Replace whole repo with latest content from branch stream-12-rhel-8.8.0

Content corresponds with RHEL dist-git commit 3dab532

.gitignore

@@ -1,4 +1,17 @@
-SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.20.1-stripped.tar.gz
+/node-v10.7.0-stripped.tar.gz
+/node-v10.11.0-stripped.tar.gz
+/node-v10.14.1-stripped.tar.gz
+/node-v12.4.0-stripped.tar.gz
+/node-v12.13.1-stripped.tar.gz
+/node-v12.14.1-stripped.tar.gz
+/node-v12.16.1-stripped.tar.gz
+/node-v12.18.1-stripped.tar.gz
 /icu4c-67_1-src.tgz
+/node-v12.18.2-stripped.tar.gz
+/node-v12.18.4-stripped.tar.gz
+/node-v12.19.1-stripped.tar.gz
 /node-v12.20.1-stripped.tar.gz
+/node-v12.21.0-stripped.tar.gz
+/node-v12.22.2-stripped.tar.gz
+/node-v12.22.3-stripped.tar.gz
+/node-v12.22.5-stripped.tar.gz

0002-Install-both-binaries-and-use-libdir.patch

@@ -1,32 +1,36 @@
-From e2ff0fc92ddbaa5535d684e353c55cefe99eb081 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 27 Sep 2022 13:48:12 +0200
-Subject: [PATCH] Install both binaries and use libdir
+From a496364130e7566afb153375b00e0f1d9c96943c Mon Sep 17 00:00:00 2001
+From: Elliott Sales de Andrade <quantum.analyst@gmail.com>
+Date: Tue, 19 Mar 2019 23:22:40 -0400
+Subject: [PATCH] Install both binaries and use libdir.
 
+This allows us to build with a shared library for other users while
+still providing the normal executable.
+
+Signed-off-by: Elliott Sales de Andrade <quantum.analyst@gmail.com>
 Signed-off-by: rpm-build <rpm-build>
 ---
- configure.py     | 7 +++++++
- tools/install.py | 8 +++++---
- 2 files changed, 12 insertions(+), 3 deletions(-)
+ configure.py     |  7 +++++++
+ tools/install.py | 31 ++++++++++++++-----------------
+ 2 files changed, 21 insertions(+), 17 deletions(-)
 
 diff --git a/configure.py b/configure.py
-index 1a7023d..b16db0c 100755
+index b67ad1f..875ebef 100755
 --- a/configure.py
 +++ b/configure.py
-@@ -739,6 +739,12 @@ parser.add_argument('--shared',
+@@ -602,6 +602,12 @@ parser.add_option('--shared',
      help='compile shared library for embedding node in another project. ' +
           '(This mode is not officially supported for regular applications)')
  
-+parser.add_argument('--libdir',
++parser.add_option('--libdir',
 +    action='store',
 +    dest='libdir',
 +    default='lib',
 +    help='a directory to install the shared library into')
 +
- parser.add_argument('--without-v8-platform',
+ parser.add_option('--without-v8-platform',
      action='store_true',
      dest='without_v8_platform',
-@@ -1368,6 +1374,7 @@ def configure_node(o):
+@@ -1168,6 +1174,7 @@ def configure_node(o):
    o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
  
    o['variables']['node_shared'] = b(options.shared)
@@ -35,38 +39,50 @@ index 1a7023d..b16db0c 100755
  
    if options.dest_os == 'android':
 diff --git a/tools/install.py b/tools/install.py
-index a6d1f8b..e3ef9d7 100755
+index 6558029..a1cae2e 100755
 --- a/tools/install.py
 +++ b/tools/install.py
-@@ -144,6 +144,7 @@ def files(action):
+@@ -121,26 +121,23 @@ def subdir_files(path, dest, action):
+ 
+ def files(action):
    is_windows = sys.platform == 'win32'
-   output_file = 'node'
+-  output_file = 'node'
    output_prefix = 'out/Release/'
 +  output_libprefix = output_prefix
  
