) return;
+     throw new ERR_CRYPTO_FIPS_FORCED();
+diff --git a/lib/internal/errors.js b/lib/internal/errors.js
+index a722360..04d8a53 100644
+--- a/lib/internal/errors.js
++++ b/lib/internal/errors.js
+@@ -1060,6 +1060,12 @@ module.exports = {
+ //
+ // Note: Node.js specific errors must begin with the prefix ERR_
+ 
++// insert RHEL specific erro
++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
++  'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
++  'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
++  Error);
++
+ E('ERR_ACCESS_DENIED',
+   'Access to this API has been restricted. Permission: %s',
+   Error);
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 5734d8f..ef9d1b1 100644
+--- a/src/crypto/crypto_util.cc
++++ b/src/crypto/crypto_util.cc
+@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
+   /* Override FIPS settings in configuration file, if needed. */
+   if (per_process::cli_options->enable_fips_crypto ||
+       per_process::cli_options->force_fips_crypto) {
++      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
++      return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+     if (fips_provider == nullptr)
+-- 
+2.43.2

SOURCES/nodejs-tarball.sh

@@ -135,67 +135,109 @@ rm -f node-v${version}.tar.gz
 set +e
 
 # Determine the bundled versions of the various packages
+echo "Included software versions"
+echo "-------------------------"
+echo
+echo "Node.js version"
+echo "========================="
+echo "${version}"
+echo
 echo "Bundled software versions"
 echo "-------------------------"
 echo
-echo "libnode shared object version"
+echo "libnode shared object version (nodejs_soversion)"
 echo "========================="
-grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h
+NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h)
+echo "${NODE_SOVERSION}"
 echo
 echo "V8"
 echo "========================="
-grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h
-grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h
-grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h
-grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h
+V8_MAJOR=$(grep -oP '(?<=#define V8_MAJOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h)
+V8_MINOR=$(grep -oP '(?<=#define V8_MINOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h)
+V8_BUILD=$(grep -oP '(?<=#define V8_BUILD_NUMBER )\d+' node-v${version}/deps/v8/include/v8-version.h)
+V8_PATCH=$(grep -oP '(?<=#define V8_PATCH_LEVEL )\d+' node-v${version}/deps/v8/include/v8-version.h)
+echo "${V8_MAJOR}.${V8_MINOR}.${V8_BUILD}.${V8_PATCH}"
 echo
 echo "c-ares"
 echo "========================="
-grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h
-grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h
-grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
+C_ARES_VERSION=$(grep -oP '(?<=#define ARES_VERSION_STR ).*\"' node-v${version}/deps/cares/include/ares_version.h |sed -e 's/^"//' -e 's/"$//')
+echo $C_ARES_VERSION
 echo
 echo "llhttp"
 echo "========================="
-grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h
-grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h
-grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h
+LLHTTP_MAJOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MAJOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
+LLHTTP_MINOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MINOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
+LLHTTP_PATCH=$(grep -oP '(?<=#define LLHTTP_VERSION_PATCH )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
+LLHTTP_VERSION="${LLHTTP_MAJOR}.${LLHTTP_MINOR}.${LLHTTP_PATCH}"
+echo $LLHTTP_VERSION
 echo
 echo "libuv"
 echo "========================="
-grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h
-grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h
-grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h
+UV_MAJOR=$(grep -oP '(?<=#define UV_VERSION_MAJOR )\d+' node-v${version}/deps/uv/include/uv/version.h)
+UV_MINOR=$(grep -oP '(?<=#define UV_VERSION_MINOR )\d+' node-v${version}/deps/uv/include/uv/version.h)
+UV_PATCH=$(grep -oP '(?<=#define UV_VERSION_PATCH )\d+' node-v${version}/deps/uv/include/uv/version.h)
+LIBUV_VERSION="${UV_MAJOR}.${UV_MINOR}.${UV_PATCH}"
+echo $LIBUV_VERSION
 echo
 echo "nghttp2"
 echo "========================="
-grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
+NGHTTP2_VERSION=$(grep -oP '(?<=#define NGHTTP2_VERSION ).*\"' node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h |sed -e 's/^"//' -e 's/"$//')
+echo $NGHTTP2_VERSION
 echo
 echo "nghttp3"
 echo "========================="
-grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
+NGHTTP3_VERSION=$(grep -oP '(?<=#define NGHTTP3_VERSION ).*\"' node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h |sed -e 's/^"//' -e 's/"$//')
+echo $NGHTTP3_VERSION
 echo
 echo "ngtcp2"
 echo "========================="
-grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
+NGTCP2_VERSION=$(grep -oP '(?<=#define NGTCP2_VERSION ).*\"' node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h |sed -e 's/^"//' -e 's/"$//')
+echo $NGTCP2_VERSION
 echo
 echo "ICU"
 echo "========================="
-grep "url" node-v${version}/tools/icu/current_ver.dep
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
+ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
+echo "${ICU_MAJOR}.${ICU_MINOR}"
+echo
+echo "simdutf"
+echo "========================="
+SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//')
+echo $SIMDUTF_VERSION
+echo
+echo "ada"
+echo "========================="
+ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//')
+ADA_VERSION=${ADA_VERSION:-0}
+echo "${ADA_VERSION}"
 echo
 echo "punycode"
 echo "========================="
-grep "'version'" node-v${version}/lib/punycode.js
-echo
-echo "uvwasi"
-echo "========================="
-grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
-grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
-grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
+PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js)
+echo $PUNYCODE_VERSION
 echo
 echo "npm"
 echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
+NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json)
+echo $NPM_VERSION
+echo
+echo "corepack"
+echo "========================="
+COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json)
+echo $COREPACK_VERSION
+echo
+echo "uvwasi"
+echo "========================="
+UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
+UVWASI_MINOR=$(grep -oP '(?<=#define UVWASI_VERSION_MINOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
+UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
+UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}"
+echo $UVWASI_VERSION
+echo
+echo "histogram_c"
+echo "========================="
+HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//')
+echo $HISTOGRAM_VERSION
 echo
 echo "Make sure these versions match what is in the RPM spec file"
 

