From f1bbfe74498742a197c357ce327bba49f88451c1 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 5 Oct 2021 22:00:59 -0400
Subject: [PATCH] import nodejs-12.22.5-1.module+el8.4.0+12242+af52a4c7

---
 .gitignore                                    |   2 +-
 .nodejs.metadata                              |   2 +-
 ...03-src-use-getauxval-in-node_main.cc.patch |  70 ++
 ...8n-prototype-pollution-vulnerability.patch |  13 -
 .../0004-always-available-fips-options.patch  | 622 ++++++++++++++++++
 ...o-not-allow-invalid-hazardous-string.patch |  99 ---
 ...005-CVE-2021-23343-nodejs-path-parse.patch | 180 +++++
 SOURCES/nodejs-tarball.sh                     |   8 +-
 SPECS/nodejs.spec                             |  76 ++-
 9 files changed, 933 insertions(+), 139 deletions(-)
 create mode 100644 SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
 delete mode 100644 SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
 create mode 100644 SOURCES/0004-always-available-fips-options.patch
 delete mode 100644 SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
 create mode 100644 SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch

diff --git a/.gitignore b/.gitignore
index 3f9ed36..d8fc543 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.20.1-stripped.tar.gz
+SOURCES/node-v12.22.5-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index 45b7698..c0867c1 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz
+bb98afb22215e659a77853964f7575da6b1535e3 SOURCES/node-v12.22.5-stripped.tar.gz
diff --git a/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
new file mode 100644
index 0000000..2ecf682
--- /dev/null
+++ b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
@@ -0,0 +1,70 @@
+From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Tue, 2 Jun 2020 05:33:25 +0200
+Subject: [PATCH 3/3] src: use getauxval in node_main.cc
+
+This commit suggests using getauxval in node_main.cc.
+
+The motivation for this is that getauxval was introduced in glibc 2.16
+and looking at BUILDING.md, in the 'Platform list' section, it looks
+like we now support glibc >= 2.17 and perhaps this change would be
+alright now.
+
+PR-URL: https://github.com/nodejs/node/pull/33693
+Refs: https://github.com/nodejs/node/pull/12548
+Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
+Reviewed-By: David Carlier <devnexen@gmail.com>
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
+Reviewed-By: James M Snell <jasnell@gmail.com>
+---
+ src/node_main.cc | 18 ++----------------
+ 1 file changed, 2 insertions(+), 16 deletions(-)
+
+diff --git a/src/node_main.cc b/src/node_main.cc
+index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644
+--- a/src/node_main.cc
++++ b/src/node_main.cc
+@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) {
+   return node::Start(argc, argv);
+ }
+ #else
+ // UNIX
+ #ifdef __linux__
+-#include <elf.h>
+-#ifdef __LP64__
+-#define Elf_auxv_t Elf64_auxv_t
+-#else
+-#define Elf_auxv_t Elf32_auxv_t
+-#endif  // __LP64__
+-extern char** environ;
++#include <sys/auxv.h>
+ #endif  // __linux__
+ #if defined(__POSIX__) && defined(NODE_SHARED_MODE)
+ #include <string.h>
+ #include <signal.h>
+ #endif
+@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) {
+     sigaction(SIGPIPE, &act, nullptr);
+   }
+ #endif
+ 
+ #if defined(__linux__)
+-  char** envp = environ;
+-  while (*envp++ != nullptr) {}
+-  Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp);
+-  for (; auxv->a_type != AT_NULL; auxv++) {
+-    if (auxv->a_type == AT_SECURE) {
+-      node::per_process::linux_at_secure = auxv->a_un.a_val;
+-      break;
+-    }
+-  }
++  node::per_process::linux_at_secure = getauxval(AT_SECURE);
+ #endif
+   // Disable stdio buffering, it interacts poorly with printf()
+   // calls elsewhere in the program (e.g., any logging from V8.)
+   setvbuf(stdout, nullptr, _IONBF, 0);
+   setvbuf(stderr, nullptr, _IONBF, 0);
+-- 
+2.30.1
+
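Review bot: The new `getauxval(AT_SECURE)` line in `main()` has no comment on what the flag means or what a failed lookup yields, and both matter because the result is stored in the process-wide `linux_at_secure` flag. getauxval() returns 0 when the entry is missing, so the flag then reads as not secure, which matches the removed loop leaving the variable untouched; where the flag is consumed is outside this hunk. I would add above the call: `// AT_SECURE is non-zero when the kernel marks the execution as secure (set-user-ID/set-group-ID or file capabilities); getauxval() returns 0 if the entry is absent.` Writing the assignment as `getauxval(AT_SECURE) != 0` would also make the narrowing explicit if the flag is a bool, which is not visible here. main()'s body continues outside the hunk.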
diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
deleted file mode 100644
index 88a9d75..0000000
--- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
-index d720681628..727362aac0 100644
---- a/deps/npm/node_modules/y18n/index.js
-+++ b/deps/npm/node_modules/y18n/index.js
-@@ -11,7 +11,7 @@ function Y18N (opts) {
-   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
- 
-   // internal stuff.
--  this.cache = {}
-+  this.cache = Object.create(null)
-   this.writeQueue = []
- }
- 
diff --git a/SOURCES/0004-always-available-fips-options.patch b/SOURCES/0004-always-available-fips-options.patch
new file mode 100644
index 0000000..fb90f8f
--- /dev/null
+++ b/SOURCES/0004-always-available-fips-options.patch
@@ -0,0 +1,622 @@
+From 7bc4111b770ada25cdd6e1b938ca7a914617ea53 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
+Date: Tue, 25 Aug 2020 14:04:54 +0200
+Subject: [PATCH] crypto: make FIPS related options always awailable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+There is no reason to hide FIPS functionality behind build flags.
+OpenSSL always provide the information about FIPS availability via
+`FIPS_mode()` function.
+
+This makes the user experience more consistent, because the OpenSSL
+library is always queried and the `crypto.getFips()` always returns
+OpenSSL settings.
+
+Fixes #34903
+
+PR-URL: https://github.com/nodejs/node/pull/36341
+Reviewed-By: Anna Henningsen <anna@addaleax.net>
+Reviewed-By: Michael Dawson <midawson@redhat.com>
+Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ doc/api/cli.md                                |  8 +--
+ lib/crypto.js                                 | 22 ++----
+ node.gypi                                     |  3 -
+ src/node.cc                                   |  6 +-
+ src/node_config.cc                            |  2 -
+ src/node_crypto.cc                            | 45 +++++++-----
+ src/node_options.cc                           |  2 -
+ src/node_options.h                            |  2 -
+ test/parallel/test-cli-node-print-help.js     |  7 +-
+ test/parallel/test-crypto-fips.js             | 71 +++++++++----------
+ ...rocess-env-allowed-flags-are-documented.js | 11 +--
+ 11 files changed, 74 insertions(+), 105 deletions(-)
+
+diff --git a/doc/api/cli.md b/doc/api/cli.md
+index 86635f267b..6f14fa6810 100644
+--- a/doc/api/cli.md
++++ b/doc/api/cli.md
+@@ -183,8 +183,8 @@ code from strings throw an exception instead. This does not affect the Node.js
+ added: v6.0.0
+ -->
+ 
+-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
+-`./configure --openssl-fips`.)
++Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
++against FIPS-compatible OpenSSL.)
+ 
+ ### `--enable-source-maps`
+ <!-- YAML
+@@ -550,8 +550,8 @@ added: v6.9.0
+ -->
+ 
+ Load an OpenSSL configuration file on startup. Among other uses, this can be
+-used to enable FIPS-compliant crypto if Node.js is built with
+-`./configure --openssl-fips`.
++used to enable FIPS-compliant crypto if Node.js is built
++against FIPS-enabled OpenSSL.
+ 
+ ### `--pending-deprecation`
+ <!-- YAML
+diff --git a/lib/crypto.js b/lib/crypto.js
+index b2bcc4d0a4..93d5e21fa0 100644
+--- a/lib/crypto.js
++++ b/lib/crypto.js
+@@ -37,12 +37,10 @@ assertCrypto();
+ 
+ const {
+   ERR_CRYPTO_FIPS_FORCED,
+-  ERR_CRYPTO_FIPS_UNAVAILABLE
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+ const { getOptionValue } = require('internal/options');
+ const pendingDeprecation = getOptionValue('--pending-deprecation');
+-const { fipsMode } = internalBinding('config');
+ const fipsForced = getOptionValue('--force-fips');
+ const {
+   getFipsCrypto,
+@@ -191,10 +189,8 @@ module.exports = {
+   sign: signOneShot,
+   setEngine,
+   timingSafeEqual,
+-  getFips: !fipsMode ? getFipsDisabled :
+-    fipsForced ? getFipsForced : getFipsCrypto,
+-  setFips: !fipsMode ? setFipsDisabled :
+-    fipsForced ? setFipsForced : setFipsCrypto,
++  getFips: fipsForced ? getFipsForced : getFipsCrypto,
++  setFips: fipsForced ? setFipsForced : setFipsCrypto,
+   verify: verifyOneShot,
+ 
+   // Classes
+@@ -213,19 +209,11 @@ module.exports = {
+   Verify
+ };
+ 
+-function setFipsDisabled() {
+-  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
+-}
+-
+ function setFipsForced(val) {
+   if (val) return;
+   throw new ERR_CRYPTO_FIPS_FORCED();
+ }
+ 
+-function getFipsDisabled() {
+-  return 0;
+-}
+-
+ function getFipsForced() {
+   return 1;
+ }
+@@ -247,10 +235,8 @@ ObjectDefineProperties(module.exports, {
+   },
+   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
+   fips: {
+-    get: !fipsMode ? getFipsDisabled :
+-      fipsForced ? getFipsForced : getFipsCrypto,
+-    set: !fipsMode ? setFipsDisabled :
+-      fipsForced ? setFipsForced : setFipsCrypto
++    get: fipsForced ? getFipsForced : getFipsCrypto,
++    set: fipsForced ? setFipsForced : setFipsCrypto
+   },
+   DEFAULT_ENCODING: {
+     enumerable: false,
+diff --git a/node.gypi b/node.gypi
+index 116c1c7149..34f385f652 100644
+--- a/node.gypi
++++ b/node.gypi
+@@ -320,9 +320,6 @@
+     [ 'node_use_openssl=="true"', {
+       'defines': [ 'HAVE_OPENSSL=1' ],
+       'conditions': [
+-        ['openssl_fips != "" or openssl_is_fips=="true"', {
+-          'defines': [ 'NODE_FIPS_MODE' ],
+-        }],
+         [ 'node_shared_openssl=="false"', {
+           'dependencies': [
+             './deps/openssl/openssl.gyp:openssl',
+diff --git a/src/node.cc b/src/node.cc
+index 46e8f74cc2..0a5c3ee8ee 100644
+--- a/src/node.cc
++++ b/src/node.cc
+@@ -964,11 +964,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
+     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
+       crypto::UseExtraCaCerts(extra_ca_certs);
+   }
+-#ifdef NODE_FIPS_MODE
+   // In the case of FIPS builds we should make sure
+   // the random source is properly initialized first.
+-  OPENSSL_init();
+-#endif  // NODE_FIPS_MODE
++  if (FIPS_mode()) {
++    OPENSSL_init();
++  }
+   // V8 on Windows doesn't have a good source of entropy. Seed it from
+   // OpenSSL's pool.
+   V8::SetEntropySource(crypto::EntropySource);
+diff --git a/src/node_config.cc b/src/node_config.cc
+index 6ee3164a13..e229eee765 100644
+--- a/src/node_config.cc
++++ b/src/node_config.cc
+@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
+   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
+ #endif  // HAVE_OPENSSL
+ 
+-#ifdef NODE_FIPS_MODE
+   READONLY_TRUE_PROPERTY(target, "fipsMode");
+-#endif
+ 
+ #ifdef NODE_HAVE_I18N_SUPPORT
+ 
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 764dcb8720..f142e625ef 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -50,6 +50,11 @@
+ #include <openssl/hmac.h>
+ #include <openssl/rand.h>
+ #include <openssl/pkcs12.h>
++// The FIPS-related functions are only available
++// when the OpenSSL itself was compiled with FIPS support.
++#ifdef OPENSSL_FIPS
++#include <openssl/fips.h>
++#endif // OPENSSL_FIPS
+ 
+ #include <cerrno>
+ #include <climits>  // INT_MAX
+@@ -97,6 +102,7 @@ using v8::Signature;
+ using v8::String;
+ using v8::Uint32;
+ using v8::Undefined;
++using v8::TryCatch;
+ using v8::Value;
+ 
+ #ifdef OPENSSL_NO_OCB
+@@ -3595,12 +3601,10 @@ void CipherBase::Init(const char* cipher_type,
+   HandleScope scope(env()->isolate());
+   MarkPopErrorOnReturn mark_pop_error_on_return;
+ 
+-#ifdef NODE_FIPS_MODE
+   if (FIPS_mode()) {
+     return env()->ThrowError(
+         "crypto.createCipher() is not supported in FIPS mode.");
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
+   if (cipher == nullptr)
+@@ -3786,13 +3790,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
+       return false;
+     }
+ 
+-#ifdef NODE_FIPS_MODE
+     // TODO(tniessen) Support CCM decryption in FIPS mode
+     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
+       env()->ThrowError("CCM decryption not supported in FIPS mode");
+       return false;
+     }
+-#endif
+ 
+     // Tell OpenSSL about the desired length.
+     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
+@@ -4712,7 +4714,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
+ }
+ 
+ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+-#ifdef NODE_FIPS_MODE
+   /* Validate DSA2 parameters from FIPS 186-4 */
+   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
+     DSA* dsa = EVP_PKEY_get0_DSA(key);
+@@ -4728,7 +4729,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
+            (L == 2048 && N == 256) ||
+            (L == 3072 && N == 256);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+   return true;
+ }
+@@ -6889,7 +6889,6 @@ void InitCryptoOnce() {
+   settings = nullptr;
+ #endif
+ 
+-#ifdef NODE_FIPS_MODE
+   /* Override FIPS settings in cnf file, if needed. */
+   unsigned long err = 0;  // NOLINT(runtime/int)
+   if (per_process::cli_options->enable_fips_crypto ||
+@@ -6899,12 +6898,10 @@ void InitCryptoOnce() {
+     }
+   }
+   if (0 != err) {
+-    fprintf(stderr,
+-            "openssl fips failed: %s\n",
+-            ERR_error_string(err, nullptr));
+-    UNREACHABLE();
++      auto* isolate = Isolate::GetCurrent();
++      auto* env = Environment::GetCurrent(isolate);
++      return ThrowCryptoError(env, err);
+   }
+-#endif  // NODE_FIPS_MODE
+ 
+ 
+   // Turn off compression. Saves memory and protects against CRIME attacks.
+@@ -6950,7 +6947,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
+ }
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+ void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
+ }
+@@ -6968,17 +6964,33 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
+     return ThrowCryptoError(env, err);
+   }
+ }
+-#endif /* NODE_FIPS_MODE */
++
++void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
++#ifdef OPENSSL_FIPS
++  const auto enabled = FIPS_selftest() ? 1 : 0;
++#else  // OPENSSL_FIPS
++  const auto enabled = 0;
++#endif  // OPENSSL_FIPS
++
++  args.GetReturnValue().Set(enabled);
++}
+ 
+ 
+ void Initialize(Local<Object> target,
+                 Local<Value> unused,
+                 Local<Context> context,
+                 void* priv) {
++  Environment* env = Environment::GetCurrent(context);
++
+   static uv_once_t init_once = UV_ONCE_INIT;
++  TryCatch try_catch{env->isolate()};
+   uv_once(&init_once, InitCryptoOnce);
+ 
+-  Environment* env = Environment::GetCurrent(context);
++  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
++    try_catch.ReThrow();
++    return;
++  }
++
+   SecureContext::Initialize(env, target);
+   target->Set(env->context(),
+             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
+@@ -7007,10 +7019,9 @@ void Initialize(Local<Object> target,
+   env->SetMethod(target, "setEngine", SetEngine);
+ #endif  // !OPENSSL_NO_ENGINE
+ 
+-#ifdef NODE_FIPS_MODE
+   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
+   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
+-#endif
++  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
+ 
+   env->SetMethod(target, "pbkdf2", PBKDF2);
+   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
+diff --git a/src/node_options.cc b/src/node_options.cc
+index 0240b2ef58..d1230da1ad 100644
+--- a/src/node_options.cc
++++ b/src/node_options.cc
+@@ -729,7 +729,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             &PerProcessOptions::ssl_openssl_cert_store);
+   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
+   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
+-#if NODE_FIPS_MODE
+   AddOption("--enable-fips",
+             "enable FIPS crypto at startup",
+             &PerProcessOptions::enable_fips_crypto,
+@@ -738,7 +737,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
+             "force FIPS crypto (cannot be disabled)",
+             &PerProcessOptions::force_fips_crypto,
+             kAllowedInEnvironment);
+-#endif
+ #endif
+   AddOption("--use-largepages",
+             "Map the Node.js static code to large pages. Options are "
+diff --git a/src/node_options.h b/src/node_options.h
+index aa138c6970..f5e1e7da57 100644
+--- a/src/node_options.h
++++ b/src/node_options.h
+@@ -236,10 +236,8 @@ class PerProcessOptions : public Options {
+ #endif
+   bool use_openssl_ca = false;
+   bool use_bundled_ca = false;
+-#if NODE_FIPS_MODE
+   bool enable_fips_crypto = false;
+   bool force_fips_crypto = false;
+-#endif
+ #endif
+ 
+   // Per-process because reports can be triggered outside a known V8 context.
+diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
+index e115124b04..ed58bf085c 100644
+--- a/test/parallel/test-cli-node-print-help.js
++++ b/test/parallel/test-cli-node-print-help.js
+@@ -8,8 +8,6 @@ const common = require('../common');
+ 
+ const assert = require('assert');
+ const { exec } = require('child_process');
+-const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
+ let stdOut;
+ 
+ 
+@@ -29,9 +27,8 @@ function validateNodePrintHelp() {
+   const cliHelpOptions = [
+     { compileConstant: HAVE_OPENSSL,
+       flags: [ '--openssl-config=...', '--tls-cipher-list=...',
+-               '--use-bundled-ca', '--use-openssl-ca' ] },
+-    { compileConstant: fipsMode,
+-      flags: [ '--enable-fips', '--force-fips' ] },
++               '--use-bundled-ca', '--use-openssl-ca',
++               '--enable-fips', '--force-fips' ] },
+     { compileConstant: NODE_HAVE_I18N_SUPPORT,
+       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
+     { compileConstant: HAVE_INSPECTOR,
+diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
+index eae3134402..a1ed645184 100644
+--- a/test/parallel/test-crypto-fips.js
++++ b/test/parallel/test-crypto-fips.js
+@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
+ const path = require('path');
+ const fixtures = require('../common/fixtures');
+ const { internalBinding } = require('internal/test/binding');
+-const { fipsMode } = internalBinding('config');
++const { testFipsCrypto } = internalBinding('crypto');
+ 
+ const FIPS_ENABLED = 1;
+ const FIPS_DISABLED = 0;
+-const FIPS_ERROR_STRING =
+-  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
+-  'non-FIPS build.';
+ const FIPS_ERROR_STRING2 =
+   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
+   '--force-fips at startup.';
+-const OPTION_ERROR_STRING = 'bad option';
++const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
+ 
+ const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
+ const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
+ 
+ let num_children_ok = 0;
+ 
+-function compiledWithFips() {
+-  return fipsMode ? true : false;
+-}
+-
+ function sharedOpenSSL() {
+   return process.config.variables.node_shared_openssl;
+ }
+@@ -75,17 +68,17 @@ testHelper(
+ 
+ // --enable-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // --force-fips should turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     process.env);
+ 
+@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
+ 
+@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
+   testHelper(
+     'stdout',
+     [`--openssl-config=${CNF_FIPS_ON}`],
+-    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
++    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
+     'require("crypto").getFips()',
+     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ }
+@@ -136,50 +129,50 @@ testHelper(
+ 
+ // --enable-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // OPENSSL_CONF should _not_ make a difference to --enable-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // --force-fips should take precedence over OpenSSL config file
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   process.env);
+ 
+ // Using OPENSSL_CONF should not make a difference to --force-fips
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").getFips()',
+   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
+ 
+ // setFipsCrypto should be able to turn FIPS mode on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto should be able to turn FIPS mode on and off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+@@ -187,27 +180,27 @@ testHelper(
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS on
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   [`--openssl-config=${CNF_FIPS_OFF}`],
+-  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // setFipsCrypto takes precedence over OpenSSL config file, FIPS off
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  'stdout',
+   [`--openssl-config=${CNF_FIPS_ON}`],
+-  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
++  FIPS_DISABLED,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+ 
+ // --enable-fips does not prevent use of setFipsCrypto API
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--enable-fips'],
+-  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(false),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -216,15 +209,15 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+ // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
+ testHelper(
+-  compiledWithFips() ? 'stdout' : 'stderr',
++  testFipsCrypto() ? 'stdout' : 'stderr',
+   ['--force-fips'],
+-  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
+   '(require("crypto").setFips(true),' +
+   'require("crypto").getFips())',
+   process.env);
+@@ -233,7 +226,7 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--force-fips', '--enable-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+ 
+@@ -241,6 +234,6 @@ testHelper(
+ testHelper(
+   'stderr',
+   ['--enable-fips', '--force-fips'],
+-  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
++  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
+   'require("crypto").setFips(false)',
+   process.env);
+diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
+index 0e0af9471c..af10809634 100644
+--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
+@@ -44,17 +44,8 @@ const conditionalOpts = [
+   { include: common.hasCrypto,
+     filter: (opt) => {
+       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
+-              '--use-openssl-ca' ].includes(opt);
++              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
+     } },
+-  {
+-    // We are using openssl_is_fips from the configuration because it could be
+-    // the case that OpenSSL is FIPS compatible but fips has not been enabled
+-    // (starting node with --enable-fips). If we use common.hasFipsCrypto
+-    // that would only tells us if fips has been enabled, but in this case we
+-    // want to check options which will be available regardless of whether fips
+-    // is enabled at runtime or not.
+-    include: process.config.variables.openssl_is_fips,
+-    filter: (opt) => opt.includes('-fips') },
+   { include: common.hasIntl,
+     filter: (opt) => opt === '--icu-data-dir' },
+   { include: process.features.inspector,
+-- 
+2.31.1
+
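Review bot: A failure to enable FIPS in `InitCryptoOnce()` (src/node_crypto.cc) is now reported only once and as a catchable exception, where the removed code printed the error and hit `UNREACHABLE()`. Because the function runs under `uv_once`, the early `return ThrowCryptoError(env, err);` also skips the rest of the one-time setup, including the step commented as turning off compression, and a later `Initialize()` call finds `init_once` already done, so nothing is thrown and the binding appears to load without FIPS mode; this is presumably reachable from a second load after a caught error or from another environment. With `--force-fips`, `lib/crypto.js` maps `getFips` to `getFipsForced`, which returns 1 regardless of OpenSSL's state, so the process could report FIPS while not running in it. I would record the error in a file-scope variable, let the one-time setup finish, and throw from `Initialize()` whenever that variable is set, as sketched below; both function bodies continue outside their hunks.

```cpp
// Remembers a FIPS enablement failure from the one-time init so that every
// later binding load fails too, not only the first one.
static unsigned long fips_init_error = 0;  // NOLINT(runtime/int)

// … unchanged: InitCryptoOnce() up to the FIPS_mode_set() attempt …
  if (0 != err) {
    fips_init_error = err;  // reported by Initialize(); keep initializing
  }
// … unchanged: compression off, engine loading, rest of InitCryptoOnce() …

// In Initialize(), replacing the TryCatch block:
  static uv_once_t init_once = UV_ONCE_INIT;
  uv_once(&init_once, InitCryptoOnce);

  if (fips_init_error != 0) {
    // Fail closed on every load while the requested FIPS mode is not active.
    return ThrowCryptoError(env, fips_init_error);
  }
// … unchanged: SecureContext::Initialize and method registration …
```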
diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
deleted file mode 100644
index c2b1f3e..0000000
--- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
-From: isaacs <i@izs.me>
-Date: Tue, 8 Dec 2020 14:21:50 -0800
-Subject: [PATCH] do not allow invalid hazardous string as section name
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/ini/ini.js        |  8 +++++
- deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
- 2 files changed, 53 insertions(+)
- create mode 100644 deps/npm/node_modules/ini/test/proto.js
-
-diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
-index 590195d..0401258 100644
---- a/deps/npm/node_modules/ini/ini.js
-+++ b/deps/npm/node_modules/ini/ini.js
-@@ -80,6 +80,12 @@ function decode (str) {
-     if (!match) return
-     if (match[1] !== undefined) {
-       section = unsafe(match[1])
-+      if (section === '__proto__') {
-+        // not allowed
-+        // keep parsing the section, but don't attach it.
-+        p = {}
-+        return
-+      }
-       p = out[section] = out[section] || {}
-       return
-     }
-@@ -94,6 +100,7 @@ function decode (str) {
-     // Convert keys with '[]' suffix to an array
-     if (key.length > 2 && key.slice(-2) === '[]') {
-       key = key.substring(0, key.length - 2)
-+      if (key === '__proto__') return
-       if (!p[key]) {
-         p[key] = []
-       } else if (!Array.isArray(p[key])) {
-@@ -125,6 +132,7 @@ function decode (str) {
-     var l = parts.pop()
-     var nl = l.replace(/\\\./g, '.')
-     parts.forEach(function (part, _, __) {
-+      if (part === '__proto__') return
-       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
-       p = p[part]
-     })
-diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
-new file mode 100644
-index 0000000..ab35533
---- /dev/null
-+++ b/deps/npm/node_modules/ini/test/proto.js
-@@ -0,0 +1,45 @@
-+var ini = require('../')
-+var t = require('tap')
-+
-+var data = `
-+__proto__ = quux
-+foo = baz
-+[__proto__]
-+foo = bar
-+[other]
-+foo = asdf
-+[kid.__proto__.foo]
-+foo = kid
-+[arrproto]
-+hello = snyk
-+__proto__[] = you did a good job
-+__proto__[] = so you deserve arrays
-+thanks = true
-+`
-+var res = ini.parse(data)
-+t.deepEqual(res, {
-+  foo: 'baz',
-+  other: {
-+    foo: 'asdf',
-+  },
-+  kid: {
-+    foo: {
-+      foo: 'kid',
-+    },
-+  },
-+  arrproto: {
-+    hello: 'snyk',
-+    thanks: true,
-+  },
-+})
-+t.equal(res.__proto__, Object.prototype)
-+t.equal(res.kid.__proto__, Object.prototype)
-+t.equal(res.kid.foo.__proto__, Object.prototype)
-+t.equal(res.arrproto.__proto__, Object.prototype)
-+t.equal(Object.prototype.foo, undefined)
-+t.equal(Object.prototype[0], undefined)
-+t.equal(Object.prototype['0'], undefined)
-+t.equal(Object.prototype[1], undefined)
-+t.equal(Object.prototype['1'], undefined)
-+t.equal(Array.prototype[0], undefined)
-+t.equal(Array.prototype[1], undefined)
---
-2.29.2
-
diff --git a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
new file mode 100644
index 0000000..201721d
--- /dev/null
+++ b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
@@ -0,0 +1,180 @@
+https://github.com/jbgutierrez/path-parse/pull/10
+
+From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001
+From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
+Date: Thu, 13 May 2021 10:53:50 -0400
+Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/path-parse/index.js |  6 +++---
+ deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 deps/npm/node_modules/path-parse/redos.js
+
+diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
+index 3b7601f..e6b2af1 100644
+--- a/deps/npm/node_modules/path-parse/index.js
++++ b/deps/npm/node_modules/path-parse/index.js
+@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
+ // Regex to split a windows path into three parts: [*, device, slash,
+ // tail] windows-only
+ var splitDeviceRe =
+-    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
++    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
+
+ // Regex to split the tail part of the above into [*, dir, basename, ext]
+ var splitTailRe =
+-    /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
++    /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
+
+ var win32 = {};
+
+@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
+ // Split a filename into [root, dir, basename, ext], unix version
+ // 'root' is just a slash, or nothing.
+ var splitPathRe =
+-    /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
++    /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
+ var posix = {};
+
+
+diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
+new file mode 100644
+index 0000000..261947f
+--- /dev/null
++++ b/deps/npm/node_modules/path-parse/redos.js
+@@ -0,0 +1,20 @@
++var pathParse = require('.');
++
++function build_attack(n) {
++    var ret = ""
++    for (var i = 0; i < n; i++) {
++        ret += "/"
++    }
++    return ret + "◎";
++}
++
++for(var i = 1; i <= 5000000; i++) {
++    if (i % 10000 == 0) {
++        var time = Date.now();
++        var attack_str = build_attack(i)
++        pathParse.posix(attack_str);
++        pathParse.win32(attack_str);
++        var time_cost = Date.now() - time;
++        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
++    }
++}
+--
+2.31.1
+
+
+From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001
+From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
+Date: Thu, 13 May 2021 11:51:45 -0400
+Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
+ 1 file changed, 17 insertions(+), 35 deletions(-)
+
+diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
+index e6b2af1..f062d0a 100644
+--- a/deps/npm/node_modules/path-parse/index.js
++++ b/deps/npm/node_modules/path-parse/index.js
+@@ -2,29 +2,14 @@
+
+ var isWindows = process.platform === 'win32';
+
+-// Regex to split a windows path into three parts: [*, device, slash,
+-// tail] windows-only
+-var splitDeviceRe =
+-    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
+-
+-// Regex to split the tail part of the above into [*, dir, basename, ext]
+-var splitTailRe =
+-    /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
++// Regex to split a windows path into into [dir, root, basename, name, ext]
++var splitWindowsRe =
++    /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
+
+ var win32 = {};
+
+-// Function to split a filename into [root, dir, basename, ext]
+ function win32SplitPath(filename) {
+-  // Separate device+slash from tail
+-  var result = splitDeviceRe.exec(filename),
+-      device = (result[1] || '') + (result[2] || ''),
+-      tail = result[3] || '';
+-  // Split the tail into dir, basename and extension
+-  var result2 = splitTailRe.exec(tail),
+-      dir = result2[1],
+-      basename = result2[2],
+-      ext = result2[3];
+-  return [device, dir, basename, ext];
++  return splitWindowsRe.exec(filename).slice(1);
+ }
+
+ win32.parse = function(pathString) {
+@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
+     );
+   }
+   var allParts = win32SplitPath(pathString);
+-  if (!allParts || allParts.length !== 4) {
++  if (!allParts || allParts.length !== 5) {
+     throw new TypeError("Invalid path '" + pathString + "'");
+   }
+   return {
+-    root: allParts[0],
+-    dir: allParts[0] + allParts[1].slice(0, -1),
++    root: allParts[1],
++    dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
+     base: allParts[2],
+-    ext: allParts[3],
+-    name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
++    ext: allParts[4],
++    name: allParts[3]
+   };
+ };
+
+
+
+-// Split a filename into [root, dir, basename, ext], unix version
++// Split a filename into [dir, root, basename, name, ext], unix version
+ // 'root' is just a slash, or nothing.
+ var splitPathRe =
+-    /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
++    /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
+ var posix = {};
+
+
+@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
+     );
+   }
+   var allParts = posixSplitPath(pathString);
+-  if (!allParts || allParts.length !== 4) {
++  if (!allParts || allParts.length !== 5) {
+     throw new TypeError("Invalid path '" + pathString + "'");
+   }
+-  allParts[1] = allParts[1] || '';
+-  allParts[2] = allParts[2] || '';
+-  allParts[3] = allParts[3] || '';
+-
++
+   return {
+-    root: allParts[0],
+-    dir: allParts[0] + allParts[1].slice(0, -1),
++    root: allParts[1],
++    dir: allParts[0].slice(0, -1),
+     base: allParts[2],
+-    ext: allParts[3],
+-    name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
++    ext: allParts[4],
++    name: allParts[3],
+   };
+ };
+
+--
+2.31.1
+
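Review bot: In PATCH 2/2 the new `posix.parse` return computes `dir: allParts[0].slice(0, -1)` unconditionally, while the `win32.parse` return in the same patch guards the root-only case with `allParts[0] === allParts[1] ? allParts[0] : ...`. Assuming `posixSplitPath` (outside the hunk) returns the captures via `.slice(1)`, the new `splitPathRe` yields `/` for both the dir and root captures on a path such as `/foo`, so `dir` comes out empty where the removed `allParts[0] + allParts[1].slice(0, -1)` returned `/`. That looks like a behaviour change riding along with the ReDoS fix, and the posix line could mirror the win32 one: `dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),`. Separately, `redos.js` from PATCH 1/2 only logs timings and is created inside the bundled `node_modules/path-parse` tree, so it cannot fail on a regression. A few `parse()` equality checks for `/`, `/foo` and a trailing-slash path would cover both the regex fix and the refactor.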
diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh
index f3f3298..2ed756a 100755
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
@@ -185,15 +185,19 @@ echo "punycode"
 echo "========================="
 grep "'version'" node-v${version}/lib/punycode.js
 echo
+echo "npm"
+echo "========================="
+grep "\"version\":" node-v${version}/deps/npm/package.json
+echo
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
-echo "npm"
+echo "brotli"
 echo "========================="
-grep "\"version\":" node-v${version}/deps/npm/package.json
+grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h
 echo
 echo "Make sure these versions match what is in the RPM spec file"
 
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index fc6939a..28a459a 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -29,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 20
-%global nodejs_patch 1
+%global nodejs_minor 22
+%global nodejs_patch 5
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -57,8 +57,8 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
-%global c_ares_minor 16
-%global c_ares_patch 1
+%global c_ares_minor 17
+%global c_ares_patch 2
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # http-parser - from deps/http_parser/http_parser.h
@@ -106,7 +106,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 10
+%global npm_patch 14
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -167,12 +167,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
 
-# CVE-2020-7774
-Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+# Upstream patch to use getauxval
+Patch3: 0003-src-use-getauxval-in-node_main.cc.patch
 
-# CVE-2020-7788
-Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+# Make FIPS always available
+#  https://github.com/nodejs/node/issues/34903
+Patch4: 0004-always-available-fips-options.patch
 
+Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch
+
+BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
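Review bot: `Patch5` is the only patch entry in this block without a leading comment, and the CVE-2020-7774 and CVE-2020-7788 patches are removed with nothing in the spec recording why they are no longer needed. I would add `# CVE-2021-23343 - path-parse ReDoS, https://github.com/jbgutierrez/path-parse/pull/10` above `Patch5`. Before relying on the drop, it is worth confirming that the y18n and ini copies shipped by the npm bundled with this rebase already contain those two fixes. The changelog entries later in this file say "remove y18n patch" and "remove ini patch" but do not name the versions that made them redundant.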
@@ -184,13 +188,13 @@ BuildRequires: gcc-c++ >= 6.3.0
 BuildRequires: nodejs-packaging
 BuildRequires: chrpath
 BuildRequires: libatomic
+BuildRequires: systemtap-sdt-devel
 
 %if %{with bootstrap}
 Provides: bundled(http-parser) = %{http_parser_version}
 Provides: bundled(libuv) = %{libuv_version}
 Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
-BuildRequires: systemtap-sdt-devel
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
@@ -454,7 +458,6 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-brotli \
 #           --without-dtrace \
 #           --with-intl=small-icu \
-#           --debug-nghttp2 \
 #           --openssl-use-def-ca-store
 #%else
 #./configure --prefix=%{_prefix} \
@@ -464,7 +467,6 @@ export LDFLAGS="%{build_ldflags}"
 #           --shared-zlib \
 #           --shared-brotli \
 #           --shared-libuv \
-#           --shared-nghttp2 \
 #           --with-dtrace \
 #           --with-intl=%{icu_flag} \
 #           --with-icu-default-data-dir=%{icudatadir} \
@@ -481,8 +483,8 @@ export LDFLAGS="%{build_ldflags}"
            --shared-brotli \
            --without-dtrace \
            --with-intl=small-icu \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %else
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
@@ -493,8 +495,8 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=%{icu_flag} \
            --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %endif
 
 %else
@@ -505,8 +507,8 @@ export LDFLAGS="%{build_ldflags}"
            --shared-zlib \
            --without-dtrace \
            --with-intl=small-icu \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %else
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
@@ -516,8 +518,8 @@ export LDFLAGS="%{build_ldflags}"
            --with-dtrace \
            --with-intl=%{icu_flag} \
            --with-icu-default-data-dir=%{icudatadir} \
-           --debug-nghttp2 \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --openssl-default-cipher-list=PROFILE=SYSTEM
 %endif
 
 %endif
@@ -870,14 +872,42 @@ end
 
 
 %changelog
+* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1
+- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940,
+- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
+- Resolves RHBZ#1951621 (make FIPS always available)
+- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093
+- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399
+- Resolves: RHBZ#1993927 (make FIPS always available)
+
+* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3
+- Resolves CVE-2021-23362 CVE-2021-27290
+- Resolves: RHBZ#1991584, RHBZ#1991578
+- Add missing CVE trackers
+
+* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2
+- Resolves: RHBZ#1980031, RHBZ#1978201
+- Fix typo, BR systemtap-sdt-level always, remove y18n patch
+
+* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1
+- Resolves: RHBZ#1980031, RHBZ#1978201
+- Resolves #1952915
+- Resolves CVE-2021-22918(libuv), use system cipher list
+
+* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1
+- Resolves: RHBZ#1932316, RHBZ#1932365
+- remove --debug-nghttp2 option
+- remove ini patch
+- Backport patch to use getauxval
+
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
 - Security rebase for January security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
-- Resolves: RHBZ#1916460, RHBZ#1914786
-- Resolves: RHBZ#1914784, RHBZ#1916396
+- Resolves: RHBZ#1913000, RHBZ#1912952
+- Resolves: RHBZ#1912635, RHBZ#1893984
 
 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
-- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
+- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765
 - c-ares, ajv and y18n CVEs and yarn installability issues
 
 * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2