import UBI nodejs22-22.22.2-1.el10_1

.gitignore

@@ -1,3 +1,3 @@
-icu4c-77_1-data-bin-b.zip
-icu4c-77_1-data-bin-l.zip
-node-v22.22.0-stripped.tar.gz
+icu4c-78.2-data-bin-b.zip
+icu4c-78.2-data-bin-l.zip
+node-v22.22.2-stripped.tar.gz

0001-CVE-2026-25547-braces-expansion.patch

@@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tjuhasz <tjuhasz@redhat.com>
+Date: Tue, 25 Feb 2026 14:21:26 +0100
+Subject: [PATCH] CVE-2026-25547: Fix brace expansion vulnerability
+
+Add expansion limit to prevent DoS attacks through excessive
+brace expansion in the brace-expansion module.
+
+---
+ deps/npm/node_modules/brace-expansion/index.js | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/deps/npm/node_modules/brace-expansion/index.js b/deps/npm/node_modules/brace-expansion/index.js
+--- a/deps/npm/node_modules/brace-expansion/index.js	2026-01-12 23:55:24.000000000 +0100
++++ b/deps/npm/node_modules/brace-expansion/index.js	2026-02-25 14:21:26.829483831 +0100
+@@ -8,6 +8,8 @@
+ var escComma = '\0COMMA'+Math.random()+'\0';
+ var escPeriod = '\0PERIOD'+Math.random()+'\0';
+ 
++const EXPANSION_MAX = 100_000;
++
+ function numeric(str) {
+   return parseInt(str, 10) == str
+     ? parseInt(str, 10)
+@@ -61,9 +63,11 @@
+   return parts;
+ }
+ 
+-function expandTop(str) {
++function expandTop(str, options = {}) {
+   if (!str)
+     return [];
++  
++  const { max = EXPANSION_MAX } = options;
+ 
+   // I don't know why Bash 4.3 does this, but it does.
+   // Anything starting with {} will have the first two bytes preserved
+@@ -75,7 +79,7 @@
+     str = '\\{\\}' + str.substr(2);
+   }
+ 
+-  return expand(escapeBraces(str), true).map(unescapeBraces);
++  return expand(escapeBraces(str), max, true).map(unescapeBraces);
+ }
+ 
+ function embrace(str) {
+@@ -92,7 +96,7 @@
+   return i >= y;
+ }
+ 
+-function expand(str, isTop) {
++function expand(str, max, isTop) {
+   var expansions = [];
+ 
+   var m = balanced('{', '}', str);
+@@ -101,11 +105,11 @@
+   // no need to expand pre, since it is guaranteed to be free of brace-sets
+   var pre = m.pre;
+   var post = m.post.length
+-    ? expand(m.post, false)
++    ? expand(m.post, max, false)
+     : [''];
+ 
+   if (/\$$/.test(m.pre)) {
+-    for (var k = 0; k < post.length; k++) {
++    for (var k = 0; k < post.length && k < max; k++) {
+       var expansion = pre+ '{' + m.body + '}' + post[k];
+       expansions.push(expansion);
+     }
+@@ -118,7 +122,7 @@
+       // {a},b}
+       if (m.post.match(/,(?!,).*\}/)) {
+         str = m.pre + '{' + m.body + escClose + m.post;
+-        return expand(str);
++        return expand(str, max, true);
+       }
+       return [str];
+     }
+@@ -130,7 +134,7 @@
+       n = parseCommaParts(m.body);
+       if (n.length === 1) {
+         // x{{a,b}}y ==> x{a}y x{b}y
+-        n = expand(n[0], false).map(embrace);
++        n = expand(n[0], max, false).map(embrace);
+         if (n.length === 1) {
+           return post.map(function(p) {
+             return m.pre + n[0] + p;
+@@ -185,12 +189,12 @@
+       N = [];
+ 
+       for (var j = 0; j < n.length; j++) {
+-        N.push.apply(N, expand(n[j], false));
++        N.push.apply(N, expand(n[j], max, false));
+       }
+     }
+ 
+     for (var j = 0; j < N.length; j++) {
+-      for (var k = 0; k < post.length; k++) {
++      for (var k = 0; k < post.length && expansions.length < max; k++) {
+         var expansion = pre + N[j] + post[k];
+         if (!isTop || isSequence || expansion)
+           expansions.push(expansion);

nodejs-tarball.sh

@@ -120,11 +120,11 @@ rm -rf node-v${version}/deps/openssl
 tar -zcf node-v${version}-stripped.tar.gz node-v${version}
 
