28 changed files with 1154 additions and 11857 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1,2 @@
-*~
+SOURCES/icu4c-64_2-src.tgz
-*.swp
+SOURCES/node-v10.24.0-stripped.tar.gz
 /*.tar.gz
 /*.src.rpm
 /*.tgz
 /node-*/*
 /.build-*.log
 /noarch
 /x86_64
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -0,0 +1,2 @@
 3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
 be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz
--- a/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/0001-Disable-running-gyp-on-shared-deps.patch
@ -1,26 +0,0 @@
 From 6c80c1956373978489a297a630f4f50222c47775 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Tue, 30 May 2023 13:12:35 +0200
 Subject: [PATCH] Disable running gyp on shared deps
 Signed-off-by: rpm-build <rpm-build>
 ---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Makefile b/Makefile
 index ef3eda2..8b52a4f 100644
 --- a/Makefile
 +++ b/Makefile
@@ -148,7 +148,7 @@ with-code-cache test-code-cache:
 	$(warning '$@' target is a noop)
 out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
 +	deps/llhttp/llhttp.gyp \
 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 	$(PYTHON) tools/gyp_node.py -f make
 -- 
 2.44.0
--- a/0002-disable-fips-options.patch
+++ b/0002-disable-fips-options.patch
@ -1,26 +0,0 @@
 From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
 From: Honza Horak <hhorak@redhat.com>
 Date: Thu, 12 Oct 2023 13:52:59 +0200
 Subject: [PATCH] disable fips options
 Signed-off-by: rpm-build <rpm-build>
 ---
 src/crypto/crypto_util.cc | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
 index 59ae7f8..7343396 100644
 --- a/src/crypto/crypto_util.cc
 +++ b/src/crypto/crypto_util.cc
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
   /* Override FIPS settings in configuration file, if needed. */
   if (per_process::cli_options->enable_fips_crypto ||
       per_process::cli_options->force_fips_crypto) {
 +      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
 +      return false;
 #if OPENSSL_VERSION_MAJOR >= 3
     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
     if (fips_provider == nullptr)
 -- 
 2.44.0
--- a/0003-deps-nghttp2-update-to-1.57.0.patch
+++ b/0003-deps-nghttp2-update-to-1.57.0.patch
--- a/0004-Fix-CVE-2024-22019.patch
+++ b/0004-Fix-CVE-2024-22019.patch
@ -1,581 +0,0 @@
 From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
 From: Honza Horak <hhorak@redhat.com>
 Date: Mon, 15 Apr 2024 15:21:35 +0200
 Subject: [PATCH] Fix CVE-2024-22019
 Resolves: RHEL-28064
 This is a combination of the upstream commit from v18:
 https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
 and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
 chunk features.
 Original patch:
 > From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
 > From: Paolo Insogna <paolo@cowtech.it>
 > Date: Tue, 9 Jan 2024 18:10:04 +0100
 > Subject: [PATCH] http: add maximum chunk extension size
 >
 > Cherry-picked from v18 patch:
 > https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
 >
 > PR-URL: https://github.com/nodejs-private/node-private/pull/520
 > Refs: https://github.com/nodejs-private/node-private/pull/518
 > CVE-ID: CVE-2024-22019
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/llhttp/.gitignore                        |   1 +
 deps/llhttp/CMakeLists.txt                    |   2 +-
 deps/llhttp/include/llhttp.h                  |   7 +-
 deps/llhttp/src/api.c                         |   7 +
 deps/llhttp/src/llhttp.c                      | 122 ++++++++++++++--
 doc/api/errors.md                             |  12 ++
 lib/_http_server.js                           |   9 ++
 src/node_http_parser.cc                       |  20 ++-
 .../test-http-chunk-extensions-limit.js       | 131 ++++++++++++++++++
 tools/update-llhttp.sh                        |   2 +-
 10 files changed, 294 insertions(+), 19 deletions(-)
 create mode 100644 deps/llhttp/.gitignore
 create mode 100644 test/parallel/test-http-chunk-extensions-limit.js
 diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
 new file mode 100644
 index 0000000..98438a2
 --- /dev/null
 +++ b/deps/llhttp/.gitignore
@@ -0,0 +1 @@
 +libllhttp.pc
 diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
 index d038203..747564a 100644
 --- a/deps/llhttp/CMakeLists.txt
 +++ b/deps/llhttp/CMakeLists.txt
@@ -1,7 +1,7 @@
 cmake_minimum_required(VERSION 3.5.1)
 cmake_policy(SET CMP0069 NEW)
 -project(llhttp VERSION 6.0.11)
 +project(llhttp VERSION 6.1.0)
 include(GNUInstallDirs)
 set(CMAKE_C_STANDARD 99)
 diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
 index 2da66f1..78f27ab 100644
 --- a/deps/llhttp/include/llhttp.h
 +++ b/deps/llhttp/include/llhttp.h
@@ -2,8 +2,8 @@
 #define INCLUDE_LLHTTP_H_
 #define LLHTTP_VERSION_MAJOR 6
 -#define LLHTTP_VERSION_MINOR 0
 -#define LLHTTP_VERSION_PATCH 11
 +#define LLHTTP_VERSION_MINOR 1
 +#define LLHTTP_VERSION_PATCH 0
 #ifndef LLHTTP_STRICT_MODE
 # define LLHTTP_STRICT_MODE 0
@@ -348,6 +348,9 @@ struct llhttp_settings_s {
    */
   llhttp_cb      on_headers_complete;
 +  /* Possible return values 0, -1, HPE_USER */
 +  llhttp_data_cb on_chunk_parameters;
 +
   /* Possible return values 0, -1, HPE_USER */
   llhttp_data_cb on_body;
 diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
 index c4ce197..d3065b3 100644
 --- a/deps/llhttp/src/api.c
 +++ b/deps/llhttp/src/api.c
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
 }
 +int llhttp__on_chunk_parameters(llhttp_t* s, const char* p, const char* endp) {
 +  int err;
 +  SPAN_CALLBACK_MAYBE(s, on_chunk_parameters, p, endp - p);
 +  return err;
 +}
 +
 +
 int llhttp__on_chunk_complete(llhttp_t* s, const char* p, const char* endp) {
   int err;
   CALLBACK_MAYBE(s, on_chunk_complete);
 diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
 index 5e7c5d1..46f86a0 100644
 --- a/deps/llhttp/src/llhttp.c
 +++ b/deps/llhttp/src/llhttp.c
@@ -340,6 +340,8 @@ enum llparse_state_e {
   s_n_llhttp__internal__n_invoke_is_equal_content_length,
   s_n_llhttp__internal__n_chunk_size_almost_done,
   s_n_llhttp__internal__n_chunk_parameters,
 +  s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
 +  s_n_llhttp__internal__n_chunk_parameters_ows,
   s_n_llhttp__internal__n_chunk_size_otherwise,
   s_n_llhttp__internal__n_chunk_size,
   s_n_llhttp__internal__n_chunk_size_digit,
@@ -539,6 +541,10 @@ int llhttp__on_body(
     llhttp__internal_t* s, const unsigned char* p,
     const unsigned char* endp);
 +int llhttp__on_chunk_parameters(
 +    llhttp__internal_t* s, const unsigned char* p,
 +    const unsigned char* endp);
 +
 int llhttp__on_status(
     llhttp__internal_t* s, const unsigned char* p,
     const unsigned char* endp);
@@ -1226,8 +1232,7 @@ static llparse_state_t llhttp__internal__run(
           goto s_n_llhttp__internal__n_chunk_parameters;
         }
         case 2: {
 -          p++;
 -          goto s_n_llhttp__internal__n_chunk_size_almost_done;
 +          goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
         }
         default: {
           goto s_n_llhttp__internal__n_error_10;
@@ -1236,6 +1241,34 @@ static llparse_state_t llhttp__internal__run(
       /* UNREACHABLE */;
       abort();
     }
 +    case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
 +    s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
 +      if (p == endp) {
 +        return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
 +      }
 +      state->_span_pos0 = (void*) p;
 +      state->_span_cb0 = llhttp__on_chunk_parameters;
 +      goto s_n_llhttp__internal__n_chunk_parameters;
 +      /* UNREACHABLE */;
 +      abort();
 +    }
 +    case s_n_llhttp__internal__n_chunk_parameters_ows:
 +    s_n_llhttp__internal__n_chunk_parameters_ows: {
 +      if (p == endp) {
 +        return s_n_llhttp__internal__n_chunk_parameters_ows;
 +      }
 +      switch (*p) {
 +        case ' ': {
 +          p++;
 +          goto s_n_llhttp__internal__n_chunk_parameters_ows;
 +        }
 +        default: {
 +          goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
 +        }
 +      }
 +      /* UNREACHABLE */;
 +      abort();
 +    }
     case s_n_llhttp__internal__n_chunk_size_otherwise:
     s_n_llhttp__internal__n_chunk_size_otherwise: {
       if (p == endp) {
@@ -1246,13 +1279,9 @@ static llparse_state_t llhttp__internal__run(
           p++;
           goto s_n_llhttp__internal__n_chunk_size_almost_done;
         }
 -        case ' ': {
 -          p++;
 -          goto s_n_llhttp__internal__n_chunk_parameters;
 -        }
         case ';': {
           p++;
 -          goto s_n_llhttp__internal__n_chunk_parameters;
 +          goto s_n_llhttp__internal__n_chunk_parameters_ows;
         }
         default: {
           goto s_n_llhttp__internal__n_error_11;
