From a8b33c447c82aa41385490383ed963e7ae63263c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 24 2022 23:06:00 +0000
Subject: import nodejs-14.20.0-2.module+el8.6.0+16231+7c1b33d9


---

diff --git a/.gitignore b/.gitignore
index f881379..751ebb7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/icu4c-69_1-src.tgz
-SOURCES/node-v14.18.2-stripped.tar.gz
+SOURCES/icu4c-70_1-src.tgz
+SOURCES/node-v14.20.0-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index 6dbf0a6..d868ff8 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
-620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz
-bba4efed29ee2e3e9078b955890d9b68f6750f6a SOURCES/node-v14.18.2-stripped.tar.gz
+f7c1363edee6be7de8b624ffbb801892b3417d4e SOURCES/icu4c-70_1-src.tgz
+66dc4b75e2e416d064f12be3450fc7953d72b21b SOURCES/node-v14.20.0-stripped.tar.gz
diff --git a/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
new file mode 100644
index 0000000..3287b6c
--- /dev/null
+++ b/SOURCES/0001-deps-ansi-regex-fix-potential-ReDoS.patch
@@ -0,0 +1,46 @@
+From e12dad58e7c749d65d51e2dd49dece4102ddfa18 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 9 Dec 2021 15:48:46 +0100
+Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
+
+This is the upstream fix [1] applied to all applicable bundled deps.
+
+[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
+
+Fixes: CVE-2021-3807
+Signed-off-by: rpm-build <rpm-build>
+---
+ .../node_modules/string-width/node_modules/ansi-regex/index.js  | 2 +-
+ deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js    | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+index c4aaecf..7d32201 100644
+--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
++++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+@@ -2,7 +2,7 @@
+ 
+ module.exports = () => {
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
++		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
++++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
++		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+-- 
+2.36.1
+
+
diff --git a/SOURCES/0004-always-available-fips-options.patch b/SOURCES/0004-always-available-fips-options.patch
deleted file mode 100644
index 26d4853..0000000
--- a/SOURCES/0004-always-available-fips-options.patch
+++ /dev/null
@@ -1,624 +0,0 @@
-From 7c7f5159fcc71d915dfcc5f97ab18d5f8912f1b5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
-Date: Tue, 25 Aug 2020 14:04:54 +0200
-Subject: [PATCH] crypto: make FIPS related options always awailable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-There is no reason to hide FIPS functionality behind build flags.
-OpenSSL always provide the information about FIPS availability via
-`FIPS_mode()` function.
-
-This makes the user experience more consistent, because the OpenSSL
-library is always queried and the `crypto.getFips()` always returns
-OpenSSL settings.
-
-Fixes #34903
-
-PR-URL: https://github.com/nodejs/node/pull/36341
-Reviewed-By: Anna Henningsen <anna@addaleax.net>
-Reviewed-By: Michael Dawson <midawson@redhat.com>
-Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
-Signed-off-by: rpm-build <rpm-build>
----
- doc/api/cli.md                                |  8 +--
- lib/crypto.js                                 | 22 ++----
- node.gypi                                     |  3 -
- src/node.cc                                   |  6 +-
- src/node_config.cc                            |  2 -
- src/node_crypto.cc                            | 45 +++++++-----
- src/node_options.cc                           |  2 -
- src/node_options.h                            |  2 -
- test/parallel/test-cli-node-print-help.js     |  7 +-
- test/parallel/test-crypto-fips.js             | 71 +++++++++----------
- ...rocess-env-allowed-flags-are-documented.js | 11 +--
- 11 files changed, 74 insertions(+), 105 deletions(-)
-
-diff --git a/doc/api/cli.md b/doc/api/cli.md
-index a8ef339..c41bd49 100644
---- a/doc/api/cli.md
-+++ b/doc/api/cli.md
-@@ -182,8 +182,8 @@ code from strings throw an exception instead. This does not affect the Node.js
- added: v6.0.0
- -->
- 
--Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with
--`./configure --openssl-fips`.)
-+Enable FIPS-compliant crypto at startup. (Requires Node.js to be built
-+against FIPS-compatible OpenSSL.)
- 
- ### `--enable-source-maps`
- <!-- YAML
-@@ -543,8 +543,8 @@ added: v6.9.0
- -->
- 
- Load an OpenSSL configuration file on startup. Among other uses, this can be