 # Download the ICU binary data files
-ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
-ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
-rm -Rf icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip
-wget $(grep -w 'Source3' nodejs*.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
-wget $(grep -w 'Source4' nodejs*.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\1/g')
+ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\2/g')
+rm -Rf icu4c-${ICU_MAJOR}.${ICU_MINOR}-data-bin-*.zip
+wget $(grep -w 'Source3' nodejs22.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+wget $(grep -w 'Source4' nodejs22.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
 
 #fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz
 
@@ -194,8 +194,8 @@ echo $NGTCP2_VERSION
 echo
 echo "ICU"
 echo "========================="
-ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
-ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
+ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\1/g')
+ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\).\([[:digit:]]\+\).*/\2/g')
 echo "${ICU_MAJOR}.${ICU_MINOR}"
 echo
 echo "simdutf"

nodejs22.spec

@@ -1,8 +1,8 @@
 ## START: Set by rpmautospec
-## (rpmautospec version 0.8.3)
+## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 3;
+    release_number = 1;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -63,7 +63,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 22
 %global nodejs_minor 22
-%global nodejs_patch 0
+%global nodejs_patch 2
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
 %global nodejs_abi %{nodejs_soversion}
@@ -99,7 +99,7 @@
 %global libuv_version 1.51.0
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.64.0
+%global nghttp2_version 1.68.1
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_version 1.6.0
@@ -108,8 +108,8 @@
 %global ngtcp2_version 1.11.0
 
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 77
-%global icu_minor 1
+%global icu_major 78
+%global icu_minor 2
 %global icu_version %{icu_major}.%{icu_minor}
 
 %global icudatadir %{nodejs_datadir}/icudata
@@ -130,7 +130,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.9.4
+%global npm_version 10.9.7
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -147,7 +147,7 @@
 %global histogram_version 0.11.9
 
 # sqlite – from deps/sqlite/sqlite3.h
-%global sqlite_version 3.50.4
+%global sqlite_version 3.51.2
 
 
 Name: nodejs%{nodejs_pkg_major}
@@ -169,8 +169,8 @@ Source0: node-v%{nodejs_version}-stripped.tar.gz
 Source1: npmrc
 Source2: btest402.js
 # The binary data that icu-small can use to get icu-full capability
-Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-b.zip
-Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip
+Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}.%{icu_minor}/icu4c-%{icu_major}.%{icu_minor}-data-bin-b.zip
+Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}.%{icu_minor}/icu4c-%{icu_major}.%{icu_minor}-data-bin-l.zip
 Source200: nodejs-tarball.sh
 Source201: npmrc.builtin.in
 Source202: nodejs.pc.in
@@ -182,6 +182,8 @@ Source301: test-should-pass.txt
 
 Patch: 0001-Remove-unused-OpenSSL-config.patch
 Patch: 0001-fips-disable-options.patch
+Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
+Patch: 0001-CVE-2026-25547-braces-expansion.patch
 
 %if 0%{?nodejs_default}
 %global pkgname nodejs
@@ -358,14 +360,14 @@ Provides: bundled(ada) = 2.9.2
 
 # undici and cjs-module-lexer ship with pre-built WASM binaries.
 %if %{with bundled_cjs_module_lexer}
-Provides: bundled(nodejs-cjs-module-lexer) = 1.4.1
+Provides: bundled(nodejs-cjs-module-lexer) = 2.2.0
 %else
 BuildRequires: nodejs-cjs-module-lexer
 Requires: nodejs-cjs-module-lexer
 %endif
 
 %if %{with bundled_undici}
-Provides: bundled(nodejs-undici) = 6.23.0
+Provides: bundled(nodejs-undici) = 6.24.1
 %else
 BuildRequires: nodejs-undici
 Requires: nodejs-undici
@@ -972,6 +974,15 @@ end
 