@@ -6074,6 +6103,24 @@ static llparse_state_t llhttp__internal__run(
     /* UNREACHABLE */;
     abort();
   }
 +  s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
 +    const unsigned char* start;
 +    int err;
 +
 +    start = state->_span_pos0;
 +    state->_span_pos0 = NULL;
 +    err = llhttp__on_chunk_parameters(state, start, p);
 +    if (err != 0) {
 +      state->error = err;
 +      state->error_pos = (const char*) (p + 1);
 +      state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
 +      return s_error;
 +    }
 +    p++;
 +    goto s_n_llhttp__internal__n_chunk_size_almost_done;
 +    /* UNREACHABLE */;
 +    abort();
 +  }
   s_n_llhttp__internal__n_error_10: {
     state->error = 0x2;
     state->reason = "Invalid character in chunk parameters";
@@ -8441,6 +8488,8 @@ enum llparse_state_e {
   s_n_llhttp__internal__n_invoke_is_equal_content_length,
   s_n_llhttp__internal__n_chunk_size_almost_done,
   s_n_llhttp__internal__n_chunk_parameters,
 +  s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters,
 +  s_n_llhttp__internal__n_chunk_parameters_ows,
   s_n_llhttp__internal__n_chunk_size_otherwise,
   s_n_llhttp__internal__n_chunk_size,
   s_n_llhttp__internal__n_chunk_size_digit,
@@ -8635,6 +8684,10 @@ int llhttp__on_body(
     llhttp__internal_t* s, const unsigned char* p,
     const unsigned char* endp);
 +int llhttp__on_chunk_parameters(
 +    llhttp__internal_t* s, const unsigned char* p,
 +    const unsigned char* endp);
 +
 int llhttp__on_status(
     llhttp__internal_t* s, const unsigned char* p,
     const unsigned char* endp);
@@ -9299,8 +9352,7 @@ static llparse_state_t llhttp__internal__run(
           goto s_n_llhttp__internal__n_chunk_parameters;
         }
         case 2: {
 -          p++;
 -          goto s_n_llhttp__internal__n_chunk_size_almost_done;
 +          goto s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters;
         }
         default: {
           goto s_n_llhttp__internal__n_error_6;
@@ -9309,6 +9361,34 @@ static llparse_state_t llhttp__internal__run(
       /* UNREACHABLE */;
       abort();
     }
 +    case s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters:
 +    s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters: {
 +      if (p == endp) {
 +        return s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
 +      }
 +      state->_span_pos0 = (void*) p;
 +      state->_span_cb0 = llhttp__on_chunk_parameters;
 +      goto s_n_llhttp__internal__n_chunk_parameters;
 +      /* UNREACHABLE */;
 +      abort();
 +    }
 +    case s_n_llhttp__internal__n_chunk_parameters_ows:
 +    s_n_llhttp__internal__n_chunk_parameters_ows: {
 +      if (p == endp) {
 +        return s_n_llhttp__internal__n_chunk_parameters_ows;
 +      }
 +      switch (*p) {
 +        case ' ': {
 +          p++;
 +          goto s_n_llhttp__internal__n_chunk_parameters_ows;
 +        }
 +        default: {
 +          goto s_n_llhttp__internal__n_span_start_llhttp__on_chunk_parameters;
 +        }
 +      }
 +      /* UNREACHABLE */;
 +      abort();
 +    }
     case s_n_llhttp__internal__n_chunk_size_otherwise:
     s_n_llhttp__internal__n_chunk_size_otherwise: {
       if (p == endp) {
@@ -9319,13 +9399,9 @@ static llparse_state_t llhttp__internal__run(
           p++;
           goto s_n_llhttp__internal__n_chunk_size_almost_done;
         }
 -        case ' ': {
 -          p++;
 -          goto s_n_llhttp__internal__n_chunk_parameters;
 -        }
         case ';': {
           p++;
 -          goto s_n_llhttp__internal__n_chunk_parameters;
 +          goto s_n_llhttp__internal__n_chunk_parameters_ows;
         }
         default: {
           goto s_n_llhttp__internal__n_error_7;
@@ -13951,6 +14027,24 @@ static llparse_state_t llhttp__internal__run(
     /* UNREACHABLE */;
     abort();
   }
 +  s_n_llhttp__internal__n_span_end_llhttp__on_chunk_parameters: {
 +    const unsigned char* start;
 +    int err;
 +
 +    start = state->_span_pos0;
 +    state->_span_pos0 = NULL;
 +    err = llhttp__on_chunk_parameters(state, start, p);
 +    if (err != 0) {
 +      state->error = err;
 +      state->error_pos = (const char*) (p + 1);
 +      state->_current = (void*) (intptr_t) s_n_llhttp__internal__n_chunk_size_almost_done;
 +      return s_error;
 +    }
 +    p++;
 +    goto s_n_llhttp__internal__n_chunk_size_almost_done;
 +    /* UNREACHABLE */;
 +    abort();
 +  }
   s_n_llhttp__internal__n_error_6: {
     state->error = 0x2;
     state->reason = "Invalid character in chunk parameters";
 diff --git a/doc/api/errors.md b/doc/api/errors.md
 index dcf8744..a76bfe5 100644
 --- a/doc/api/errors.md
 +++ b/doc/api/errors.md
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
 HTTP parsing will abort without a request or response object being created, and
 an `Error` with this code will be emitted.
 +<a id="HPE_CHUNK_EXTENSIONS_OVERFLOW"></a>
 +
 +### `HPE_CHUNK_EXTENSIONS_OVERFLOW`
 +
 +<!-- YAML
 +added: REPLACEME
 +-->
 +
 +Too much data was received for a chunk extensions. In order to protect against
 +malicious or malconfigured clients, if more than 16 KiB of data is received
 +then an `Error` with this code will be emitted.
 +
 <a id="HPE_UNEXPECTED_CONTENT_LENGTH"></a>
 ### `HPE_UNEXPECTED_CONTENT_LENGTH`
 diff --git a/lib/_http_server.js b/lib/_http_server.js
 index 4e23266..325bce6 100644
 --- a/lib/_http_server.js
 +++ b/lib/_http_server.js
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
   `HTTP/1.1 431 ${STATUS_CODES[431]}\r\n` +
   'Connection: close\r\n\r\n', 'ascii'
 );
 +
 +const requestChunkExtensionsTooLargeResponse = Buffer.from(
 +  `HTTP/1.1 413 ${STATUS_CODES[413]}\r\n` +
 +  'Connection: close\r\n\r\n', 'ascii',
 +);
 +
 function socketOnError(e) {
   // Ignore further errors
   this.removeListener('error', socketOnError);
@@ -719,6 +725,9 @@ function socketOnError(e) {
         case 'HPE_HEADER_OVERFLOW':
           response = requestHeaderFieldsTooLargeResponse;
           break;
 +        case 'HPE_CHUNK_EXTENSIONS_OVERFLOW':
 +          response = requestChunkExtensionsTooLargeResponse;
 +          break;
         case 'ERR_HTTP_REQUEST_TIMEOUT':
           response = requestTimeoutResponse;
           break;
 diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
 index 74f3248..b92e848 100644
 --- a/src/node_http_parser.cc
 +++ b/src/node_http_parser.cc
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
 const uint32_t kOnTimeout = 6;
 // Any more fields than this will be flushed into JS
 const size_t kMaxHeaderFieldsCount = 32;
 +// Maximum size of chunk extensions
 +const size_t kMaxChunkExtensionsSize = 16384;
 const uint32_t kLenientNone = 0;
 const uint32_t kLenientHeaders = 1 << 0;
@@ -206,6 +208,7 @@ class Parser : public AsyncWrap, public StreamListener {
   int on_message_begin() {
     num_fields_ = num_values_ = 0;
 +    chunk_extensions_nread_ = 0;
     url_.Reset();
     status_message_.Reset();
     header_parsing_start_time_ = uv_hrtime();
@@ -443,9 +446,22 @@ class Parser : public AsyncWrap, public StreamListener {
     return 0;
   }
 -  // Reset nread for the next chunk
 +  int on_chunk_extension(const char* at, size_t length) {
 +    chunk_extensions_nread_ += length;
 +
 +    if (chunk_extensions_nread_ > kMaxChunkExtensionsSize) {
 +      llhttp_set_error_reason(&parser_,
 +        "HPE_CHUNK_EXTENSIONS_OVERFLOW:Chunk extensions overflow");
 +      return HPE_USER;
 +    }
 +
 +    return 0;
 +  }
 +
 +  // Reset nread for the next chunk and also reset the extensions counter
   int on_chunk_header() {
     header_nread_ = 0;
 +    chunk_extensions_nread_ = 0;
     return 0;
   }
@@ -887,6 +903,7 @@ class Parser : public AsyncWrap, public StreamListener {
   const char* current_buffer_data_;
   bool pending_pause_ = false;
   uint64_t header_nread_ = 0;
 +  uint64_t chunk_extensions_nread_ = 0;
   uint64_t max_http_header_size_;
   uint64_t headers_timeout_;
   uint64_t header_parsing_start_time_ = 0;
@@ -921,6 +938,7 @@ const llhttp_settings_t Parser::settings = {
   Proxy<DataCall, &Parser::on_header_field>::Raw,
   Proxy<DataCall, &Parser::on_header_value>::Raw,
   Proxy<Call, &Parser::on_headers_complete>::Raw,
 +  Proxy<DataCall, &Parser::on_chunk_extension>::Raw,
   Proxy<DataCall, &Parser::on_body>::Raw,
   Proxy<Call, &Parser::on_message_complete>::Raw,
   Proxy<Call, &Parser::on_chunk_header>::Raw,
 diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
 new file mode 100644
 index 0000000..6868b3d
 --- /dev/null
 +++ b/test/parallel/test-http-chunk-extensions-limit.js
@@ -0,0 +1,131 @@
 +'use strict';
 +
 +const common = require('../common');
 +const http = require('http');
 +const net = require('net');
 +const assert = require('assert');
 +
 +// Verify that chunk extensions are limited in size when sent all together.
