diff --git a/.gitignore b/.gitignore
index 5529c49..3f9ed36 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.18.2-stripped.tar.gz
+SOURCES/node-v12.20.1-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index b816f66..45b7698 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-b8955ce8e33b4c1cfdd4c5be22f70f3419ce63df SOURCES/node-v12.18.2-stripped.tar.gz
+f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz
diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
index 79dc997..4d59d71 100644
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@@ -1,25 +1,26 @@
-From 4509b10cbe5d22216a7880cc7fb6bd5f92b18018 Mon Sep 17 00:00:00 2001
+From 641730c7d1322dacd8e1020ec0753795d01200f0 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Thu, 27 Apr 2017 14:25:42 +0200
-Subject: [PATCH 1/5] Disable running gyp on shared deps
+Subject: [PATCH] Disable running gyp on shared deps
 
+Signed-off-by: rpm-build <rpm-build>
 ---
  Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 56f5358..f289f25 100644
+index 32a8a6c..f44f88a 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -141,7 +141,7 @@ test-code-cache: with-code-cache
  	echo "'test-code-cache' target is a noop"
-
+ 
  out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \
 +	deps/http_parser/http_parser.gyp \
  	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
  	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
  	$(PYTHON) tools/gyp_node.py -f make
---
-2.24.1
+-- 
+2.26.2
 
diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
new file mode 100644
index 0000000..88a9d75
--- /dev/null
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
++++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
++  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
new file mode 100644
index 0000000..c2b1f3e
--- /dev/null
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@@ -0,0 +1,99 @@
+From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js        |  8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
++++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+     if (!match) return
+     if (match[1] !== undefined) {
+       section = unsafe(match[1])
++      if (section === '__proto__') {
++        // not allowed
++        // keep parsing the section, but don't attach it.
++        p = {}
++        return
++      }
+       p = out[section] = out[section] || {}
+       return
+     }
+@@ -94,6 +100,7 @@ function decode (str) {
+     // Convert keys with '[]' suffix to an array
+     if (key.length > 2 && key.slice(-2) === '[]') {
+       key = key.substring(0, key.length - 2)
++      if (key === '__proto__') return
+       if (!p[key]) {
+         p[key] = []
+       } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+     var l = parts.pop()
+     var nl = l.replace(/\\\./g, '.')
+     parts.forEach(function (part, _, __) {
++      if (part === '__proto__') return
+       if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+       p = p[part]
+     })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++  foo: 'baz',
++  other: {
++    foo: 'asdf',
++  },
++  kid: {
++    foo: {
++      foo: 'kid',
++    },
++  },
++  arrproto: {
++    hello: 'snyk',
++    thanks: true,
++  },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 6901062..fc6939a 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -1,6 +1,10 @@
 %global with_debug 0
 %global with_libs 0
 
+# set to 1 for RHEL >= 8.3
+# RHBZ#1856776 - brotli needed for nodejs-devel is not available
+%bcond_with shared_brotli
+
 # PowerPC, s390x and aarch64 segfault during Debug builds
 # https://github.com/nodejs/node/issues/20642
 %ifarch %{power64} s390x aarch64
@@ -25,8 +29,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 12
-%global nodejs_minor 18
-%global nodejs_patch 2
+%global nodejs_minor 20
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -54,24 +58,24 @@
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 16
-%global c_ares_patch 0
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # http-parser - from deps/http_parser/http_parser.h
 %global http_parser_major 2
 %global http_parser_minor 9
-%global http_parser_patch 3
+%global http_parser_patch 4
 %global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
 
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
-%global llhttp_minor 0
-%global llhttp_patch 4
+%global llhttp_minor 1
+%global llhttp_patch 3
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 38
+%global libuv_minor 40
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 
@@ -102,13 +106,13 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 5
+%global npm_patch 10
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 9
+%global uvwasi_patch 11
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 
 # histogram_c - assumed from timestamps
@@ -117,6 +121,12 @@
 %global histogram_patch 7
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
 
+# brotli - from deps/brotli/c/common/version.h
+%global brotli_major 1
+%global brotli_minor 0
+%global brotli_patch 9
+%global brotli_version %{brotli_major}.%{brotli_minor}.%{brotli_patch}
+
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
 # to increment safely. Changing this can only be done during an update when the
@@ -157,10 +167,15 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
 
+# CVE-2020-7774
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
-BuildRequires: brotli-devel
 BuildRequires: gcc >= 6.3.0
 BuildRequires: gcc-c++ >= 6.3.0
 # needed to generate bundled provides for npm dependencies
@@ -180,12 +195,18 @@ BuildRequires: libuv-devel >= 1:%{libuv_version}
 Requires: libuv >= 1:%{libuv_version}
 BuildRequires: libnghttp2-devel >= %{nghttp2_version}
 Requires: libnghttp2 >= %{nghttp2_version}
+%endif
 
