diff --git a/.gitignore b/.gitignore
index ee06d4c..e1f0b9c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/node-ssl-shim-6fc0b05.tar.gz
-SOURCES/node-v12.18.4-stripped.tar.gz
+SOURCES/node-v12.19.1-stripped.tar.gz
diff --git a/.rh-nodejs12-nodejs.metadata b/.rh-nodejs12-nodejs.metadata
index aa63d7a..7f0c8fc 100644
--- a/.rh-nodejs12-nodejs.metadata
+++ b/.rh-nodejs12-nodejs.metadata
@@ -1,2 +1,2 @@
 9fe6761bd237af8be0e4d26184c5a01e01d7967d SOURCES/node-ssl-shim-6fc0b05.tar.gz
-002418dc06158c9068be2c4e18847243a6c4d9c5 SOURCES/node-v12.18.4-stripped.tar.gz
+52b6a7856356c8cd8c5ddae0550c4d65238ea33a SOURCES/node-v12.19.1-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
index 6b3f0bf..bf0d6fc 100644
--- a/SOURCES/0001-Link-with-ssl-shim.patch
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -1,4 +1,4 @@
-From ef86c8e2907c82e956a997e2ed6cbce5e8d33312 Mon Sep 17 00:00:00 2001
+From f2b5ee60b7e1f01a6678ee3172c6fa59c6ce8da1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Tue, 28 Apr 2020 11:15:24 +0200
 Subject: [PATCH] Link with ssl-shim
@@ -35,10 +35,10 @@ index 116c1c7149..0e40a2b441 100644
      }],
  
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index c132e6a089..5783500b16 100644
+index db2e122ab0..90df5f25e0 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -1142,7 +1142,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
+@@ -1135,7 +1135,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
  
  void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
    // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
@@ -48,10 +48,10 @@ index c132e6a089..5783500b16 100644
    ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
    Environment* env = sc->env();
 diff --git a/src/node_crypto.h b/src/node_crypto.h
-index 772a34a7da..ec86debfea 100644
+index 38fd806e62..0b9dab833d 100644
 --- a/src/node_crypto.h
 +++ b/src/node_crypto.h
-@@ -40,6 +40,8 @@
+@@ -41,6 +41,8 @@
  #include <openssl/ec.h>
  #include <openssl/rsa.h>
  
@@ -61,5 +61,5 @@ index 772a34a7da..ec86debfea 100644
  namespace crypto {
  
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
index d7f98be..d672569 100644
--- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -1,6 +1,6 @@
-From 338901851f23e9d42b86fe88bed99bada47e099c Mon Sep 17 00:00:00 2001
+From ae4f772872661d6435c27e50937a0c3cbcede43c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Fri, 2 Oct 2020 13:00:17 +0200
+Date: Mon, 23 Nov 2020 11:56:26 +0100
 Subject: [PATCH] Use OpenSSL 1.0 API
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -23,17 +23,20 @@ Content-Transfer-Encoding: 8bit
   Using `const` prevents passing the method as a function pointer
   to other OpenSSL API functions.
 
+- Provide GetCipherValue wrapper for non-const strings
+
 - Sanitize inputs into PBKDF2
 
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
- src/node_crypto.cc     | 26 ++++++++++++++++++++++++--
- src/node_crypto.h      |  4 ++++
- src/node_crypto_bio.cc |  4 ++++
- 3 files changed, 32 insertions(+), 2 deletions(-)
+ src/node_crypto.cc        | 26 ++++++++++++++++++++++++--
+ src/node_crypto.h         |  4 ++++
+ src/node_crypto_bio.cc    |  4 ++++
+ src/node_crypto_common.cc |  8 ++++++++
+ 4 files changed, 40 insertions(+), 2 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 5783500b16..23c460ee49 100644
+index 90df5f25e0..7be3f77e1a 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -123,7 +123,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
@@ -48,7 +51,7 @@ index 5783500b16..23c460ee49 100644
      int len,
      int* copy);
  template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
-@@ -1755,7 +1759,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
+@@ -1746,7 +1750,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
  
