import UBI nodejs-18.20.2-2.module+el9.4.0+21742+692df1ea

2024-05-09 09:27:57 +00:00 · 2024-05-09 09:27:57 +00:00 · a2d135f341
commit a2d135f341
parent f5f6ea6550
6 changed files with 262 additions and 58 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,5 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
-SOURCES/icu4c-73_2-src.tgz
+SOURCES/icu4c-74_2-src.tgz
-SOURCES/node-v18.19.1-stripped.tar.gz
+SOURCES/node-v18.20.2-stripped.tar.gz
-SOURCES/undici-5.28.3.tar.gz
+SOURCES/undici-5.28.4.tar.gz
 SOURCES/wasi-sdk-11.0-linux.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,5 +1,5 @@
-b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz
-3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
+43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz
-7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz
+09d2d4e4e9984ddb4d89df02465a8fde1917a2a7 SOURCES/node-v18.20.2-stripped.tar.gz
-b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
+d38d72bec82e3c41a4de73d6ee56d9c9eff5f403 SOURCES/undici-5.28.4.tar.gz
 ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
--- a/SOURCES/CVE-2024-28182.patch
+++ b/SOURCES/CVE-2024-28182.patch
@ -0,0 +1,157 @@
 Backport from upstream commits.
 https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
 https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
 diff -ur node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
 --- node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h	2024-04-15 14:38:00.000000000 +0200
 +++ node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h	2024-04-15 14:43:36.000000000 +0200
@@ -440,7 +440,12 @@
    * exhaustion on server side to send these frames forever and does
    * not read network.
    */
 -  NGHTTP2_ERR_FLOODED = -904
 +  NGHTTP2_ERR_FLOODED = -904,
 +  /**
 +   * When a local endpoint receives too many CONTINUATION frames
 +   * following a HEADER frame.
 +   */
 +  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
 } nghttp2_error;
 /**
@@ -2775,6 +2780,17 @@
 /**
  * @function
 + *
 + * This function sets the maximum number of CONTINUATION frames
 + * following an incoming HEADER frame.  If more than those frames are
 + * received, the remote endpoint is considered to be misbehaving and
 + * session will be closed.  The default value is 8.
 + */
 +NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
 +                                                         size_t val);
 +
 +/**
 + * @function
  *
  * Initializes |*session_ptr| for client use.  The all members of
  * |callbacks| are copied to |*session_ptr|.  Therefore |*session_ptr|
 Only in node-v18.19.1/deps/nghttp2/lib/includes/nghttp2: nghttp2.h.orig
 diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c
 --- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c	2024-04-15 14:38:00.000000000 +0200
 +++ node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c	2024-04-15 14:41:10.000000000 +0200
@@ -336,6 +336,8 @@
            "closed";
   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
     return "SETTINGS frame contained more than the maximum allowed entries";
 +  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
 +    return "Too many CONTINUATION frames following a HEADER frame";
   default:
     return "Unknown error code";
   }
 diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c
 --- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c	2024-04-15 14:38:00.000000000 +0200
 +++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c	2024-04-15 14:43:36.000000000 +0200
@@ -150,3 +150,8 @@
   option->stream_reset_burst = burst;
   option->stream_reset_rate = rate;
 }
 +
 +void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
 +  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
 +  option->max_continuations = val;
 +}
 diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h
 --- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h	2024-04-15 14:38:00.000000000 +0200
 +++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h	2024-04-15 14:43:36.000000000 +0200
@@ -71,6 +71,7 @@
   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
 +  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
 } nghttp2_option_flag;
 /**
@@ -99,6 +100,10 @@
    */
   size_t max_settings;
   /**
 +   * NGHTTP2_OPT_MAX_CONTINUATIONS
 +   */
 +  size_t max_continuations;
 +  /**
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
    */
 diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c
 --- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c	2024-04-15 14:38:00.000000000 +0200
 +++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c	2024-04-15 14:43:36.000000000 +0200
@@ -496,6 +496,7 @@
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
 +  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -584,6 +585,10 @@
                            option->stream_reset_burst,
                            option->stream_reset_rate);
     }
 +
 +    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
 +      (*session_ptr)->max_continuations = option->max_continuations;
 +    }
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
@@ -6778,6 +6783,8 @@
           }
         }
         session_inbound_frame_reset(session);
 +
 +        session->num_continuations = 0;
       }
       break;
     }
@@ -6899,6 +6906,10 @@
       }
 #endif /* DEBUGBUILD */
 +      if (++session->num_continuations > session->max_continuations) {
 +        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
 +      }
 +
       readlen = inbound_frame_buf_read(iframe, in, last);
       in += readlen;
 Only in node-v18.19.1/deps/nghttp2/lib: nghttp2_session.c.orig
 diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h
 --- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h	2024-04-15 14:38:00.000000000 +0200
 +++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h	2024-04-15 14:41:10.000000000 +0200
@@ -110,6 +110,10 @@
 #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
 #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
 +/* The default max number of CONTINUATION frames following an incoming
 +   HEADER frame. */
 +#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
 +
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
@@ -290,6 +294,12 @@
   size_t max_send_header_block_length;
   /* The maximum number of settings accepted per SETTINGS frame. */
   size_t max_settings;
 +  /* The maximum number of CONTINUATION frames following an incoming
 +     HEADER frame. */
 +  size_t max_continuations;
 +  /* The number of CONTINUATION frames following an incoming HEADER
 +     frame.  This variable is reset when END_HEADERS flag is seen. */
 +  size_t num_continuations;
   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
   uint32_t next_stream_id;
   /* The last stream ID this session initiated.  For client session,
--- a/SOURCES/nodejs-fips-disable-options.patch
+++ b/SOURCES/nodejs-fips-disable-options.patch
@ -13,7 +13,6 @@ are similarly disabled.