 +{
 +  const server = http.createServer((req, res) => {
 +    req.on('end', () => {
 +      res.writeHead(200, { 'Content-Type': 'text/plain' });
 +      res.end('bye');
 +    });
 +
 +    req.resume();
 +  });
 +
 +  server.listen(0, () => {
 +    const sock = net.connect(server.address().port);
 +    let data = '';
 +
 +    sock.on('data', (chunk) => data += chunk.toString('utf-8'));
 +
 +    sock.on('end', common.mustCall(function() {
 +      assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
 +      server.close();
 +    }));
 +
 +    sock.end('' +
 +      'GET / HTTP/1.1\r\n' +
 +      'Host: localhost:8080\r\n' +
 +      'Transfer-Encoding: chunked\r\n\r\n' +
 +      '2;' + 'A'.repeat(20000) + '=bar\r\nAA\r\n' +
 +      '0\r\n\r\n'
 +    );
 +  });
 +}
 +
 +// Verify that chunk extensions are limited in size when sent in intervals.
 +{
 +  const server = http.createServer((req, res) => {
 +    req.on('end', () => {
 +      res.writeHead(200, { 'Content-Type': 'text/plain' });
 +      res.end('bye');
 +    });
 +
 +    req.resume();
 +  });
 +
 +  server.listen(0, () => {
 +    const sock = net.connect(server.address().port);
 +    let remaining = 20000;
 +    let data = '';
 +
 +    const interval = setInterval(
 +      () => {
 +        if (remaining > 0) {
 +          sock.write('A'.repeat(1000));
 +        } else {
 +          sock.write('=bar\r\nAA\r\n0\r\n\r\n');
 +          clearInterval(interval);
 +        }
 +
 +        remaining -= 1000;
 +      },
 +      common.platformTimeout(20),
 +    ).unref();
 +
 +    sock.on('data', (chunk) => data += chunk.toString('utf-8'));
 +
 +    sock.on('end', common.mustCall(function() {
 +      assert.strictEqual(data, 'HTTP/1.1 413 Payload Too Large\r\nConnection: close\r\n\r\n');
 +      server.close();
 +    }));
 +
 +    sock.write('' +
 +    'GET / HTTP/1.1\r\n' +
 +    'Host: localhost:8080\r\n' +
 +    'Transfer-Encoding: chunked\r\n\r\n' +
 +    '2;'
 +    );
 +  });
 +}
 +
 +// Verify the chunk extensions is correctly reset after a chunk
 +{
 +  const server = http.createServer((req, res) => {
 +    req.on('end', () => {
 +      res.writeHead(200, { 'content-type': 'text/plain', 'connection': 'close', 'date': 'now' });
 +      res.end('bye');
 +    });
 +
 +    req.resume();
 +  });
 +
 +  server.listen(0, () => {
 +    const sock = net.connect(server.address().port);
 +    let data = '';
 +
 +    sock.on('data', (chunk) => data += chunk.toString('utf-8'));
 +
 +    sock.on('end', common.mustCall(function() {
 +      assert.strictEqual(
 +        data,
 +        'HTTP/1.1 200 OK\r\n' +
 +        'content-type: text/plain\r\n' +
 +        'connection: close\r\n' +
 +        'date: now\r\n' +
 +        'Transfer-Encoding: chunked\r\n' +
 +        '\r\n' +
 +        '3\r\n' +
 +        'bye\r\n' +
 +        '0\r\n' +
 +        '\r\n',
 +      );
 +
 +      server.close();
 +    }));
 +
 +    sock.end('' +
 +      'GET / HTTP/1.1\r\n' +
 +      'Host: localhost:8080\r\n' +
 +      'Transfer-Encoding: chunked\r\n\r\n' +
 +      '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
 +      '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
 +      '2;' + 'A'.repeat(10000) + '=bar\r\nAA\r\n' +
 +      '0\r\n\r\n'
 +    );
 +  });
 +}
 diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
 index 12e2f46..a95eef1 100755
 --- a/tools/update-llhttp.sh
 +++ b/tools/update-llhttp.sh
@@ -59,5 +59,5 @@ echo ""
 echo "Please git add llhttp, commit the new version:"
 echo ""
 echo "$ git add -A deps/llhttp"
 -echo "$ git commit -m \"deps: update nghttp2 to $LLHTTP_VERSION\""
 +echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
 echo ""
 -- 
 2.44.0
--- a/0005-src-ensure-to-close-stream-when-destroying-session.patch
+++ b/0005-src-ensure-to-close-stream-when-destroying-session.patch
@ -1,42 +0,0 @@
 From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
 From: RafaelGSS <rafael.nunu@hotmail.com>
 Date: Tue, 26 Mar 2024 15:55:13 -0300
 Subject: [PATCH] src: ensure to close stream when destroying session
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Co-Authored-By: Anna Henningsen <anna@addaleax.net>
 PR-URL: https://github.com/nodejs-private/node-private/pull/561
 Fixes: https://hackerone.com/reports/2319584
 Reviewed-By: Michael Dawson <midawson@redhat.com>
 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
 Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
 CVE-ID: CVE-2024-27983
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 Signed-off-by: rpm-build <rpm-build>
 ---
 src/node_http2.cc | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/node_http2.cc b/src/node_http2.cc
 index 53216dc..9a6d63d 100644
 --- a/src/node_http2.cc
 +++ b/src/node_http2.cc
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
 Http2Session::~Http2Session() {
   CHECK(!is_in_scope());
   Debug(this, "freeing nghttp2 session");
 +  // Ensure that all `Http2Stream` instances and the memory they hold
 +  // on to are destroyed before the nghttp2 session is.
 +  for (const auto& [id, stream] : streams_) {
 +    stream->Detach();
 +  }
 +  streams_.clear();
   // Explicitly reset session_ so the subsequent
   // current_nghttp2_memory_ check passes.
   session_.reset();
 -- 
 2.44.0
--- a/0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
+++ b/0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
@ -1,112 +0,0 @@
 From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sat, 9 Mar 2024 16:26:42 +0900
 Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 Fixes: CVE-2024-28182
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/nghttp2/lib/includes/nghttp2/nghttp2.h |  7 ++++++-
 deps/nghttp2/lib/nghttp2_helper.c           |  2 ++
 deps/nghttp2/lib/nghttp2_session.c          |  7 +++++++
 deps/nghttp2/lib/nghttp2_session.h          | 10 ++++++++++
 4 files changed, 25 insertions(+), 1 deletion(-)
 diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
 index fa22081..b394bde 100644
 --- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
 +++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
    * exhaustion on server side to send these frames forever and does
    * not read network.
    */
 -  NGHTTP2_ERR_FLOODED = -904
 +  NGHTTP2_ERR_FLOODED = -904,
 +  /**
 +   * When a local endpoint receives too many CONTINUATION frames
 +   * following a HEADER frame.
 +   */
 +  NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
 } nghttp2_error;
 /**
 diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
 index 93dd475..b3563d9 100644
 --- a/deps/nghttp2/lib/nghttp2_helper.c
 +++ b/deps/nghttp2/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
            "closed";
   case NGHTTP2_ERR_TOO_MANY_SETTINGS:
     return "SETTINGS frame contained more than the maximum allowed entries";
 +  case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
 +    return "Too many CONTINUATION frames following a HEADER frame";
   default:
     return "Unknown error code";
   }
 diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
 index ec5024d..8e4d2e7 100644
 --- a/deps/nghttp2/lib/nghttp2_session.c
 +++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
   (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
   (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
   (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
 +  (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
   if (option) {
     if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
           }
         }
         session_inbound_frame_reset(session);
 +
 +        session->num_continuations = 0;
       }
       break;
     }
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
       }
 #endif /* DEBUGBUILD */
 +      if (++session->num_continuations > session->max_continuations) {
 +        return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
 +      }
 +
       readlen = inbound_frame_buf_read(iframe, in, last);
       in += readlen;
 diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
 index b119329..ef8f7b2 100644
 --- a/deps/nghttp2/lib/nghttp2_session.h
 +++ b/deps/nghttp2/lib/nghttp2_session.h
@@ -110,6 +110,10 @@ typedef struct {
 #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
 #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
 +/* The default max number of CONTINUATION frames following an incoming
 +   HEADER frame. */
 +#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
 +
 /* Internal state when receiving incoming frame */
 typedef enum {
   /* Receiving frame header */
@@ -290,6 +294,12 @@ struct nghttp2_session {
   size_t max_send_header_block_length;
   /* The maximum number of settings accepted per SETTINGS frame. */
   size_t max_settings;
 +  /* The maximum number of CONTINUATION frames following an incoming
 +     HEADER frame. */
 +  size_t max_continuations;
 +  /* The number of CONTINUATION frames following an incoming HEADER
 +     frame.  This variable is reset when END_HEADERS flag is seen. */
 +  size_t num_continuations;
   /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
   uint32_t next_stream_id;
   /* The last stream ID this session initiated.  For client session,
 -- 
 2.44.0
--- a/0007-Add-nghttp2_option_set_max_continuations.patch
+++ b/0007-Add-nghttp2_option_set_max_continuations.patch
@ -1,94 +0,0 @@
 From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
 From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
 Date: Sat, 9 Mar 2024 16:48:10 +0900
 Subject: [PATCH] Add nghttp2_option_set_max_continuations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 Related: CVE-2024-28182
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
 deps/nghttp2/lib/nghttp2_option.c           |  5 +++++
 deps/nghttp2/lib/nghttp2_option.h           |  5 +++++
 deps/nghttp2/lib/nghttp2_session.c          |  4 ++++
 4 files changed, 25 insertions(+)
 diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
 index b394bde..4d3339b 100644
 --- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
 +++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
 nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
                                            uint64_t burst, uint64_t rate);
 +/**
 + * @function
 + *
 + * This function sets the maximum number of CONTINUATION frames
 + * following an incoming HEADER frame.  If more than those frames are
 + * received, the remote endpoint is considered to be misbehaving and
 + * session will be closed.  The default value is 8.
