Update to version 22.22.2

- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135 - disabled failing tests in nghttp2 due to newer version - patch for npm/braces CVE-2026-25547 Resolves: RHEL-154022 Fixes: CVE-2026-1528 CVE-2026-27135 CVE-2026-27904 CVE-2026-26996 CVE-2026-25547
2026-03-25 13:37:31 +01:00 · 2026-03-25 13:37:31 +01:00 · fda37c709c
commit fda37c709c
parent cd542fda43
5 changed files with 7842 additions and 19 deletions
--- a/0001-CVE-2026-25547-braces-expansion.patch
+++ b/0001-CVE-2026-25547-braces-expansion.patch
@ -0,0 +1,102 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: tjuhasz <tjuhasz@redhat.com>
+Date: Tue, 25 Feb 2026 14:21:26 +0100
+Subject: [PATCH] CVE-2026-25547: Fix brace expansion vulnerability
+
+Add expansion limit to prevent DoS attacks through excessive
+brace expansion in the brace-expansion module.
+
+---
+ deps/npm/node_modules/brace-expansion/index.js | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/deps/npm/node_modules/brace-expansion/index.js b/deps/npm/node_modules/brace-expansion/index.js
+--- a/deps/npm/node_modules/brace-expansion/index.js	2026-01-12 23:55:24.000000000 +0100
+++ b/deps/npm/node_modules/brace-expansion/index.js	2026-02-25 14:21:26.829483831 +0100
+@@ -8,6 +8,8 @@
+ var escComma = '\0COMMA'+Math.random()+'\0';
+ var escPeriod = '\0PERIOD'+Math.random()+'\0';
+ 
+const EXPANSION_MAX = 100_000;
+
+ function numeric(str) {
+   return parseInt(str, 10) == str
+     ? parseInt(str, 10)
+@@ -61,9 +63,11 @@
+   return parts;
+ }
+ 
+-function expandTop(str) {
+function expandTop(str, options = {}) {
+   if (!str)
+     return [];
+  
+  const { max = EXPANSION_MAX } = options;
+ 
+   // I don't know why Bash 4.3 does this, but it does.
+   // Anything starting with {} will have the first two bytes preserved
+@@ -75,7 +79,7 @@
+     str = '\\{\\}' + str.substr(2);
+   }
+ 
+-  return expand(escapeBraces(str), true).map(unescapeBraces);
+  return expand(escapeBraces(str), max, true).map(unescapeBraces);
+ }
+ 
+ function embrace(str) {
+@@ -92,7 +96,7 @@
+   return i >= y;
+ }
+ 
+-function expand(str, isTop) {
+function expand(str, max, isTop) {
+   var expansions = [];
+ 
+   var m = balanced('{', '}', str);
+@@ -101,11 +105,11 @@
+   // no need to expand pre, since it is guaranteed to be free of brace-sets
+   var pre = m.pre;
+   var post = m.post.length
+-    ? expand(m.post, false)
+    ? expand(m.post, max, false)
+     : [''];
+ 
+   if (/\$$/.test(m.pre)) {
+-    for (var k = 0; k < post.length; k++) {
+    for (var k = 0; k < post.length && k < max; k++) {
+       var expansion = pre+ '{' + m.body + '}' + post[k];
+       expansions.push(expansion);
+     }
+@@ -118,7 +122,7 @@
+       // {a},b}
+       if (m.post.match(/,(?!,).*\}/)) {
+         str = m.pre + '{' + m.body + escClose + m.post;
+-        return expand(str);
+        return expand(str, max, true);
+       }
+       return [str];
+     }
+@@ -130,7 +134,7 @@
+       n = parseCommaParts(m.body);
+       if (n.length === 1) {
+         // x{{a,b}}y ==> x{a}y x{b}y
+-        n = expand(n[0], false).map(embrace);
+        n = expand(n[0], max, false).map(embrace);
+         if (n.length === 1) {
+           return post.map(function(p) {
+             return m.pre + n[0] + p;
+@@ -185,12 +189,12 @@
+       N = [];
+ 
+       for (var j = 0; j < n.length; j++) {
+-        N.push.apply(N, expand(n[j], false));
+        N.push.apply(N, expand(n[j], max, false));
+       }
+     }
+ 
+     for (var j = 0; j < N.length; j++) {
+-      for (var k = 0; k < post.length; k++) {
+      for (var k = 0; k < post.length && expansions.length < max; k++) {
+         var expansion = pre + N[j] + post[k];
+         if (!isTop || isSequence || expansion)
+           expansions.push(expansion);
--- a/0001-deps-update-nghttp2-to-1.68.1.patch
+++ b/0001-deps-update-nghttp2-to-1.68.1.patch
--- a/nodejs22.spec
+++ b/nodejs22.spec
@ -53,7 +53,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 22
 %global nodejs_minor 22
-%global nodejs_patch 0
+%global nodejs_patch 2
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
 %global nodejs_abi %{nodejs_soversion}
@ -89,7 +89,7 @@
 %global libuv_version 1.51.0

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.64.0
+%global nghttp2_version 1.68.1

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_version 1.6.0
@ -98,8 +98,8 @@
 %global ngtcp2_version 1.11.0

 # ICU - from tools/icu/current_ver.dep
-%global icu_major 77
-%global icu_minor 1
+%global icu_major 78
+%global icu_minor 2
 %global icu_version %{icu_major}.%{icu_minor}