-   if is_windows:
-     output_file += '.exe'
-@@ -151,8 +152,8 @@ def files(action):
- 
-   if 'true' == variables.get('node_shared'):
-     if is_windows:
--      action([output_prefix + 'libnode.dll'], 'bin/libnode.dll')
--      action([output_prefix + 'libnode.lib'], 'lib/libnode.lib')
-+      action([output_libprefix + 'libnode.dll'], 'bin/libnode.dll')
-+      action([output_libprefix + 'libnode.lib'], 'lib/libnode.lib')
-     elif sys.platform == 'zos':
-       # GYP will output to lib.target; see _InstallableTargetInstallPath
-       # function in tools/gyp/pylib/gyp/generator/make.py
-@@ -176,7 +177,8 @@ def files(action):
-       try_symlink(so_name, link_path)
-     else:
-       output_lib = 'libnode.' + variables.get('shlib_suffix')
--      action([output_prefix + output_lib], 'lib/' + output_lib)
-+      action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
+-  if 'false' == variables.get('node_shared'):
+-    if is_windows:
+-      output_file += '.exe'
++  if is_windows:
++    output_bin = 'node.exe'
++    output_lib = 'node.dll'
+   else:
+-    if is_windows:
+-      output_file += '.dll'
+-    else:
+-      output_file = 'lib' + output_file + '.' + variables.get('shlib_suffix')
+-      # GYP will output to lib.target except on OS X, this is hardcoded
+-      # in its source - see the _InstallableTargetInstallPath function.
+-      if sys.platform != 'darwin':
+-        output_prefix += 'lib.target/'
+-
+-  if 'false' == variables.get('node_shared'):
+-    action([output_prefix + output_file], 'bin/' + output_file)
+-  else:
+-    action([output_prefix + output_file], 'lib/' + output_file)
++    output_bin = 'node'
++    output_lib = 'libnode.' + variables.get('shlib_suffix')
++    # GYP will output to lib.target except on OS X, this is hardcoded
++    # in its source - see the _InstallableTargetInstallPath function.
++    if sys.platform != 'darwin':
++      output_prefix += 'lib.target/'
 +
++  action([output_prefix + output_bin], 'bin/' + output_bin)
++  if 'true' == variables.get('node_shared'):
++    action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
+ 
    if 'true' == variables.get('node_use_dtrace'):
      action(['out/Release/node.d'], 'lib/dtrace/node.d')
- 
 -- 
-2.37.3
+2.26.2
 

0002-install-keep-installing-dtrace-and-systemtap-files.patch

@@ -1,31 +0,0 @@
-From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 26 Sep 2022 16:02:39 +0200
-Subject: [PATCH] install: keep installing dtrace and systemtap files
-
-Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6.
-
-Signed-off-by: rpm-build <rpm-build>
----
- tools/install.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tools/install.py b/tools/install.py
-index 4b01d67..dc16797 100755
---- a/tools/install.py
-+++ b/tools/install.py
-@@ -178,6 +178,11 @@ def files(action):
-       output_lib = 'libnode.' + variables.get('shlib_suffix')
-       action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib)
- 
-+  if 'true' == variables.get('node_use_dtrace'):
-+    action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
-+
-+  action(['src/node.stp'], 'share/systemtap/tapset/')
-+
-   action(['deps/v8/tools/gdbinit'], 'share/doc/node/')
-   action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/')
- 
--- 
-2.37.3
-

0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch

@@ -1,13 +0,0 @@
-diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
-index d720681628..727362aac0 100644
---- a/deps/npm/node_modules/y18n/index.js
-+++ b/deps/npm/node_modules/y18n/index.js
-@@ -11,7 +11,7 @@ function Y18N (opts) {
-   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
- 
-   // internal stuff.
--  this.cache = {}
-+  this.cache = Object.create(null)
-   this.writeQueue = []
- }
- 

