Commit Graph

42 Commits

Author SHA1 Message Date
Jan Staněk
ed578ec737 remove bundled WASM blobs
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 15:18:42 -05:00
Stephen Gallagher
f523665c4d sitelib is a symlink, not a dir
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 12:58:06 -05:00
Stephen Gallagher
9b2e0bcd71 Fix missing %dir
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 12:08:28 -05:00
Stephen Gallagher
4c864a0d68 Update to v20.10.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 10:39:23 -05:00
Stephen Gallagher
2ceeb8628f Update to 20.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-25 14:16:03 -04:00
Stephen Gallagher
8f462ce5d3 Update to 20.8.1
This is a security release.

The following CVEs are fixed in this release:

* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552):  Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-16 11:59:52 -04:00
Stephen Gallagher
29ba6214c9 Update to 20.8.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-29 07:35:38 -04:00
Stephen Gallagher
8f4100250b Update to 20.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-20 13:44:46 -04:00
Stephen Gallagher
302a20ab06 Update to 20.6.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-15 10:12:29 -04:00
Stephen Gallagher
b64d26c94a Add default Obsoletes: for nodejsXX
This takes its cue from the Python 3.X approach

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-07 14:41:32 -04:00
Stephen Gallagher
f57981cf35 Update to 20.6.0
Starting from Node.js v20.6.0, Node.js supports `.env` files for configuring environment variables.

Your configuration file should follow the INI file format, with each line containing a key-value pair for an environment variable.
To initialize your Node.js application with predefined configurations, use the following CLI command: `node --env-file=config.env index.js`.

For example, you can access the following environment variable using `process.env.PASSWORD` when your application is initialized:

```text
PASSWORD=nodejs
```

In addition to environment variables, this change allows you to define your `NODE_OPTIONS` directly in the `.env` file, eliminating the need to include it in your `package.json`.

This feature was contributed by Yagiz Nizipli in [#48890](https://github.com/nodejs/node/pull/48890).

In ES modules, [`import.meta.resolve(specifier)`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import.meta/resolve) can be used to get an absolute URL string to which `specifier` resolves, similar to `require.resolve` in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

This feature was contributed by Guy Bedford in <https://github.com/nodejs/node/pull/49028>

There is a new API `register` available on `node:module` to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag `--experimental-loader`, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling `register` from the main thread and passing data, including `MessageChannel` instances.

We encourage users to migrate to an approach that uses [`--import`](https://nodejs.org/api/cli.html#--importmodule) with `register`, such as:

```bash
node --import ./file-that-calls-register.js ./app.js
```

Using `--import` ensures that the customization hooks are registered before any application code runs, even the entry point.

This feature was contributed by Izaak Schroeder in <https://github.com/nodejs/node/pull/48842> and <https://github.com/nodejs/node/pull/48559>

Authors of module customization hooks can how handle both ES module and CommonJS sources in the `load` hook. This works for CommonJS modules referenced via either `import` or `require`, so long as [the main entry point of the application is handled by the ES module loader](https://nodejs.org/api/cli.html#program-entry-point) (such as because the entry point is an ES module file, or if the `--import` flag is passed). This should simplify the customization of the Node.js module loading process, as package authors can customize more of Node.js without relying on deprecated APIs such as `require.extensions`.

This feature was contributed by Antoine du Hamel in <https://github.com/nodejs/node/pull/47999>

Now when Node.js starts up, it makes sure that there is a `v8::CppHeap` attached to the V8 isolate. This enables users to allocate in the `v8::CppHeap` using `<cppgc/*>` headers from V8, which are now also included into the Node.js headers available to addons. Note that since Node.js only bundles the cppgc library coming from V8, [the ABI stability](https://nodejs.org/en/docs/guides/abi-stability#abi-stability-in-nodejs) of cppgc is currently not guaranteed in semver-minor and -patch updates, but we do not expect the ABI to break often, as it has been stable and battle-tested in Chromium for years. We may consider including cppgc into the ABI stability guarantees when it gets enough adoption internally and externally.

To help addon authors create JavaScript-to-C++ references of which V8's garbage collector can be aware, a helper function [`node::SetCppgcReference(isolate, js_object, cppgc_object)`](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc) has been added to `node.h`. V8 may provide a native alternative in the future, which could then replace this Node.js-specific helper. In the mean time, users can use this API to avoid having to hard-code the layout of JavaScript wrapper objects. An example of how to create garbage-collected C++ objects in the unified heap and wrap it in a JavaScript object can be found in the [Node.js addon tests](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc).

The existing `node::ObjectWrap` helper would continue to work, while cppgc-based object management serves as an alternative with some advantages mentioned in [the V8 blog post about Oilpan](https://v8.dev/blog/oilpan-library).

This feature was contributed by Daryl Haresign and Joyee Cheung in <https://github.com/nodejs/node/pull/48660> and <https://github.com/nodejs/node/pull/45704>.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-05 10:46:54 -04:00
Jan Staněk
61dfae6179 Specify openssl configuration section
By default, node does not use the common openssl configuration section,
relying instead on node-specific `nodejs_conf` section.
Since we want node to use the system configuration, the section name
should be changed (back) to `openssl_conf`.

See discussion in https://github.com/nodejs/node/pull/48950
for the reason this change is suggested.
2023-08-28 18:34:01 -04:00
Stephen Gallagher
fd717eb4cc Update to 20.5.1
** 2023-08-09, Version 20.5.1 (Current), @RafaelGSS

This is a security release.

*** Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002):  Policies can be bypassed via Module.\_load (High)
* [CVE-2023-32558](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32558): process.binding() can bypass the permission model through path traversal (High)
* [CVE-2023-32004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32004): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
* [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
* [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
* [CVE-2023-32005](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32005): fs.statfs can bypass the permission model (Low)
* [CVE-2023-32003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32003): fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.

** 2023-07-18, Version 20.5.0 (Current), @juanarbol

*** Notable Changes

* \[[`45be29d89f`](https://github.com/nodejs/node/commit/45be29d89f)] - **doc**: add atlowChemi to collaborators (atlowChemi) [#48757](https://github.com/nodejs/node/pull/48757)
* \[[`a316808136`](https://github.com/nodejs/node/commit/a316808136)] - **(SEMVER-MINOR)** **events**: allow safely adding listener to abortSignal (Chemi Atlow) [#48596](https://github.com/nodejs/node/pull/48596)
* \[[`986b46a567`](https://github.com/nodejs/node/commit/986b46a567)] - **fs**: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) [#48658](https://github.com/nodejs/node/pull/48658)
* \[[`0ef73ff6f0`](https://github.com/nodejs/node/commit/0ef73ff6f0)] - **(SEMVER-MINOR)** **test\_runner**: add shards support (Raz Luvaton) [#48639](https://github.com/nodejs/node/pull/48639)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-08-09 16:13:26 -04:00
Stephen Gallagher
2dee98da40 Release 20.4.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-07-12 12:50:28 -04:00
Stephen Gallagher
9d9ff2a528 Update to security release 20.3.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.3.1

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-22 12:54:46 -04:00
Stephen Gallagher
6fdba8a532
Release Node.js 20.2.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.2.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-17 09:23:34 -04:00
Stephen Gallagher
6d822b2572
Update to 20.1.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.1.0

Also drop upstreamed patch

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-04 16:16:03 -04:00
Stephen Gallagher
d8fdc60e0f
Temporarily reduce optimizations
Something in -O2 is causing segfaults in v8

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-05-02 17:35:20 -04:00
Stephen Gallagher
1a9e720653
Fix up shebangs for npm and npx
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-28 10:43:13 -04:00
Jan Staněk
1827854f11
Replace /usr/etc/npmrc symlink with builtin configuration
We want to have the system-level npmrc located at /etc/npmrc.
By default, npm looks for it in /usr/etc/npmrc,
so we placed a symlink to /etc/npmrc there.
However, we are the only known package that has anything in /usr/etc,
which confuses and/or breaks various tooling (see related bug).

This gets rid of the symlink,
and instead uses "builtin"-level configuration of npm
to cause it to load the system-level configuration from /etc/npmrc.

Related: rhbz#2177776
2023-04-27 13:23:13 +02:00
Stephen Gallagher
8a6ffdbb6a
Fix npm manpage symlinks
Resolves: rhbz#2187978

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 14:54:17 -04:00
Stephen Gallagher
443480e5d2
Fix bug on gcc13
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 14:53:08 -04:00
Stephen Gallagher
1047bf482c
Update to 20.0.0
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.0.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-26 12:02:51 -04:00
Stephen Gallagher
280abb5a74
Apply changes to actual spec
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-12 16:21:09 -04:00
Stephen Gallagher
4443d6afb2
Update to 19.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-11 10:51:53 -04:00
Stephen Gallagher
64f0989a8d
Adjust nodejs-devel Provides
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-04-03 09:05:25 -04:00
Stephen Gallagher
a293cec3bf
Add pkg-config files
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-29 18:09:21 -04:00
Stephen Gallagher
7f25939b50
More v8-devel fixes
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-29 13:56:00 -04:00
Stephen Gallagher
559c6e6d44
Drop extraneous endif
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-27 19:06:53 -04:00
Stephen Gallagher
39a633e36e
Fix build issue on non-default releases
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-27 19:05:15 -04:00
Stephen Gallagher
2e164bd121
Fix libv8 packaging issue
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-27 14:57:59 -04:00
Stephen Gallagher
7136699056
Update to 19.8.1
- Namespace the v8 compatibility libraries

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-16 15:35:05 -04:00
Stephen Gallagher
52e4162484
Update to 19.8.0
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V19.md#19.8.0

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-15 10:51:53 -04:00
Stephen Gallagher
3c0fa670d2
Apply typo fix to specfile
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-01 15:08:44 -05:00
Stephen Gallagher
c4586d42a2
template: Add support for RHEL default version
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-01 14:34:39 -05:00
Stephen Gallagher
0479a8dfd7
Enable dtrace for Node.js < 19
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-01 14:00:26 -05:00
Stephen Gallagher
18ed5c68ec
Drop vestigial bundling bcond
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-03-01 13:09:42 -05:00
Stephen Gallagher
0b4597e2bc
sources: use jinja2 template to support patches
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-28 22:22:15 -05:00
Stephen Gallagher
7ad58e1a63
Specfile tweaks
Make the template more reusable for v18 and v16

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-28 18:38:21 -05:00
Stephen Gallagher
b8c1833746
Drop unneeded patch
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-23 15:19:03 -05:00
Stephen Gallagher
a35607a1c3
Update to 19.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-21 14:45:36 -05:00
Stephen Gallagher
ce26a524b5
First Node.js 20 prerelease
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-02-21 10:06:35 -05:00