 %changelog
 ## START: Generated by rpmautospec
+* Mon Mar 30 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
+- Update to version 22.22.2
+- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135
+- disabled failing tests in nghttp2 due to newer version
+- patch for npm/braces CVE-2026-25547
+
+* Wed Mar 25 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.0-4
+- sources: changed ICU version syntax
+
 * Tue Jan 20 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.0-3
 - Bump release to get correct RHEL build
 

sources

@@ -1,3 +1,3 @@
-SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e
-SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e
-SHA512 (node-v22.22.0-stripped.tar.gz) = 32049c569d90145c918dd4db7847ccf4d979a418a54a01ecf966d277607c7460d13e62334386d75d9854db4ec345dcc1abfda32bde4edbda18a61cbf484d0580
+SHA512 (icu4c-78.2-data-bin-b.zip) = 032a1e519bf92dfa7936ef85ebed697550dbcb4e32c6ecd28ffecb158a403eeff6c0a3545b2551eba73f288e31693be6880e202a38cd86c129dffa395e8ab625
+SHA512 (icu4c-78.2-data-bin-l.zip) = c0b46de115332940d3276763904caa6257eb516edce4382632f4b96a5b010fee4cb06a5e10ef5eee2f881515c1ee8277d9ae59015f6de6fe1d175b9d00dbb1ca
+SHA512 (node-v22.22.2-stripped.tar.gz) = 82c3357cce10a3fe89373ec4e3460af5992d853f28a7339358a3f910959e7b17987c8eb1748d9c3033d4c642701d321e2265cc0ac004a218860da4eda2971226

test-should-pass.txt

@@ -1464,12 +1464,14 @@ parallel/test-http2-client-request-options-errors.js
 parallel/test-http2-client-rststream-before-connect.js
 parallel/test-http2-client-setLocalWindowSize.js
 parallel/test-http2-client-setNextStreamID-errors.js
-parallel/test-http2-client-set-priority.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-client-set-priority.js
 parallel/test-http2-client-settings-before-connect.js
 parallel/test-http2-client-shutdown-before-connect.js
 parallel/test-http2-client-socket-destroy.js
 parallel/test-http2-client-stream-destroy-before-connect.js
-parallel/test-http2-client-unescaped-path.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-client-unescaped-path.js
 parallel/test-http2-client-upload.js
 parallel/test-http2-client-upload-reject.js
 parallel/test-http2-client-write-before-connect.js
@@ -1563,16 +1565,19 @@ parallel/test-http2-large-writes-session-memory-leak.js
 parallel/test-http2-malformed-altsvc.js
 parallel/test-http2-many-writes-and-destroy.js
 parallel/test-http2-max-concurrent-streams.js
-parallel/test-http2-max-invalid-frames.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-max-invalid-frames.js
 parallel/test-http2-max-session-memory-leak.js
 parallel/test-http2-max-settings.js
 parallel/test-http2-methods.js
-parallel/test-http2-misbehaving-flow-control.js
-parallel/test-http2-misbehaving-flow-control-paused.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-misbehaving-flow-control.js
+# parallel/test-http2-misbehaving-flow-control-paused.js
 parallel/test-http2-misbehaving-multiplex.js
 parallel/test-http2-misc-util.js
 parallel/test-http2-misused-pseudoheaders.js
-parallel/test-http2-multi-content-length.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-multi-content-length.js
 parallel/test-http2-multiheaders.js
 parallel/test-http2-multiheaders-raw.js
 parallel/test-http2-multiplex.js
@@ -1596,13 +1601,15 @@ parallel/test-http2-ping-unsolicited-ack.js
 parallel/test-http2-pipe.js
 parallel/test-http2-pipe-named-pipe.js
 parallel/test-http2-priority-cycle-.js
-parallel/test-http2-priority-event.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-priority-event.js
 parallel/test-http2-propagate-session-destroy-code.js
 parallel/test-http2-removed-header-stays-removed.js
 parallel/test-http2-request-remove-connect-listener.js
 parallel/test-http2-request-response-proto.js
 parallel/test-http2-res-corked.js
-parallel/test-http2-reset-flood.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-reset-flood.js
 parallel/test-http2-respond-errors.js
 parallel/test-http2-respond-file-204.js
 parallel/test-http2-respond-file-304.js