--used to enable FIPS-compliant crypto if Node.js is built with
--`./configure --openssl-fips`.
-+used to enable FIPS-compliant crypto if Node.js is built
-+against FIPS-enabled OpenSSL.
- 
- ### `--pending-deprecation`
- <!-- YAML
-diff --git a/lib/crypto.js b/lib/crypto.js
-index a41b02d..5c15ab3 100644
---- a/lib/crypto.js
-+++ b/lib/crypto.js
-@@ -37,12 +37,10 @@ assertCrypto();
- 
- const {
-   ERR_CRYPTO_FIPS_FORCED,
--  ERR_CRYPTO_FIPS_UNAVAILABLE
- } = require('internal/errors').codes;
- const constants = internalBinding('constants').crypto;
- const { getOptionValue } = require('internal/options');
- const pendingDeprecation = getOptionValue('--pending-deprecation');
--const { fipsMode } = internalBinding('config');
- const fipsForced = getOptionValue('--force-fips');
- const {
-   getFipsCrypto,
-@@ -193,10 +191,8 @@ module.exports = {
-   sign: signOneShot,
-   setEngine,
-   timingSafeEqual,
--  getFips: !fipsMode ? getFipsDisabled :
--    fipsForced ? getFipsForced : getFipsCrypto,
--  setFips: !fipsMode ? setFipsDisabled :
--    fipsForced ? setFipsForced : setFipsCrypto,
-+  getFips: fipsForced ? getFipsForced : getFipsCrypto,
-+  setFips: fipsForced ? setFipsForced : setFipsCrypto,
-   verify: verifyOneShot,
- 
-   // Classes
-@@ -215,19 +211,11 @@ module.exports = {
-   Verify
- };
- 
--function setFipsDisabled() {
--  throw new ERR_CRYPTO_FIPS_UNAVAILABLE();
--}
--
- function setFipsForced(val) {
-   if (val) return;
-   throw new ERR_CRYPTO_FIPS_FORCED();
- }
- 
--function getFipsDisabled() {
--  return 0;
--}
--
- function getFipsForced() {
-   return 1;
- }
-@@ -249,10 +237,8 @@ ObjectDefineProperties(module.exports, {
-   },
-   // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips()
-   fips: {
--    get: !fipsMode ? getFipsDisabled :
--      fipsForced ? getFipsForced : getFipsCrypto,
--    set: !fipsMode ? setFipsDisabled :
--      fipsForced ? setFipsForced : setFipsCrypto
-+    get: fipsForced ? getFipsForced : getFipsCrypto,
-+    set: fipsForced ? setFipsForced : setFipsCrypto
-   },
-   DEFAULT_ENCODING: {
-     enumerable: false,
-diff --git a/node.gypi b/node.gypi
-index 070f212..45f6a9f 100644
---- a/node.gypi
-+++ b/node.gypi
-@@ -319,9 +319,6 @@
-     [ 'node_use_openssl=="true"', {
-       'defines': [ 'HAVE_OPENSSL=1' ],
-       'conditions': [
--        ['openssl_fips != "" or openssl_is_fips=="true"', {
--          'defines': [ 'NODE_FIPS_MODE' ],
--        }],
-         [ 'node_shared_openssl=="false"', {
-           'dependencies': [
-             './deps/openssl/openssl.gyp:openssl',
-diff --git a/src/node.cc b/src/node.cc
-index 905afd8..c04d199 100644
---- a/src/node.cc
-+++ b/src/node.cc
-@@ -1035,11 +1035,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) {
-     if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs))
-       crypto::UseExtraCaCerts(extra_ca_certs);
-   }
--#ifdef NODE_FIPS_MODE
-   // In the case of FIPS builds we should make sure
-   // the random source is properly initialized first.
--  OPENSSL_init();
--#endif  // NODE_FIPS_MODE
-+  if (FIPS_mode()) {
-+    OPENSSL_init();
-+  }
-   // V8 on Windows doesn't have a good source of entropy. Seed it from
-   // OpenSSL's pool.
-   V8::SetEntropySource(crypto::EntropySource);
-diff --git a/src/node_config.cc b/src/node_config.cc
-index 6ee3164..e229eee 100644
---- a/src/node_config.cc
-+++ b/src/node_config.cc
-@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target,
-   READONLY_FALSE_PROPERTY(target, "hasOpenSSL");
- #endif  // HAVE_OPENSSL
- 
--#ifdef NODE_FIPS_MODE
-   READONLY_TRUE_PROPERTY(target, "fipsMode");
--#endif
- 
- #ifdef NODE_HAVE_I18N_SUPPORT
- 
-diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 31e8276..721c9d1 100644
---- a/src/node_crypto.cc
-+++ b/src/node_crypto.cc
-@@ -51,6 +51,11 @@
- #include <openssl/hmac.h>
- #include <openssl/rand.h>
- #include <openssl/pkcs12.h>
-+// The FIPS-related functions are only available
-+// when the OpenSSL itself was compiled with FIPS support.
-+#ifdef OPENSSL_FIPS
-+#include <openssl/fips.h>
-+#endif // OPENSSL_FIPS
- 
- #include <cerrno>
- #include <climits>  // INT_MAX
-@@ -101,6 +106,7 @@ using v8::String;
- using v8::Uint32;
- using v8::Uint8Array;
- using v8::Undefined;
-+using v8::TryCatch;
- using v8::Value;
- 
- #ifdef OPENSSL_NO_OCB
-@@ -3706,12 +3712,10 @@ void CipherBase::Init(const char* cipher_type,
