diff --git a/.gitignore b/.gitignore
index f6ecfb1..86e0b6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v14.11.0-stripped.tar.gz
+SOURCES/node-v14.15.4-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index bd287fb..24b324b 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-b279c48dbfa71187a214c87b9bbc330049213ca9 SOURCES/node-v14.11.0-stripped.tar.gz
+5defcd39ec57a7d529ae6343b9022f2c0e5e6e5f SOURCES/node-v14.15.4-stripped.tar.gz
diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
index bfc879c..361ea08 100644
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@@ -1,6 +1,6 @@
-From 65f5eb67f4691ab535cc00240a00bd33efe29969 Mon Sep 17 00:00:00 2001
+From b0b4d1ddbc720db73fb8ab13cdbbf1ce6524eebd Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
-Date: Thu, 27 Apr 2017 14:25:42 +0200
+Date: Fri, 17 Apr 2020 12:59:44 +0200
Subject: [PATCH 1/2] Disable running gyp on shared deps
---
@@ -8,18 +8,22 @@ Subject: [PATCH 1/2] Disable running gyp on shared deps
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
-index 34cdec7f7767b5152678adaeea10a8cf711fb9a8..3b548907033108831e99e054bc84d3ce91daa25c 100644
+index 93d63110ae2e3928a95d24036b86d11885ab240f..79caaec2112cefa8f6a1c947375b517e9676f176 100644
--- a/Makefile
+++ b/Makefile
-@@ -141,7 +141,7 @@ test-code-cache: with-code-cache
- echo "'test-code-cache' target is a noop"
-
+@@ -136,11 +136,11 @@ endif
+ .PHONY: test-code-cache
+ with-code-cache test-code-cache:
+ $(warning '$@' target is a noop)
+
out/Makefile: config.gypi common.gypi node.gyp \
- deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
-+ deps/uv/uv.gyp deps/llhttp/llhttp.gyp \
++ deps/llhttp/llhttp.gyp \
tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
---
-2.24.1
+
+ # node_version.h is listed because the N-API version is taken from there
+--
+2.29.2
diff --git a/SOURCES/0003-yarn-not-installable-on-aarch64.patch b/SOURCES/0003-yarn-not-installable-on-aarch64.patch
new file mode 100644
index 0000000..dd4a3bb
--- /dev/null
+++ b/SOURCES/0003-yarn-not-installable-on-aarch64.patch
@@ -0,0 +1,92 @@
+ From d4d05ceb418c525b0d07e76b81b8694ac2f5b309 Mon Sep 17 00:00:00 2001
+From: Daniel Bevenius <daniel.bevenius@gmail.com>
+Date: Wed, 16 Sep 2020 06:12:54 +0200
+Subject: [PATCH] [deps] V8: cherry-pick 71736859756b2bd0444bdb0a87a
+
+Original commit message:
+
+ [heap] Add large_object_threshold to AllocateRaw
+
+ This commit adds a check in Heap::AllocateRaw when setting the
+ large_object variable, when the AllocationType is of type kCode, to
+ take into account the size of the CodeSpace's area size.
+
+ The motivation for this change is that without this check it is
+ possible that size_in_bytes is less than 128, and hence not considered
+ a large object, but it might be larger than the available space
+ in code_space->AreaSize(), which will cause the object to be created
+ in the CodeLargeObjectSpace. This will later cause a segmentation fault
+ when calling the following chain of functions:
+
+ if (!large_object) {
+ MemoryChunk::FromHeapObject(heap_object)
+ ->GetCodeObjectRegistry()
+ ->RegisterNewlyAllocatedCodeObject(heap_object.address());
+ }
+
+ We (Red Hat) ran into this issue when running Node.js v12.16.1 in
+ combination with yarn on aarch64 (this was the only architecture that
+ this happed on).
