diff --git a/.gitignore b/.gitignore
index 0b6d40a..a6e94a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-71_1-src.tgz
-SOURCES/node-v16.17.1-stripped.tar.gz
-SOURCES/undici-5.8.0.tar.gz
+SOURCES/node-v16.18.1-stripped.tar.gz
+SOURCES/undici-5.10.0.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index 9e157c7..6d890b2 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,6 +1,6 @@
-6976e77068429bd0b47b573793289e065ceb6b27 SOURCES/cjs-module-lexer-1.2.2.tar.gz
+b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
-34ffd79dbdcb5aecebbb117d28023cac56414b80 SOURCES/node-v16.17.1-stripped.tar.gz
-ef225709142c4bd9fbb37598ff42a1228951e48b SOURCES/undici-5.8.0.tar.gz
+71f2019e8d646be20ec962859e6a356b13663313 SOURCES/node-v16.18.1-stripped.tar.gz
+a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/SOURCES/0002-Install-both-binaries-and-use-libdir.patch b/SOURCES/0002-Install-both-binaries-and-use-libdir.patch
deleted file mode 100644
index ed89d0d..0000000
--- a/SOURCES/0002-Install-both-binaries-and-use-libdir.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From e2ff0fc92ddbaa5535d684e353c55cefe99eb081 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 27 Sep 2022 13:48:12 +0200
-Subject: [PATCH] Install both binaries and use libdir
-
-Signed-off-by: rpm-build <rpm-build>
----
- configure.py     | 7 +++++++
- tools/install.py | 8 +++++---
- 2 files changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/configure.py b/configure.py
-index 1a7023d..b16db0c 100755
---- a/configure.py
-+++ b/configure.py
-@@ -739,6 +739,12 @@ parser.add_argument('--shared',
-     help='compile shared library for embedding node in another project. ' +
-          '(This mode is not officially supported for regular applications)')
- 
-+parser.add_argument('--libdir',
-+    action='store',
-+    dest='libdir',
-+    default='lib',
-+    help='a directory to install the shared library into')
-+
- parser.add_argument('--without-v8-platform',
-     action='store_true',
-     dest='without_v8_platform',
-@@ -1368,6 +1374,7 @@ def configure_node(o):
-   o['variables']['node_no_browser_globals'] = b(options.no_browser_globals)
- 
-   o['variables']['node_shared'] = b(options.shared)
-+  o['variables']['libdir'] = options.libdir
-   node_module_version = getmoduleversion.get_version()
- 
-   if options.dest_os == 'android':
-diff --git a/tools/install.py b/tools/install.py
-index a6d1f8b..e3ef9d7 100755
---- a/tools/install.py
-+++ b/tools/install.py
-@@ -144,6 +144,7 @@ def files(action):
-   is_windows = sys.platform == 'win32'
-   output_file = 'node'
-   output_prefix = 'out/Release/'
-+  output_libprefix = output_prefix
- 
-   if is_windows:
-     output_file += '.exe'
-@@ -151,8 +152,8 @@ def files(action):
- 
-   if 'true' == variables.get('node_shared'):
-     if is_windows:
--      action([output_prefix + 'libnode.dll'], 'bin/libnode.dll')
--      action([output_prefix + 'libnode.lib'], 'lib/libnode.lib')
-+      action([output_libprefix + 'libnode.dll'], 'bin/libnode.dll')
-+      action([output_libprefix + 'libnode.lib'], 'lib/libnode.lib')
-     elif sys.platform == 'zos':
-       # GYP will output to lib.target; see _InstallableTargetInstallPath
-       # function in tools/gyp/pylib/gyp/generator/make.py
-@@ -176,7 +177,8 @@ def files(action):
-       try_symlink(so_name, link_path)
-     else:
-       output_lib = 'libnode.' + variables.get('shlib_suffix')
--      action([output_prefix + output_lib], 'lib/' + output_lib)
-+      action([output_libprefix + output_lib], variables.get('libdir') + '/' + output_lib)
-+
-   if 'true' == variables.get('node_use_dtrace'):
-     action(['out/Release/node.d'], 'lib/dtrace/node.d')
- 
--- 
-2.37.3
-
diff --git a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
new file mode 100644
index 0000000..f055d91
--- /dev/null
+++ b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
@@ -0,0 +1,31 @@
+From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Mon, 26 Sep 2022 16:02:39 +0200
+Subject: [PATCH] install: keep installing dtrace and systemtap files
+
+Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6.
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ tools/install.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/install.py b/tools/install.py
+index 4b01d67..dc16797 100755
+--- a/tools/install.py
++++ b/tools/install.py
+@@ -178,6 +178,11 @@ def files(action):
+       output_lib = 'libnode.' + variables.get('shlib_suffix')
+       action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib)
+ 
++  if 'true' == variables.get('node_use_dtrace'):
++    action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
++
++  action(['src/node.stp'], 'share/systemtap/tapset/')
++
+   action(['deps/v8/tools/gdbinit'], 'share/doc/node/')
+   action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/')
+ 
+-- 
+2.37.3
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index b0215c7..51541db 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -30,7 +30,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 3
 
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
 
@@ -41,7 +41,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 17
+%global nodejs_minor 18
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -69,7 +69,7 @@
 %global c_ares_version 1.18.1
 
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 6.0.9
+%global llhttp_version 6.0.10
 
