Update to latest release

Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
Resolves CVE-2022-29244
Resolves: RHBZ#211100

.gitignore

@@ -25,3 +25,4 @@
 /icu4c-70_1-src.tgz
 /node-v18.2.0-stripped.tar.gz
 /icu4c-71_1-src.tgz
+/node-v18.7.0-stripped.tar.gz

0001-Disable-running-gyp-on-shared-deps.patch

@@ -1,4 +1,4 @@
-From 142fe30256f96e28b49f55d5c72e604719aaaad8 Mon Sep 17 00:00:00 2001
+From fe1e9d3f6d87416aa4cd8f8bee186d71a8ea2b0f Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Fri, 17 Apr 2020 12:59:44 +0200
 Subject: [PATCH] Disable running gyp on shared deps
@@ -10,30 +10,30 @@ Signed-off-by: rpm-build <rpm-build>
  2 files changed, 1 insertion(+), 18 deletions(-)
 
 diff --git a/Makefile b/Makefile
-index 4aace77..0bad864 100644
+index e0d756f..c90bfa7 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -147,7 +147,7 @@ with-code-cache test-code-cache:
- 	$(warning '$@' target is a noop)
- 
+	$(warning '$@' target is a noop)
+
  out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
 +	deps/llhttp/llhttp.gyp \
- 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
- 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
- 	$(PYTHON) tools/gyp_node.py -f make
+	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
+	$(PYTHON) tools/gyp_node.py -f make
 diff --git a/node.gyp b/node.gyp
-index 86fe9a6..bfa5093 100644
+index 6b3a6d9..5882cef 100644
 --- a/node.gyp
 +++ b/node.gyp
-@@ -449,23 +449,6 @@
+@@ -429,23 +429,6 @@
                ],
              },
            ],
 -         }, {
 -           'variables': {
 -              'opensslconfig_internal': '<(obj_dir)/deps/openssl/openssl.cnf',
--              'opensslconfig': './deps/openssl/openssl/apps/openssl.cnf',
+-              'opensslconfig': './deps/openssl/nodejs-openssl.cnf',
 -           },
 -           'actions': [
 -             {
@@ -42,14 +42,14 @@ index 86fe9a6..bfa5093 100644
 -               'outputs': [ '<(opensslconfig_internal)', ],
 -               'action': [
 -                 'python', 'tools/copyfile.py',
--                 './deps/openssl/openssl/apps/openssl.cnf',
--                 '<(obj_dir)/deps/openssl/openssl.cnf',
+-                 '<(opensslconfig)',
+-                 '<(opensslconfig_internal)',
 -               ],
 -             },
 -           ],
           }],
        ],
      }, # node_core_target_name
--- 
+--
 2.36.1
 

nodejs.spec

@@ -1,11 +1,3 @@
-%global with_debug 0
-
-# PowerPC, s390x and aarch64 segfault during Debug builds
-# https://github.com/nodejs/node/issues/20642
-%ifarch %{power64} s390x aarch64
-%global with_debug 0
-%endif
-
 # The following macros control the usage of dependencies bundled from upstream.
 #
 # When to use what:
@@ -17,7 +9,7 @@
 #
 # create bootstrapping build with bundled deps and extra release suffix
 %bcond_with bootstrap
-# bundle dependencies that are not available as Fedora modules
+# bundle dependencies that are not available in CentOS
 %if %{with bootstrap}
 %bcond_without bundled
 %else
@@ -37,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -48,7 +40,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 2
+%global nodejs_minor 7
 %global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -63,9 +55,9 @@
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 2
 %global v8_major 10
-%global v8_minor 1
-%global v8_build 124
-%global v8_patch 8
+%global v8_minor 2
+%global v8_build 154
+%global v8_patch 13
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@@ -73,28 +65,16 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_major 1
-%global c_ares_minor 18
-%global c_ares_patch 1
-%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
+%global c_ares_version 1.18.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_major 6
-%global llhttp_minor 0
-%global llhttp_patch 6
-%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
+%global llhttp_version 6.0.7
 