-   HandleScope scope(env()->isolate());
-   MarkPopErrorOnReturn mark_pop_error_on_return;
- 
--#ifdef NODE_FIPS_MODE
-   if (FIPS_mode()) {
-     return env()->ThrowError(
-         "crypto.createCipher() is not supported in FIPS mode.");
-   }
--#endif  // NODE_FIPS_MODE
- 
-   const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type);
-   if (cipher == nullptr)
-@@ -3897,13 +3901,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
-       return false;
-     }
- 
--#ifdef NODE_FIPS_MODE
-     // TODO(tniessen) Support CCM decryption in FIPS mode
-     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
-       env()->ThrowError("CCM decryption not supported in FIPS mode");
-       return false;
-     }
--#endif
- 
-     // Tell OpenSSL about the desired length.
-     if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len,
-@@ -4778,7 +4780,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env,
- }
- 
- static inline bool ValidateDSAParameters(EVP_PKEY* key) {
--#ifdef NODE_FIPS_MODE
-   /* Validate DSA2 parameters from FIPS 186-4 */
-   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
-     DSA* dsa = EVP_PKEY_get0_DSA(key);
-@@ -4794,7 +4795,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) {
-            (L == 2048 && N == 256) ||
-            (L == 3072 && N == 256);
-   }
--#endif  // NODE_FIPS_MODE
- 
-   return true;
- }
-@@ -7032,7 +7032,6 @@ void InitCryptoOnce() {
-   settings = nullptr;
- #endif
- 
--#ifdef NODE_FIPS_MODE
-   /* Override FIPS settings in cnf file, if needed. */
-   unsigned long err = 0;  // NOLINT(runtime/int)
-   if (per_process::cli_options->enable_fips_crypto ||
-@@ -7042,12 +7041,10 @@ void InitCryptoOnce() {
-     }
-   }
-   if (0 != err) {
--    fprintf(stderr,
--            "openssl fips failed: %s\n",
--            ERR_error_string(err, nullptr));
--    UNREACHABLE();
-+      auto* isolate = Isolate::GetCurrent();
-+      auto* env = Environment::GetCurrent(isolate);
-+      return ThrowCryptoError(env, err);
-   }
--#endif  // NODE_FIPS_MODE
- 
- 
-   // Turn off compression. Saves memory and protects against CRIME attacks.
-@@ -7093,7 +7090,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) {
- }
- #endif  // !OPENSSL_NO_ENGINE
- 
--#ifdef NODE_FIPS_MODE
- void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
-   args.GetReturnValue().Set(FIPS_mode() ? 1 : 0);
- }
-@@ -7111,7 +7107,16 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) {
-     return ThrowCryptoError(env, err);
-   }
- }
--#endif /* NODE_FIPS_MODE */
-+
-+void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) {
-+#ifdef OPENSSL_FIPS
-+  const auto enabled = FIPS_selftest() ? 1 : 0;
-+#else  // OPENSSL_FIPS
-+  const auto enabled = 0;
-+#endif  // OPENSSL_FIPS
-+
-+  args.GetReturnValue().Set(enabled);
-+}
- 
- namespace {
- // SecureBuffer uses openssl to allocate a Uint8Array using
-@@ -7147,10 +7152,17 @@ void Initialize(Local<Object> target,
-                 Local<Value> unused,
-                 Local<Context> context,
-                 void* priv) {
-+  Environment* env = Environment::GetCurrent(context);
-+
-   static uv_once_t init_once = UV_ONCE_INIT;
-+  TryCatch try_catch{env->isolate()};
-   uv_once(&init_once, InitCryptoOnce);
- 
--  Environment* env = Environment::GetCurrent(context);
-+  if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
-+    try_catch.ReThrow();
-+    return;
-+  }
-+
-   SecureContext::Initialize(env, target);
-   target->Set(env->context(),
-             FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"),
-@@ -7179,10 +7191,9 @@ void Initialize(Local<Object> target,
-   env->SetMethod(target, "setEngine", SetEngine);
- #endif  // !OPENSSL_NO_ENGINE
- 
--#ifdef NODE_FIPS_MODE
-   env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto);
-   env->SetMethod(target, "setFipsCrypto", SetFipsCrypto);
--#endif
-+  env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto);
- 
-   env->SetMethod(target, "pbkdf2", PBKDF2);
-   env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
-diff --git a/src/node_options.cc b/src/node_options.cc
-index 0102329..1ad44f4 100644
---- a/src/node_options.cc
-+++ b/src/node_options.cc
-@@ -753,7 +753,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
-             &PerProcessOptions::ssl_openssl_cert_store);
-   Implies("--use-openssl-ca", "[ssl_openssl_cert_store]");
-   ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]");