  template <class Base>
  SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
@@ -60,7 +63,7 @@ index 5783500b16..23c460ee49 100644
                                                 int len,
                                                 int* copy) {
    Base* w = static_cast<Base*>(SSL_get_app_data(s));
-@@ -5845,9 +5853,23 @@ struct PBKDF2Job : public CryptoJob {
+@@ -5917,9 +5925,23 @@ struct PBKDF2Job : public CryptoJob {
    }
  
    inline void DoThreadPoolWork() override {
@@ -87,10 +90,10 @@ index 5783500b16..23c460ee49 100644
      success = Just(ok);
      Cleanse();
 diff --git a/src/node_crypto.h b/src/node_crypto.h
-index ec86debfea..5e8e6ac000 100644
+index 0b9dab833d..7d6417b66f 100644
 --- a/src/node_crypto.h
 +++ b/src/node_crypto.h
-@@ -233,7 +233,11 @@ class SSLWrap {
+@@ -234,7 +234,11 @@ class SSLWrap {
    static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
  
    static SSL_SESSION* GetSessionCallback(SSL* s,
@@ -118,6 +121,25 @@ index 55f5e8a5a3..c2a44fdb86 100644
    if (bio && env != nullptr)
      NodeBIO::FromBIO(bio.get())->env_ = env;
    return bio;
+diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
+index 6c3bb0b1b6..d1d9edd6cd 100644
+--- a/src/node_crypto_common.cc
++++ b/src/node_crypto_common.cc
+@@ -392,6 +392,14 @@ MaybeLocal<Value> GetCipherValue(Environment* env,
+ 
+   return OneByteString(env->isolate(), getstr(cipher));
+ }
++MaybeLocal<Value> GetCipherValue(Environment* env,
++    const SSL_CIPHER* cipher,
++    char* (*getstr)(const SSL_CIPHER* cipher)) {
++  if (cipher == nullptr) {
++    return Undefined(env->isolate());
++  }
++  return OneByteString(env->isolate(), const_cast<const char *>(getstr(cipher)));
++}
+ 
+ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
+   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
index 20237da..dcff61a 100644
--- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
+++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
@@ -1,6 +1,6 @@
-From b443972d6f464c613eecdd410987eb34d78c3b9c Mon Sep 17 00:00:00 2001
+From 7dc5dae056d1b77a748ebfb8a3e312b4306789b4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Fri, 2 Oct 2020 13:01:01 +0200
+Date: Mon, 23 Nov 2020 11:57:01 +0100
 Subject: [PATCH] Backport necessary OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -38,15 +38,15 @@ Content-Transfer-Encoding: 8bit
 
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
- src/node_crypto.cc | 192 +++++++++++++++++++++++++++++++++++++++------
+ src/node_crypto.cc | 174 ++++++++++++++++++++++++++++++++++++++++++---
  src/node_crypto.h  |  14 ++++
- 2 files changed, 180 insertions(+), 26 deletions(-)
+ 2 files changed, 180 insertions(+), 8 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index 23c460ee49..3cee36d62c 100644
+index 7be3f77e1a..c2b5aaa1a1 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
-@@ -517,6 +517,11 @@ inline void SecureContext::Reset() {
+@@ -518,6 +518,11 @@ inline void SecureContext::Reset() {
    ctx_.reset();
    cert_.reset();
    issuer_.reset();
@@ -58,7 +58,7 @@ index 23c460ee49..3cee36d62c 100644
  }
  
  SecureContext::~SecureContext() {
-@@ -530,7 +535,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
+@@ -531,7 +536,11 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
  
  // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
  // Node.js doesn't, so pin the max to what we do support.
@@ -70,55 +70,53 @@ index 23c460ee49..3cee36d62c 100644
  
  void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -593,38 +602,23 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
-       max_version = MAX_SUPPORTED_VERSION;
-       method = TLS_client_method();
-     } else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
--      min_version = TLS1_VERSION;
--      max_version = TLS1_VERSION;
+@@ -588,36 +597,39 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+     } else if (sslmethod == "TLSv1_method") {
+       min_version = TLS1_VERSION;
+       max_version = TLS1_VERSION;
 +      method = TLSv1_method();
-     } else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) {
--      min_version = TLS1_VERSION;
--      max_version = TLS1_VERSION;
+     } else if (sslmethod == "TLSv1_server_method") {
+       min_version = TLS1_VERSION;
+       max_version = TLS1_VERSION;
 -      method = TLS_server_method();
 +      method = TLSv1_server_method();
-     } else if (strcmp(*sslmethod, "TLSv1_client_method") == 0) {
--      min_version = TLS1_VERSION;
--      max_version = TLS1_VERSION;
+     } else if (sslmethod == "TLSv1_client_method") {
+       min_version = TLS1_VERSION;
+       max_version = TLS1_VERSION;
 -      method = TLS_client_method();
 +      method = TLSv1_client_method();
-     } else if (strcmp(*sslmethod, "TLSv1_1_method") == 0) {
--      min_version = TLS1_1_VERSION;
--      max_version = TLS1_1_VERSION;
+     } else if (sslmethod == "TLSv1_1_method") {
+       min_version = TLS1_1_VERSION;
+       max_version = TLS1_1_VERSION;
 +      method = TLSv1_1_method();
-     } else if (strcmp(*sslmethod, "TLSv1_1_server_method") == 0) {
--      min_version = TLS1_1_VERSION;
--      max_version = TLS1_1_VERSION;
+     } else if (sslmethod == "TLSv1_1_server_method") {
+       min_version = TLS1_1_VERSION;
+       max_version = TLS1_1_VERSION;
 -      method = TLS_server_method();
 +      method = TLSv1_1_server_method();
-     } else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) {
--      min_version = TLS1_1_VERSION;
--      max_version = TLS1_1_VERSION;
+     } else if (sslmethod == "TLSv1_1_client_method") {
+       min_version = TLS1_1_VERSION;
+       max_version = TLS1_1_VERSION;
 -      method = TLS_client_method();
 +      method = TLSv1_1_client_method();
-     } else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) {
--      min_version = TLS1_2_VERSION;
--      max_version = TLS1_2_VERSION;
+     } else if (sslmethod == "TLSv1_2_method") {
+       min_version = TLS1_2_VERSION;
+       max_version = TLS1_2_VERSION;
 +      method = TLSv1_2_method();
-     } else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) {
--      min_version = TLS1_2_VERSION;
--      max_version = TLS1_2_VERSION;
+     } else if (sslmethod == "TLSv1_2_server_method") {
+       min_version = TLS1_2_VERSION;
+       max_version = TLS1_2_VERSION;
 -      method = TLS_server_method();
 +      method = TLSv1_2_server_method();
-     } else if (strcmp(*sslmethod, "TLSv1_2_client_method") == 0) {
--      min_version = TLS1_2_VERSION;
--      max_version = TLS1_2_VERSION;
+     } else if (sslmethod == "TLSv1_2_client_method") {
+       min_version = TLS1_2_VERSION;
+       max_version = TLS1_2_VERSION;
 -      method = TLS_client_method();
 +      method = TLSv1_2_client_method();
      } else {
        const std::string msg("Unknown method: ");
        THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, (msg + * sslmethod).c_str());
-@@ -654,8 +648,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
+@@ -647,8 +659,14 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
                                   SSL_SESS_CACHE_NO_INTERNAL |
                                   SSL_SESS_CACHE_NO_AUTO_CLEAR);
  
