The following CVEs were fixed in NodeJS itself:
CVE-2026-21637 CVE-2026-21710 CVE-2026-21711 CVE-2026-21712
CVE-2026-21713 CVE-2026-21714 CVE-2026-21715 CVE-2026-21716
CVE-2026-21717
The following CVEs were fixed in bundled undici:
CVE-2026-1525 CVE-2026-1528 CVE-2026-2581 CVE-2026-1527 CVE-2026-2229
CVE-2026-1526
Resolves: RHEL-163752
In some environments, a variant of the rpm parser is used that does not
expand Lua or shell invocations. In that environment, using
%nodejs_define_version for defining (parts of) Name:, Version:, or
Release: fields will result in them being empty or incomplete.
This swaps the definition order around, so that the fields are set
first with the verbatim values.
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Resolves: RHEL-111978
- Use correct form of %node_evr in place of non-existent %nodejs_evr
- Utilize %nodejs_subpackage_release during definition of the version
  macros, then rely on %<name>_release everywhere.
[skip changelog]
Resolves: RHEL-111616
Extend existing shebang fixes to cover all npm nested modules and
shell scripts that call 'node' as a command. This prevents failures
when scripts try to call /usr/bin/node which is not shipped, instead
redirecting them to the versioned /usr/bin/node-24 binary.
Fixes include:
- All JavaScript/TypeScript files with node shebangs in npm nested modules
- Shell scripts like node-gyp that call 'node' as a command
- Remove tests that have issues with kojistream network
- Temporarily use vendor copies of dependencies
  not up-to-date enough in the system
Related: RHEL-101566
Signed-off-by: Jan Staněk <jstanek@redhat.com>