 # libuv - from deps/uv/include/uv/version.h
-%global libuv_major 1
-%global libuv_minor 43
-%global libuv_patch 0
-%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
+%global libuv_version 1.43.0
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_major 1
-%global nghttp2_minor 47
-%global nghttp2_patch 0
-%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
+%global nghttp2_version 1.47.0
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
@@ -133,29 +113,11 @@
 # punycode - from lib/punycode.js
 # Note: this was merged into the mainline since 0.6.x
 # Note: this will be unmerged in an upcoming major release
-%global punycode_major 2
-%global punycode_minor 1
-%global punycode_patch 0
-%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
+%global punycode_version 2.1.0
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_major 8
-%global npm_minor 9
-%global npm_patch 0
-%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
-
-# uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_major 0
-%global uvwasi_minor 0
-%global uvwasi_patch 12
-%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
-
-# histogram_c - assumed from timestamps
-%global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
-%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
+%global npm_version 8.15.0
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -163,8 +125,11 @@
 # base npm version number is increasing.
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
-# Node.js 16.9.1 and later comes with an experimental package management tool
-%global corepack_version 0.10.0
+# uvwasi - from deps/uvwasi/include/uvwasi.h
+%global uvwasi_version 0.0.12
+
+# histogram_c - assumed from timestamps
+%global histogram_version 0.9.7
 
 Name: nodejs
 Epoch: %{nodejs_epoch}
@@ -196,10 +161,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-jinja2
+%if !%{with python3_fixup}
+BuildRequires: python-unversioned-command
+%endif
 BuildRequires: zlib-devel
 BuildRequires: brotli-devel
 BuildRequires: gcc >= 8.3.0
 BuildRequires: gcc-c++ >= 8.3.0
+BuildRequires: jq
 # needed to generate bundled provides for npm dependencies
 # https://src.fedoraproject.org/rpms/nodejs/pull-request/2
 # https://pagure.io/nodejs-packaging/pull-request/10
@@ -285,15 +256,9 @@ Provides: bundled(icu) = %{icu_version}
 # or there's no option to built it as a shared dependency, so we bundle them
 Provides: bundled(uvwasi) = %{uvwasi_version}
 Provides: bundled(histogram) = %{histogram_version}
-Provides: bundled(corepack) = %{corepack_version}
 
 # Make sure we keep NPM up to date when we update Node.js
-%if 0%{?rhel} < 8
-# EPEL doesn't support Recommends, so make it strict
-Requires: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
-%else
 Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
-%endif
 
 %description
 Node.js is a platform built on Chrome's JavaScript runtime
@@ -341,9 +306,7 @@ Release: %{npm_release}%{?dist}
 Obsoletes: npm < 0:3.5.4-6
 Provides: npm = %{npm_epoch}:%{npm_version}
 Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
-%if 0%{?fedora} || 0%{?rhel} >= 8
 Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
-%endif
 
 # Do not add epoch to the virtual NPM provides or it will break
 # the automatic dependency-generation script.
@@ -375,6 +338,8 @@ The API documentation for the Node.js JavaScript runtime.
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
 rm -rf deps/brotli
+rm -rf deps/v8/third_party/jinja2
+rm -rf tools/inspector_protocol/jinja2
 
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
@@ -382,20 +347,19 @@ pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
 find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
 find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
 sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
-sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
+sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_test.py
 find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
 %endif
 
 %build
-
 %ifarch s390 s390x %{arm} %ix86
 # Decrease debuginfo verbosity to reduce memory consumption during final
 # library linking
 %global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
 %endif
 
-export CC='gcc'
-export CXX='g++'
+export CC='%{__cc}'
+export CXX='%{__cxx}'
 %{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}}
 
 # build with debugging symbols and add defines from libuv (#892601)
@@ -419,15 +383,11 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=small-icu \
            --with-icu-default-data-dir=%{icudatadir} \
+           --without-corepack \
            --openssl-use-def-ca-store \
            --openssl-default-cipher-list=PROFILE=SYSTEM
 
-%if %{?with_debug} == 1
-# Setting BUILDTYPE=Debug builds both release and debug binaries
-make BUILDTYPE=Debug %{?_smp_mflags}
-%else
 make BUILDTYPE=Release %{?_smp_mflags}
-%endif
 
 # Extract the ICU data and convert it to the appropriate endianness
 pushd deps/
@@ -468,11 +428,6 @@ rm -rf %{buildroot}
 chmod 0755 %{buildroot}/%{_bindir}/node
 chrpath --delete %{buildroot}%{_bindir}/node
 
-%if %{?with_debug} == 1
-# Install the debug binary and set its permissions
-install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
-%endif
-
 # own the sitelib directory
 mkdir -p %{buildroot}%{_prefix}/lib/node_modules
 
