diff --git a/.gitignore b/.gitignore
index 0b6d40a..a6e94a4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-71_1-src.tgz
-SOURCES/node-v16.17.1-stripped.tar.gz
-SOURCES/undici-5.8.0.tar.gz
+SOURCES/node-v16.18.1-stripped.tar.gz
+SOURCES/undici-5.10.0.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index ba29bc3..c58aefc 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,6 +1,6 @@
 b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
-b121cbaced686489dce040cacd91b652b0a2dfb8 SOURCES/node-v16.17.1-stripped.tar.gz
-0ad2dd058ce40f08ae2c0fe1e0226b613def8dd1 SOURCES/undici-5.8.0.tar.gz
+0e8bf36bf0ed737011cc49026a1e7b82d7a1f638 SOURCES/node-v16.18.1-stripped.tar.gz
+a2668423c8ed5321e39ce08e239141b084563bb5 SOURCES/undici-5.10.0.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
diff --git a/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
new file mode 100644
index 0000000..f055d91
--- /dev/null
+++ b/SOURCES/0002-install-keep-installing-dtrace-and-systemtap-files.patch
@@ -0,0 +1,31 @@
+From 9872b897d6a9a39e3392c39bca70cfd9dd084558 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 26 Sep 2022 16:02:39 +0200
+Subject: [PATCH] install: keep installing dtrace and systemtap files
+
+Partly reverts commit e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6.
+
+Signed-off-by: rpm-build
+---
+ tools/install.py | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/tools/install.py b/tools/install.py
+index 4b01d67..dc16797 100755
+--- a/tools/install.py
++++ b/tools/install.py
+@@ -178,6 +178,11 @@ def files(action):
+ output_lib = 'libnode.' + variables.get('shlib_suffix')
+ action([output_prefix + output_lib], variables.get('libdir') + '/' + output_lib)
+
++ if 'true' == variables.get('node_use_dtrace'):
++ action(['out/Release/node.d'], variables.get('libdir') + '/dtrace/node.d')
++
++ action(['src/node.stp'], 'share/systemtap/tapset/')
++
+ action(['deps/v8/tools/gdbinit'], 'share/doc/node/')
+ action(['deps/v8/tools/lldb_commands.py'], 'share/doc/node/')
+
+--
+2.37.3
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index c8f2607..e0fe410 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -35,7 +35,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 3
 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@@ -46,7 +46,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 17
+%global nodejs_minor 18
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
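Review bot: In the embedded tools/install.py patch, `action(['src/node.stp'], 'share/systemtap/tapset/')` runs unconditionally while the dtrace file just above it is gated on `node_use_dtrace`, and neither addition is marked in the code as a downstream divergence. The patch header only says it partly reverts e27e709d3ca93b3e7036ddc4f4d28dfde228bfb6, so a later rebase gives no hint that the install step now depends on `src/node.stp` and `out/Release/node.d` still being shipped and built; how `action` behaves when a source file is missing is not visible here. I would add a comment above the new lines such as `# Downstream: keep installing the dtrace provider and SystemTap tapset (upstream stopped in e27e709d3ca9)`. The body of `files(action)` starts and ends outside the hunk.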
@@ -79,7 +79,7 @@
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 6
 %global llhttp_minor 0
-%global llhttp_patch 9
+%global llhttp_patch 10
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 # libuv - from deps/uv/include/uv/version.h
@@ -96,14 +96,14 @@
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
-%global nghttp3_minor 1
-%global nghttp3_patch 0-DEV
+%global nghttp3_minor 7
+%global nghttp3_patch 0
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}
 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %global ngtcp2_major 0
-%global ngtcp2_minor 1
-%global ngtcp2_patch 0-DEV
+%global ngtcp2_minor 8
+%global ngtcp2_patch 1
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
 # ICU - from tools/icu/current_ver.dep
@@ -139,20 +139,20 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 8
-%global npm_minor 15
-%global npm_patch 0
+%global npm_minor 19
+%global npm_patch 2
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 12
+%global uvwasi_patch 13
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 # histogram_c - assumed from timestamps
 %global histogram_major 0
-%global histogram_minor 9
-%global histogram_patch 7
+%global histogram_minor 11
+%global histogram_patch 2
 %global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
 # In order to avoid needing to keep incrementing the release version for the
@@ -200,15 +200,16 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.8.0.tar.gz
-# Adjustments: rm -f undici-5.8.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.8.0.tar.gz
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.10.0.tar.gz
+# Adjustments: rm -f undici-5.10.0/lib/llhttp/llhttp*.wasm*
+Source111: undici-5.10.0.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch2: 0002-install-keep-installing-dtrace-and-systemtap-files.patch
 BuildRequires: make
 BuildRequires: python3-devel
@@ -394,6 +395,22 @@ rm -rf deps/brotli
 rm -rf deps/v8/third_party/jinja2
 rm -rf tools/inspector_protocol/jinja2
+# check for correct versions of dependencies we are bundling
+check_wasm_dep() {
+ local -r name="$1" source="$2" packagejson="$3"
+ local -r expected_version="$(jq -r '.version' "${packagejson}")"
+
+ if ls "${source}"|grep -q --fixed-strings "${expected_version}"; then
+ printf '%s version matches\n' "${name}" >&2
+ else
+ printf '%s version MISMATCH: %s !~ %s\n' "${name}" "${expected_version}" "${source}" >&2
+ return 1
+ fi
+}
+
+check_wasm_dep cjs-module-lexer '%{SOURCE101}' deps/cjs-module-lexer/package.json
+check_wasm_dep undici '%{SOURCE111}' deps/undici/src/package.json
+
 # Replace any instances of unversioned python' with python3
 %if %{with python3_fixup}
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
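Review bot: `check_wasm_dep` in the second hunk passes when the version lookup itself fails, because `local -r expected_version="$(jq ...)"` discards jq's exit status and an empty `expected_version` makes `grep -q --fixed-strings` match any file name. A missing or malformed `package.json` would then print "version matches" instead of stopping %prep, which defeats a check meant to tie the bundled WASM sources to the version Node.js expects. Declaring and assigning separately closes this: `local expected_version` followed by `expected_version="$(jq -er '.version' "${packagejson}")" || return 1`, where `-e` makes jq exit non-zero on a null result. The comparison is also a plain substring test, so `5.10.0` would accept a tarball named for `15.10.0`; matching on `-${expected_version}.tar` would be stricter. A BuildRequires for `jq` is not visible in this hunk and should be confirmed.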
@@ -691,6 +708,7 @@ end
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/logging.7*
 %doc %{_mandir}/man7/orgs.7*
@@ -710,30 +728,41 @@ end
 %changelog
+* Wed Dec 07 2022 Jan Staněk - 1:16.18.1-3
+- Update sources of undici WASM blobs
+ Resolves: rhbz#2151546
+
+* Fri Dec 02 2022 Jan Staněk - 1:16.18.1-2
+- Record CVE references already addressed in this or previous upstream versions
+ Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
+
+* Wed Nov 16 2022 Zuzana Svetlikova - 1:16.18.1-1
+- Rebase + CVE fixes
+- Resolves: #2142806
+- Resolves: #2142837, #2142851
+
 * Fri Oct 07 2022 Zuzana Svetlikova - 1:16.17.1-1
 - Rebase to version 16.17.1
 - Resolves: CVE-2022-35255 CVE-2022-35256
-- Resolves: #2132004, #2130552
+- Resolves: #2130553
+- Resolves #2132003
 - Resolves #2121095
-* Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-3
-- Fix build
-- Resolves: RHBZ#2111416
-
-* Fri Aug 05 2022 Zuzana Svetlikova - 1:16.16.0-2
-- Refactor spec
-- Resolves: RHBZ#2111416
+* Tue Aug 23 2022 Zuzana Svetlikova - 1:16.16.0-1
+- Resolves: #2104754, #2108057, #2108062, #2108067, #2108072
+- Resolves CVE-2022-29244, CVE-2022-32212/3/4/5
+- Resolves: #2106285
+- Rebase to latest release
-* Tue Jul 26 2022 Zuzana Svetlikova - 1:16.16.0-1
-- Rebase to latest version
-- Resolves: RHBZ#2106369
-- CVE fixes for CVE-2022-32212/3/4/5
-- Resolves: #2109578, #2109581, #2109584, #2109588
+* Mon Apr 25 2022 Jan Staněk - 1:16.14.0-5
+- Unify configure calls into single command
+- Refactor bootstrap-related parts
+- Decouple dependency bundling from bootstrapping
 * Mon Apr 11 2022 Zuzana Svetlikova - 1:16.14.0-4
 - Apply lock file validation fixes
-- Resolves CVE-2021-43616
-- Resolves: RHBZ#2070012
+- Resolves: CVE-2021-43616
+- Resolves: RHBZ#2070013
 * Mon Dec 06 2021 Zuzana Svetlikova - 1:16.13.1-3
 - Resolves: RHBZ#2026329