 # Temporarily bundle http-parser and llhttp because the latter
 # isn't packaged yet and they are controlled by the same
 # configure flag.
 Provides: bundled(http-parser) = %{http_parser_version}
 Provides: bundled(llhttp) = %{llhttp_version}
+
+%if %{with shared_brotli}
+BuildRequires: brotli-devel
+%else
+Provides: bundled(brotli) = %{brotli_version}
 %endif
 
 BuildRequires: openssl-devel
@@ -272,7 +293,9 @@ Group: Development/Languages
 Requires: %{name}%{?_isa} = %{epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
 Requires: openssl-devel%{?_isa}
 Requires: zlib-devel%{?_isa}
+%if %{with shared_brotli}
 Requires: brotli-devel%{?_isa}
+%endif
 Requires: nodejs-packaging
 
 %if %{with bootstrap}
@@ -373,7 +396,9 @@ The API documentation for the Node.js JavaScript runtime.
 
 # remove bundled dependencies that we aren't building
 rm -rf deps/zlib
+%if %{with shared_brotli}
 rm -rf deps/brotli
+%endif
 
 # Replace any instances of unversioned python' with python2
 pathfix.py -i %{__python2} -pn $(find -type f ! -name "*.js")
@@ -417,11 +442,40 @@ export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' '  ')"
 
 export LDFLAGS="%{build_ldflags}"
 
-%if %{?with_libs} == 1
+# we're not building with libs in RHEL, so let's comment this out
+# for the sake of readability
+#%if %{?with_libs} == 1
+#%if %{with bootstrap}
+#./configure --prefix=%{_prefix} \
+#           --shared \
+#           --libdir=%{_lib} \
+#           --shared-openssl \
+#           --shared-zlib \
+#           --shared-brotli \
+#           --without-dtrace \
+#           --with-intl=small-icu \
+#           --debug-nghttp2 \
+#           --openssl-use-def-ca-store
+#%else
+#./configure --prefix=%{_prefix} \
+#           --shared \
+#           --libdir=%{_lib} \
+#           --shared-openssl \
+#           --shared-zlib \
+#           --shared-brotli \
+#           --shared-libuv \
+#           --shared-nghttp2 \
+#           --with-dtrace \
+#           --with-intl=%{icu_flag} \
+#           --with-icu-default-data-dir=%{icudatadir} \
+#           --debug-nghttp2 \
+#           --openssl-use-def-ca-store
+#%endif
+
+%if %{with shared_brotli}
+
 %if %{with bootstrap}
 ./configure --prefix=%{_prefix} \
-           --shared \
-           --libdir=%{_lib} \
            --shared-openssl \
            --shared-zlib \
            --shared-brotli \
@@ -431,8 +485,6 @@ export LDFLAGS="%{build_ldflags}"
            --openssl-use-def-ca-store
 %else
 ./configure --prefix=%{_prefix} \
-           --shared \
-           --libdir=%{_lib} \
            --shared-openssl \
            --shared-zlib \
            --shared-brotli \
@@ -444,12 +496,13 @@ export LDFLAGS="%{build_ldflags}"
            --debug-nghttp2 \
            --openssl-use-def-ca-store
 %endif
+
 %else
+
 %if %{with bootstrap}
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
            --shared-zlib \
-           --shared-brotli \
            --without-dtrace \
            --with-intl=small-icu \
            --debug-nghttp2 \
@@ -458,7 +511,6 @@ export LDFLAGS="%{build_ldflags}"
 ./configure --prefix=%{_prefix} \
            --shared-openssl \
            --shared-zlib \
-           --shared-brotli \
            --shared-libuv \
            --shared-nghttp2 \
            --with-dtrace \
@@ -467,6 +519,7 @@ export LDFLAGS="%{build_ldflags}"
            --debug-nghttp2 \
            --openssl-use-def-ca-store
 %endif
+
 %endif
 
 %if %{?with_debug} == 1
@@ -817,6 +870,23 @@ end
 
 
 %changelog
+* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1
+- Security rebase for January security release
+- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
+- Resolves: RHBZ#1916460, RHBZ#1914786
+- Resolves: RHBZ#1914784, RHBZ#1916396
+
+* Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1
+- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
+- c-ares, ajv and y18n CVEs and yarn installability issues
+
+* Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2
+- Fix RHBZ#1856776 - nodejs-devel not installable due to missing brotli
+- Some spec fixes
+
+* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-1
+- Rebase to 12.18.4
+
 * Tue Jun 30 2020 Jan Staněk <jstanek@redhat.com> - 12.18.2-1
 - Rebase to 12.18.2