import UBI nodejs-22.22.2-1.module+el9.7.0+24157+8ddb2461

2026-04-09 16:39:21 -04:00 · 2026-04-09 16:39:21 -04:00 · ff76cf8248
commit ff76cf8248
parent 86586e6f7f
7 changed files with 7861 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-SOURCES/icu4c-77_1-data-bin-b.zip
-SOURCES/icu4c-77_1-data-bin-l.zip
-SOURCES/node-v22.22.0-stripped.tar.gz
+SOURCES/icu4c-78.2-data-bin-b.zip
+SOURCES/icu4c-78.2-data-bin-l.zip
+SOURCES/node-v22.22.2-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,3 +1,3 @@
-c459faa36dedc60af6a0c6d5b9b84b6198389bf0 SOURCES/icu4c-77_1-data-bin-b.zip
-c602459f93a43dfe7440686b46430e93a85dfc06 SOURCES/icu4c-77_1-data-bin-l.zip
-f7083d75d2e0aef9b0a5648523d4553774f3df79 SOURCES/node-v22.22.0-stripped.tar.gz
+7a91e81c4f2c8368d80285a5bbdfe278d68e4a84 SOURCES/icu4c-78.2-data-bin-b.zip
+b9f5918e2118ef8531b0ffc04b3d50e951e3a166 SOURCES/icu4c-78.2-data-bin-l.zip
+99fded7e2ca8329a6bcdba962599c9c8f2f3b689 SOURCES/node-v22.22.2-stripped.tar.gz
--- a/SOURCES/0001-CVE-2026-25547-braces-expansion.patch
+++ b/SOURCES/0001-CVE-2026-25547-braces-expansion.patch
@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tjuhasz <tjuhasz@redhat.com>
+Date: Tue, 25 Feb 2026 14:21:26 +0100
+Subject: [PATCH] CVE-2026-25547: Fix brace expansion vulnerability
+
+Add expansion limit to prevent DoS attacks through excessive
+brace expansion in the brace-expansion module.
+
+---
+ deps/npm/node_modules/brace-expansion/index.js | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/deps/npm/node_modules/brace-expansion/index.js b/deps/npm/node_modules/brace-expansion/index.js
+--- a/deps/npm/node_modules/brace-expansion/index.js	2026-01-12 23:55:24.000000000 +0100
+++ b/deps/npm/node_modules/brace-expansion/index.js	2026-02-25 14:21:26.829483831 +0100
+@@ -8,6 +8,8 @@
+ var escComma = '\0COMMA'+Math.random()+'\0';
+ var escPeriod = '\0PERIOD'+Math.random()+'\0';
+ 
+const EXPANSION_MAX = 100_000;
+
+ function numeric(str) {
+   return parseInt(str, 10) == str
+     ? parseInt(str, 10)
+@@ -61,9 +63,11 @@
+   return parts;
+ }
+ 
+-function expandTop(str) {
+function expandTop(str, options = {}) {
+   if (!str)
+     return [];
+  
+  const { max = EXPANSION_MAX } = options;
+ 
+   // I don't know why Bash 4.3 does this, but it does.
+   // Anything starting with {} will have the first two bytes preserved
+@@ -75,7 +79,7 @@
+     str = '\\{\\}' + str.substr(2);
+   }
+ 
+-  return expand(escapeBraces(str), true).map(unescapeBraces);
+  return expand(escapeBraces(str), max, true).map(unescapeBraces);
+ }
+ 
+ function embrace(str) {
+@@ -92,7 +96,7 @@
+   return i >= y;
+ }
+ 
+-function expand(str, isTop) {
+function expand(str, max, isTop) {
+   var expansions = [];
+ 
+   var m = balanced('{', '}', str);
+@@ -101,11 +105,11 @@
+   // no need to expand pre, since it is guaranteed to be free of brace-sets
+   var pre = m.pre;
+   var post = m.post.length
+-    ? expand(m.post, false)
+    ? expand(m.post, max, false)
+     : [''];
+ 
+   if (/\$$/.test(m.pre)) {
+-    for (var k = 0; k < post.length; k++) {
+    for (var k = 0; k < post.length && k < max; k++) {
+       var expansion = pre+ '{' + m.body + '}' + post[k];
+       expansions.push(expansion);
+     }
+@@ -118,7 +122,7 @@
+       // {a},b}
+       if (m.post.match(/,(?!,).*\}/)) {
+         str = m.pre + '{' + m.body + escClose + m.post;
+-        return expand(str);
+        return expand(str, max, true);
+       }
+       return [str];
+     }
+@@ -130,7 +134,7 @@
+       n = parseCommaParts(m.body);
+       if (n.length === 1) {
+         // x{{a,b}}y ==> x{a}y x{b}y
+-        n = expand(n[0], false).map(embrace);
+        n = expand(n[0], max, false).map(embrace);
+         if (n.length === 1) {
+           return post.map(function(p) {
+             return m.pre + n[0] + p;
+@@ -185,12 +189,12 @@
+       N = [];
+ 
+       for (var j = 0; j < n.length; j++) {
+-        N.push.apply(N, expand(n[j], false));
+        N.push.apply(N, expand(n[j], max, false));
+       }
+     }
+ 
+     for (var j = 0; j < N.length; j++) {
+-      for (var k = 0; k < post.length; k++) {
+      for (var k = 0; k < post.length && expansions.length < max; k++) {
+         var expansion = pre + N[j] + post[k];
+         if (!isTop || isSequence || expansion)
+           expansions.push(expansion);
--- a/SOURCES/0001-deps-update-nghttp2-to-1.68.1.patch
+++ b/SOURCES/0001-deps-update-nghttp2-to-1.68.1.patch
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
@ -115,14 +115,15 @@ rm -f node-v${version}.tar.gz node-v${version}-stripped.tar.gz
 wget http://nodejs.org/dist/v${version}/node-v${version}.tar.gz \
     http://nodejs.org/dist/v${version}/SHASUMS256.txt
 sha256sum -c SHASUMS256.txt --ignore-missing
+rm SHASUMS256.txt
 tar -zxf node-v${version}.tar.gz
 rm -rf node-v${version}/deps/openssl
 tar -zcf node-v${version}-stripped.tar.gz node-v${version}