 %global icudatadir %{nodejs_datadir}/icudata
@ -120,7 +120,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.9.4
+%global npm_version 10.9.7

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -137,7 +137,7 @@
 %global histogram_version 0.11.9

 # sqlite – from deps/sqlite/sqlite3.h
-%global sqlite_version 3.50.4
+%global sqlite_version 3.51.2


 Name: nodejs%{nodejs_pkg_major}
@ -172,6 +172,8 @@ Source301: test-should-pass.txt

 Patch: 0001-Remove-unused-OpenSSL-config.patch
 Patch: 0001-fips-disable-options.patch
+Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
+Patch: 0001-CVE-2026-25547-braces-expansion.patch

 %if 0%{?nodejs_default}
 %global pkgname nodejs
@ -348,14 +350,14 @@ Provides: bundled(ada) = 2.9.2

 # undici and cjs-module-lexer ship with pre-built WASM binaries.
 %if %{with bundled_cjs_module_lexer}
-Provides: bundled(nodejs-cjs-module-lexer) = 1.4.1
+Provides: bundled(nodejs-cjs-module-lexer) = 2.2.0
 %else
 BuildRequires: nodejs-cjs-module-lexer
 Requires: nodejs-cjs-module-lexer
 %endif

 %if %{with bundled_undici}
-Provides: bundled(nodejs-undici) = 6.23.0
+Provides: bundled(nodejs-undici) = 6.24.1
 %else
 BuildRequires: nodejs-undici
 Requires: nodejs-undici
--- a/6
+++ b/6
@ -1,3 +1,3 @@
-SHA512 (node-v22.22.0-stripped.tar.gz) = 32049c569d90145c918dd4db7847ccf4d979a418a54a01ecf966d277607c7460d13e62334386d75d9854db4ec345dcc1abfda32bde4edbda18a61cbf484d0580
-SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e
-SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e
+SHA512 (node-v22.22.2-stripped.tar.gz) = 82c3357cce10a3fe89373ec4e3460af5992d853f28a7339358a3f910959e7b17987c8eb1748d9c3033d4c642701d321e2265cc0ac004a218860da4eda2971226
+SHA512 (icu4c-78.2-data-bin-b.zip) = 032a1e519bf92dfa7936ef85ebed697550dbcb4e32c6ecd28ffecb158a403eeff6c0a3545b2551eba73f288e31693be6880e202a38cd86c129dffa395e8ab625
+SHA512 (icu4c-78.2-data-bin-l.zip) = c0b46de115332940d3276763904caa6257eb516edce4382632f4b96a5b010fee4cb06a5e10ef5eee2f881515c1ee8277d9ae59015f6de6fe1d175b9d00dbb1ca
--- a/test-should-pass.txt
+++ b/test-should-pass.txt
@ -1464,12 +1464,14 @@ parallel/test-http2-client-request-options-errors.js
 parallel/test-http2-client-rststream-before-connect.js
 parallel/test-http2-client-setLocalWindowSize.js
 parallel/test-http2-client-setNextStreamID-errors.js
-parallel/test-http2-client-set-priority.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-client-set-priority.js
 parallel/test-http2-client-settings-before-connect.js
 parallel/test-http2-client-shutdown-before-connect.js
 parallel/test-http2-client-socket-destroy.js
 parallel/test-http2-client-stream-destroy-before-connect.js
-parallel/test-http2-client-unescaped-path.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-client-unescaped-path.js
 parallel/test-http2-client-upload.js
 parallel/test-http2-client-upload-reject.js
 parallel/test-http2-client-write-before-connect.js
@ -1563,16 +1565,19 @@ parallel/test-http2-large-writes-session-memory-leak.js
 parallel/test-http2-malformed-altsvc.js
 parallel/test-http2-many-writes-and-destroy.js
 parallel/test-http2-max-concurrent-streams.js
-parallel/test-http2-max-invalid-frames.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-max-invalid-frames.js
 parallel/test-http2-max-session-memory-leak.js
 parallel/test-http2-max-settings.js
 parallel/test-http2-methods.js
-parallel/test-http2-misbehaving-flow-control.js
-parallel/test-http2-misbehaving-flow-control-paused.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-misbehaving-flow-control.js
+# parallel/test-http2-misbehaving-flow-control-paused.js
 parallel/test-http2-misbehaving-multiplex.js
 parallel/test-http2-misc-util.js
 parallel/test-http2-misused-pseudoheaders.js
-parallel/test-http2-multi-content-length.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-multi-content-length.js
 parallel/test-http2-multiheaders.js
 parallel/test-http2-multiheaders-raw.js
 parallel/test-http2-multiplex.js
@ -1596,13 +1601,15 @@ parallel/test-http2-ping-unsolicited-ack.js
 parallel/test-http2-pipe.js
 parallel/test-http2-pipe-named-pipe.js
 parallel/test-http2-priority-cycle-.js
-parallel/test-http2-priority-event.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-priority-event.js
 parallel/test-http2-propagate-session-destroy-code.js
 parallel/test-http2-removed-header-stays-removed.js
 parallel/test-http2-request-remove-connect-listener.js
 parallel/test-http2-request-response-proto.js
 parallel/test-http2-res-corked.js
-parallel/test-http2-reset-flood.js
+# disabled on 25.03.26, see https://github.com/nodejs/node/issues/60661
+# parallel/test-http2-reset-flood.js
 parallel/test-http2-respond-errors.js
 parallel/test-http2-respond-file-204.js
 parallel/test-http2-respond-file-304.js