 + */
 +NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
 +                                                         size_t val);
 +
 /**
  * @function
  *
 diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
 index 43d4e95..53144b9 100644
 --- a/deps/nghttp2/lib/nghttp2_option.c
 +++ b/deps/nghttp2/lib/nghttp2_option.c
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
   option->stream_reset_burst = burst;
   option->stream_reset_rate = rate;
 }
 +
 +void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
 +  option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
 +  option->max_continuations = val;
 +}
 diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
 index 2259e18..c89cb97 100644
 --- a/deps/nghttp2/lib/nghttp2_option.h
 +++ b/deps/nghttp2/lib/nghttp2_option.h
@@ -71,6 +71,7 @@ typedef enum {
   NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
   NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
   NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
 +  NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
 } nghttp2_option_flag;
 /**
@@ -98,6 +99,10 @@ struct nghttp2_option {
    * NGHTTP2_OPT_MAX_SETTINGS
    */
   size_t max_settings;
 +  /**
 +   * NGHTTP2_OPT_MAX_CONTINUATIONS
 +   */
 +  size_t max_continuations;
   /**
    * Bitwise OR of nghttp2_option_flag to determine that which fields
    * are specified.
 diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
 index 8e4d2e7..ced7517 100644
 --- a/deps/nghttp2/lib/nghttp2_session.c
 +++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
                            option->stream_reset_burst,
                            option->stream_reset_rate);
     }
 +
 +    if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
 +      (*session_ptr)->max_continuations = option->max_continuations;
 +    }
   }
   rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
 -- 
 2.44.0
--- a/0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
+++ b/0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
--- a/0009-Address-CVE-2024-25629.patch
+++ b/0009-Address-CVE-2024-25629.patch
@ -1,39 +0,0 @@
 From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
 From: Brad House <brad@brad-house.com>
 Date: Thu, 22 Feb 2024 16:23:33 -0500
 Subject: [PATCH] Address CVE-2024-25629
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 Fixes: CVE-2024-25629
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/cares/src/lib/ares__read_line.c | 8 ++++++++
 1 file changed, 8 insertions(+)
 diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
 index c62ad2a..16627e4 100644
 --- a/deps/cares/src/lib/ares__read_line.c
 +++ b/deps/cares/src/lib/ares__read_line.c
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
       if (!fgets(*buf + offset, bytestoread, fp))
         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
       len = offset + strlen(*buf + offset);
 +
 +      /* Probably means there was an embedded NULL as the first character in
 +      * the line, throw away line */
 +      if (len == 0) {
 +        offset = 0;
 +        continue;
 +      }
 +
       if ((*buf)[len - 1] == '\n')
         {
           (*buf)[len - 1] = 0;
 -- 
 2.44.0
--- a/0010-http-do-not-allow-OBS-fold-in-headers-by-default.patch
+++ b/0010-http-do-not-allow-OBS-fold-in-headers-by-default.patch
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@ -0,0 +1,31 @@
 From 2cd4c12776af3da588231d3eb498e6451c30eae5 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Thu, 27 Apr 2017 14:25:42 +0200
 Subject: [PATCH] Disable running gyp on shared deps
 Signed-off-by: rpm-build <rpm-build>
 ---
 Makefile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
 diff --git a/Makefile b/Makefile
 index 73feb4c..45bbceb 100644
 --- a/Makefile
 +++ b/Makefile
@@ -123,10 +123,9 @@ with-code-cache:
 test-code-cache: with-code-cache
 	$(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) code-cache
 -out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \
 -              deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \
 -              deps/v8/gypfiles/features.gypi deps/v8/gypfiles/v8.gyp node.gyp \
 -              config.gypi
 +out/Makefile: common.gypi deps/http_parser/http_parser.gyp \
 +              deps/v8/gypfiles/toolchain.gypi deps/v8/gypfiles/features.gypi \
 +			  deps/v8/gypfiles/v8.gyp node.gyp config.gypi
 	$(PYTHON) tools/gyp_node.py -f make
 config.gypi: configure configure.py
 -- 
 2.26.2
--- a/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
+++ b/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
@ -0,0 +1,84 @@
 From e7afb2d6e2a6c8f9c9c32e12a10c3c5c4902a251 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Tue, 1 May 2018 08:05:30 -0400
 Subject: [PATCH] Suppress NPM message to run global update
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 Signed-off-by: rpm-build <rpm-build>
 ---
 deps/npm/bin/npm-cli.js | 54 -----------------------------------------
 1 file changed, 54 deletions(-)
 diff --git a/deps/npm/bin/npm-cli.js b/deps/npm/bin/npm-cli.js
 index c0d9be0..0f0892e 100755
 --- a/deps/npm/bin/npm-cli.js
 +++ b/deps/npm/bin/npm-cli.js
@@ -71,65 +71,11 @@
     npm.command = 'help'
   }
 -  var isGlobalNpmUpdate = conf.global && ['install', 'update'].includes(npm.command) && npm.argv.includes('npm')
 -
   // now actually fire up npm and run the command.
   // this is how to use npm programmatically:
   conf._exit = true
   npm.load(conf, function (er) {
     if (er) return errorHandler(er)
 -    if (
 -      !isGlobalNpmUpdate &&
 -      npm.config.get('update-notifier') &&
 -      !unsupported.checkVersion(process.version).unsupported
 -    ) {
 -      const pkg = require('../package.json')
 -      let notifier = require('update-notifier')({pkg})
 -      const isCI = require('ci-info').isCI
 -      if (
 -        notifier.update &&
 -        notifier.update.latest !== pkg.version &&
 -        !isCI
 -      ) {
 -        const color = require('ansicolors')
 -        const useColor = npm.config.get('color')
 -        const useUnicode = npm.config.get('unicode')
 -        const old = notifier.update.current
 -        const latest = notifier.update.latest
 -        let type = notifier.update.type
 -        if (useColor) {
 -          switch (type) {
 -            case 'major':
 -              type = color.red(type)
 -              break
 -            case 'minor':
 -              type = color.yellow(type)
 -              break
 -            case 'patch':
 -              type = color.green(type)
 -              break
 -          }
 -        }
 -        const changelog = `https://github.com/npm/cli/releases/tag/v${latest}`
 -        notifier.notify({
 -          message: `New ${type} version of ${pkg.name} available! ${
 -            useColor ? color.red(old) : old
 -          } ${useUnicode ? '→' : '->'} ${
 -            useColor ? color.green(latest) : latest
 -          }\n` +
 -          `${
 -            useColor ? color.yellow('Changelog:') : 'Changelog:'
 -          } ${
 -            useColor ? color.cyan(changelog) : changelog
 -          }\n` +
 -          `Run ${
 -            useColor
 -              ? color.green(`npm install -g ${pkg.name}`)
 -              : `npm i -g ${pkg.name}`
 -          } to update!`
 -        })
 -      }
 -    }
     npm.commands[npm.command](npm.argv, function (err) {
       // https://genius.com/Lin-manuel-miranda-your-obedient-servant-lyrics
       if (
 -- 
 2.26.2
--- a/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
+++ b/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
@ -0,0 +1,122 @@
 From 0028cc74dac4dd24b8599ade85cb49fdafa9f559 Mon Sep 17 00:00:00 2001
 From: Stephen Gallagher <sgallagh@redhat.com>
 Date: Fri, 6 Dec 2019 16:40:25 -0500
 Subject: [PATCH] build: auto-load ICU data from --with-icu-default-data-dir
 When compiled with `--with-intl=small` and
 `--with-icu-default-data-dir=PATH`, Node.js will use PATH as a
 fallback location for the ICU data.
 We will first perform an access check using fopen(PATH, 'r') to
 ensure that the file is readable. If it is, we'll set the
 icu_data_directory and proceed. There's a slight overhead for the
 fopen() check, but it should be barely measurable.
 This will be useful for Linux distribution packagers who want to
 be able to ship a minimal node binary in a container image but
 also be able to add on the full i18n support where needed. With
 this patch, it becomes possible to ship the interpreter as
 /usr/bin/node in one package for the distribution and to ship the
 data files in another package (without a strict dependency
 between the two). This means that users of the distribution will
 not need to explicitly direct Node.js to locate the ICU data. It
 also means that in environments where full internationalization is
 not required, they do not need to carry the extra content (with
 the associated storage costs).
