14 changed files with 149 additions and 9 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,10 @@
-SOURCES/icu4c-64_2-src.tgz
-SOURCES/node-v10.24.0-stripped.tar.gz
+/node-v10.7.0-stripped.tar.gz
+/node-v10.11.0-stripped.tar.gz
+/node-v10.14.1-stripped.tar.gz
+/node-v10.16.3-stripped.tar.gz
+/node-v10.19.0-stripped.tar.gz
+/node-v10.21.0-stripped.tar.gz
+/icu4c-64_2-src.tgz
+/node-v10.22.1-stripped.tar.gz
+/node-v10.23.1-stripped.tar.gz
+/node-v10.24.0-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,2 +0,0 @@
-3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
-be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
--- a/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
+++ b/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
--- a/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
+++ b/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
--- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
--- a/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+++ b/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@ -0,0 +1,99 @@
+From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
+++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
+      if (section === '__proto__') {
+        // not allowed
+        // keep parsing the section, but don't attach it.
+        p = {}
+        return
+      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
+      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
+      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
+++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
+var ini = require('../')
+var t = require('tap')
+
+var data = `
+__proto__ = quux
+foo = baz
+[__proto__]
+foo = bar
+[other]
+foo = asdf
+[kid.__proto__.foo]
+foo = kid
+[arrproto]
+hello = snyk
+__proto__[] = you did a good job
+__proto__[] = so you deserve arrays
+thanks = true
+`
+var res = ini.parse(data)
+t.deepEqual(res, {
+  foo: 'baz',
+  other: {
+    foo: 'asdf',
+  },
+  kid: {
+    foo: {
+      foo: 'kid',
+    },
+  },
+  arrproto: {
+    hello: 'snyk',
+    thanks: true,
+  },
+})
+t.equal(res.__proto__, Object.prototype)
+t.equal(res.kid.__proto__, Object.prototype)
+t.equal(res.kid.foo.__proto__, Object.prototype)
+t.equal(res.arrproto.__proto__, Object.prototype)
+t.equal(Object.prototype.foo, undefined)
+t.equal(Object.prototype[0], undefined)
+t.equal(Object.prototype['0'], undefined)
+t.equal(Object.prototype[1], undefined)
+t.equal(Object.prototype['1'], undefined)
+t.equal(Array.prototype[0], undefined)
+t.equal(Array.prototype[1], undefined)
+-- 
+2.29.2
+
--- a/SOURCES/btest402.js
+++ b/SOURCES/btest402.js
--- a/macros.nodejs
+++ b/macros.nodejs
@ -0,0 +1,33 @@
+# nodejs binary
+%__nodejs %{_bindir}/node
+
+# nodejs library directory
+%nodejs_sitelib %{_prefix}/lib/node_modules
+
+#arch specific library directory
+#for future-proofing only; we don't do multilib
+%nodejs_sitearch %{nodejs_sitelib}
+
+# currently installed nodejs version
+%nodejs_version %(%{__nodejs} -v | sed s/v//)
+
+# symlink dependencies so `npm link` works
+# this should be run in every module's %%install section
+# pass --check to work in the current directory instead of the buildroot
+# pass --no-devdeps to ignore devDependencies when --check is used
+%nodejs_symlink_deps %{_rpmconfigdir}/nodejs-symlink-deps %{nodejs_sitelib}
+
+# patch package.json to fix a dependency
+# see `man npm-json` for details on writing dependencies for package.json files
+# e.g. `%%nodejs_fixdep frobber` makes any version of frobber do
+#      `%%nodejs_fixdep frobber '>1.0'` requires frobber > 1.0
+#      `%%nodejs_fixdep -r frobber removes the frobber dep
+%nodejs_fixdep %{_rpmconfigdir}/nodejs-fixdep
+
+# macro to filter unwanted provides from Node.js binary native modules
+%nodejs_default_filter %{expand: \
+%global __provides_exclude_from ^%{nodejs_sitearch}/.*\\.node$
+}
+
+# no-op macro to allow spec compatibility with EPEL
+%nodejs_find_provides_and_requires %{nil}
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -622,18 +622,18 @@ end

 %changelog
 * Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
- Resolves: RHBZ#1932373, RHBZ#1932426
+- Resolves: RHBZ#1934597, RHBZ#1934566
 - Resolves CVE-2021-22883 and CVE-2021-22884
- remove -debug-nghttp2 flag (1930775)
+- remove -debug-nghttp2 flag
 - remove ini patch merged upstream

 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
 - January Security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
 - Rebase to 10.23.1
- Resolves: RHBZ#1916461, RHBZ#1914789
- Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459
- Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388
+- Resolves: RHBZ#1912999, RHBZ#1912954
+- Resolves: RHBZ#1912634, RHBZ#1878543, RHBZ#1898764, RHBZ#1893983
+- Resolves: RHBZ#1857054, RHBZ#1861601, RHBZ#1875686
 - Remove dot-prop patch, as it is fixed by npm rebase

 * Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
--- a/SOURCES/nodejs_native.attr
+++ b/SOURCES/nodejs_native.attr
--- a/SOURCES/npmrc
+++ b/SOURCES/npmrc
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+SHA512 (node-v10.24.0-stripped.tar.gz) = c6106f16c6a91fcc0b36d733f23f5e6535c7fe215422c9ffae2542e0e572d07e32887053c94249c021f39135dbf828daf9fb19c2d0e7ee3aead8105d1212550e
+SHA512 (icu4c-64_2-src.tgz) = 5ecb4c230ba45918747a1cf9aef86f555aa07d5b29b1d07ab674e8013f46dfb907a0e9d6945db41155f9dc3012fd94e1152ffc19f61a68b6dfcbabdcb8ae9d78