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_version 1.43.0
@@ -79,14 +79,14 @@
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
-%global nghttp3_minor 1
-%global nghttp3_patch 0-DEV
+%global nghttp3_minor 7
+%global nghttp3_patch 0
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}
 
 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %global ngtcp2_major 0
-%global ngtcp2_minor 1
-%global ngtcp2_patch 0-DEV
+%global ngtcp2_minor 8
+%global ngtcp2_patch 1
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 
 # ICU - from tools/icu/current_ver.dep
@@ -118,7 +118,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 8.15.0
+%global npm_version 8.19.2
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -127,10 +127,10 @@
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_version 0.0.12
+%global uvwasi_version 0.0.13
 
 # histogram_c - assumed from timestamps
-%global histogram_version 0.9.7
+%global histogram_version 0.11.2
 
 Name: nodejs
 Epoch: %{nodejs_epoch}
@@ -170,18 +170,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
 
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.8.0.tar.gz
-# Adjustments: rm -f undici-5.8.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.8.0.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz
+# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.10.0.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-
-# Patch to install both node and libnode.so, using the correct libdir
-Patch2: 0002-Install-both-binaries-and-use-libdir.patch
+Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -406,6 +404,22 @@ rm -rf deps/brotli
 rm -rf deps/v8/third_party/jinja2
 rm -rf tools/inspector_protocol/jinja2
 
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+  local -r name="$1" source="$2" packagejson="$3"
+  local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+  if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+    printf '%s version matches\n' "${name}" >&2
+  else
+    printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+    return 1
+  fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+check_wasm_dep undici           '%{SOURCE111}' deps/undici/src/package.json
+
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
@@ -436,21 +450,13 @@ export CXX='%{__cxx}'
 # build with debugging symbols and add defines from libuv (#892601)
 # Node's v8 breaks with GCC 6 because of incorrect usage of methods on
 # NULL objects. We need to pass -fno-delete-null-pointer-checks
-export CFLAGS='%{optflags} \
-               -D_LARGEFILE_SOURCE \
-               -D_FILE_OFFSET_BITS=64 \
-               -DZLIB_CONST \
-               -fno-delete-null-pointer-checks'
-export CXXFLAGS='%{optflags} \
-                 -D_LARGEFILE_SOURCE \
-                 -D_FILE_OFFSET_BITS=64 \
-                 -DZLIB_CONST \
-                 -fno-delete-null-pointer-checks'
-
-# Explicit new lines in C(XX)FLAGS can break naive build scripts
-export CFLAGS="$(echo ${CFLAGS} | tr '\n\\' '  ')"
-export CXXFLAGS="$(echo ${CXXFLAGS} | tr '\n\\' '  ')"
-
+extra_cflags=(
+    -D_LARGEFILE_SOURCE
+    -D_FILE_OFFSET_BITS=64
+    -DZLIB_CONST
+    -fno-delete-null-pointer-checks
+)
+export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cflags[*]}"
 export LDFLAGS="%{build_ldflags}"
 
 %{__python3} configure.py --prefix=%{_prefix} \
@@ -461,7 +467,7 @@ export LDFLAGS="%{build_ldflags}"
            --shared-brotli \
            %{!?with_bundled:--shared-libuv} \
            %{!?with_bundled:--shared-nghttp2} \
-           --with-dtrace \
+           %{?with_bundled:--without-dtrace}%{!?with_bundled:--with-dtrace} \
            --with-intl=small-icu \
            --with-icu-default-data-dir=%{icudatadir} \
            --without-corepack \
@@ -635,11 +641,14 @@ end
 %dir %{_datadir}/systemtap/tapset
 %{_datadir}/systemtap/tapset/node.stp
 
+%if %{without bundled}
 %dir %{_usr}/lib/dtrace
 %{_usr}/lib/dtrace/node.d
+%endif
 
 %{_rpmconfigdir}/fileattrs/nodejs_native.attr
 %{_rpmconfigdir}/nodejs_native.req
+%license LICENSE
 %doc AUTHORS CHANGELOG.md onboarding.md GOVERNANCE.md README.md
 %doc %{_mandir}/man1/node.1*
 
@@ -690,6 +699,7 @@ end
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/logging.7*
 %doc %{_mandir}/man7/orgs.7*
@@ -709,6 +719,21 @@ end
 
 
 %changelog
+* Wed Dec 07 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-3
+- Update sources of undici WASM blobs
+  Resolves: rhbz#2151617
+
+* Mon Dec 05 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.18.1-2
+- Add back libs and v8-devel subpackages
+- Related: RHBZ#2121126
+- Record previously fixed CVE
+- Resolves: CVE-2021-44906
+
+* Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.18.1-1
+- Rebase + CVEs
+- Resolves: #2142808
+- Resolves: #2142826, #2131745, #2142855
+
 * Tue Sep 27 2022 Jan Staněk <jstanek@redhat.com> - 16.17.1-1
 - Rebase to version 16.17.1
   Resolves: CVE-2022-35255 CVE-2022-35256
@@ -726,9 +751,9 @@ end
 - Apply lock file validation fixes
   Resolves: CVE-2021-43616
 
-* Mon Mar 07 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-3
-- Resolves: #2059949
-- Make Brew not append ~bootstrap when the macro is used
+* Thu Mar 31 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-3
+- Refactor bootstap handling and configure script invocation
+  Resolves: rhbz#2056969
 
 * Sun Feb 13 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-2
 - Build with bootstrap by default due to old versions of dependencies available