import UBI nodejs22-22.19.0-2.el10_0

2025-09-23 12:26:39 +00:00 · 2025-09-23 12:26:39 +00:00 · fda2332e89
commit fda2332e89
parent 1e402b2a99
4 changed files with 137 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
 icu4c-77_1-data-bin-b.zip
 icu4c-77_1-data-bin-l.zip
-node-v22.16.0-stripped.tar.gz
+node-v22.19.0-stripped.tar.gz
--- a/0001-fips-disable-options.patch
+++ b/0001-fips-disable-options.patch
@ -0,0 +1,84 @@
+From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From: Michael Dawson <midawson@redhat.com>
+Date: Fri, 23 Feb 2024 13:43:56 +0100
+Subject: [PATCH] Disable FIPS options
+
+On RHEL, FIPS should be configured only on system level.
+Additionally, the related options may cause segfault when used on RHEL.
+
+This patch causes the option processing to end sooner
+than the problematic code gets executed.
+Additionally, the JS-level options to mess with FIPS settings
+are similarly disabled.
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+---
+ lib/crypto.js             | 10 ++++++++++
+ lib/internal/errors.js    |  6 ++++++
+ src/crypto/crypto_util.cc |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/crypto.js b/lib/crypto.js
+index 41adecc..b2627ac 100644
+--- a/lib/crypto.js
+++ b/lib/crypto.js
+@@ -36,7 +36,10 @@ const {
+ assertCrypto();
+
+ const {
+  // RHEL specific error
+  ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
+   ERR_CRYPTO_FIPS_FORCED,
+   ERR_WORKER_UNSUPPORTED_OPERATION,
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+@@ -251,6 +254,13 @@ function getFips() {
+ }
+ 
+ function setFips(val) {
+  // in RHEL FIPS enable/disable should only be done at system level
+  if (getFips() != val) {
+    throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+  } else {
+    return;
+  }
+
+   if (getOptionValue('--force-fips')) {
+     if (val) return;
+     throw new ERR_CRYPTO_FIPS_FORCED();
+diff --git a/lib/internal/errors.js b/lib/internal/errors.js
+index a722360..04d8a53 100644
+--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
+@@ -1111,6 +1111,12 @@ module.exports = {
+ //
+ // Note: Node.js specific errors must begin with the prefix ERR_
+ 
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+  'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+  'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+  Error);
+
+ E('ERR_ACCESS_DENIED',
+   function(msg, permission = '', resource = '') {
+     this.permission = permission;
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 5734d8f..ef9d1b1 100644
+--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
+@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
+   /* Override FIPS settings in configuration file, if needed. */
+   if (per_process::cli_options->enable_fips_crypto ||
+       per_process::cli_options->force_fips_crypto) {
+      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+      return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+     if (fips_provider == nullptr)
+-- 
+2.43.2
+
+
--- a/nodejs22.spec
+++ b/nodejs22.spec
@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 1;
+    release_number = 2;
    base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
    print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@ -62,7 +62,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 22
-%global nodejs_minor 16
+%global nodejs_minor 19
 %global nodejs_patch 0
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
@ -93,10 +93,10 @@
 %global c_ares_version 1.34.5

 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 9.2.1
+%global llhttp_version 9.3.0

 # libuv - from deps/uv/include/uv/version.h
-%global libuv_version 1.49.2
+%global libuv_version 1.51.0

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 %global nghttp2_version 1.64.0
@ -130,7 +130,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.9.2
+%global npm_version 10.9.3

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -147,7 +147,7 @@
 %global histogram_version 0.11.8

 # sqlite – from deps/sqlite/sqlite3.h
-%global sqlite_version 3.49.1
+%global sqlite_version 3.50.4


 Name: nodejs%{nodejs_pkg_major}
@ -181,6 +181,7 @@ Source300: test-runner.sh
 Source301: test-should-pass.txt

 Patch: 0001-Remove-unused-OpenSSL-config.patch
+Patch: 0001-fips-disable-options.patch

 %if 0%{?nodejs_default}
 %global pkgname nodejs
@ -413,8 +414,10 @@ Provides: nodejs-devel = %{nodejs_envr}
 %endif
 %unversioned_obsoletes_of_nodejsXX_if_default devel

-Provides: nodejs-devel-pkg = %{nodejs_envr}
+Provides: alternative-for(nodejs-devel) = %{nodejs_envr}
+Conflicts: alternative-for(nodejs-devel)
 Conflicts: nodejs-devel-pkg
+ # previously VP used for the same reason as alternative-for() above


 %description -n %{pkgname}-devel
@ -604,6 +607,7 @@ export PATH="${cwd}/.bin:$PATH"
           --ninja \
           --enable-lto \
           --prefix=%{_prefix} \
+           --use-prefix-to-find-headers \
           --shared \
           --libdir=%{_lib} \
           %{ssl_configure} \
@ -655,12 +659,16 @@ chrpath --delete %{buildroot}%{_bindir}/node
 # Rename the node binary
 mv %{buildroot}%{_bindir}/node %{buildroot}%{_bindir}/node-%{nodejs_pkg_major}