 Refs: https://github.com/nodejs/node/issues/3460
 Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
 Signed-off-by: rpm-build <rpm-build>
 ---
 configure.py |  9 +++++++++
 node.gypi    |  7 +++++++
 src/node.cc  | 20 ++++++++++++++++++++
 3 files changed, 36 insertions(+)
 diff --git a/configure.py b/configure.py
 index 89f7bf5..d611a88 100755
 --- a/configure.py
 +++ b/configure.py
@@ -433,6 +433,14 @@ intl_optgroup.add_option('--with-icu-source',
         'the icu4c source archive. '
         'v%d.x or later recommended.' % icu_versions['minimum_icu'])
 +intl_optgroup.add_option('--with-icu-default-data-dir',
 +    action='store',
 +    dest='with_icu_default_data_dir',
 +    help='Path to the icuXXdt{lb}.dat file. If unspecified, ICU data will '
 +         'only be read if the NODE_ICU_DATA environment variable or the '
 +         '--icu-data-dir runtime argument is used. This option has effect '
 +         'only when Node.js is built with --with-intl=small-icu.')
 +
 parser.add_option('--with-ltcg',
     action='store_true',
     dest='with_ltcg',
@@ -1359,6 +1367,7 @@ def configure_intl(o):
     locs.add('root')  # must have root
     o['variables']['icu_locales'] = string.join(locs,',')
     # We will check a bit later if we can use the canned deps/icu-small
 +    o['variables']['icu_default_data'] = options.with_icu_default_data_dir or ''
   elif with_intl == 'full-icu':
     # full ICU
     o['variables']['v8_enable_i18n_support'] = 1
 diff --git a/node.gypi b/node.gypi
 index 466a174..65b97d6 100644
 --- a/node.gypi
 +++ b/node.gypi
@@ -113,6 +113,13 @@
       'conditions': [
         [ 'icu_small=="true"', {
           'defines': [ 'NODE_HAVE_SMALL_ICU=1' ],
 +          'conditions': [
 +            [ 'icu_default_data!=""', {
 +              'defines': [
 +                'NODE_ICU_DEFAULT_DATA_DIR="<(icu_default_data)"',
 +              ],
 +            }],
 +          ],
       }]],
     }],
     [ 'node_use_bundled_v8=="true" and \
 diff --git a/src/node.cc b/src/node.cc
 index 7c01187..c9840e3 100644
 --- a/src/node.cc
 +++ b/src/node.cc
@@ -92,6 +92,7 @@
 #if defined(NODE_HAVE_I18N_SUPPORT)
 #include <unicode/uvernum.h>
 +#include <unicode/utypes.h>
 #endif
 #if defined(LEAK_SANITIZER)
@@ -2643,6 +2644,25 @@ void Init(std::vector<std::string>* argv,
   // If the parameter isn't given, use the env variable.
   if (per_process_opts->icu_data_dir.empty())
     SafeGetenv("NODE_ICU_DATA", &per_process_opts->icu_data_dir);
 +
 +#ifdef NODE_ICU_DEFAULT_DATA_DIR
 +  // If neither the CLI option nor the environment variable was specified,
 +  // fall back to the configured default
 +  if (per_process_opts->icu_data_dir.empty()) {
 +    // Check whether the NODE_ICU_DEFAULT_DATA_DIR contains the right data
 +    // file and can be read.
 +    static const char full_path[] =
 +        NODE_ICU_DEFAULT_DATA_DIR "/" U_ICUDATA_NAME ".dat";
 +
 +    FILE* f = fopen(full_path, "rb");
 +
 +    if (f != nullptr) {
 +      fclose(f);
 +      per_process_opts->icu_data_dir = NODE_ICU_DEFAULT_DATA_DIR;
 +    }
 +  }
 +#endif  // NODE_ICU_DEFAULT_DATA_DIR
 +
   // Initialize ICU.
   // If icu_data_dir is empty here, it will load the 'minimal' data.
   if (!i18n::InitializeICUDirectory(per_process_opts->icu_data_dir)) {
 -- 
 2.26.2
--- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@ -0,0 +1,13 @@
 diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
 index d720681628..727362aac0 100644
 --- a/deps/npm/node_modules/y18n/index.js
 +++ b/deps/npm/node_modules/y18n/index.js
@@ -11,7 +11,7 @@ function Y18N (opts) {
   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
   // internal stuff.
 -  this.cache = {}
 +  this.cache = Object.create(null)
   this.writeQueue = []
 }
--- a/SOURCES/btest402.js
+++ b/SOURCES/btest402.js
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
@ -128,7 +128,7 @@ echo "$ICUMD5  $ICUTARBALL" > icu.md5
 md5sum -c icu.md5
 rm -f icu.md5 SHASUMS256.txt
-#fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
+rhpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
 rm -f node-v${version}.tar.gz
@ -155,11 +155,11 @@ grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_versio
 grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h
 grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
 echo
-echo "llhttp"
+echo "http-parser"
 echo "========================="
-grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h
+grep "define HTTP_PARSER_VERSION_MAJOR" node-v${version}/deps/http_parser/http_parser.h
-grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h
+grep "define HTTP_PARSER_VERSION_MINOR" node-v${version}/deps/http_parser/http_parser.h
-grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h
+grep "define HTTP_PARSER_VERSION_PATCH" node-v${version}/deps/http_parser/http_parser.h
 echo
 echo "libuv"
 echo "========================="
@ -171,14 +171,6 @@ echo "nghttp2"
 echo "========================="
 grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 echo
 echo "nghttp3"
 echo "========================="
 grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 echo
 echo "ngtcp2"
 echo "========================="
 grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 echo
 echo "ICU"
 echo "========================="
 grep "url" node-v${version}/tools/icu/current_ver.dep
@ -187,12 +179,6 @@ echo "punycode"
 echo "========================="
 grep "'version'" node-v${version}/lib/punycode.js
 echo
 echo "uvwasi"
 echo "========================="
 grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
 grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
 echo
 echo "npm"
 echo "========================="
 grep "\"version\":" node-v${version}/deps/npm/package.json
--- a/SOURCES/nodejs_native.attr
+++ b/SOURCES/nodejs_native.attr
--- a/SOURCES/npmrc
+++ b/SOURCES/npmrc
@ -0,0 +1 @@
 prefix=/usr/local
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -0,0 +1,894 @@
 %global with_debug 0
 # PowerPC, s390x and aarch64 segfault during Debug builds
 # https://github.com/nodejs/node/issues/20642
 %ifarch %{power64} s390x aarch64
 %global with_debug 0
 %endif
 # bundle dependencies that are not available as Fedora modules
 %bcond_with bootstrap
 # == Master Relase ==
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
 %global baserelease 1
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 # == Node.js Version ==
 # Note: Fedora should only ship LTS versions of Node.js (currently expected
 # to be major versions with even numbers). The odd-numbered versions are new
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 10
 %global nodejs_minor 24
 %global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 64
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release %{baserelease}
 %global nodejs_datadir %{_datarootdir}/nodejs
 # == Bundled Dependency Versions ==
 # v8 - from deps/v8/include/v8-version.h
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 1
 %global v8_major 6
 %global v8_minor 8
 %global v8_build 275
 %global v8_patch 32
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
 %global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 15
 %global c_ares_patch 0
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 # http-parser - from deps/http_parser/http_parser.h
 %global http_parser_major 2
 %global http_parser_minor 9
 %global http_parser_patch 4
 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
 %global libuv_minor 34
 %global libuv_patch 2
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 %global nghttp2_major 1
 %global nghttp2_minor 41
 %global nghttp2_patch 0
 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
 # ICU - from tools/icu/current_ver.dep
 %global icu_major 64
 %global icu_minor 2
 %global icu_version %{icu_major}.%{icu_minor}
 %global icudatadir %{nodejs_datadir}/icudata
 %{!?little_endian: %global little_endian %(%{__python3} -c "import sys;print (0 if sys.byteorder=='big' else 1)")}
 # " this line just fixes syntax highlighting for vim that is confused by the above and continues literal
 # punycode - from lib/punycode.js
 # Note: this was merged into the mainline since 0.6.x
 # Note: this will be unmerged in an upcoming major release
 %global punycode_major 2
 %global punycode_minor 1
 %global punycode_patch 0
 %global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
 %global npm_patch 11
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
 # to increment safely. Changing this can only be done during an update when the
 # base npm version number is increasing.
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 # brotli - from deps/brotli/c/common/version.h
 # v10.x doesn't have --shared-brotli configure option, so we have to bundle it
 %global brotli_major 1
 %global brotli_minor 0
 %global brotli_patch 7
 %global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch}
 Name: nodejs
 Epoch: %{nodejs_epoch}
 Version: %{nodejs_version}
 Release: %{nodejs_release}%{?dist}
 Summary: JavaScript runtime
 License: MIT and ASL 2.0 and ISC and BSD
 Group: Development/Languages
 URL: http://nodejs.org/
 ExclusiveArch: %{nodejs_arches}
 # nodejs bundles openssl, but we use the system version in Fedora
 # because openssl contains prohibited code, we remove openssl completely from
 # the tarball, using the script in Source100
 Source0: node-v%{nodejs_version}-stripped.tar.gz
 Source1: npmrc
 Source2: btest402.js
 Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz
 Source100: %{name}-tarball.sh
 # The native module Requires generator remains in the nodejs SRPM, so it knows
 # the nodejs and v8 versions.  The remainder has migrated to the
 # nodejs-packaging SRPM.
 Source7: nodejs_native.attr
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 # Suppress the message from npm to run `npm -g update npm`