+
+ Bug: v8:10808
+ Change-Id: I0c396b0eb64bc4cc91d9a3be521254f3130eac7b
+ Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2390665
+ Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
+ Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
+ Cr-Commit-Position: refs/heads/master@{#69876}
+
+Refs: https://github.com/v8/v8/commit/71736859756b2bd0444bdb0a87a61a0b090cbba2
+---
+ deps/v8/src/heap/heap-inl.h | 13 +++--
+ deps/v8/src/heap/heap.h | 6 ++-
+ 4 files changed, 83 insertions(+), 6 deletions(-)
+
+diff --git a/deps/v8/src/heap/heap-inl.h b/deps/v8/src/heap/heap-inl.h
+index 39f5ec6c66e..b56ebc03d58 100644
+--- a/deps/v8/src/heap/heap-inl.h
++++ b/deps/v8/src/heap/heap-inl.h
+@@ -192,7 +192,12 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
+ IncrementObjectCounters();
+ #endif
+
+- bool large_object = size_in_bytes > kMaxRegularHeapObjectSize;
++ size_t large_object_threshold =
++ AllocationType::kCode == type
++ ? std::min(kMaxRegularHeapObjectSize, code_space()->AreaSize())
++ : kMaxRegularHeapObjectSize;
++ bool large_object =
++ static_cast<size_t>(size_in_bytes) > large_object_threshold;
+
+ HeapObject object;
+ AllocationResult allocation;
+@@ -225,10 +230,10 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type,
+ allocation = old_space_->AllocateRaw(size_in_bytes, alignment, origin);
+ }
+ } else if (AllocationType::kCode == type) {
+- if (size_in_bytes <= code_space()->AreaSize() && !large_object) {
+- allocation = code_space_->AllocateRawUnaligned(size_in_bytes);
+- } else {
++ if (large_object) {
+ allocation = code_lo_space_->AllocateRaw(size_in_bytes);
++ } else {
++ allocation = code_space_->AllocateRawUnaligned(size_in_bytes);
+ }
+ } else if (AllocationType::kMap == type) {
+ allocation = map_space_->AllocateRawUnaligned(size_in_bytes);
+diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h
+index 888d174c02f..0165fa6970f 100644
+--- a/deps/v8/src/heap/heap.h
++++ b/deps/v8/src/heap/heap.h
+@@ -1404,8 +1404,10 @@ class Heap {
+ // Heap object allocation tracking. ==========================================
+ // ===========================================================================
+
+- void AddHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
+- void RemoveHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker);
++ V8_EXPORT_PRIVATE void AddHeapObjectAllocationTracker(
++ HeapObjectAllocationTracker* tracker);
++ V8_EXPORT_PRIVATE void RemoveHeapObjectAllocationTracker(
++ HeapObjectAllocationTracker* tracker);
+ bool has_heap_object_allocation_tracker() const {
+ return !allocation_trackers_.empty();
+ }
diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
new file mode 100644
index 0000000..88a9d75
--- /dev/null
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
++++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+ this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+
+ // internal stuff.
+- this.cache = {}
++ this.cache = Object.create(null)
+ this.writeQueue = []
+ }
+
diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
new file mode 100644
index 0000000..c2b1f3e
--- /dev/null
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@@ -0,0 +1,99 @@
+From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js | 8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
++++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+ if (!match) return
+ if (match[1] !== undefined) {
+ section = unsafe(match[1])
++ if (section === '__proto__') {
++ // not allowed
++ // keep parsing the section, but don't attach it.
++ p = {}
++ return
++ }
+ p = out[section] = out[section] || {}
+ return
+ }
+@@ -94,6 +100,7 @@ function decode (str) {
+ // Convert keys with '[]' suffix to an array
+ if (key.length > 2 && key.slice(-2) === '[]') {
+ key = key.substring(0, key.length - 2)
++ if (key === '__proto__') return
+ if (!p[key]) {
+ p[key] = []
+ } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+ var l = parts.pop()
+ var nl = l.replace(/\\\./g, '.')
+ parts.forEach(function (part, _, __) {
++ if (part === '__proto__') return
+ if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+ p = p[part]
+ })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++ foo: 'baz',
++ other: {
++ foo: 'asdf',
++ },
++ kid: {
++ foo: {
++ foo: 'kid',
++ },
++ },
++ arrproto: {
++ hello: 'snyk',
++ thanks: true,
++ },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 7d31933..80e4730 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -15,7 +15,7 @@
# This is used by both the nodejs package and the npm subpackage thar
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -26,8 +26,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 14
-%global nodejs_minor 11
-%global nodejs_patch 0
+%global nodejs_minor 15
+%global nodejs_patch 4
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
%if %{?with_libs} == 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -55,18 +55,18 @@
# https://github.com/nodejs/node/pull/9332
%global c_ares_major 1
%global c_ares_minor 16
-%global c_ares_patch 0
+%global c_ares_patch 1
%global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_major 2
%global llhttp_minor 1
-%global llhttp_patch 2
+%global llhttp_patch 3
%global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
# libuv - from deps/uv/include/uv/version.h
%global libuv_major 1
-%global libuv_minor 39
+%global libuv_minor 40
%global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
@@ -110,13 +110,13 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
-%global npm_patch 8
+%global npm_patch 10
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_major 0
%global uvwasi_minor 0
-%global uvwasi_patch 10
+%global uvwasi_patch 11
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
# histogram_c - assumed from timestamps
@@ -165,6 +165,15 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-Install-both-binaries-and-use-libdir.patch
%endif
+# RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64
+Patch3: 0003-yarn-not-installable-on-aarch64.patch
+
+# CVE-2020-7774
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+
BuildRequires: python3-devel
BuildRequires: zlib-devel
BuildRequires: brotli-devel
@@ -819,6 +828,20 @@ end
%changelog
+* Tue Jan 26 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-2
+- Add patch for yarn crash
+- Resolves: RHBZ#1916465
+
+* Tue Jan 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-1
+- Security rebase to 14.15.4
+- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
+- Resolves: RHBZ#1916463, RHBZ#1914788
+- Resolves: RHBZ#1914785, RHBZ#1916387, RHBZ#1916389, RHBZ#1916390, RHBZ#1916690
+
+* Thu Oct 29 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.0-1
+- Update to LTS release
+- Rebase: RHBZ#1891809
+
* Mon Sep 21 2020 Jan Staněk <jstanek@redhat.com> - 1:14.11.0-1
- Security update to 14.11.0