diff --git a/.gitignore b/.gitignore
index a6e94a4..932e368 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-71_1-src.tgz
-SOURCES/node-v16.18.1-stripped.tar.gz
-SOURCES/undici-5.10.0.tar.gz
+SOURCES/node-v16.19.1-stripped.tar.gz
+SOURCES/undici-5.19.1.tar.gz
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index c58aefc..58f145f 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,6 +1,6 @@
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
-0e8bf36bf0ed737011cc49026a1e7b82d7a1f638 SOURCES/node-v16.18.1-stripped.tar.gz
-a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz
+bd54c70441a0d8933e6e78378e47501ef5639038 SOURCES/node-v16.19.1-stripped.tar.gz
+4ba08daec56f2571fc8af493b3a2628d290f9390 SOURCES/undici-5.19.1.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch b/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
new file mode 100644
index 0000000..278ba06
--- /dev/null
+++ b/SOURCES/0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
@@ -0,0 +1,45 @@
+From df574e2999dc6c2c38138bd0c3ec61dfafe9c929 Mon Sep 17 00:00:00 2001
+From: Kornel <kornel@geekhood.net>
+Date: Fri, 27 Jan 2023 01:20:38 +0000
+Subject: [PATCH] deps(http-cache-semantics): Don't use regex to trim
+ whitespace
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/http-cache-semantics/index.js | 6 +++---
+ deps/npm/node_modules/http-cache-semantics/package.json | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/http-cache-semantics/index.js b/deps/npm/node_modules/http-cache-semantics/index.js
+index 4f6c2f3..39d58a7 100644
+--- a/deps/npm/node_modules/http-cache-semantics/index.js
++++ b/deps/npm/node_modules/http-cache-semantics/index.js
+@@ -79,10 +79,10 @@ function parseCacheControl(header) {
+
+ // TODO: When there is more than one value present for a given directive (e.g., two Expires header fields, multiple Cache-Control: max-age directives),
+ // the directive's value is considered invalid. Caches are encouraged to consider responses that have invalid freshness information to be stale
+- const parts = header.trim().split(/\s*,\s*/); // TODO: lame parsing
++ const parts = header.trim().split(/,/);
+ for (const part of parts) {
+- const [k, v] = part.split(/\s*=\s*/, 2);
+- cc[k] = v === undefined ? true : v.replace(/^"|"$/g, ''); // TODO: lame unquoting
++ const [k, v] = part.split(/=/, 2);
++ cc[k.trim()] = v === undefined ? true : v.trim().replace(/^"|"$/g, '');
+ }
+
+ return cc;
+diff --git a/deps/npm/node_modules/http-cache-semantics/package.json b/deps/npm/node_modules/http-cache-semantics/package.json
+index 897798d..79c020a 100644
+--- a/deps/npm/node_modules/http-cache-semantics/package.json
++++ b/deps/npm/node_modules/http-cache-semantics/package.json
+@@ -1,6 +1,6 @@
+ {
+ "name": "http-cache-semantics",
+- "version": "4.1.0",
++ "version": "4.1.1",
+ "description": "Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies",
+ "repository": "https://github.com/kornelski/http-cache-semantics.git",
+ "main": "index.js",
+--
+2.39.2
+
diff --git a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
deleted file mode 100644
index f055d91..0000000
--- a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 26 Sep 2022 16:02:39 +0200
-Subject: [PATCH] install: keep installing dtrace and systemtap files
-
-Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6.
