diff --git a/.gitignore b/.gitignore
index 2342a22..0898cbf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
SOURCES/icu4c-64_2-src.tgz
-SOURCES/node-v10.21.0-stripped.tar.gz
+SOURCES/node-v10.23.1-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index be7ac38..88bcbc8 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
3127155ecf2b75ab4835f501b7478e39c07bb852 SOURCES/icu4c-64_2-src.tgz
-50f10207f2286ca63abd4f351808dc606891d90b SOURCES/node-v10.21.0-stripped.tar.gz
+21b2943f71c0aa6c9271da21c3f09f52451be8fa SOURCES/node-v10.23.1-stripped.tar.gz
diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
index 79cbc7e..51d360f 100644
--- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
+++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch
@@ -1,19 +1,18 @@
-From def28d29f907050d8bcd94ed2e341d128ffa3fa6 Mon Sep 17 00:00:00 2001
+From 2cd4c12776af3da588231d3eb498e6451c30eae5 Mon Sep 17 00:00:00 2001
From: Zuzana Svetlikova <zsvetlik@redhat.com>
Date: Thu, 27 Apr 2017 14:25:42 +0200
-Subject: [PATCH 1/2] Disable running gyp on shared deps
+Subject: [PATCH] Disable running gyp on shared deps
+Signed-off-by: rpm-build <rpm-build>
---
Makefile | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
-index 5fc2bb0c58f5532044a14e9f9595b2316f562726..f1c1545caa220d7442d6d92c49412ec7554de123 100644
+index 73feb4c..45bbceb 100644
--- a/Makefile
+++ b/Makefile
-@@ -121,14 +121,13 @@ with-code-cache:
-
- .PHONY: test-code-cache
+@@ -123,10 +123,9 @@ with-code-cache:
test-code-cache: with-code-cache
$(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) code-cache
@@ -27,8 +26,6 @@ index 5fc2bb0c58f5532044a14e9f9595b2316f562726..f1c1545caa220d7442d6d92c49412ec7
$(PYTHON) tools/gyp_node.py -f make
config.gypi: configure configure.py
- @if [ -x config.status ]; then \
- ./config.status; \
--
-2.19.0
+2.26.2
diff --git a/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch b/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
index fd54ee2..e1b721f 100644
--- a/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
+++ b/SOURCES/0002-Suppress-NPM-message-to-run-global-update.patch
@@ -1,20 +1,19 @@
-From ab6c18fd9aba942bee3f2f8030273c846b6025a6 Mon Sep 17 00:00:00 2001
+From e7afb2d6e2a6c8f9c9c32e12a10c3c5c4902a251 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Tue, 1 May 2018 08:05:30 -0400
-Subject: [PATCH 2/2] Suppress NPM message to run global update
+Subject: [PATCH] Suppress NPM message to run global update
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+Signed-off-by: rpm-build <rpm-build>
---
deps/npm/bin/npm-cli.js | 54 -----------------------------------------
1 file changed, 54 deletions(-)
diff --git a/deps/npm/bin/npm-cli.js b/deps/npm/bin/npm-cli.js
-index 6f76b23828531e7af98a7e3cd7d5abfaac09b40c..98edb6f45fe073e03794a2ae6e7aa7f5500723ee 100755
+index c0d9be0..0f0892e 100755
--- a/deps/npm/bin/npm-cli.js
+++ b/deps/npm/bin/npm-cli.js
-@@ -67,69 +67,15 @@
- if (conf.usage && npm.command !== 'help') {
- npm.argv.unshift(npm.command)
+@@ -71,65 +71,11 @@
npm.command = 'help'
}
@@ -80,8 +79,6 @@ index 6f76b23828531e7af98a7e3cd7d5abfaac09b40c..98edb6f45fe073e03794a2ae6e7aa7f5
npm.commands[npm.command](npm.argv, function (err) {
// https://genius.com/Lin-manuel-miranda-your-obedient-servant-lyrics
if (
- !err &&
- npm.config.get('ham-it-up') &&
--
-2.19.0
+2.26.2
diff --git a/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch b/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
index 667d6af..14d39ae 100644
--- a/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
+++ b/SOURCES/0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
@@ -1,8 +1,7 @@
-From 9ca4d4aeccf50e6c036e5536ef070a09c1776817 Mon Sep 17 00:00:00 2001
+From 0028cc74dac4dd24b8599ade85cb49fdafa9f559 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Fri, 6 Dec 2019 16:40:25 -0500
-Subject: [PATCH 3/3] build: auto-load ICU data from
- --with-icu-default-data-dir
+Subject: [PATCH] build: auto-load ICU data from --with-icu-default-data-dir
When compiled with `--with-intl=small` and
`--with-icu-default-data-dir=PATH`, Node.js will use PATH as a
@@ -28,6 +27,7 @@ the associated storage costs).
