Rebase to version 18.17.1

.gitignore

@@ -45,3 +45,6 @@
 /wasi-sdk-wasi-sdk-14.tar.gz
 /node-v18.16.1-stripped.tar.gz
 /undici-5.21.0.tar.gz
+/node-v18.17.1-stripped.tar.gz
+/icu4c-73_1-src.zip
+/undici-5.22.1.tar.gz

nodejs-tarball.sh

@@ -120,10 +120,10 @@ rm -rf node-v${version}/deps/openssl
 tar -zcf node-v${version}-stripped.tar.gz node-v${version}
 
 # Download the matching version of ICU
-rm -f icu4c*-src.tgz icu.md5
+rm -f icu4c*-src.zip icu.md5
 ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5')
 wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url')
-ICUTARBALL=$(ls -1 icu4c*-src.tgz)
+ICUTARBALL=$(ls -1 icu4c*-src.zip)
 echo "$ICUMD5  $ICUTARBALL" > icu.md5
 md5sum -c icu.md5
 rm -f icu.md5 SHASUMS256.txt

nodejs.spec

@@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 2
+%global baserelease 1
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -40,7 +40,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 16
+%global nodejs_minor 17
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -89,7 +89,7 @@
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 72
+%global icu_major 73
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}
 
@@ -110,11 +110,11 @@
 # simduft from deps/simdutf/simdutf.h
 %global simduft_major 3
 %global simduft_minor 2
-%global simduft_patch 2
+%global simduft_patch 12
 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
 
 # ada from deps/ada/ada.h
-%global ada_version 1.0.4
+%global ada_version 2.5.0
 
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@@ -126,7 +126,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 9.5.1
+%global npm_version 9.6.7
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -135,7 +135,7 @@
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_version 0.0.15
+%global uvwasi_version 0.0.18
 
 # histogram_c - assumed from timestamps
 %global histogram_version 0.11.2
@@ -157,7 +157,7 @@ ExclusiveArch: %{nodejs_arches}
 Source0: node-v%{nodejs_version}-stripped.tar.gz
 Source1: npmrc
 Source2: btest402.js
-Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz
+Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.zip
 Source100: %{name}-tarball.sh
 
 # The native module Requires generator remains in the nodejs SRPM, so it knows
@@ -181,12 +181,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
 
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.21.0.tar.gz
-# Adjustments: rm -f undici-5.20.0/lib/llhttp/llhttp*.wasm
-# wasi-sdk version can be found in Dockerfile
-# https://github.com/nodejs/undici/blob/v5.21.0/build/Dockerfile
-Source102: undici-5.21.0.tar.gz
-Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz
+# Adjustments: rm -f undici-5.22.1/lib/llhttp/llhttp*.wasm
+# Build uses alpine image, see alpine for sources for wasi-sdk
+Source102: undici-5.22.1.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
@@ -426,7 +424,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
 export LDFLAGS="%{build_ldflags}"
 
 %{__python3} configure.py --prefix=%{_prefix} --verbose \
-           --shared-openssl \
+           --shared-openssl --openssl-conf-name=openssl_conf \
            --shared-zlib \
            --shared-brotli \
            %{!?with_bundled:--shared-libuv} \
@@ -442,7 +440,7 @@ make BUILDTYPE=Release %{?_smp_mflags}
 
 # Extract the ICU data and convert it to the appropriate endianness
 pushd deps/
-tar xfz %SOURCE3
+unzip -a %{SOURCE3}
 
 pushd icu/source
 
@@ -630,6 +628,13 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 
 
 %changelog
+* Wed Aug 23 2023 Jan Staněk <jstanek@redhat.com> - 1:18.17.1-1
+- Rebase to version 18.17.1
+  Resolves: rhbz#2228940
+  Resolves: CVE-2023-32002 CVE-2023-32006 CVE-2023-32559
+- Specify proper OpenSSL configuration section build
+  Related: rhbz#2226726
+
 * Mon Jul 31 2023 Honza Horak <hhorak@redhat.com> - 1:18.16.1-2
 - Fix segfault that happens when processing fips-related options
   Resolves: BZ#2226726

sources

@@ -1,6 +1,5 @@
-SHA512 (node-v18.16.1-stripped.tar.gz) = 8548e92504760c8ea3b5d8bf1e745b7577668bd249786247fcbfeafd519c308b7f3974d6692cc98c124482a3e5d6867d4c6e2ad829ada4ec6b7b1b0114194911
-SHA512 (icu4c-72_1-src.tgz) = 848c341b37c0ff077e34a95d92c6200d5aaddd0ee5e06134101a74e04deb08256a5e817c8aefab020986abe810b7827dd7b2169a60dacd250c298870518dcae8
-SHA512 (undici-5.21.0.tar.gz) = 69097b92f7aac8f47207e6e76074b2676ecee8ecbadf8c35e7295cdf550e881e32bce9f0123f612d7a1cb5e7a2c5de798550f5e097ac053e4257e61d025db7d8
+SHA512 (node-v18.17.1-stripped.tar.gz) = cdb879e3a9b5ac7a942092528ef63cddbbbfedde65f0228c8fdd15f5a18c96161db821dc2294447137ec9dd2c91fe5523d385ec35d6f9e7052b86aa92c411f46
+SHA512 (icu4c-73_1-src.zip) = 8f429cf0779742e20236a824d37151d57c94e0c9513a6d78dde30c09d1d45fce689355dfad9bd8429949b86979871efa8dfaefa3f43db46df521658a3b611595
+SHA512 (undici-5.22.1.tar.gz) = 07c9d76390ef5b986b312d313421e27fb0f25f2cea83ba8f1dfa56dd8a6f839b4f34440dc983922a97b1382c2a1aabbe9b1261cd0172d1676d341a0a5dd35f7d
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb
 SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
-SHA512 (wasi-sdk-14.0-linux.tar.gz) = 288a367e051f5b3f5853de97fabaedd3acf2255819d50c24f48f573897518500ea808342fd9aea832b2a5717089807bf1cbcf6d46b156b4eb60cc6b3c02ee997