SPECS/nodejs.spec

@@ -44,7 +44,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 20
-%global nodejs_minor 5
+%global nodejs_minor 11
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -69,7 +69,7 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_version 1.19.1
+%global c_ares_version 1.20.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_version 8.1.1
@@ -78,7 +78,7 @@
 %global libuv_version 1.46.0
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.55.1
+%global nghttp2_version 1.58.0
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_version 0.7.0
@@ -106,10 +106,10 @@
 %endif
 
 # simduft from deps/simdutf/simdutf.h
-%global simduft_version 3.2.14
+%global simduft_version 4.0.4
 
 # ada from deps/ada/ada.h
-%global ada_version 2.5.1
+%global ada_version 2.7.4
 
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@@ -122,7 +122,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 9.8.0
+%global npm_version 10.2.4
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -132,10 +132,10 @@
 
 # Node.js 16.9.1 and later comes with an experimental package management tool
 # corepack - from deps/corepack/package.json
-%global corepack_version 0.19.0
+%global corepack_version 0.23.0
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_version 0.0.18
+%global uvwasi_version 0.0.19
 
 # histogram_c - from deps/histogram/include/hdr/hdr_histogram_version.h
 %global histogram_version 0.11.8
@@ -177,19 +177,21 @@ Source8: npmrc.builtin.in
 # Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
 Source101: cjs-module-lexer-1.2.2.tar.gz
 # The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
-# Version source: Makefile
+# Version source (cjs-module-lexer tarball): Makefile
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
 
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz
-# Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.22.1.tar.gz
-# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
-# Version source: build/Dockerfile
-Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
+# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.28.3.tar.gz
+# The WASM blob was made using wasi-sdk v16; compiler libraries are linked in.
+# Version source: deps/undici/src/lib/llhttp/wasm_build_env.txt
+# Also check (undici tarball): lib/llhttp/wasm_build_env.txt
+Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-wasi-sdk-16.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch3: nodejs-fips-disable-options.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -432,7 +434,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
 export LDFLAGS="%{build_ldflags}"
 
 %{__python3} configure.py --prefix=%{_prefix} --verbose \
-           --shared-openssl \
+           --shared-openssl --openssl-conf-name=openssl_conf \
            --shared-zlib \
            --shared-brotli \
            %{!?with_bundled:--shared-libuv} \
@@ -452,7 +454,7 @@ make BUILDTYPE=Release %{?_smp_mflags}
 
 # Extract the ICU data and convert it to the appropriate endianness
 pushd deps/
-tar xfz %SOURCE3
+tar xfz %{SOURCE3}
 
 pushd icu/source
 
@@ -720,6 +722,25 @@ end
 
 
 %changelog
+* Wed Feb 21 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.1-1
+- Rebase to version 20.11.1
+- Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 (high)
+- Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 (medium)
+
+* Fri Jan 19 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.0-1
+- Rebase to version 20.11.0
+- Resolves: RHEL-21434
+
+* Thu Nov 09 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.9.0-1
+- Rebase to LTS
+- Resolves: RHEL-16159
+
+* Wed Oct 18 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.8.1-1
+- Update node and nghttp
+- Add fips patch
+- Fixes CVE-2023-44487 (nghttp)
+- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333
+
 * Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1
 - Rebase to new security release
 - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)