-# Adjust the npm binaries
-# 1. Replace all hasbangs with versioned ones
-grep --extended-regexp --files-with-matches --recursive \
-    '^#!/usr/bin/(env )?node($|[[:space:]])+' '%{buildroot}%{nodejs_private_sitelib}/npm/bin' \
-| xargs sed --in-place --regexp-extended \
-    's;^#!/usr/bin/(env )?node($|[[:space:]])+;#!/usr/bin/node-%{nodejs_pkg_major};'
+# Adjust npm binaries
+# 1. Replace all hashbangs with versioned ones
+readonly NPM_DIR="%{buildroot}%{nodejs_private_sitelib}/npm"
+readonly SHEBANG_ERE='^#!/usr/bin/(env\s+)?node\b'
+readonly SHEBANG_FIX='#!%{_bindir}/node-%{nodejs_pkg_major}'
+readonly -a npm_bin_dirs=("${NPM_DIR}/bin" "${NPM_DIR}/node_modules")
+
+find "${npm_bin_dirs[@]}" -type f \
+| xargs grep --extended-regexp --files-with-matches "${SHEBANG_ERE}" \
+| xargs sed --regexp-extended --in-place "s;${SHEBANG_ERE};${SHEBANG_FIX};"

 # 2. Replace original links with the adjusted ones
 for bin in npm npx; do
@ -681,6 +689,13 @@ ln -srf %{buildroot}%{_bindir}/npx-%{nodejs_pkg_major} \
        %{buildroot}%{_bindir}/npx
 %endif

+# Fix shell scripts that call 'node' as command
+readonly -a known_shell_scripts=(
+    "${NPM_DIR}/bin/node-gyp-bin/node-gyp"
+    "${NPM_DIR}/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp"
+)
+sed --regexp-extended --in-place 's;\bnode(\s);%{_bindir}/node-%{nodejs_pkg_major}\1;' "${known_shell_scripts[@]}"
+
 # Install library symlink
 ln -srf %{buildroot}%{_libdir}/libnode.so.%{nodejs_soversion} \
        %{buildroot}%{_libdir}/libnode.so
@ -774,11 +789,6 @@ find %{buildroot}%{nodejs_private_sitelib}/npm \
 chmod 0755 %{buildroot}%{nodejs_private_sitelib}/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
 chmod 0755 %{buildroot}%{nodejs_private_sitelib}/npm/node_modules/node-gyp/bin/node-gyp.js

-# Set the hashbang to use the matching Node.js interpreter
-sed --in-place --regexp-extended \
-    's;^#!/usr/bin/env node($|\ |\t)+;#!/usr/bin/node-%{nodejs_pkg_major};g' \
-    %{buildroot}%{nodejs_private_sitelib}/npm/node_modules/node-gyp/bin/node-gyp.js
-
 # Drop the NPM builtin configuration in place
 sed -e 's#@SYSCONFDIR@#%{_sysconfdir}#g' \
    %{SOURCE201} > %{buildroot}%{nodejs_private_sitelib}/npm/npmrc
@ -962,19 +972,37 @@ end

 %changelog
 ## START: Generated by rpmautospec
-* Tue May 27 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-1
+* Wed Sep 03 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.19.0-2
+- spec: devel packages explicitly conflicts
+
+* Wed Sep 03 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.19.0-1
+- Update to version 22.19.0
+
+* Fri Aug 29 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.16.0-5
+- Add patch to prevent fips usage segfault
+
+* Mon Aug 25 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-4
+- configure.py: use local headers for building native addons when available
+
+* Mon Aug 25 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-3
+- spec: fix node binary calls to use versioned binary
+
+* Wed Aug 20 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-2
+- Test plan adjustments
+
+* Wed May 28 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-1
 - Update to version 22.16.0

-* Tue May 20 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.15.0-3
+* Wed May 21 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.15.0-3
 - Make grep Source stricter in nodejs-tarball

-* Tue May 20 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.15.0-2
+* Wed May 21 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.15.0-2
 - Add unit-test during build for nodejs22

-* Thu Apr 24 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.15.0-1
+* Tue Apr 29 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.15.0-1
 - Update to version 22.15.0

-* Tue Apr 22 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.13.1-6
+* Tue Apr 15 2025 tjuhasz <tjuhasz@redhat.com> - 1:22.13.1-6
 - Update c-ares with fix for CVE-2025-31498

 * Thu Mar 06 2025 Jan Staněk <jstanek@redhat.com> - 1:22.13.1-5
--- a/2
+++ b/2
@ -1,3 +1,3 @@
 SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e
 SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e
-SHA512 (node-v22.16.0-stripped.tar.gz) = 63f9ccf38a9c3384ba07d5792cde18517b0c3fbfb612f13cce6b98381a8c951008550a5950bec7078b88e7f7f69e714a82f586cf2433659295db64d8013df784
+SHA512 (node-v22.19.0-stripped.tar.gz) = cbf43bfc0edce8e80e3c29b6f391ea97f2a531eb1c271e9d48b1d26e5a9d8198052b873e37739bddb4de696eb3f1f1bc53503d2145cfc16efbe1bef0a54cfd56