--#if NODE_FIPS_MODE
-   AddOption("--enable-fips",
-             "enable FIPS crypto at startup",
-             &PerProcessOptions::enable_fips_crypto,
-@@ -762,7 +761,6 @@ PerProcessOptionsParser::PerProcessOptionsParser(
-             "force FIPS crypto (cannot be disabled)",
-             &PerProcessOptions::force_fips_crypto,
-             kAllowedInEnvironment);
--#endif
- #endif
-   AddOption("--use-largepages",
-             "Map the Node.js static code to large pages. Options are "
-diff --git a/src/node_options.h b/src/node_options.h
-index 58a21e0..f22b254 100644
---- a/src/node_options.h
-+++ b/src/node_options.h
-@@ -243,10 +243,8 @@ class PerProcessOptions : public Options {
- #endif
-   bool use_openssl_ca = false;
-   bool use_bundled_ca = false;
--#if NODE_FIPS_MODE
-   bool enable_fips_crypto = false;
-   bool force_fips_crypto = false;
--#endif
- #endif
- 
-   // Per-process because reports can be triggered outside a known V8 context.
-diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js
-index ab8cd10..7e7c77f 100644
---- a/test/parallel/test-cli-node-print-help.js
-+++ b/test/parallel/test-cli-node-print-help.js
-@@ -8,8 +8,6 @@ const common = require('../common');
- 
- const assert = require('assert');
- const { exec } = require('child_process');
--const { internalBinding } = require('internal/test/binding');
--const { fipsMode } = internalBinding('config');
- let stdOut;
- 
- 
-@@ -28,9 +26,8 @@ function validateNodePrintHelp() {
-   const cliHelpOptions = [
-     { compileConstant: HAVE_OPENSSL,
-       flags: [ '--openssl-config=...', '--tls-cipher-list=...',
--               '--use-bundled-ca', '--use-openssl-ca' ] },
--    { compileConstant: fipsMode,
--      flags: [ '--enable-fips', '--force-fips' ] },
-+               '--use-bundled-ca', '--use-openssl-ca',
-+               '--enable-fips', '--force-fips' ] },
-     { compileConstant: NODE_HAVE_I18N_SUPPORT,
-       flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] },
-     { compileConstant: HAVE_INSPECTOR,
-diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js
-index eae3134..a1ed645 100644
---- a/test/parallel/test-crypto-fips.js
-+++ b/test/parallel/test-crypto-fips.js
-@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync;
- const path = require('path');
- const fixtures = require('../common/fixtures');
- const { internalBinding } = require('internal/test/binding');
--const { fipsMode } = internalBinding('config');
-+const { testFipsCrypto } = internalBinding('crypto');
- 
- const FIPS_ENABLED = 1;
- const FIPS_DISABLED = 0;
--const FIPS_ERROR_STRING =
--  'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' +
--  'non-FIPS build.';
- const FIPS_ERROR_STRING2 =
-   'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' +
-   '--force-fips at startup.';
--const OPTION_ERROR_STRING = 'bad option';
-+const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported';
- 
- const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf');
- const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf');
- 
- let num_children_ok = 0;
- 
--function compiledWithFips() {
--  return fipsMode ? true : false;
--}
--
- function sharedOpenSSL() {
-   return process.config.variables.node_shared_openssl;
- }
-@@ -75,17 +68,17 @@ testHelper(
- 
- // --enable-fips should turn FIPS mode on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
- // --force-fips should turn FIPS mode on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
-@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) {
-   testHelper(
-     'stdout',
-     [`--openssl-config=${CNF_FIPS_ON}`],
--    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
-+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
-     'require("crypto").getFips()',
-     process.env);
- 
-@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) {
-   testHelper(
-     'stdout',
-     [],
--    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
-+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
-     'require("crypto").getFips()',
-     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON }));
- 
-@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) {
-   testHelper(
-     'stdout',
-     [`--openssl-config=${CNF_FIPS_ON}`],
--    compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED,
-+    testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED,