 # Download the ICU binary data files
-ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
-ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
-rm -Rf icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\1/g')
+ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\2/g')
+rm -Rf icu4c-${ICU_MAJOR}.${ICU_MINOR}-data-bin-*.zip
 wget $(grep -w 'Source3' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
 wget $(grep -w 'Source4' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")

@ -194,8 +195,8 @@ echo $NGTCP2_VERSION
 echo
 echo "ICU"
 echo "========================="
-ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
-ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\1/g')
+ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\2/g')
 echo "${ICU_MAJOR}.${ICU_MINOR}"
 echo
 echo "simdutf"
--- a/SOURCES/test-should-pass.txt
+++ b/SOURCES/test-should-pass.txt
@ -1458,12 +1458,14 @@ parallel/test-http2-client-request-options-errors.js
 parallel/test-http2-client-rststream-before-connect.js
 parallel/test-http2-client-setLocalWindowSize.js
 parallel/test-http2-client-setNextStreamID-errors.js
-parallel/test-http2-client-set-priority.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-client-set-priority.js
 parallel/test-http2-client-settings-before-connect.js
 parallel/test-http2-client-shutdown-before-connect.js
 parallel/test-http2-client-socket-destroy.js
 parallel/test-http2-client-stream-destroy-before-connect.js
-parallel/test-http2-client-unescaped-path.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-client-unescaped-path.js
 parallel/test-http2-client-upload.js
 parallel/test-http2-client-upload-reject.js
 parallel/test-http2-client-write-before-connect.js
@ -1558,16 +1560,19 @@ parallel/test-http2-large-writes-session-memory-leak.js
 parallel/test-http2-malformed-altsvc.js
 parallel/test-http2-many-writes-and-destroy.js
 parallel/test-http2-max-concurrent-streams.js
-parallel/test-http2-max-invalid-frames.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-max-invalid-frames.js
 parallel/test-http2-max-session-memory-leak.js
 parallel/test-http2-max-settings.js
 parallel/test-http2-methods.js
-parallel/test-http2-misbehaving-flow-control.js
-parallel/test-http2-misbehaving-flow-control-paused.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-misbehaving-flow-control.js
+# parallel/test-http2-misbehaving-flow-control-paused.js
 parallel/test-http2-misbehaving-multiplex.js
 parallel/test-http2-misc-util.js
 parallel/test-http2-misused-pseudoheaders.js
-parallel/test-http2-multi-content-length.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-multi-content-length.js
 parallel/test-http2-multiheaders.js
 parallel/test-http2-multiheaders-raw.js
 parallel/test-http2-multiplex.js
@ -1592,13 +1597,15 @@ parallel/test-http2-pipe.js
 parallel/test-http2-pipe-named-pipe.js
 parallel/test-http2-premature-close.js
 parallel/test-http2-priority-cycle-.js
-parallel/test-http2-priority-event.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-priority-event.js
 parallel/test-http2-propagate-session-destroy-code.js
 parallel/test-http2-removed-header-stays-removed.js
 parallel/test-http2-request-remove-connect-listener.js
 parallel/test-http2-request-response-proto.js
 parallel/test-http2-res-corked.js
-parallel/test-http2-reset-flood.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-reset-flood.js
 parallel/test-http2-respond-errors.js
 parallel/test-http2-respond-file-204.js
 parallel/test-http2-respond-file-304.js
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -58,7 +58,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 22
 %global nodejs_minor 22
-%global nodejs_patch 0
+%global nodejs_patch 2
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
 %global nodejs_abi %{nodejs_soversion}
@ -94,7 +94,7 @@
 %global libuv_version 1.51.0