 # This does bad things on an RPM-managed npm.
 Patch2: 0002-Suppress-NPM-message-to-run-global-update.patch
 # Upstream patch to enable auto-detection of full ICU data
 # https://github.com/nodejs/node/pull/30825
 Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
 # CVE-2020-7774
 Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
 BuildRequires: make
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
 BuildRequires: gcc >= 6.3.0
 BuildRequires: gcc-c++ >= 6.3.0
 # needed to generate bundled provides for npm dependencies
 # https://src.fedoraproject.org/rpms/nodejs/pull-request/2
 # https://pagure.io/nodejs-packaging/pull-request/10
 BuildRequires: nodejs-packaging
 BuildRequires: chrpath
 BuildRequires: libatomic
 %if %{with bootstrap}
 Provides: bundled(http-parser) = %{http_parser_version}
 Provides: bundled(libuv) = %{libuv_version}
 Provides: bundled(nghttp2) = %{nghttp2_version}
 %else
 BuildRequires: systemtap-sdt-devel
 BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
 Requires: libnghttp2 >= %{nghttp2_version}
 BuildRequires: http-parser-devel >= %{http_parser_version}
 Requires: http-parser >= %{http_parser_version}
 %endif
 BuildRequires: openssl-devel
 # we need the system certificate store
 Requires: ca-certificates
 # Pull in the full-icu data by default
 Recommends: nodejs-full-i18n%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
 # we need ABI virtual provides where SONAMEs aren't enough/not present so deps
 # break when binary compatibility is broken
 Provides: nodejs(abi) = %{nodejs_abi}
 Provides: nodejs(abi%{nodejs_major}) = %{nodejs_abi}
 Provides: nodejs(v8-abi) = %{v8_abi}
 Provides: nodejs(v8-abi%{v8_major}) = %{v8_abi}
 # this corresponds to the "engine" requirement in package.json
 Provides: nodejs(engine) = %{nodejs_version}
 # Node.js currently has a conflict with the 'node' package in Fedora
 # The ham-radio group has agreed to rename their binary for us, but
 # in the meantime, we're setting an explicit Conflicts: here
 Conflicts: node <= 0.3.2-12
 # The punycode module was absorbed into the standard library in v0.6.
 # It still exists as a seperate package for the benefit of users of older
 # versions.  Since we've never shipped anything older than v0.10 in Fedora,
 # we don't need the seperate nodejs-punycode package, so we Provide it here so
 # dependent packages don't need to override the dependency generator.
 # See also: RHBZ#11511811
 # UPDATE: punycode will be deprecated and so we should unbundle it in Node v8
 # and use upstream module instead
 # https://github.com/nodejs/node/commit/29e49fc286080215031a81effbd59eac092fff2f
 Provides: nodejs-punycode = %{punycode_version}
 Provides: npm(punycode) = %{punycode_version}
 # Node.js has forked c-ares from upstream in an incompatible way, so we need
 # to carry the bundled version internally.
 # See https://github.com/nodejs/node/commit/766d063e0578c0f7758c3a965c971763f43fec85
 Provides: bundled(c-ares) = %{c_ares_version}
 # Node.js is closely tied to the version of v8 that is used with it. It makes
 # sense to use the bundled version because upstream consistently breaks ABI
 # even in point releases. Node.js upstream has now removed the ability to build
 # against a shared system version entirely.
 # See https://github.com/nodejs/node/commit/d726a177ed59c37cf5306983ed00ecd858cfbbef
 Provides: bundled(v8) = %{v8_version}
 # Node.js is bound to a specific version of ICU which may not match the OS
 # We cannot pin the OS to this version of ICU because every update includes
 # an ABI-break, so we'll use the bundled copy.
 Provides: bundled(icu) = %{icu_version}
 # Make sure we keep NPM up to date when we update Node.js
 %if 0%{?rhel}
 # EPEL doesn't support Recommends, so make it strict
 Requires: npm = %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
 %else
 Recommends: npm = %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
 %endif
 # Provide bundled brotli until we can build it with system package
 Provides: bundled(brotli) = %{brotli_version}
 %description
 Node.js is a platform built on Chrome's JavaScript runtime
 for easily building fast, scalable network applications.
 Node.js uses an event-driven, non-blocking I/O model that
 makes it lightweight and efficient, perfect for data-intensive
 real-time applications that run across distributed devices.
 %package devel
 Summary: JavaScript runtime - development headers
 Group: Development/Languages
 Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 Requires: openssl-devel%{?_isa}
 Requires: zlib-devel%{?_isa}
 Requires: nodejs-packaging
 %if %{with bootstrap}
 # deps are bundled
 %else
 Requires: http-parser-devel%{?_isa}
 Requires: libuv-devel%{?_isa}
 %endif
 %description devel
 Development headers for the Node.js JavaScript runtime.
 %package full-i18n
 Summary: Non-English locale data for Node.js
 Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 %description full-i18n
 Optional data files to provide full-icu support for Node.js. Remove this
 package to save space if non-English locales are not needed.
 %package -n npm
 Summary: Node.js Package Manager
 Epoch: %{npm_epoch}
 Version: %{npm_version}
 Release: %{npm_release}%{?dist}
 # We used to ship npm separately, but it is so tightly integrated with Node.js
 # (and expected to be present on all Node.js systems) that we ship it bundled
 # now.
 Obsoletes: npm < 0:3.5.4-6
 Provides: npm = %{npm_epoch}:%{npm_version}
 Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 # Do not add epoch to the virtual NPM provides or it will break
 # the automatic dependency-generation script.
 Provides: npm(npm) = %{npm_version}
 %description -n npm
 npm is a package manager for node.js. You can use it to install and publish
 your node programs. It manages dependencies and does other cool stuff.
 %package docs
 Summary: Node.js API documentation
 Group: Documentation
 BuildArch: noarch
 # We don't require that the main package be installed to
 # use the docs, but if it is installed, make sure the
 # version always matches
 Conflicts: %{name} > %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 Conflicts: %{name} < %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 %description docs
 The API documentation for the Node.js JavaScript runtime.
 %prep
 %autosetup -p1 -n node-v%{nodejs_version}
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
 # Replace any instances of unversioned python' with python2
 pathfix.py -i %{__python2} -pn $(find -type f ! -name "*.js")
 find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python2~" {} \;
 find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python2~" {} \;
 sed -i "s~python~python2~" $(find . -type f | grep "gyp$")
 sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
 sed -i "s~usr\/bin\/python.*$~usr\/bin\/python2~" ./deps/v8/tools/mb/mb_unittest.py
 find . -type f -exec sed -i "s~python -c~python2 -c~" {} \;
 sed -i "s~which('python')~which('python2')~" configure
 %build
 %ifarch s390 s390x %{arm} %ix86
 # Decrease debuginfo verbosity to reduce memory consumption during final
 # library linking
 %global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
 %endif
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 export CC='%{__cc}'
 export CXX='%{__cxx}'
 # build with debugging symbols and add defines from libuv (#892601)
 # Node's v8 breaks with GCC 6 because of incorrect usage of methods on
 # NULL objects. We need to pass -fno-delete-null-pointer-checks
 export CFLAGS='%{optflags} \
               -D_LARGEFILE_SOURCE \
               -D_FILE_OFFSET_BITS=64 \
               -DZLIB_CONST \
               -fno-delete-null-pointer-checks'
 export CXXFLAGS='%{optflags} \
                 -D_LARGEFILE_SOURCE \
                 -D_FILE_OFFSET_BITS=64 \
                 -DZLIB_CONST \
                 -fno-delete-null-pointer-checks'
 # Explicit new lines in C(XX)FLAGS can break naive build scripts
 export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' '  ')"
 export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' '  ')"
 export LDFLAGS="%{build_ldflags}"