-     'require("crypto").getFips()',
-     Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
- }
-@@ -136,50 +129,50 @@ testHelper(
- 
- // --enable-fips should take precedence over OpenSSL config file
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
- // OPENSSL_CONF should _not_ make a difference to --enable-fips
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
- 
- // --force-fips should take precedence over OpenSSL config file
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   process.env);
- 
- // Using OPENSSL_CONF should not make a difference to --force-fips
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").getFips()',
-   Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF }));
- 
- // setFipsCrypto should be able to turn FIPS mode on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   [],
--  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").getFips())',
-   process.env);
- 
- // setFipsCrypto should be able to turn FIPS mode on and off
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   [],
--  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").setFips(false),' +
-   'require("crypto").getFips())',
-@@ -187,27 +180,27 @@ testHelper(
- 
- // setFipsCrypto takes precedence over OpenSSL config file, FIPS on
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   [`--openssl-config=${CNF_FIPS_OFF}`],
--  compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").getFips())',
-   process.env);
- 
- // setFipsCrypto takes precedence over OpenSSL config file, FIPS off
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  'stdout',
-   [`--openssl-config=${CNF_FIPS_ON}`],
--  compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING,
-+  FIPS_DISABLED,
-   '(require("crypto").setFips(false),' +
-   'require("crypto").getFips())',
-   process.env);
- 
- // --enable-fips does not prevent use of setFipsCrypto API
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--enable-fips'],
--  compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(false),' +
-   'require("crypto").getFips())',
-   process.env);
-@@ -216,15 +209,15 @@ testHelper(
- testHelper(
-   'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").setFips(false)',
-   process.env);
- 
- // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on)
- testHelper(
--  compiledWithFips() ? 'stdout' : 'stderr',
-+  testFipsCrypto() ? 'stdout' : 'stderr',
-   ['--force-fips'],
--  compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING,
-   '(require("crypto").setFips(true),' +
-   'require("crypto").getFips())',
-   process.env);
-@@ -233,7 +226,7 @@ testHelper(
- testHelper(
-   'stderr',
-   ['--force-fips', '--enable-fips'],
--  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").setFips(false)',
-   process.env);
- 
-@@ -241,6 +234,6 @@ testHelper(
- testHelper(
-   'stderr',
-   ['--enable-fips', '--force-fips'],
--  compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING,
-+  testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING,
-   'require("crypto").setFips(false)',
-   process.env);
-diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
-index 1c91444..1d1605d 100644
---- a/test/parallel/test-process-env-allowed-flags-are-documented.js
-+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
-@@ -45,17 +45,8 @@ const conditionalOpts = [
-     include: common.hasCrypto,
-     filter: (opt) => {
-       return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
--              '--use-openssl-ca' ].includes(opt);
-+              '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt);
-     }
--  }, {
--    // We are using openssl_is_fips from the configuration because it could be
--    // the case that OpenSSL is FIPS compatible but fips has not been enabled
--    // (starting node with --enable-fips). If we use common.hasFipsCrypto
--    // that would only tells us if fips has been enabled, but in this case we
--    // want to check options which will be available regardless of whether fips
--    // is enabled at runtime or not.
--    include: process.config.variables.openssl_is_fips,
--    filter: (opt) => opt.includes('-fips')
-   }, {
-     include: common.hasIntl,
-     filter: (opt) => opt === '--icu-data-dir'
--- 
-2.31.1
-
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 1cdcca4..77e76c5 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -1,5 +1,4 @@
 %bcond_with debug
-%bcond_with libs
 