-
-Signed-off-by: rpm-build <rpm-build>
----
- tools/install.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/tools/install.py b/tools/install.py
-index 4b01d67..dc16797 100755
---- a/tools/install.py
-+++ b/tools/install.py
-@@ -178,6 +178,11 @@ def files(action):
- output_lib = 'libnode.' + variables.get('shlib_suffix')
- action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib)
-
-+ if 'true' == variables.get('node_use_dtrace'):
-+ action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
-+
-+ action(['src/node.stp'], 'share/systemtap/tapset/')
-+
- action(['deps/v8/tools/gdbinit'], 'share/doc/node/')
- action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/')
-
---
-2.37.3
-
diff --git a/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch b/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
new file mode 100644
index 0000000..69763ba
--- /dev/null
+++ b/SOURCES/0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
@@ -0,0 +1,53 @@
+From 2c06dc63aa864be8648758e71fa70e3d3f47e06f Mon Sep 17 00:00:00 2001
+From: hopper-vul <118949689+hopper-vul@users.noreply.github.com>
+Date: Wed, 18 Jan 2023 22:14:26 +0800
+Subject: [PATCH] deps(cares): Add str len check in config_sortlist to avoid
+ stack overflow (#497)
+
+In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
+the input str and initialize a sortlist configuration.
+
+However, ares_set_sortlist has not any checks about the validity of the input str.
+It is very easy to create an arbitrary length stack overflow with the unchecked
+`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
+statements in the config_sortlist call, which could potentially cause severe
+security impact in practical programs.
+
+This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
+potential stack overflows.
+
+fixes #496
+
+Fix By: @hopper-vul
+Resolves: CVE-2022-4904
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/cares/src/lib/ares_init.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/deps/cares/src/lib/ares_init.c b/deps/cares/src/lib/ares_init.c
+index de5d86c..d5858f6 100644
+--- a/deps/cares/src/lib/ares_init.c
++++ b/deps/cares/src/lib/ares_init.c
+@@ -2243,6 +2243,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ q = str;
+ while (*q && *q != '/' && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 16)
++ return ARES_EBADSTR;
+ memcpy(ipbuf, str, q-str);
+ ipbuf[q-str] = '\0';
+ /* Find the prefix */
+@@ -2251,6 +2253,8 @@ static int config_sortlist(struct apattern **sortlist, int *nsort,
+ const char *str2 = q+1;
+ while (*q && *q != ';' && !ISSPACE(*q))
+ q++;
++ if (q-str >= 32)
++ return ARES_EBADSTR;
+ memcpy(ipbufpfx, str, q-str);
+ ipbufpfx[q-str] = '\0';
+ str = str2;
+--
+2.39.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index e0fe410..f139933 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -35,7 +35,7 @@
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
-%global baserelease 3
+%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -46,7 +46,7 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 16
-%global nodejs_minor 18
+%global nodejs_minor 19
%global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -140,7 +140,7 @@
%global npm_epoch 1
%global npm_major 8
%global npm_minor 19
-%global npm_patch 2
+%global npm_patch 3
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -200,16 +200,19 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
# Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz
-# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.10.0.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.19.1.tar.gz
+# Adjustments: rm -f undici-5.19.1/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.19.1.tar.gz
# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
# Version source: build/Dockerfile
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
# Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
-Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch
+# CVE-2022-25881
+Patch2: 0002-deps-http-cache-semantics-Don-t-use-regex-to-trim-wh.patch
+# CVE-2022-4904
+Patch3: 0003-deps-cares-Add-str-len-check-in-config_sortlist-to-a.patch
BuildRequires: make
BuildRequires: python3-devel
@@ -703,10 +706,12 @@ end
%doc %{_mandir}/man1/npx.1*
%doc %{_mandir}/man5/folders.5*
%doc %{_mandir}/man5/install.5*
+%doc %{_mandir}/man5/npm-global.5*
+%doc %{_mandir}/man5/npm-json.5*
+%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
%doc %{_mandir}/man5/npmrc.5*
%doc %{_mandir}/man5/package-json.5*
%doc %{_mandir}/man5/package-lock-json.5*
-%doc %{_mandir}/man5/npm-shrinkwrap-json.5*
%doc %{_mandir}/man7/config.7*
%doc %{_mandir}/man7/dependency-selectors.7*
%doc %{_mandir}/man7/developers.7*
@@ -728,6 +733,12 @@ end
%changelog
+* Mon Feb 27 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-1
+- Rebase to 16.19.1
+ Resolves: rhbz#2153713
+ Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920
+ Resolves: CVE-2022-25881 CVE-2022-4904
+
* Wed Dec 07 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-3
- Update sources of undici WASM blobs
Resolves: rhbz#2151546