import UBI nodejs-22.22.2-1.module+el8.10.0+24148+847b6786

This commit is contained in:
AlmaLinux RelEng Bot 2026-04-08 15:27:56 -04:00
parent d9a6423cdb
commit 3dff411c5f
7 changed files with 7871 additions and 44 deletions

.gitignore vendored

@ -1,7 +1,7 @@
SOURCES/cjs-module-lexer-2.1.0.tar.gz
SOURCES/icu4c-77_1-data-bin-b.zip
SOURCES/icu4c-77_1-data-bin-l.zip
SOURCES/node-v22.22.0-stripped.tar.gz
SOURCES/undici-6.23.0.tar.gz
SOURCES/cjs-module-lexer-2.2.0.tar.gz
SOURCES/icu4c-78.2-data-bin-b.zip
SOURCES/icu4c-78.2-data-bin-l.zip
SOURCES/node-v22.22.2-stripped.tar.gz
SOURCES/undici-6.24.1.tar.gz
SOURCES/wasi-sdk-wasi-sdk-12.tar.gz
SOURCES/wasi-sdk-wasi-sdk-20.tar.gz


@ -1,7 +1,7 @@
aecfb2810d05c3cef0e65a512dd980d6ba751076 SOURCES/cjs-module-lexer-2.1.0.tar.gz
c459faa36dedc60af6a0c6d5b9b84b6198389bf0 SOURCES/icu4c-77_1-data-bin-b.zip
c602459f93a43dfe7440686b46430e93a85dfc06 SOURCES/icu4c-77_1-data-bin-l.zip
a2924717a7ac98442f2ce7aa517fdfa10796ad45 SOURCES/node-v22.22.0-stripped.tar.gz
253cb4d8bd4aab74bf3723d6bf5aa4178860174e SOURCES/undici-6.23.0.tar.gz
7f1e286f563622e12e0e9a9283508138127373ce SOURCES/cjs-module-lexer-2.2.0.tar.gz
7a91e81c4f2c8368d80285a5bbdfe278d68e4a84 SOURCES/icu4c-78.2-data-bin-b.zip
b9f5918e2118ef8531b0ffc04b3d50e951e3a166 SOURCES/icu4c-78.2-data-bin-l.zip
ed26569e33179ca1a329eef2d5f8cfe63abdad58 SOURCES/node-v22.22.2-stripped.tar.gz
acae27bd2c667059f6ae526c3567ae41add4ba0b SOURCES/undici-6.24.1.tar.gz
5ea3a1deb65a52a36ceb41324da690f54b2a4805 SOURCES/wasi-sdk-wasi-sdk-12.tar.gz
da40abcb73a6dddafced6174d24ed49e414cda3c SOURCES/wasi-sdk-wasi-sdk-20.tar.gz


@ -0,0 +1,102 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: tjuhasz <tjuhasz@redhat.com>
Date: Tue, 25 Feb 2026 14:21:26 +0100
Subject: [PATCH] CVE-2026-25547: Fix brace expansion vulnerability
Add expansion limit to prevent DoS attacks through excessive
brace expansion in the brace-expansion module.
---
deps/npm/node_modules/brace-expansion/index.js | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/deps/npm/node_modules/brace-expansion/index.js b/deps/npm/node_modules/brace-expansion/index.js
--- a/deps/npm/node_modules/brace-expansion/index.js 2026-01-12 23:55:24.000000000 +0100
+++ b/deps/npm/node_modules/brace-expansion/index.js 2026-02-25 14:21:26.829483831 +0100
@@ -8,6 +8,8 @@
var escComma = '\0COMMA'+Math.random()+'\0';
var escPeriod = '\0PERIOD'+Math.random()+'\0';
+const EXPANSION_MAX = 100_000;
+
function numeric(str) {
return parseInt(str, 10) == str
? parseInt(str, 10)
@@ -61,9 +63,11 @@
return parts;
}
-function expandTop(str) {
+function expandTop(str, options = {}) {
if (!str)
return [];
+
+ const { max = EXPANSION_MAX } = options;
// I don't know why Bash 4.3 does this, but it does.
// Anything starting with {} will have the first two bytes preserved
@@ -75,7 +79,7 @@
str = '\\{\\}' + str.substr(2);
}
- return expand(escapeBraces(str), true).map(unescapeBraces);
+ return expand(escapeBraces(str), max, true).map(unescapeBraces);
}
function embrace(str) {
@@ -92,7 +96,7 @@
return i >= y;
}
-function expand(str, isTop) {
+function expand(str, max, isTop) {
var expansions = [];
var m = balanced('{', '}', str);
@@ -101,11 +105,11 @@
// no need to expand pre, since it is guaranteed to be free of brace-sets
var pre = m.pre;
var post = m.post.length
- ? expand(m.post, false)
+ ? expand(m.post, max, false)
: [''];
if (/\$$/.test(m.pre)) {
- for (var k = 0; k < post.length; k++) {
+ for (var k = 0; k < post.length && k < max; k++) {
var expansion = pre+ '{' + m.body + '}' + post[k];
expansions.push(expansion);
}
@@ -118,7 +122,7 @@
// {a},b}
if (m.post.match(/,(?!,).*\}/)) {
str = m.pre + '{' + m.body + escClose + m.post;
- return expand(str);
+ return expand(str, max, true);
}
return [str];
}
@@ -130,7 +134,7 @@
n = parseCommaParts(m.body);
if (n.length === 1) {
// x{{a,b}}y ==> x{a}y x{b}y
- n = expand(n[0], false).map(embrace);
+ n = expand(n[0], max, false).map(embrace);
if (n.length === 1) {
return post.map(function(p) {
return m.pre + n[0] + p;
@@ -185,12 +189,12 @@
N = [];
for (var j = 0; j < n.length; j++) {
- N.push.apply(N, expand(n[j], false));
+ N.push.apply(N, expand(n[j], max, false));
}
}
for (var j = 0; j < N.length; j++) {
- for (var k = 0; k < post.length; k++) {
+ for (var k = 0; k < post.length && expansions.length < max; k++) {
var expansion = pre + N[j] + post[k];
if (!isTop || isSequence || expansion)
expansions.push(expansion);
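Review bot: At L108→L109 the `{a},b}` re-expansion changes `return expand(str);` to `return expand(str, max, true);`, which besides threading `max` also turns `isTop` from undefined into `true`; since `isTop` gates the empty-result filter `if (!isTop || isSequence || expansion)` at L133 in the same function, that path now drops empty expansions when reached from a nested `expand(m.post, max, false)` call, a behaviour change the patch description does not mention. If only the limit was intended, forwarding the caller's own flag, `return expand(str, max, isTop);`, keeps the prior semantics. The cap is applied to the join loops at L100 and L131, but none of the hunks in this patch touches the `{x..y}` sequence branch that fills `N` ahead of the `@@ -185` hunk, so please confirm that branch is bounded by `max` as well; otherwise `N` can still be filled completely before the capped loop runs. Minor: once `expansions.length` reaches `max` the inner loop at L131 exits at once but the outer `for (var j …)` still walks the rest of `N`, so a `break` there would be cheaper. `expand` begins and ends outside these hunks.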



@ -119,14 +119,12 @@ tar -zxf node-v${version}.tar.gz
rm -rf node-v${version}/deps/openssl
tar -zcf node-v${version}-stripped.tar.gz node-v${version}
# Download the matching version of ICU
rm -f icu4c*-src.tgz icu.md5
ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5')
wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url')
ICUTARBALL=$(ls -1 icu4c*-src.tgz)
echo "$ICUMD5 $ICUTARBALL" > icu.md5
md5sum -c icu.md5
rm -f icu.md5 SHASUMS256.txt
# Download the ICU binary data files
ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\1/g')
ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\2/g')
rm -Rf icu4c-${ICU_MAJOR}.${ICU_MINOR}-data-bin-*.zip
wget $(grep -w 'Source3' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
wget $(grep -w 'Source4' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
@ -196,8 +194,8 @@ echo $NGTCP2_VERSION
echo
echo "ICU"
echo "========================="
ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\1/g')
ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\2/g')
echo "${ICU_MAJOR}.${ICU_MINOR}"
echo
echo "simdutf"
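Review bot: The `wget $(grep -w 'Source3' nodejs.spec | sed …)` and `Source4` lines at L155-L156 fetch the two ICU data zips with no integrity check; the `md5sum -c icu.md5` step in the same hunk only covers `icu4c*-src.tgz` via `current_ver.dep`, and from the hunk counts it looks like that step is on the removed side, so the script may end up verifying nothing it downloads. Pinning the expected checksums of the zips in the script and running `sha256sum -c` on them before they are handed to `fedpkg new-sources` would close that gap; the sha1s in `.nodejs.metadata` are recorded separately and nothing here checks the zips against them. In the second hunk (L164-L165) the replacement sed expressions use an unescaped `.` between the two `[[:digit:]]\+` captures, which matches any character; `release-\([[:digit:]]\+\)\.\([[:digit:]]\+\)` would match only the dotted form that the spec's `Source3` URL now uses. The surrounding script continues outside both hunks.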


@ -1458,12 +1458,14 @@ parallel/test-http2-client-request-options-errors.js
parallel/test-http2-client-rststream-before-connect.js
parallel/test-http2-client-setLocalWindowSize.js
parallel/test-http2-client-setNextStreamID-errors.js
parallel/test-http2-client-set-priority.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-client-set-priority.js
parallel/test-http2-client-settings-before-connect.js
parallel/test-http2-client-shutdown-before-connect.js
parallel/test-http2-client-socket-destroy.js
parallel/test-http2-client-stream-destroy-before-connect.js
parallel/test-http2-client-unescaped-path.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-client-unescaped-path.js
parallel/test-http2-client-upload.js
parallel/test-http2-client-upload-reject.js
parallel/test-http2-client-write-before-connect.js
@ -1558,16 +1560,19 @@ parallel/test-http2-large-writes-session-memory-leak.js
parallel/test-http2-malformed-altsvc.js
parallel/test-http2-many-writes-and-destroy.js
parallel/test-http2-max-concurrent-streams.js
parallel/test-http2-max-invalid-frames.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-max-invalid-frames.js
parallel/test-http2-max-session-memory-leak.js
parallel/test-http2-max-settings.js
parallel/test-http2-methods.js
parallel/test-http2-misbehaving-flow-control.js
parallel/test-http2-misbehaving-flow-control-paused.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-misbehaving-flow-control.js
# parallel/test-http2-misbehaving-flow-control-paused.js
parallel/test-http2-misbehaving-multiplex.js
parallel/test-http2-misc-util.js
parallel/test-http2-misused-pseudoheaders.js
parallel/test-http2-multi-content-length.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-multi-content-length.js
parallel/test-http2-multiheaders.js
parallel/test-http2-multiheaders-raw.js
parallel/test-http2-multiplex.js
@ -1592,13 +1597,15 @@ parallel/test-http2-pipe.js
parallel/test-http2-pipe-named-pipe.js
parallel/test-http2-premature-close.js
parallel/test-http2-priority-cycle-.js
parallel/test-http2-priority-event.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-priority-event.js
parallel/test-http2-propagate-session-destroy-code.js
parallel/test-http2-removed-header-stays-removed.js
parallel/test-http2-request-remove-connect-listener.js
parallel/test-http2-request-response-proto.js
parallel/test-http2-res-corked.js
parallel/test-http2-reset-flood.js
# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
# parallel/test-http2-reset-flood.js
parallel/test-http2-respond-errors.js
parallel/test-http2-respond-file-204.js
parallel/test-http2-respond-file-304.js
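Review bot: Judging by their names, several of the tests commented out here — `parallel/test-http2-reset-flood.js` (L227), `parallel/test-http2-max-invalid-frames.js` (L195) and the two `test-http2-misbehaving-flow-control*` tests (L202-L203) — cover how the HTTP/2 server copes with a misbehaving peer, and this commit also carries `Patch3: 0001-deps-update-nghttp2-to-1.68.1.patch`, so the package test run no longer exercises the code that update touches. Every disabled entry carries the same `# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661` marker; a short note on what fails in the build environment and which of these are expected to come back when that issue closes would keep the list maintainable, e.g. `# disabled on 25.03.26 (<reason>), re-enable after https://github.com/nodejs/node/issues/60661`.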


@ -79,7 +79,7 @@
%global nodejs_epoch 1
%global nodejs_major 22
%global nodejs_minor 22
%global nodejs_patch 0
%global nodejs_patch 2
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 127
%global nodejs_abi %{nodejs_soversion}
@ -115,7 +115,7 @@
%global libuv_version 1.51.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.64.0
%global nghttp2_version 1.68.1
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_version 1.6.0
@ -124,8 +124,8 @@
%global ngtcp2_version 1.11.0
# ICU - from tools/icu/current_ver.dep
%global icu_major 77
%global icu_minor 1
%global icu_major 78
%global icu_minor 2
%global icu_version %{icu_major}.%{icu_minor}
%global icudatadir %{nodejs_datadir}/icudata
@ -146,7 +146,7 @@
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_version 10.9.4
%global npm_version 10.9.7
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -163,10 +163,10 @@
%global histogram_version 0.11.9
# sqlite - from deps/sqlite/sqlite3.h
%global sqlite_version 3.50.4
%global sqlite_version 3.51.2
# Version: jq '.version' deps/undici/src/package.json
%global undici_version 6.23.0
%global undici_version 6.24.1
Name: nodejs
@ -191,8 +191,8 @@ Source0: node-v%{nodejs_version}-stripped.tar.gz
Source1: npmrc
Source2: btest402.js
# The binary data that icu-small can use to get icu-full capability
Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-b.zip
Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip
Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}.%{icu_minor}/icu4c-%{icu_major}.%{icu_minor}-data-bin-b.zip
Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}.%{icu_minor}/icu4c-%{icu_major}.%{icu_minor}-data-bin-l.zip
Source100: nodejs-sources.sh
Source101: npmrc.builtin.in
Source102: nodejs.pc.in
@ -203,15 +203,15 @@ Source103: v8.pc.in
# Recipes for creating these blobs are included in the sources.
# Version: jq '.version' deps/cjs-module-lexer/package.json
# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/2.1.0.tar.gz
# Adjustments: rm -f cjs-module-lexer-2.1.0/lib/lexer.wasm
Source201: cjs-module-lexer-2.1.0.tar.gz
# Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/2.2.0.tar.gz
# Adjustments: rm -f cjs-module-lexer-2.2.0/lib/lexer.wasm
Source201: cjs-module-lexer-2.2.0.tar.gz
# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
# Version source (cjs-module-lexer tarball): Makefile
Source202: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-12/wasi-sdk-wasi-sdk-12.tar.gz
# Original: https://github.com/nodejs/undici/archive/refs/tags/v6.23.0.tar.gz
# Adjustments: rm -f undici-6.23.0/lib/llhttp/llhttp*wasm*
# Original: https://github.com/nodejs/undici/archive/refs/tags/v6.24.1.tar.gz
# Adjustments: rm -f undici-6.24.1/lib/llhttp/llhttp*wasm*
Source211: undici-%{undici_version}.tar.gz
# The WASM blob was made using wasi-sdk v16; compiler libraries are linked in.
@ -220,8 +220,11 @@ Source211: undici-%{undici_version}.tar.gz
Source212: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-20/wasi-sdk-wasi-sdk-20.tar.gz
Source300: test-runner.sh
Source301: test-should-pass.txt
Patch1: 0001-Remove-unused-OpenSSL-config.patch
Patch2: 0002-fips-disable-options.patch
Patch3: 0001-deps-update-nghttp2-to-1.68.1.patch
Patch4: 0001-CVE-2026-25547-braces-expansion.patch
%global pkgname nodejs
@ -375,14 +378,14 @@ Provides: bundled(ada) = 2.9.2
# undici and cjs-module-lexer ship with pre-built WASM binaries.
%if %{with bundled_cjs_module_lexer}
Provides: bundled(nodejs-cjs-module-lexer) = 2.1.0
Provides: bundled(nodejs-cjs-module-lexer) = 2.2.0
%else
BuildRequires: nodejs-cjs-module-lexer
Requires: nodejs-cjs-module-lexer
%endif
%if %{with bundled_undici}
Provides: bundled(nodejs-undici) = 6.21.2
Provides: bundled(nodejs-undici) = 6.24.1
%else
BuildRequires: nodejs-undici
Requires: nodejs-undici
@ -953,6 +956,11 @@ end
%changelog
* Wed Mar 25 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
- Update to version 22.22.2
Resolves: RHEL-154019
Fixes: CVE-2026-1528 CVE-2026-27135 CVE-2026-27904 CVE-2026-26996 CVE-2026-27135 CVE-2026-1528
* Thu Jan 15 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.0-1
- Update to 22.22.0
Resolves: RHEL-118152
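Review bot: The `Fixes:` line of the new changelog entry (L333) lists `CVE-2026-27135` and `CVE-2026-1528` twice each and does not mention `CVE-2026-25547`, although this commit adds `Patch4: 0001-CVE-2026-25547-braces-expansion.patch` (L311); if that patch belongs to this update the line should read `Fixes: CVE-2026-1528 CVE-2026-25547 CVE-2026-26996 CVE-2026-27135 CVE-2026-27904`. The new `Provides: bundled(nodejs-undici) = 6.24.1` (L324) and `Provides: bundled(nodejs-cjs-module-lexer) = 2.2.0` (L317) are hand-copied versions; the old side shows how that drifts (`6.21.2` against `%global undici_version 6.23.0`), so `Provides: bundled(nodejs-undici) = %{undici_version}` and a matching `%global` for cjs-module-lexer reused in `Source201` would keep them in step. The changelog hunk's trailing context may continue past the end of the page.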