 # PowerPC, s390x and aarch64 segfault during Debug builds
 # https://github.com/nodejs/node/issues/20642
@@ -42,13 +41,9 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 14
-%global nodejs_minor 18
-%global nodejs_patch 2
+%global nodejs_minor 20
+%global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
-%if %{with libs}
-# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
-%global nodejs_soversion 83
-%endif
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release %{baserelease}
 
@@ -77,7 +72,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 4
+%global llhttp_patch 5
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
@@ -93,7 +88,7 @@
 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
-%global icu_major 69
+%global icu_major 70
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}
 
@@ -126,7 +121,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 15
+%global npm_patch 17
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -176,14 +171,7 @@ Source7: nodejs_native.attr
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 
-%if %{with libs}
-# Patch to install both node and libnode.so, using the correct libdir
-Patch2: 0002-Install-both-binaries-and-use-libdir.patch
-%endif
-
-# Make FIPS always available
-# https://github.com/nodejs/node/issues/34903
-Patch3: 0004-always-available-fips-options.patch
+Patch4: 0001-deps-ansi-regex-fix-potential-ReDoS.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -223,10 +211,6 @@ Requires: openssl >= %{openssl_minimum}
 # we need the system certificate store
 Requires: ca-certificates
 
-%if %{with libs}
-Requires: nodejs-libs%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
-%endif
-
 # Pull in the full-icu data by default
 Recommends: nodejs-full-i18n%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
 
@@ -312,31 +296,6 @@ Requires: libuv-devel%{?_isa}
 Development headers for the Node.js JavaScript runtime.
 