Refs: https://github.com/nodejs/node/issues/3460
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+Signed-off-by: rpm-build <rpm-build>
---
configure.py | 9 +++++++++
node.gypi | 7 +++++++
@@ -35,13 +35,13 @@ Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
3 files changed, 36 insertions(+)
diff --git a/configure.py b/configure.py
-index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371c061edab 100755
+index 89f7bf5..d611a88 100755
--- a/configure.py
+++ b/configure.py
@@ -433,6 +433,14 @@ intl_optgroup.add_option('--with-icu-source',
'the icu4c source archive. '
'v%d.x or later recommended.' % icu_versions['minimum_icu'])
-
+
+intl_optgroup.add_option('--with-icu-default-data-dir',
+ action='store',
+ dest='with_icu_default_data_dir',
@@ -53,7 +53,7 @@ index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371
parser.add_option('--with-ltcg',
action='store_true',
dest='with_ltcg',
-@@ -1360,6 +1368,7 @@ def configure_intl(o):
+@@ -1359,6 +1367,7 @@ def configure_intl(o):
locs.add('root') # must have root
o['variables']['icu_locales'] = string.join(locs,',')
# We will check a bit later if we can use the canned deps/icu-small
@@ -62,7 +62,7 @@ index 48389fbdcb57cbf8d9c11d4921c65f34a1937cc7..063e8748b954a7fed4fe084399e61371
# full ICU
o['variables']['v8_enable_i18n_support'] = 1
diff --git a/node.gypi b/node.gypi
-index 466a1746811cfac1a8ce4ef604ef1152c6229ff1..65b97d6466a14f4343a948a5fc36f8a2580badfb 100644
+index 466a174..65b97d6 100644
--- a/node.gypi
+++ b/node.gypi
@@ -113,6 +113,13 @@
@@ -80,16 +80,16 @@ index 466a1746811cfac1a8ce4ef604ef1152c6229ff1..65b97d6466a14f4343a948a5fc36f8a2
}],
[ 'node_use_bundled_v8=="true" and \
diff --git a/src/node.cc b/src/node.cc
-index 7c0118758dfd9449283b900209b2ba8df7ddd129..c9840e3e367ca47176a17a7940a1e08eb1f56f78 100644
+index 7c01187..c9840e3 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -92,6 +92,7 @@
-
+
#if defined(NODE_HAVE_I18N_SUPPORT)
#include <unicode/uvernum.h>
+#include <unicode/utypes.h>
#endif
-
+
#if defined(LEAK_SANITIZER)
@@ -2643,6 +2644,25 @@ void Init(std::vector<std::string>* argv,
// If the parameter isn't given, use the env variable.
@@ -117,6 +117,6 @@ index 7c0118758dfd9449283b900209b2ba8df7ddd129..c9840e3e367ca47176a17a7940a1e08e
// Initialize ICU.
// If icu_data_dir is empty here, it will load the 'minimal' data.
if (!i18n::InitializeICUDirectory(per_process_opts->icu_data_dir)) {
---
-2.24.1
+--
+2.26.2
diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
new file mode 100644
index 0000000..88a9d75
--- /dev/null
+++ b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
@@ -0,0 +1,13 @@
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681628..727362aac0 100644
+--- a/deps/npm/node_modules/y18n/index.js
++++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+ this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+
+ // internal stuff.
+- this.cache = {}
++ this.cache = Object.create(null)
+ this.writeQueue = []
+ }
+
diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
new file mode 100644
index 0000000..b7270a0
--- /dev/null
+++ b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
@@ -0,0 +1,99 @@
+From cdd56e89bf13b495e5b97cc4416f61638617d7f4 Mon Sep 17 00:00:00 2001
+From: isaacs <i@izs.me>
+Date: Tue, 8 Dec 2020 14:21:50 -0800
+Subject: [PATCH] do not allow invalid hazardous string as section name
+
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ini/ini.js | 8 +++++
+ deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 deps/npm/node_modules/ini/test/proto.js
+
+diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js
+index 590195d..0401258 100644
+--- a/deps/npm/node_modules/ini/ini.js
++++ b/deps/npm/node_modules/ini/ini.js
+@@ -80,6 +80,12 @@ function decode (str) {
+ if (!match) return
+ if (match[1] !== undefined) {
+ section = unsafe(match[1])
++ if (section === '__proto__') {
++ // not allowed
++ // keep parsing the section, but don't attach it.
++ p = {}
++ return
++ }
+ p = out[section] = out[section] || {}
+ return
+ }
+@@ -94,6 +100,7 @@ function decode (str) {
+ // Convert keys with '[]' suffix to an array
+ if (key.length > 2 && key.slice(-2) === '[]') {
+ key = key.substring(0, key.length - 2)
++ if (key === '__proto__') return
+ if (!p[key]) {
+ p[key] = []
+ } else if (!Array.isArray(p[key])) {
+@@ -125,6 +132,7 @@ function decode (str) {
+ var l = parts.pop()
+ var nl = l.replace(/\\\./g, '.')