 Upstream report: https://github.com/nodejs/node/pull/48950
 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
 Customer case: https://access.redhat.com/support/cases/#/case/03711488
 ---
 lib/crypto.js             | 10 ++++++++++
 lib/internal/errors.js    |  6 ++++++
@ -80,3 +79,4 @@ index 5734d8f..ef9d1b1 100644
     if (fips_provider == nullptr)
 -- 
 2.43.2
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
@ -135,67 +135,109 @@ rm -f node-v${version}.tar.gz
 set +e
 # Determine the bundled versions of the various packages
 echo "Included software versions"
 echo "-------------------------"
 echo
 echo "Node.js version"
 echo "========================="
 echo "${version}"
 echo
 echo "Bundled software versions"
 echo "-------------------------"
 echo
-echo "libnode shared object version"
+echo "libnode shared object version (nodejs_soversion)"
 echo "========================="
-grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h
+NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h)
 echo "${NODE_SOVERSION}"
 echo
 echo "V8"
 echo "========================="
-grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h
+V8_MAJOR=$(grep -oP '(?<=#define V8_MAJOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h)
-grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h
+V8_MINOR=$(grep -oP '(?<=#define V8_MINOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h)
-grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h
+V8_BUILD=$(grep -oP '(?<=#define V8_BUILD_NUMBER )\d+' node-v${version}/deps/v8/include/v8-version.h)
-grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h
+V8_PATCH=$(grep -oP '(?<=#define V8_PATCH_LEVEL )\d+' node-v${version}/deps/v8/include/v8-version.h)
 echo "${V8_MAJOR}.${V8_MINOR}.${V8_BUILD}.${V8_PATCH}"
 echo
 echo "c-ares"
 echo "========================="
-grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h
+C_ARES_VERSION=$(grep -oP '(?<=#define ARES_VERSION_STR ).*\"' node-v${version}/deps/cares/include/ares_version.h |sed -e 's/^"//' -e 's/"$//')
-grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h
+echo $C_ARES_VERSION
 grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
 echo
 echo "llhttp"
 echo "========================="
-grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h
+LLHTTP_MAJOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MAJOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
-grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h
+LLHTTP_MINOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MINOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
-grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h
+LLHTTP_PATCH=$(grep -oP '(?<=#define LLHTTP_VERSION_PATCH )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
 LLHTTP_VERSION="${LLHTTP_MAJOR}.${LLHTTP_MINOR}.${LLHTTP_PATCH}"
 echo $LLHTTP_VERSION
 echo
 echo "libuv"
 echo "========================="
-grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h
+UV_MAJOR=$(grep -oP '(?<=#define UV_VERSION_MAJOR )\d+' node-v${version}/deps/uv/include/uv/version.h)
-grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h
+UV_MINOR=$(grep -oP '(?<=#define UV_VERSION_MINOR )\d+' node-v${version}/deps/uv/include/uv/version.h)
-grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h
+UV_PATCH=$(grep -oP '(?<=#define UV_VERSION_PATCH )\d+' node-v${version}/deps/uv/include/uv/version.h)
 LIBUV_VERSION="${UV_MAJOR}.${UV_MINOR}.${UV_PATCH}"
 echo $LIBUV_VERSION
 echo
 echo "nghttp2"
 echo "========================="
-grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
+NGHTTP2_VERSION=$(grep -oP '(?<=#define NGHTTP2_VERSION ).*\"' node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h |sed -e 's/^"//' -e 's/"$//')
 echo $NGHTTP2_VERSION
 echo
 echo "nghttp3"
 echo "========================="
-grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
+NGHTTP3_VERSION=$(grep -oP '(?<=#define NGHTTP3_VERSION ).*\"' node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h |sed -e 's/^"//' -e 's/"$//')
 echo $NGHTTP3_VERSION
 echo
 echo "ngtcp2"
 echo "========================="
-grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
+NGTCP2_VERSION=$(grep -oP '(?<=#define NGTCP2_VERSION ).*\"' node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h |sed -e 's/^"//' -e 's/"$//')
 echo $NGTCP2_VERSION
 echo
 echo "ICU"
 echo "========================="
-grep "url" node-v${version}/tools/icu/current_ver.dep
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
 ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
 echo "${ICU_MAJOR}.${ICU_MINOR}"
 echo
 echo "simdutf"