 
-%if %{with libs}
-%package libs
-Summary: Node.js and v8 libraries
-
-# Compatibility for obsolete v8 package
-%if 0%{?__isa_bits} == 64
-Provides: libv8.so.%{v8_major}()(64bit)
-Provides: libv8_libbase.so.%{v8_major}()(64bit)
-Provides: libv8_libplatform.so.%{v8_major}()(64bit)
-%else
-# 32-bits
-Provides: libv8.so.%{v8_major}
-Provides: libv8_libbase.so.%{v8_major}
-Provides: libv8_libplatform.so.%{v8_major}
-%endif
-
-Provides: v8 = %{v8_epoch}:%{v8_version}-%{nodejs_release}%{?dist}
-Provides: v8%{?_isa} = %{v8_epoch}:%{v8_version}-%{nodejs_release}%{?dist}
-Obsoletes: v8 < 1:6.7.17-10
-
-%description libs
-Libraries to support Node.js and provide stable v8 interfaces.
-%endif
-
-
 %package full-i18n
 Summary: Non-English locale data for Node.js
 Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
@@ -346,19 +305,6 @@ Optional data files to provide full-icu support for Node.js. Remove this
 package to save space if non-English locales are not needed.
 
 
-%if %{with libs}
-%package -n v8-devel
-Summary: v8 - development headers
-Epoch: %{v8_epoch}
-Version: %{v8_version}
-Release: %{v8_release}%{?dist}
-Requires: %{name}-devel%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
-
-%description -n v8-devel
-Development headers for the v8 runtime.
-%endif
-
-
 %package -n npm
 Summary: Node.js Package Manager
 Epoch: %{npm_epoch}
@@ -431,17 +377,17 @@ export CXX='g++'
 # build with debugging symbols and add defines from libuv (#892601)
 # Node's v8 breaks with GCC 6 because of incorrect usage of methods on
 # NULL objects. We need to pass -fno-delete-null-pointer-checks
+
 extra_cflags=(
-  -D_LARGEFILE_SOURCE
-  -D_FILE_OFFSET_BITS=64
-  -DZLIB_CONST
-  -fno-delete-null-pointer-checks
+    -D_LARGEFILE_SOURCE
+    -D_FILE_OFFSET_BITS=64
+    -DZLIB_CONST
+    -fno-delete-null-pointer-checks
 )
 export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}"
 export LDFLAGS="%{build_ldflags}"
 
 %{__python3} configure.py --prefix=%{_prefix} \
-           %{?with_libs:--shared --libdir=%{_lib}} \
            --shared-openssl \
            --shared-zlib \
            --shared-brotli \
@@ -450,6 +396,7 @@ export LDFLAGS="%{build_ldflags}"
            %{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \
            --with-intl=small-icu \
            --with-icu-default-data-dir=%{icudatadir} \
+           --without-corepack \
            --openssl-use-def-ca-store \
            --openssl-default-cipher-list=PROFILE=SYSTEM
 
@@ -504,22 +451,6 @@ chrpath --delete %{buildroot}%{_bindir}/node
 install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
 %endif
 
-%if %{with libs}
-# Install library symlink
-ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/libnode.so
-
-# Install v8 compatibility symlinks
-for header in %{buildroot}%{_includedir}/node/libplatform %{buildroot}%{_includedir}/node/v8*.h; do
-    header=$(basename ${header})
-    ln -s %{_includedir}/node/${header} %{buildroot}%{_includedir}/${header}
-done
-ln -s ./node/cppgc %{buildroot}%{_includedir}/cppgc
-for soname in libv8 libv8_libbase libv8_libplatform; do
-    ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so
-    ln -s %{_libdir}/libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so.%{v8_major}
-done
-%endif
-
 # own the sitelib directory
 mkdir -p %{buildroot}%{_prefix}/lib/node_modules
 
@@ -553,7 +484,7 @@ cp -pr deps/npm/man/* %{buildroot}%{_mandir}/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/man
 ln -sf %{_mandir}  %{buildroot}%{_prefix}/lib/node_modules/npm/man
 