 %if %{with bootstrap}
 ./configure --prefix=%{_prefix} \
           --shared-openssl \
           --shared-zlib \
           --without-dtrace \
           --with-intl=small-icu \
           --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
           --shared-openssl \
           --shared-zlib \
           --shared-libuv \
           --shared-http-parser \
           --shared-nghttp2 \
           --with-dtrace \
           --with-intl=small-icu \
           --with-icu-default-data-dir=%{icudatadir} \
           --openssl-use-def-ca-store
 %endif
 %if %{?with_debug} == 1
 # Setting BUILDTYPE=Debug builds both release and debug binaries
 make BUILDTYPE=Debug %{?_smp_mflags}
 %else
 make BUILDTYPE=Release %{?_smp_mflags}
 %endif
 # Extract the ICU data and convert it to the appropriate endianness
 pushd deps/
 tar xfz %SOURCE3
 pushd icu/source
 mkdir -p converted
 %if 0%{?little_endian}
 # The little endian data file is included in the ICU sources
 install -Dpm0644 data/in/icudt%{icu_major}l.dat converted/
 %else
 # For the time being, we need to build ICU and use the included `icupkg` tool
 # to convert the little endian data file into a big-endian one.
 # At some point in the future, ICU releases will start including both data
 # files and we should switch to those.
 mkdir -p data/out/tmp
 %configure
 %make_build
 icu_root=$(pwd)
 LD_LIBRARY_PATH=./lib ./bin/icupkg -tb data/in/icudt%{icu_major}l.dat \
                                       converted/icudt%{icu_major}b.dat
 %endif
 popd # icu/source
 popd # deps
 %install
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 rm -rf %{buildroot}
 ./tools/install.py install %{buildroot} %{_prefix}
 # Set the binary permissions properly
 chmod 0755 %{buildroot}/%{_bindir}/node
 chrpath --delete %{buildroot}%{_bindir}/node
 %if %{?with_debug} == 1
 # Install the debug binary and set its permissions
 install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
 %endif
 # own the sitelib directory
 mkdir -p %{buildroot}%{_prefix}/lib/node_modules
 # ensure Requires are added to every native module that match the Provides from
 # the nodejs build in the buildroot
 install -Dpm0644 %{SOURCE7} %{buildroot}%{_rpmconfigdir}/fileattrs/nodejs_native.attr
 cat << EOF > %{buildroot}%{_rpmconfigdir}/nodejs_native.req
 #!/bin/sh
 echo 'nodejs(abi%{nodejs_major}) >= %nodejs_abi'
 echo 'nodejs(v8-abi%{v8_major}) >= %v8_abi'
 EOF
 chmod 0755 %{buildroot}%{_rpmconfigdir}/nodejs_native.req
 # install documentation
 mkdir -p %{buildroot}%{_pkgdocdir}/html
 cp -pr doc/* %{buildroot}%{_pkgdocdir}/html
 rm -f %{buildroot}%{_pkgdocdir}/html/nodejs.1
 # node-gyp needs common.gypi too
 mkdir -p %{buildroot}%{_datadir}/node
 cp -p common.gypi %{buildroot}%{_datadir}/node
 # Install the GDB init tool into the documentation directory
 mv %{buildroot}/%{_datadir}/doc/node/gdbinit %{buildroot}/%{_pkgdocdir}/gdbinit
 # install NPM docs to mandir
 mkdir -p %{buildroot}%{_mandir} \
         %{buildroot}%{_pkgdocdir}/npm
 cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
 ln -sf %{_mandir}  %{buildroot}%{_prefix}/lib/node_modules/npm/man
 # Install Gatsby HTML documentation to %{_pkgdocdir}
 cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
 ln -sf %{_pkgdocdir}/npm %{buildroot}%{_prefix}/lib/node_modules/npm/docs
 # Node tries to install some python files into a documentation directory
 # (and not the proper one). Remove them for now until we figure out what to
 # do with them.
 rm -f %{buildroot}/%{_defaultdocdir}/node/lldb_commands.py \
      %{buildroot}/%{_defaultdocdir}/node/lldbinit
 # Some NPM bundled deps are executable but should not be. This causes
 # unnecessary automatic dependencies to be added. Make them not executable.
 # Skip the npm bin directory or the npm binary will not work.
 find %{buildroot}%{_prefix}/lib/node_modules/npm \
    -not -path "%{buildroot}%{_prefix}/lib/node_modules/npm/bin/*" \
    -executable -type f \
    -exec chmod -x {} \;
 # The above command is a little overzealous. Add a few permissions back.
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/npm-lifecycle/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
 # Drop the NPM default configuration in place
 mkdir -p %{buildroot}%{_sysconfdir}
 cp %{SOURCE1} %{buildroot}%{_sysconfdir}/npmrc
 # NPM upstream expects it to be in /usr/etc/npmrc, so we'll put a symlink here
 # This is done in the interests of keeping /usr read-only.
 mkdir -p %{buildroot}%{_prefix}/etc
 ln -s %{_sysconfdir}/npmrc %{buildroot}%{_prefix}/etc/npmrc
 # Install the full-icu data files
 install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
 %check
 # Fail the build if the versions don't match
 %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
 %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
 %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
 # Ensure we have punycode and that the version matches
 %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
 # Ensure we have npm and that the version matches
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
 # Make sure i18n support is working
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
 %pretrans -n npm -p <lua>
 -- Remove all of the symlinks from the bundled npm node_modules directory
 -- This scriptlet can be removed in Fedora 31
 base_path = "%{_prefix}/lib/node_modules/npm/node_modules/"
 d_st = posix.stat(base_path)
 if d_st then
  for f in posix.files(base_path) do
    path = base_path..f
    st = posix.stat(path)
    if st and st.type == "link" then
      os.remove(path)
    end
  end
 end
 -- Replace the npm man directory with a symlink
 -- Drop this scriptlet when F31 is EOL
 path = "%{_prefix}/lib/node_modules/npm/man"
 st = posix.stat(path)
 if st and st.type == "directory" then
  status = os.rename(path, path .. ".rpmmoved")
  if not status then
    suffix = 0
    while not status do
      suffix = suffix + 1
      status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
    end
    os.rename(path, path .. ".rpmmoved")
  end
 end
 %files
 %{_bindir}/node
 %dir %{_prefix}/lib/node_modules
 %dir %{_datadir}/node
 %dir %{_datadir}/systemtap
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/node.stp
 %if %{with bootstrap}
 # no dtrace
 %else
 %dir %{_usr}/lib/dtrace
 %{_usr}/lib/dtrace/node.d
 %endif
 %{_rpmconfigdir}/fileattrs/nodejs_native.attr
 %{_rpmconfigdir}/nodejs_native.req
 %license LICENSE
 %doc AUTHORS CHANGELOG.md COLLABORATOR_GUIDE.md GOVERNANCE.md README.md
 %doc %{_mandir}/man1/node.1*
 %files devel
 %if %{?with_debug} == 1
 %{_bindir}/node_g
 %endif
 %{_includedir}/node
 %{_datadir}/node/common.gypi
 %{_pkgdocdir}/gdbinit
 %files full-i18n
 %dir %{icudatadir}
 %{icudatadir}/icudt%{icu_major}*.dat
 %files -n npm
 %{_bindir}/npm
 %{_bindir}/npx
 %{_prefix}/lib/node_modules/npm
 %config(noreplace) %{_sysconfdir}/npmrc
 %{_prefix}/etc/npmrc
 %ghost %{_sysconfdir}/npmignore
 %doc %{_mandir}/man1/npm*.1*
 %doc %{_mandir}/man1/npx.1*
 %doc %{_mandir}/man5/folders.5*
 %doc %{_mandir}/man5/install.5*
 %doc %{_mandir}/man5/npmrc.5*
 %doc %{_mandir}/man5/package-json.5*
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/package-locks.5*
 %doc %{_mandir}/man5/shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/disputes.7*
 %doc %{_mandir}/man7/orgs.7*
 %doc %{_mandir}/man7/registry.7*
 %doc %{_mandir}/man7/removal.7*
 %doc %{_mandir}/man7/scope.7*
 %doc %{_mandir}/man7/scripts.7*
 %doc %{_mandir}/man7/semver.7*
 %files docs
 %dir %{_pkgdocdir}
 %{_pkgdocdir}/html
 %{_pkgdocdir}/npm/docs
 %changelog
 * Wed Feb 24 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.24.0-1
 - Resolves: RHBZ#1932373, RHBZ#1932426
 - Resolves CVE-2021-22883 and CVE-2021-22884
 - remove -debug-nghttp2 flag (1930775)
 - remove ini patch merged upstream
 * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
 - January Security release
 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
 - Rebase to 10.23.1
 - Resolves: RHBZ#1916461, RHBZ#1914789
 - Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459
 - Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388
 - Remove dot-prop patch, as it is fixed by npm rebase
 * Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
 - Security rebase to 10.22.1
 * Wed Jun 17 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.21.0-3
 - Resolves: RHBZ#1845307
 - Remove brotli-devel requires from nodejs-devel
 * Tue Jun 16 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.21.0-2
 - Resolves: RHBZ#1845307
 - Turn off debug builds
 * Mon Jun 15 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.21.0-1
 - Security update to 10.21.0
 - Resolves: RHBZ#1845307
 - Fixes CVE-2020-11080, CVE-2020-8174, CVE-2020-10531
 - Bundle brotli, because --shared-brotli configure option is missing
 - Add i18n subpackage
 * Wed Mar 18 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.19.0-2
 - Resolves: RHBZ#1811499
 * Mon Feb 10 2020 Jan Staněk <jstanek@redhat.com> - 1:10.19.0-1
 - Rebase to 10.19.0 to fix CVE-2019-15604 to CVE-2019-15606
 * Tue Sep 10 2019 Jan Staněk <jstanek@redhat.com> - 1:10.16.3-1
 - Rebase to 10.16.3 to fix CVE-2019-9511 to CVE-2019-9518
 * Thu Mar 14 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.14.1-2
 - move nodejs-packaging BR out of conditional
 * Tue Dec 11 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.14.1-1
 - Resolves: RHBZ#1644207
 - fixes node-gyp permissions
 - rebase
 * Thu Oct 11 2018 Jan Staněk <jstanek@redhat.com> - 1:10.11.0-2
 - BuildRequire nodejs-packaging for proper npm dependency generation
 - Resolves: rhbz#1615947
 * Mon Oct 08 2018 Jan Staněk <jstanek@redhat.com> - 1:10.11.0-1
 - Rebase to 10.11.0
 - Import changes from fedora
 - Resolves: rhbz#1621766
 * Mon Jul 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.7.0-5
 - Import sources from fedora
 - Allow using python2 at %%build and %%install
 - turn off debug for aarch64
 * Fri Jul 20 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.7.0-4
 - Fix npm upgrade scriptlet
 - Fix unexpected trailing .1 in npm release field
