Update to 16.14.0

Resolves: #2042995, #2042970, #2042981, #2042989
Resolves: #2029936, #2024890, #2014499, #2014135
Resolves: #2013834, #1945299

nodejs.spec

@@ -1,15 +1,24 @@
 # bundle dependencies that are not available as Fedora modules
-%bcond_with bootstrap
+%bcond_without bootstrap
+
+%if 0%{?rhel} && 0%{?rhel} < 9
 %bcond_without python3_fixup
+%else
+%bcond_with python3_fixup
+%endif
 
 # LTO is currently broken on Node.js builds
 %define _lto_cflags %{nil}
 
+# Heavy-handed approach to avoiding issues with python
+# bytecompiling files in the node_modules/ directory
+%global __python %{__python3}
+
 # == Master Relase ==
-# This is used by both the nodejs package and the npm subpackage thar
+# This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -20,7 +29,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 10
+%global nodejs_minor 14
 %global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -35,9 +44,9 @@
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 2
 %global v8_major 9
-%global v8_minor 3
-%global v8_build 345
-%global v8_patch 19
+%global v8_minor 4
+%global v8_build 146
+%global v8_patch 24
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@@ -45,28 +54,16 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
-%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
+%global c_ares_version 1.18.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 2
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.4
 
 # libuv - from deps/uv/include/uv/version.h
-%global libuv_major 1
-%global libuv_minor 41
-%global libuv_patch 0
-%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
+%global libuv_version 1.43.0
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_major 1
-%global nghttp2_minor 42
-%global nghttp2_patch 0
-%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
+%global nghttp2_version 1.45.1
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@@ -81,7 +78,7 @@
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 69
+%global icu_major 70
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}
 
@@ -105,29 +102,11 @@
 # punycode - from lib/punycode.js
 # Note: this was merged into the mainline since 0.6.x
 # Note: this will be unmerged in an upcoming major release
-%global punycode_major 2
-%global punycode_minor 1
-%global punycode_patch 0
-%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
+%global punycode_version 2.1.0
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 7
-%global npm_minor 24
-%global npm_patch 0
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
-
-# uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_major 0
-%global uvwasi_minor 0
-%global uvwasi_patch 11
-%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
-
-# histogram_c - assumed from timestamps
-%global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
-%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
+%global npm_version 8.3.1
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -135,8 +114,14 @@
 # base npm version number is increasing.
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
+# uvwasi - from deps/uvwasi/include/uvwasi.h
+%global uvwasi_version 0.0.12
+
+# histogram_c - assumed from timestamps
+%global histogram_version 0.9.7
+
 # Node.js 16.9.1 and later comes with an experimental package management tool
-%global corepack_version 0.9.0
+%global corepack_version 0.10.0
 
 Name: nodejs
 Epoch: %{nodejs_epoch}
@@ -172,10 +157,15 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 BuildRequires: make
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
+BuildRequires: python3-jinja2
+%if !%{with python3_fixup}
+BuildRequires: python-unversioned-command
+%endif
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
 BuildRequires: gcc >= 8.3.0
 BuildRequires: gcc-c++ >= 8.3.0
+BuildRequires: jq
 # needed to generate bundled provides for npm dependencies
 # https://src.fedoraproject.org/rpms/nodejs/pull-request/2
 # https://pagure.io/nodejs-packaging/pull-request/10
@@ -190,8 +180,13 @@ Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
+%if 0%{?fedora} || 0%{?rhel} >= 9
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
 Requires: libnghttp2 >= %{nghttp2_version}
+%else
+%define nghttp2_configure %{nil}
+Provides: bundled(nghttp2) = %{nghttp2_version}
+%endif
 %endif
 
 # Temporarily bundle llhttp because the upstream doesn't
@@ -383,6 +378,8 @@ The API documentation for the Node.js JavaScript runtime.
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
 rm -rf deps/brotli
+rm -rf deps/v8/third_party/jinja2
+rm -rf tools/inspector_protocol/jinja2
 
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
@@ -546,7 +543,7 @@ cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
 ln -sf %{_mandir}  %{buildroot}%{_prefix}/lib/node_modules/npm/man
 
-# Install Gatsby HTML documentation to %{_pkgdocdir}
+# Install Gatsby HTML documentation to %%{_pkgdocdir}
 cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
 
@@ -567,7 +564,7 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
     -exec chmod -x {} \;
 
 # The above command is a little overzealous. Add a few permissions back.
-chmod 0775 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
+chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
 
 # Corepack contains a number of executable"shims", including some for Windows
@@ -598,7 +595,7 @@ LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
 
 # Ensure we have npm and that the version matches
-NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}%{_bindir}/node %{buildroot}%{_bindir}/npm version --json |jq -e '.npm == "%{npm_version}"'
 
 # Make sure i18n support is working
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
@@ -691,6 +688,7 @@ end
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/orgs.7*
+%doc %{_mandir}/man7/logging.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
 %doc %{_mandir}/man7/scope.7*
@@ -706,6 +704,21 @@ end
 
 
 %changelog
+* Sun Feb 13 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-2
+- Build with bootstrap by default due to old versions of dependencies available
+- Resolves: #2042995, #2042970, #2042981, #2042989
+- Resolves: #2029936, #2024890, #2014499, #2014135
+- Resolves: #2013834, #1945299
+
+* Fri Feb 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-1
+- Update to latest version
+- Use jinja and jq
+- Don't fix python3
+- Resolves: CVE-2022-21824, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533
+- Resolves CVE-2020-15095
+- Resolves: CVE-2021-3918, CVE-2021-22959, CVE-2021-22960
+- Resolves: CVE-2021-3807, CVE-2021-27290
+
 * Wed Sep 29 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.10.0-1
 - Rebase to 16.10.0, add corepack, fix PowerShell dependency
 - Resolves: RHBZ#2000539, #2000548, #2000549, #2002177

sources

@@ -1,2 +1,2 @@
-SHA512 (node-v16.10.0-stripped.tar.gz) = 3be9583eca3eeee6f277e6c12f4371fddc05b72adfdfdf08e1276b25b5f51927d4c1925c95898988e17eef631910049769858693032bb2ca398e2745d8e67726
-SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7
+SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
+SHA512 (node-v16.14.0-stripped.tar.gz) = 14f146a04e7ce8dded189b52053d71f927c154498d9b2f4b1f4f61547effcebc33e81f99a0a92c08347dc6179f42b98e3cd0f5b6e5160b01a7dfc3721c875642