-# Install Gatsby HTML documentation to %{_pkgdocdir}
+# Install Gatsby HTML documentation to %%{_pkgdocdir}
 cp -pr deps/npm/docs %{buildroot}%{_pkgdocdir}/npm/
 rm -rf %{buildroot}%{_prefix}/lib/node_modules/npm/docs
 
@@ -591,18 +522,6 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
 
 
 %check
-%if %{with libs}
-# Fail the build if the versions don't match
-LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
-LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
-LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
-
-# Ensure we have punycode and that the version matches
-LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
-
-# Ensure we have npm and that the version matches
-NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
-%else
 # Fail the build if the versions don't match
 %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
 %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
@@ -613,7 +532,6 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 
 # Ensure we have npm and that the version matches
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"npm\").version, '%{npm_version}')"
-%endif
 
 # Make sure i18n support is working
 NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
@@ -683,26 +601,6 @@ if st and st.type == "directory" then
 end
 
 
-%if %{with libs}
-%pretrans -n v8-devel -p <lua>
--- Replace the v8 libplatform include directory with a symlink
--- Drop this scriptlet when F30 is EOL
-path = "%{_includedir}/libplatform"
-st = posix.stat(path)
-if st and st.type == "directory" then
-  status = os.rename(path, path .. ".rpmmoved")
-  if not status then
-    suffix = 0
-    while not status do
-      suffix = suffix + 1
-      status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
-    end
-    os.rename(path, path .. ".rpmmoved")
-  end
-end
-%endif
-
-
 %files
 %{_bindir}/node
 %dir %{_prefix}/lib/node_modules
@@ -726,7 +624,6 @@ end
 %files devel
 %{?with_debug:%{_bindir}/node_g}
 %{_includedir}/node
-%{?with_libs:%{_libdir}/libnode.so}
 %{_datadir}/node/common.gypi
 %{_pkgdocdir}/gdbinit
 
@@ -736,26 +633,6 @@ end
 %{icudatadir}/icudt%{icu_major}*.dat
 
 
-%if %{with libs}
-%files libs
-%{_libdir}/libnode.so.%{nodejs_soversion}
-%{_libdir}/libv8.so.%{v8_major}
-%{_libdir}/libv8_libbase.so.%{v8_major}
-%{_libdir}/libv8_libplatform.so.%{v8_major}
-%dir %{nodejs_datadir}/
-
-
-%files -n v8-devel
-%{_includedir}/libplatform
-%{_includedir}/v8*.h
-%{_includedir}/cppgc
-%{_libdir}/libv8.so
-%{_libdir}/libv8_libbase.so
-%{_libdir}/libv8_libplatform.so
-%ghost %{_includedir}/libplatform.rpmmoved
-%endif
-
-
 %files -n npm
 %{_bindir}/npm
 %{_bindir}/npx
@@ -791,11 +668,26 @@ end
 
 
 %changelog
-* Wed May 25 2022 Jan Staněk <jstanek@redhat.com> - 1:14.18.2-2
+* Tue Aug 02 2022 Zuzana Svetlikova <zsvetlik@redhat.com - 1:14.20.0-2
 - Replace with_* macros with RPM confitionals
 - Unify configure calls into single command
 - Refactor bootstrap-related parts
 - Decouple dependency bundling from bootstrapping
+- Resolves: RHBZ#2111417
+
+* Mon Jul 25 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.20.0-1
+- Rebase to latest version
+- Resolves: RHBZ#2106367
+- CVE fixes for CVE-2022-32212/3/4/5
+- Resolves: #2109576, #2109579, #2109582, #2109585
+
+* Tue Jan 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-3
+- Resolves: RHBZ#2029519
+- Add missing BZ to changelog
+
+* Mon Dec 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-2
+- Add missing fixes
+- Resolves: RHBZ#2027641, RHBZ#2027634
 
 * Wed Dec 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.18.2-1
 - Resolves: RHBZ#2026325