@@ -530,11 +485,6 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
 
-# Corepack contains a number of executable"shims", including some for Windows
-# PowerShell. Drop the executable bit for those so we don't pick up an
-# automatic dependency on /usr/bin/pwsh that we cannot satisfy.
-chmod -x %{buildroot}%{_prefix}/lib/node_modules/corepack/shims/*.ps1
-
 # Drop the NPM default configuration in place
 mkdir -p %{buildroot}%{_sysconfdir}
 cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc
@@ -558,77 +508,12 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
 %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
 
 # Ensure we have npm and that the version matches
-# NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(JSON.parse(require(\"fs\").readFileSync(\"%{buildroot}%{_prefix}/lib/node_modules/npm/package.json\")).version, '%{npm_version}')"
 
 # Make sure i18n support is working
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
 
 
-%pretrans -n npm -p <lua>
--- Remove all of the symlinks from the bundled npm node_modules directory
--- This scriptlet can be removed in Fedora 31
-base_path = "%{_prefix}/lib/node_modules/npm/node_modules/"
-d_st = posix.stat(base_path)
-if d_st then
-  for f in posix.files(base_path) do
-    path = base_path..f
-    st = posix.stat(path)
-    if st and st.type == "link" then
-      os.remove(path)
-    end
-  end
-end
-
--- Replace the npm docs directory with a symlink
--- Drop this scriptlet when F31 is EOL
-path = "%{_prefix}/lib/node_modules/npm/doc"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  status = os.rename(path, path .. ".rpmmoved")
-  if not status then
-    suffix = 0
-    while not status do
-      suffix = suffix + 1
-      status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
-    end
-    os.rename(path, path .. ".rpmmoved")
-  end
-end
-
--- Replace the npm docs directory with a symlink
--- Drop this scriptlet when F31 is EOL
-path = "%{_prefix}/lib/node_modules/npm/html"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  status = os.rename(path, path .. ".rpmmoved")
-  if not status then
-    suffix = 0
-    while not status do
-      suffix = suffix + 1
-      status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
-    end
-    os.rename(path, path .. ".rpmmoved")
-  end
-end
-
--- Replace the npm man directory with a symlink
--- Drop this scriptlet when F31 is EOL
-path = "%{_prefix}/lib/node_modules/npm/man"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  status = os.rename(path, path .. ".rpmmoved")
-  if not status then
-    suffix = 0
-    while not status do
-      suffix = suffix + 1
-      status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
-    end
-    os.rename(path, path .. ".rpmmoved")
-  end
-end
-
-
 %files
 %{_bindir}/node
 %dir %{_prefix}/lib/node_modules
@@ -637,10 +522,6 @@ end
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/node.stp
 
-# corepack
-%{_bindir}/corepack
-%{_prefix}/lib/node_modules/corepack
-
 %dir %{_usr}/lib/dtrace
 %{_usr}/lib/dtrace/node.d
 
@@ -652,9 +533,6 @@ end
 
 
 %files devel
-%if %{?with_debug} == 1
-%{_bindir}/node_g
-%endif
 %{_includedir}/node
 %{_datadir}/node/common.gypi
 %{_pkgdocdir}/gdbinit
@@ -682,8 +560,9 @@ end
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/developers.7*
-%doc %{_mandir}/man7/orgs.7*
 %doc %{_mandir}/man7/logging.7*
+%doc %{_mandir}/man7/orgs.7*
+%doc %{_mandir}/man7/package-spec.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
 %doc %{_mandir}/man7/scope.7*
@@ -699,6 +578,12 @@ end
 
 
 %changelog
+* Mon Aug 08 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.7.0-1
+- Update to latest release
+- Resolves CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
+- Resolves CVE-2022-29244
+- Resolves: RHBZ#2111009
+
 * Mon Jun 20 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.2.0-2
 - Disable LTO
 - Related: #1990096

sources

@@ -1,2 +1,2 @@
-SHA512 (node-v18.2.0-stripped.tar.gz) = c51881ae16d950a8a9f3e123b8901937b0152e81128a51645cdc07408a076cc4212883a408b3e88de91bfa30d6d2dc327a1f7b842e4b78f62defb13d78d4d08b
-SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
+SHA512 (icu4c-70_1-src.tgz) = 0b26ae7207155cb65a8fdb25f7b2fa4431e74b12bccbed0884a17feaae3c96833d12451064dd152197fd6ea5fd3adfd95594284a463e66c82e0d860f645880c9
+SHA512 (node-v18.7.0-stripped.tar.gz) = 710c3ab1e8417bcda55ab7aa74b9c54367d899f8a039cff3d6644d3d15fae98ce257e1632f997ad2f67132b17fc585c1e1de0f570add6ffb7e5d6b5405e1bb29