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.64.0
+%global nghttp2_version 1.68.1

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_version 1.6.0
@ -103,8 +103,8 @@
 %global ngtcp2_version 1.11.0

 # ICU - from tools/icu/current_ver.dep
-%global icu_major 77
-%global icu_minor 1
+%global icu_major 78
+%global icu_minor 2
 %global icu_version %{icu_major}.%{icu_minor}

 %global icudatadir %{nodejs_datadir}/icudata
@ -125,7 +125,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.9.4
+%global npm_version 10.9.7

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -142,7 +142,7 @@
 %global histogram_version 0.11.9

 # sqlite - from deps/sqlite/sqlite3.h
-%global sqlite_version 3.50.4
+%global sqlite_version 3.51.2


 Name: nodejs
@ -164,8 +164,8 @@ Source0: node-v%{nodejs_version}-stripped.tar.gz
 Source1: npmrc
 Source2: btest402.js
 # The binary data that icu-small can use to get icu-full capability
-Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-b.zip
-Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip
+Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}.%{icu_minor}/icu4c-%{icu_major}.%{icu_minor}-data-bin-b.zip
+Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}.%{icu_minor}/icu4c-%{icu_major}.%{icu_minor}-data-bin-l.zip
 Source200: nodejs-tarball.sh
 Source201: npmrc.builtin.in
 Source202: nodejs.pc.in
@ -175,6 +175,8 @@ Source301: test-should-pass.txt

 Patch: 0001-Remove-unused-OpenSSL-config.patch
 Patch: 0003-fips-disable-options.patch
+Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
+Patch: 0001-CVE-2026-25547-braces-expansion.patch

 %global pkgname nodejs

@ -327,14 +329,14 @@ Provides: bundled(ada) = 2.9.2

 # undici and cjs-module-lexer ship with pre-built WASM binaries.
 %if %{with bundled_cjs_module_lexer}
-Provides: bundled(nodejs-cjs-module-lexer) = 1.2.2
+Provides: bundled(nodejs-cjs-module-lexer) = 2.2.0
 %else
 BuildRequires: nodejs-cjs-module-lexer
 Requires: nodejs-cjs-module-lexer
 %endif

 %if %{with bundled_undici}
-Provides: bundled(nodejs-undici) = 6.23.0
+Provides: bundled(nodejs-undici) = 6.24.1
 %else
 BuildRequires: nodejs-undici
 Requires: nodejs-undici
@ -897,6 +899,14 @@ end


 %changelog
+* Wed Mar 25 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
+- Update to version 22.22.2
+- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135
+- disabled failing tests in nghttp2 due to newer version
+- patch for npm/braces CVE-2026-25547
+  Resolves: RHEL-163369
+  Fixes: CVE-2026-1528 CVE-2026-2229 CVE-2026-1526 CVE-2026-1525 CVE-2026-27135 CVE-2026-27904 CVE-2026-26996 CVE-2026-25547
+
 * Tue Jan 13 2026 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.22.0-1
 - Update to 22.22.0
  Resolves: RHEL-141879