 echo "========================="
 SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//')
 echo $SIMDUTF_VERSION
 echo
 echo "ada"
 echo "========================="
 ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//')
 ADA_VERSION=${ADA_VERSION:-0}
 echo "${ADA_VERSION}"
 echo
 echo "punycode"
 echo "========================="
-grep "'version'" node-v${version}/lib/punycode.js
+PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js)
-echo
+echo $PUNYCODE_VERSION
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
 echo "npm"
 echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
+NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json)
 echo $NPM_VERSION
 echo
 echo "corepack"
 echo "========================="
 COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json)
 echo $COREPACK_VERSION
 echo
 echo "uvwasi"
 echo "========================="
 UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
 UVWASI_MINOR=$(grep -oP '(?<=#define UVWASI_VERSION_MINOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
 UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
 UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}"
 echo $UVWASI_VERSION
 echo
 echo "histogram_c"
 echo "========================="
 HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//')
 echo $HISTOGRAM_VERSION
 echo
 echo "Make sure these versions match what is in the RPM spec file"
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -40,8 +40,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 19
+%global nodejs_minor 20
-%global nodejs_patch 1
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@ -65,10 +65,10 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_version 1.20.1
+%global c_ares_version 1.27.0
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 6.1.0
+%global llhttp_version 6.1.1
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_version 1.44.2
@ -89,7 +89,7 @@
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 73
+%global icu_major 74
 %global icu_minor 2
 %global icu_version %{icu_major}.%{icu_minor}
@ -108,13 +108,13 @@
 %endif
 # simduft from deps/simdutf/simdutf.h
-%global simduft_major 3
+%global simduft_major 4
-%global simduft_minor 2
+%global simduft_minor 0
-%global simduft_patch 14
+%global simduft_patch 8
 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
 # ada from deps/ada/ada.h
-%global ada_version 2.6.0
+%global ada_version 2.7.6
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@ -126,7 +126,7 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.2.4
+%global npm_version 10.5.0
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -181,14 +181,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.4.tar.gz
-# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
+# Adjustments: rm -f undici-5.28.4/lib/llhttp/llhttp*.wasm
 # Build uses alpine image, see alpine for sources for wasi-sdk
-Source102: undici-5.28.3.tar.gz
+Source102: undici-5.28.4.tar.gz
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch3: nodejs-fips-disable-options.patch
 Patch4: CVE-2024-28182.patch
 BuildRequires: make
 BuildRequires: python3-devel
@ -530,6 +531,11 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
    -executable -type f \
    -exec chmod -x {} \;
 # Remove powwershell files form npm
 # it isn't useful for linux systems
 # is caused problems - it creates /usr/bin/pwsh requirement
 find %{buildroot}%{_prefix}/lib/node_modules/npm/bin/*.ps1 -executable -type f -exec rm {} \;
 # The above command is a little overzealous. Add a few permissions back.
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
@ -628,19 +634,18 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %changelog
-* Thu Feb 29 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
+* Mon Apr 15 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-2
 - Rebase to 18.20.2
 - Fixes: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629
 * Tue Mar 05 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
 - Rebase to version 18.19.1
- Fix FIPS handling of the cmd-line options (RHBZ#2226726)
+- Fixes: CVE-2024-21892 CVE-2024-22019 (high)
- Resolves: RHEL-26695 RHEL-26009 RHEL-26690
+- Fixes: CVE-2023-46809 (medium)
 * Thu Jan 18 2024 Jan Staněk <jstanek@redhat.com> - 1:18.19.0-1
 - Rebase to version 18.19.0
-  Resolves: RHEL-21438
+  Resolves: RHEL-21436
 * Sat Oct 14 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.18.2-1
 - Rebase to 18.18.2 (Security release)
 - Switch icu from zip to tgz
 - Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333
 * Wed Aug 23 2023 Jan Staněk <jstanek@redhat.com> - 1:18.17.1-1
 - Rebase to version 18.17.1