diff --git a/.gitignore b/.gitignore
index 5529c49..09a0bd2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.18.2-stripped.tar.gz
+SOURCES/node-v12.18.4-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index b816f66..76a9a3f 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-b8955ce8e33b4c1cfdd4c5be22f70f3419ce63df SOURCES/node-v12.18.2-stripped.tar.gz
+31bb163dc0d11a30767ce9b71f1283d9b8d93903 SOURCES/node-v12.18.4-stripped.tar.gz
diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
index 79dc997..4d59d71 100644
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@@ -1,25 +1,26 @@
-From 4509b10cbe5d22216a7880cc7fb6bd5f92b18018 Mon Sep 17 00:00:00 2001
+From 641730c7d1322dacd8e1020ec0753795d01200f0 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Thu, 27 Apr 2017 14:25:42 +0200
-Subject: [PATCH 1/5] Disable running gyp on shared deps
+Subject: [PATCH] Disable running gyp on shared deps
 
+Signed-off-by: rpm-build <rpm-build>
 ---
  Makefile | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/Makefile b/Makefile
-index 56f5358..f289f25 100644
+index 32a8a6c..f44f88a 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -141,7 +141,7 @@ test-code-cache: with-code-cache
  	echo "'test-code-cache' target is a noop"
-
+ 
  out/Makefile: config.gypi common.gypi node.gyp \
 -	deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \
 +	deps/http_parser/http_parser.gyp \
  	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
  	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
  	$(PYTHON) tools/gyp_node.py -f make
---
-2.24.1
+-- 
+2.26.2
 
diff --git a/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
new file mode 100644
index 0000000..b078f92
--- /dev/null
+++ b/SOURCES/0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
@@ -0,0 +1,106 @@
+From 9473adba9cba6767e8e506f8f19e0ff8f66920be Mon Sep 17 00:00:00 2001
+From: Marco Carini <cmdcarini@gmail.com>
+Date: Mon, 3 Aug 2020 17:16:07 -0500
+Subject: [PATCH] dot-prop: patch 4.2.0 with fixes for CVE-2020-8116
+
+Adjusted from
+https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587.patch
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++
+ deps/npm/node_modules/dot-prop/package.json |  6 +++---
+ deps/npm/node_modules/dot-prop/readme.md    |  2 ++
+ 3 files changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
+index 15282bb..189831c 100644
+--- a/deps/npm/node_modules/dot-prop/index.js
++++ b/deps/npm/node_modules/dot-prop/index.js
+@@ -1,6 +1,14 @@
+ 'use strict';
+ const isObj = require('is-obj');
+ 
++const disallowedKeys = [
++	'__proto__',
++	'prototype',
++	'constructor'
++];
++
++const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
++
+ function getPathSegments(path) {
+ 	const pathArr = path.split('.');
+ 	const parts = [];
+@@ -16,6 +24,10 @@ function getPathSegments(path) {
+ 		parts.push(p);
+ 	}
+ 
++	if (!isValidPath(parts)) {
++		return [];
++	}
++
+ 	return parts;
+ }
+ 
+@@ -26,6 +38,9 @@ module.exports = {
+ 		}
+ 
+ 		const pathArr = getPathSegments(path);
++		if (pathArr.length === 0) {
++			return;
++		}
+ 
+ 		for (let i = 0; i < pathArr.length; i++) {
+ 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
+@@ -58,6 +73,9 @@ module.exports = {
+ 
+ 		const root = obj;
+ 		const pathArr = getPathSegments(path);
++		if (pathArr.length === 0) {
++			return;
++		}
+ 
+ 		for (let i = 0; i < pathArr.length; i++) {
+ 			const p = pathArr[i];
+diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
+index 40fefa3..93daf7d 100644
+--- a/deps/npm/node_modules/dot-prop/package.json
++++ b/deps/npm/node_modules/dot-prop/package.json
+@@ -37,9 +37,9 @@
+   "deprecated": false,
+   "description": "Get, set, or delete a property from a nested object using a dot path",
+   "devDependencies": {
+-    "ava": "*",
++    "ava": "1.4.1",
+     "matcha": "^0.7.0",
+-    "xo": "*"
++    "xo": "0.24.0"
+   },
+   "engines": {
+     "node": ">=4"
+@@ -73,7 +73,7 @@
+     "bench": "matcha bench.js",
+     "test": "xo && ava"
+   },
+-  "version": "4.2.0",
++  "version": "4.2.1",
+   "xo": {
+     "esnext": true
+   }
+diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
+index fab3b7a..0e18f78 100644
+--- a/deps/npm/node_modules/dot-prop/readme.md
++++ b/deps/npm/node_modules/dot-prop/readme.md
+@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
+ 
+ Use `\\.` if you have a `.` in the key.
+ 
++The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
++
+ #### value
+ 
+ Type: `any`
+-- 
+2.26.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 6901062..1602d84 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -26,7 +26,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 12
 %global nodejs_minor 18
-%global nodejs_patch 2
+%global nodejs_patch 4
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %if %{?with_libs} == 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -65,8 +65,8 @@
 
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
-%global llhttp_minor 0
-%global llhttp_patch 4
+%global llhttp_minor 1
+%global llhttp_patch 2
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
@@ -102,7 +102,7 @@
 %global npm_epoch 1
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 5
+%global npm_patch 6
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -157,6 +157,9 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
 Patch2: 0002-Install-both-binaries-and-use-libdir.patch
 %endif
 
+# Fix for CVE-2020-8116
+Patch3: 0003-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-8116.patch
+
 BuildRequires: python2-devel
 BuildRequires: python3-devel
 BuildRequires: zlib-devel
@@ -817,6 +820,9 @@ end
 
 
 %changelog
+* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-1
+- Rebase to 12.18.4
+
 * Tue Jun 30 2020 Jan Staněk <jstanek@redhat.com> - 12.18.2-1
 - Rebase to 12.18.2