0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch

@@ -1,99 +0,0 @@
-From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
-From: isaacs <i@izs.me>
-Date: Tue, 8 Dec 2020 14:21:50 -0800
-Subject: [PATCH] do not allow invalid hazardous string as section name
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/ini/ini.js        |  8 +++++
- deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 deps/npm/node_modules/ini/test/proto.js
-
-diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
-index 590195d..0401258 100644
---- a/deps/npm/node_modules/ini/ini.js
-+++ b/deps/npm/node_modules/ini/ini.js
-@@ -80,6 +80,12 @@ function decode (str) {
-     if (!match) return
-     if (match[1] !== undefined) {
-       section = unsafe(match[1])
-+      if (section === '__proto__') {
-+        // not allowed
-+        // keep parsing the section, but don't attach it.
-+        p = {}
-+        return
-+      }
-       p = out[section] = out[section] || {}
-       return
-     }
-@@ -94,6 +100,7 @@ function decode (str) {
-     // Convert keys with '[]' suffix to an array
-     if (key.length > 2 && key.slice(-2) === '[]') {
-       key = key.substring(0, key.length - 2)
-+      if (key === '__proto__') return
-       if (!p[key]) {
-         p[key] = []
-       } else if (!Array.isArray(p[key])) {
-@@ -125,6 +132,7 @@ function decode (str) {
-     var l = parts.pop()
-     var nl = l.replace(/\\\./g, '.')
-     parts.forEach(function (part, _, __) {
-+      if (part === '__proto__') return
-       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
-       p = p[part]
-     })
-diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
-new file mode 100644
-index 0000000..ab35533
---- /dev/null
-+++ b/deps/npm/node_modules/ini/test/proto.js
-@@ -0,0 +1,45 @@
-+var ini = require('../')
-+var t = require('tap')
-+
-+var data = `
-+__proto__ = quux
-+foo = baz
-+[__proto__]
-+foo = bar
-+[other]
-+foo = asdf
-+[kid.__proto__.foo]
-+foo = kid
-+[arrproto]
-+hello = snyk
-+__proto__[] = you did a good job
-+__proto__[] = so you deserve arrays
-+thanks = true
-+`
-+var res = ini.parse(data)
-+t.deepEqual(res, {
-+  foo: 'baz',
-+  other: {
-+    foo: 'asdf',
-+  },
-+  kid: {
-+    foo: {
-+      foo: 'kid',
-+    },
-+  },
-+  arrproto: {
-+    hello: 'snyk',
-+    thanks: true,
-+  },
-+})
-+t.equal(res.__proto__, Object.prototype)
-+t.equal(res.kid.__proto__, Object.prototype)
-+t.equal(res.kid.foo.__proto__, Object.prototype)
-+t.equal(res.arrproto.__proto__, Object.prototype)
-+t.equal(Object.prototype.foo, undefined)
-+t.equal(Object.prototype[0], undefined)
-+t.equal(Object.prototype['0'], undefined)
-+t.equal(Object.prototype[1], undefined)
-+t.equal(Object.prototype['1'], undefined)
-+t.equal(Array.prototype[0], undefined)
-+t.equal(Array.prototype[1], undefined)
---
-2.29.2
-

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

nodejs-tarball.sh

@@ -185,15 +185,19 @@ echo "punycode"
 echo "========================="
 grep "'version'" node-v${version}/lib/punycode.js
 echo
+echo "npm"
+echo "========================="
+grep "\"version\":" node-v${version}/deps/npm/package.json
+echo
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
-echo "npm"
+echo "brotli"
 echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
+grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h
 echo
 echo "Make sure these versions match what is in the RPM spec file"
 

nodejs.spec

@@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 20
-%global nodejs_patch 1
+%global nodejs_minor 22
+%global nodejs_patch 5
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -57,8 +57,8 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
-%global c_ares_minor 16
-%global c_ares_patch 1
+%global c_ares_minor 17
+%global c_ares_patch 2
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # http-parser - from deps/http_parser/http_parser.h
@@ -106,7 +106,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 10
+%global npm_patch 14
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -167,12 +167,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
 
-# CVE-2020-7774
-Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+# Upstream patch to use getauxval
+Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
 
