diff --git a/.gitignore b/.gitignore
index d8fc543..3f9ed36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.22.5-stripped.tar.gz
+SOURCES/node-v12.20.1-stripped.tar.gz
diff --git a/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
new file mode 100644
index 0000000..88a9d75
--- /dev/null
+++ b/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
++++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
++  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
diff --git a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
new file mode 100644
index 0000000..c2b1f3e
--- /dev/null
+++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@@ -0,0 +1,99 @@
+From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
++++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
++      if (section === '__proto__') {
++        // not allowed
++        // keep parsing the section, but don't attach it.
++        p = {}
++        return
++      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
++      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
++      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++  foo: 'baz',
++  other: {
++    foo: 'asdf',
++  },
++  kid: {
++    foo: {
++      foo: 'kid',
++    },
++  },
++  arrproto: {
++    hello: 'snyk',
++    thanks: true,
++  },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
diff --git a/nodejs-tarball.sh b/nodejs-tarball.sh
index 2ed756a..f3f3298 100755
--- a/nodejs-tarball.sh
+++ b/nodejs-tarball.sh
@@ -185,19 +185,15 @@ echo "punycode"
 echo "========================="
 grep "'version'" node-v${version}/lib/punycode.js
 echo
-echo "npm"
-echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
-echo
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
-echo "brotli"
+echo "npm"
 echo "========================="
-grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h
+grep "\"version\":" node-v${version}/deps/npm/package.json
 echo
 echo "Make sure these versions match what is in the RPM spec file"
 
diff --git a/nodejs.spec b/nodejs.spec
index 28a459a..fc6939a 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 22
-%global nodejs_patch 5
+%global nodejs_minor 20
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -57,8 +57,8 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
+%global c_ares_minor 16
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # http-parser - from deps/http_parser/http_parser.h
@@ -106,7 +106,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 14
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -167,16 +167,12 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
 
-# Upstream patch to use getauxval
-Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
+# CVE-2020-7774
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
 
-# Make FIPS always available
-#  https://github.com/nodejs/node/issues/34903
-Patch4: 0004-always-available-fips-options.patch
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
 
-Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
-
-BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@@ -188,13 +184,13 @@ BuildRequires: gcc-c++ >= 6.3.0
 BuildRequires: nodejs-packaging
 BuildRequires: chrpath
 BuildRequires: libatomic
-BuildRequires: systemtap-sdt-devel
 
 %if %{with bootstrap}
 Provides: bundled(http-parser) = %{http_parser_version}
 Provides: bundled(libuv) = %{libuv_version}
 Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
+BuildRequires: systemtap-sdt-devel
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@@ -458,6 +454,7 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-brotli \
 #           --without-dtrace \
 #           --with-intl=small-icu \
+#           --debug-nghttp2 \
 #           --openssl-use-def-ca-store
 #%else
 #./configure --prefix=%{_prefix} \
@@ -467,6 +464,7 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-zlib \
 #           --shared-brotli \
 #           --shared-libuv \
+#           --shared-nghttp2 \
 #           --with-dtrace \
 #           --with-intl=%{icu_flag} \
 #           --with-icu-default-data-dir=%{icudatadir} \
@@ -483,8 +481,8 @@ export LDFLAGS="%{build_ldflags}"
            --shared-brotli \
            --without-dtrace \
            --with-intl=small-icu \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
@@ -495,8 +493,8 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=%{icu_flag} \
            --with-icu-default-data-dir=%{icudatadir} \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %endif
 
 %else
@@ -507,8 +505,8 @@ export LDFLAGS="%{build_ldflags}"
            --shared-zlib \
            --without-dtrace \
            --with-intl=small-icu \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
@@ -518,8 +516,8 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=%{icu_flag} \
            --with-icu-default-data-dir=%{icudatadir} \
-           --openssl-use-def-ca-store \
-           --openssl-default-cipher-list=PROFILE=SYSTEM
+           --debug-nghttp2 \
+           --openssl-use-def-ca-store
 %endif
 
 %endif
@@ -872,42 +870,14 @@ end
 
 
 %changelog
-* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
-- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
-- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
-- Resolves RHBZ#1951621 (make FIPS always available)
-- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093
-- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399
-- Resolves: RHBZ#1993927 (make FIPS always available)
-
-* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
-- Resolves CVE-2021-23362 CVE-2021-27290
-- Resolves: RHBZ#1991584, RHBZ#1991578
-- Add missing CVE trackers
-
-* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
-- Resolves: RHBZ#1980031, RHBZ#1978201
-- Fix typo, BR systemtap-sdt-level always, remove y18n patch
-
-* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
-- Resolves: RHBZ#1980031, RHBZ#1978201
-- Resolves #1952915
-- Resolves CVE-2021-22918(libuv), use system cipher list
-
-* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
-- Resolves: RHBZ#1932316, RHBZ#1932365
-- remove --debug-nghttp2 option
-- remove ini patch
-- Backport patch to use getauxval
-
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
 - Security rebase for January security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
-- Resolves: RHBZ#1913000, RHBZ#1912952
-- Resolves: RHBZ#1912635, RHBZ#1893984
+- Resolves: RHBZ#1916460, RHBZ#1914786
+- Resolves: RHBZ#1914784, RHBZ#1916396
 
 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
-- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765
+- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
 - c-ares, ajv and y18n CVEs and yarn installability issues
 
 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
diff --git a/sources b/sources
index fde8492..9c04416 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 SHA1 (icu4c-67_1-src.tgz) = 6822a4a94324d1ba591b3e8ef084e4491af253c1
-SHA1 (node-v12.22.5-stripped.tar.gz) = bb98afb22215e659a77853964f7575da6b1535e3
+SHA1 (node-v12.20.1-stripped.tar.gz) = f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896