 * Fri Jul 20 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.7.0-3
 - Restore annotations to binaries
 - Fix unexpected trailing .1 in release field
 * Thu Jul 19 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.7.0-2
 - Update to 10.7.0
 - https://nodejs.org/en/blog/release/v10.7.0/
 - https://nodejs.org/en/blog/release/v10.6.0/
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:10.5.0-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Thu Jun 21 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.5.0-1
 - Update to 10.5.0
 - https://nodejs.org/en/blog/release/v10.5.0/
 * Thu Jun 14 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.4.1-1
 - Update to 10.4.1 to address security issues
 - https://nodejs.org/en/blog/release/v10.4.1/
 - Resolves: rhbz#1590801
 - Resolves: rhbz#1591014
 - Resolves: rhbz#1591019
 * Thu Jun 07 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.4.0-1
 - Update to 10.4.0
 - https://nodejs.org/en/blog/release/v10.4.0/
 * Wed May 30 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.3.0-1
 - Update to 10.3.0
 - Update npm to 6.1.0
 - https://nodejs.org/en/blog/release/v10.3.0/
 * Tue May 29 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.2.1-2
 - Fix up bare 'python' to be python2
 - Drop redundant entry in docs section
 * Fri May 25 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.2.1-1
 - Update to 10.2.1
 - https://nodejs.org/en/blog/release/v10.2.1/
 * Wed May 23 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.2.0-1
 - Update to 10.2.0
 - https://nodejs.org/en/blog/release/v10.2.0/
 * Thu May 10 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.1.0-3
 - Fix incorrect rpm macro
 * Thu May 10 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.1.0-2
 - Include upstream v8 fix for ppc64[le]
 - Disable debug build on ppc64[le] and s390x
 * Wed May 09 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.1.0-1
 - Update to 10.1.0
 - https://nodejs.org/en/blog/release/v10.1.0/
 - Reenable node_g binary
 * Thu Apr 26 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.0.0-1
 - Update to 10.0.0
 - https://nodejs.org/en/blog/release/v10.0.0/
 - Drop workaround patch
 - Temporarily drop node_g binary due to
  https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85587
 * Fri Apr 13 2018 Rafael dos Santos <rdossant@redhat.com> - 1:9.11.1-2
 - Use standard Fedora linker flags (bug #1543859)
 * Thu Apr 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.11.1-1
 - Update to 9.11.1
 - https://nodejs.org/en/blog/release/v9.11.0/
 - https://nodejs.org/en/blog/release/v9.11.1/
 * Wed Mar 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.10.0-1
 - Update to 9.10.0
 - https://nodejs.org/en/blog/release/v9.10.0/
 * Wed Mar 21 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.9.0-1
 - Update to 9.9.0
 - https://nodejs.org/en/blog/release/v9.9.0/
 * Thu Mar 08 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.8.0-1
 - Update to 9.8.0
 - https://nodejs.org/en/blog/release/v9.8.0/
 * Thu Mar 01 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.7.0-1
 - Update to 9.7.0
 - https://nodejs.org/en/blog/release/v9.7.0/
 - Work around F28 build issue
 * Sun Feb 25 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.6.1-1
 - Update to 9.6.1
 - https://nodejs.org/en/blog/release/v9.6.1/
 - https://nodejs.org/en/blog/release/v9.6.0/
 * Mon Feb 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:9.5.0-1
 - Package Node.js 9.5.0
 * Thu Jan 11 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:8.9.4-2
 - Fix incorrect Requires:
 * Thu Jan 11 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:8.9.4-1
 - Update to 8.9.4
 - https://nodejs.org/en/blog/release/v8.9.4/
 - Switch to system copy of nghttp2
 * Fri Dec 08 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.9.3-2
 - Update to 8.9.3
 - https://nodejs.org/en/blog/release/v8.9.3/
 - https://nodejs.org/en/blog/release/v8.9.2/
 * Thu Nov 30 2017 Pete Walter <pwalter@fedoraproject.org> - 1:8.9.1-2
 - Rebuild for ICU 60.1
 * Thu Nov 09 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.9.1-1
 - Update to 8.9.1
 * Tue Oct 31 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.9.0-1
 - Update to 8.9.0
 - Drop upstreamed patch
 * Thu Oct 26 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.8.1-1
 - Update to 8.8.1 to fix a regression
 * Wed Oct 25 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.8.0-1
 - Security update to 8.8.0
 - https://nodejs.org/en/blog/release/v8.8.0/
 * Sun Oct 15 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.7.0-1
 - Update to 8.7.0
 - https://nodejs.org/en/blog/release/v8.7.0/
 * Fri Oct 06 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.6.0-2
 - Use bcond macro instead of bootstrap conditional
 * Wed Sep 27 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.6.0-1
 - Fix nghttp2 version
 - Update to 8.6.0
 - https://nodejs.org/en/blog/release/v8.6.0/
 * Wed Sep 20 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.5.0-3
 - Build with bootstrap + bundle libuv for modularity
 - backport patch for aarch64 debug build
 * Wed Sep 13 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.5.0-2
 - Disable debug builds on aarch64 due to https://github.com/nodejs/node/issues/15395
 * Tue Sep 12 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.5.0-1
 - Update to v8.5.0
 - https://nodejs.org/en/blog/release/v8.5.0/
 * Thu Sep 07 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.4.0-2
 - Refactor openssl BR
 * Wed Aug 16 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.4.0-1
 - Update to v8.4.0
 - https://nodejs.org/en/blog/release/v8.4.0/
 - http2 is now supported, add bundled nghttp2
 - remove openssl 1.0.1 patches, we won't be using them in fedora
 * Thu Aug 10 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.3.0-1
 - Update to v8.3.0
 - https://nodejs.org/en/blog/release/v8.3.0/
 - update V8 to 6.0
 - update minimal gcc and g++ requirements to 4.9.4
 * Wed Aug 09 2017 Tom Hughes <tom@compton.nu> - 1:8.2.1-2
 - Bump release to fix broken dependencies
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:8.2.1-1.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:8.2.1-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Fri Jul 21 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.2.1-1
 - Update to v8.2.1
 - https://nodejs.org/en/blog/release/v8.2.1/
 * Thu Jul 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.2.0-1
 - Update to v8.2.0
 - https://nodejs.org/en/blog/release/v8.2.0/
 - Update npm to 5.3.0
 - Adds npx command
 * Tue Jul 18 2017 Igor Gnatenko <ignatenko@redhat.com> - 1:8.1.4-3
 - s/BuildRequires/Requires/ for http-parser-devel%%{?_isa}
 * Mon Jul 17 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.1.4-2
 - Rename python-devel to python2-devel
 - own %%{_pkgdocdir}/npm
 * Tue Jul 11 2017 Stephen Gallagher <sgallagh@redhat.com> - 1:8.1.4-1
 - Update to v8.1.4
 - https://nodejs.org/en/blog/release/v8.1.4/
 - Drop upstreamed c-ares patch
 * Thu Jun 29 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.1.3-1
 - Update to v8.1.3
 - https://nodejs.org/en/blog/release/v8.1.3/
 * Wed Jun 28 2017 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:8.1.2-1
 - Update to v8.1.2
 - remove GCC 7 patch, as it is now fixed in node >= 6.12
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
--- a/macros.nodejs
+++ b/macros.nodejs
@ -1,33 +0,0 @@
 # nodejs binary
 %__nodejs %{_bindir}/node
 # nodejs library directory
 %nodejs_sitelib %{_prefix}/lib/node_modules
 #arch specific library directory
 #for future-proofing only; we don't do multilib
 %nodejs_sitearch %{nodejs_sitelib}
 # currently installed nodejs version
 %nodejs_version %(%{__nodejs} -v | sed s/v//)
 # symlink dependencies so `npm link` works
 # this should be run in every module's %%install section
 # pass --check to work in the current directory instead of the buildroot
 # pass --no-devdeps to ignore devDependencies when --check is used
 %nodejs_symlink_deps %{_rpmconfigdir}/nodejs-symlink-deps %{nodejs_sitelib}
 # patch package.json to fix a dependency
 # see `man npm-json` for details on writing dependencies for package.json files
 # e.g. `%%nodejs_fixdep frobber` makes any version of frobber do
 #      `%%nodejs_fixdep frobber '>1.0'` requires frobber > 1.0
 #      `%%nodejs_fixdep -r frobber removes the frobber dep
 %nodejs_fixdep %{_rpmconfigdir}/nodejs-fixdep
 # macro to filter unwanted provides from Node.js binary native modules
 %nodejs_default_filter %{expand: \
 %global __provides_exclude_from ^%{nodejs_sitearch}/.*\\.node$
 }
 # no-op macro to allow spec compatibility with EPEL
 %nodejs_find_provides_and_requires %{nil}
--- a/nodejs.spec
+++ b/nodejs.spec
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 prefix=/usr/local
 python=/usr/bin/python3
--- a/npmrc.builtin.in
+++ b/npmrc.builtin.in
@ -1,5 +0,0 @@
 # This is the distibution-level configuration file for npm.
 # To configure NPM on a system level, use the globalconfig below (defaults to @SYSCONFDIR@/npmrc).
 # vim:set filetype=dosini:
 globalconfig=@SYSCONFDIR@/npmrc
--- a/package.cfg
+++ b/package.cfg
@ -1,2 +0,0 @@
 [koji]
 targets = master f34 f33
--- a/6
+++ b/6
@ -1,6 +0,0 @@
 SHA512 (node-v16.20.2-stripped.tar.gz) = 9ab65824a56382a72075533274ba5a86dc1fc2adb0215c81c6c9084c6dea45c3107630c0d203557cac867e00caf1c5449a97445cd5914c3e870d9055d2c409de
 SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb
 SHA512 (undici-5.20.0.tar.gz) = 75a4c164081bbc8114aceeb48680db003cb014d7f92f157d03e9a36c775606a4bede5dbba236ba1722a651ab91968cb192eeae671ec1024f826c4b452d4e20ff
 SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c
 SHA512 (wasi-sdk-wasi-sdk-14.tar.gz) = 4fecb3d9c04b91eb2388a9e51d49fbff6f22b81f9945a07ecdbfe479c96dad1e3b673b8bee24842b0dae5294129a9cb35dcf8e5ecf45437a6d01fb6e0fd13645
		`@ -0,0 +1,2 @@`
							`3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz`
							`be0e0b385a852c376f452b3d94727492e05407e4 SOURCES/node-v10.24.0-stripped.tar.gz`
		`@ -1,2 +0,0 @@`
			`prefix=/usr/local`
			`python=/usr/bin/python3`