-# CVE-2020-7788
-Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+# Make FIPS always available
+#  https://github.com/nodejs/node/issues/34903
+Patch4: 0004-always-available-fips-options.patch
 
+Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
+
+BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@@ -184,13 +188,13 @@ BuildRequires: gcc-c++ >= 6.3.0
 BuildRequires: nodejs-packaging
 BuildRequires: chrpath
 BuildRequires: libatomic
+BuildRequires: systemtap-sdt-devel
 
 %if %{with bootstrap}
 Provides: bundled(http-parser) = %{http_parser_version}
 Provides: bundled(libuv) = %{libuv_version}
 Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
-BuildRequires: systemtap-sdt-devel
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@@ -454,7 +458,6 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-brotli \
 #           --without-dtrace \
 #           --with-intl=small-icu \
-#           --debug-nghttp2 \
 #           --openssl-use-def-ca-store
 #%else
 #./configure --prefix=%{_prefix} \
@@ -481,8 +484,8 @@ export LDFLAGS="%{build_ldflags}"
            --shared-brotli \
            --without-dtrace \
            --with-intl=small-icu \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %else
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
@@ -493,8 +496,8 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=%{icu_flag} \
            --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %endif
 
 %else
@@ -505,8 +508,8 @@ export LDFLAGS="%{build_ldflags}"
            --shared-zlib \
            --without-dtrace \
            --with-intl=small-icu \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %else
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
@@ -516,8 +519,8 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=%{icu_flag} \
            --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %endif
 
 %endif
@@ -870,14 +873,42 @@ end
 
 
 %changelog
+* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
+- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
+- Resolves CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
+- Resolves: RHBZ#1951621 (make FIPS always available)
+- Resolves: RHBZ#1988596, RHBZ#1993814, RHBZ#1993808, RHBZ#1993094
+- Resolves: RHBZ#1986742, RHBZ#1993946, RHBZ#1993939, RHBZ#1989426
+
+* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
+- Resolves CVE-2021-23362 CVE-2021-27290
+- Resolves: RHBZ#1945512, RHBZ#1945286
+- Add missing CVE trackers
+
+* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
+- Resolves: RHBZ#1979843, RHBZ#1977759
+- Resolves: RHBz#1952915
+- Fix typo, BR systemtap-sdt-level always, remove y18n patch
+
+* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
+- Resolves: RHBZ#1979843, RHBZ#1977759
+- Resolves: RHBz#1952915
+- Resolves CVE-2021-22918(libuv), use system cipher list
+
+* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
+- Resolves: RHBZ#1934566, RHBZ#1934598
+- remove --debug-nghttp2 option
+- remove ini patch
+- Backport patch to use getauxval
+
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
 - Security rebase for January security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
-- Resolves: RHBZ#1916460, RHBZ#1914786
-- Resolves: RHBZ#1914784, RHBZ#1916396
+- Resolves: RHBZ#1913000, RHBZ#1912952
+- Resolves: RHBZ#1912635, RHBZ#1893984
 
 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
-- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
+- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765
 - c-ares, ajv and y18n CVEs and yarn installability issues
 
 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2

package.cfg

@@ -1,2 +0,0 @@
-[koji]
-targets = master f34 f33

sources

@@ -1,2 +1,2 @@
+SHA512 (node-v12.22.5-stripped.tar.gz) = 9bda1a68f6f94710881c0f80dd75168f4eac5a7599f4395f14c97693b1ee571020ea781e90ef15621112a50f3e5b62fb2dfe947f31be2ef20112a6a8f91da93a
 SHA512 (icu4c-67_1-src.tgz) = 4779f1ce1ca7976f6fad6768853ea8c540da54d11509e3b6cfd864a04b5f2db1c3d4b546387f91ad02fb90804525bc37d2543173f0d705d6ca11dc6f2b7640a8
-SHA512 (node-v12.20.1-stripped.tar.gz) = 3f4ee70278921f68ca1ba123f988916072bd5141ffca21413b278110d409c71101a84fcb1cee839d2a081ff5e3fbe2d07dec85b98d747de66a18cbef828b5123