+ parts.forEach(function (part, _, __) {
++ if (part === '__proto__') return
+ if (!p[part] || typeof p[part] !== 'object') p[part] = {}
+ p = p[part]
+ })
+diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js
+new file mode 100644
+index 0000000..ab35533
+--- /dev/null
++++ b/deps/npm/node_modules/ini/test/proto.js
+@@ -0,0 +1,45 @@
++var ini = require('../')
++var t = require('tap')
++
++var data = `
++__proto__ = quux
++foo = baz
++[__proto__]
++foo = bar
++[other]
++foo = asdf
++[kid.__proto__.foo]
++foo = kid
++[arrproto]
++hello = snyk
++__proto__[] = you did a good job
++__proto__[] = so you deserve arrays
++thanks = true
++`
++var res = ini.parse(data)
++t.deepEqual(res, {
++ foo: 'baz',
++ other: {
++ foo: 'asdf',
++ },
++ kid: {
++ foo: {
++ foo: 'kid',
++ },
++ },
++ arrproto: {
++ hello: 'snyk',
++ thanks: true,
++ },
++})
++t.equal(res.__proto__, Object.prototype)
++t.equal(res.kid.__proto__, Object.prototype)
++t.equal(res.kid.foo.__proto__, Object.prototype)
++t.equal(res.arrproto.__proto__, Object.prototype)
++t.equal(Object.prototype.foo, undefined)
++t.equal(Object.prototype[0], undefined)
++t.equal(Object.prototype['0'], undefined)
++t.equal(Object.prototype[1], undefined)
++t.equal(Object.prototype['1'], undefined)
++t.equal(Array.prototype[0], undefined)
++t.equal(Array.prototype[1], undefined)
+--
+2.29.2
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index e1a6e02..e0b85f4 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -13,7 +13,7 @@
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
-%global baserelease 3
+%global baserelease 1
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -24,8 +24,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 10
-%global nodejs_minor 21
-%global nodejs_patch 0
+%global nodejs_minor 23
+%global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 64
@@ -57,7 +57,7 @@
# http-parser - from deps/http_parser/http_parser.h
%global http_parser_major 2
%global http_parser_minor 9
-%global http_parser_patch 3
+%global http_parser_patch 4
%global http_parser_version %{http_parser_major}.%{http_parser_minor}.%{http_parser_patch}
# libuv - from deps/uv/include/uv/version.h
@@ -94,7 +94,7 @@
%global npm_epoch 1
%global npm_major 6
%global npm_minor 14
-%global npm_patch 4
+%global npm_patch 10
%global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
# In order to avoid needing to keep incrementing the release version for the
@@ -103,7 +103,7 @@
# base npm version number is increasing.
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
-# brotli - from deps/brotli/common/version.h
+# brotli - from deps/brotli/c/common/version.h
# v10.x doesn't have --shared-brotli configure option, so we have to bundle it
%global brotli_major 1
%global brotli_minor 0
@@ -146,6 +146,12 @@ Patch2: 0002-Suppress-NPM-message-to-run-global-update.patch
# https://github.com/nodejs/node/pull/30825
Patch3: 0003-build-auto-load-ICU-data-from-with-icu-default-data-.patch
+# CVE-2020-7774
+Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
+
+# CVE-2020-7788
+Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
+
BuildRequires: python2-devel
BuildRequires: python3-devel
BuildRequires: zlib-devel
@@ -619,17 +625,29 @@ end
%changelog
+* Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.23.1-1
+- January Security release
+- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
+- Rebase to 10.23.1
+- Resolves: RHBZ#1916461, RHBZ#1914789
+- Resolves: RHBZ#1914783, RHBZ#1916462, RHBZ#1916395, RHBZ#1916459
+- Resolves: RHBZ#1916691, RHBZ#1916689, RHBZ#1916388
+- Remove dot-prop patch, as it is fixed by npm rebase
+
+* Tue Sep 22 2020 Jan Staněk <jstanek@redhat.com> - 1:10.22.1-1
+- Security rebase to 10.22.1
+
* Wed Jun 17 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.21.0-3
-- Resolves: RHBZ#1845306
+- Resolves: RHBZ#1845307
- Remove brotli-devel requires from nodejs-devel
* Tue Jun 16 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.21.0-2
-- Resolves: RHBZ#1845306
+- Resolves: RHBZ#1845307
- Turn off debug builds
* Mon Jun 15 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.21.0-1
- Security update to 10.21.0
-- Resolves: RHBZ#1845306
+- Resolves: RHBZ#1845307
- Fixes CVE-2020-11080, CVE-2020-8174, CVE-2020-10531
- Bundle brotli, because --shared-brotli configure option is missing
- Add i18n subpackage