@@ -133,7 +131,7 @@ index 23c460ee49..3cee36d62c 100644
  
    // OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
    // exposed in the public API. To retain compatibility, install a callback
-@@ -1251,6 +1251,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
+@@ -1244,6 +1262,65 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
      return env->ThrowTypeError("Error setting temp DH parameter");
  }
  
@@ -199,7 +197,7 @@ index 23c460ee49..3cee36d62c 100644
  
  void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
-@@ -1261,7 +1320,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1254,7 +1331,12 @@ void SecureContext::SetMinProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -212,7 +210,7 @@ index 23c460ee49..3cee36d62c 100644
  }
  
  
-@@ -1274,7 +1338,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1267,7 +1349,12 @@ void SecureContext::SetMaxProto(const FunctionCallbackInfo<Value>& args) {
  
    int version = args[0].As<Int32>()->Value();
  
@@ -225,7 +223,7 @@ index 23c460ee49..3cee36d62c 100644
  }
  
  
-@@ -1285,7 +1354,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1278,7 +1365,11 @@ void SecureContext::GetMinProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -237,7 +235,7 @@ index 23c460ee49..3cee36d62c 100644
    args.GetReturnValue().Set(static_cast<uint32_t>(version));
  }
  
-@@ -1297,11 +1370,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
+@@ -1290,11 +1381,14 @@ void SecureContext::GetMaxProto(const FunctionCallbackInfo<Value>& args) {
    CHECK_EQ(args.Length(), 0);
  
    long version =  // NOLINT(runtime/int)
@@ -253,7 +251,7 @@ index 23c460ee49..3cee36d62c 100644
  void SecureContext::SetOptions(const FunctionCallbackInfo<Value>& args) {
    SecureContext* sc;
    ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
-@@ -6797,8 +6873,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
+@@ -6892,8 +6986,72 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
        CRYPTO_memcmp(buf1.data(), buf2.data(), buf1.length()) == 0);
  }
  
@@ -328,10 +326,10 @@ index 23c460ee49..3cee36d62c 100644
  
    // --openssl-config=...
 diff --git a/src/node_crypto.h b/src/node_crypto.h
-index 5e8e6ac000..d165b5f194 100644
+index 7d6417b66f..746a2a3fc7 100644
 --- a/src/node_crypto.h
 +++ b/src/node_crypto.h
-@@ -181,6 +181,20 @@ class SecureContext final : public BaseObject {
+@@ -182,6 +182,20 @@ class SecureContext final : public BaseObject {
  
    SecureContext(Environment* env, v8::Local<v8::Object> wrap);
    void Reset();
@@ -353,5 +351,5 @@ index 5e8e6ac000..d165b5f194 100644
  
  // SSLWrap implicitly depends on the inheriting class' handle having an
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
index 799d660..67a2a97 100644
--- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
+++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
@@ -1,6 +1,6 @@
-From a081a5fc3d039d1863fed4b0aa07cdbc27f92dc3 Mon Sep 17 00:00:00 2001
+From 77cbd12e600a599351ec3b0b0302c7fcd1f9ec0b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Fri, 2 Oct 2020 13:01:37 +0200
+Date: Mon, 23 Nov 2020 11:57:32 +0100
 Subject: [PATCH] Disable unsupported OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -41,10 +41,10 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
 
 diff --git a/doc/api/cli.md b/doc/api/cli.md
-index 27ab46d555..60fcf6b592 100644
+index e6d49feef6..47976c670b 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
-@@ -770,14 +770,6 @@ added: v12.0.0
+@@ -810,14 +810,6 @@ added: v12.0.0
  Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
  TLSv1.3.
  
@@ -59,7 +59,7 @@ index 27ab46d555..60fcf6b592 100644
  ### `--tls-min-v1.0`
  <!-- YAML
  added: v12.0.0
-@@ -803,14 +795,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
+@@ -843,14 +835,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
  12.x and later, but the option is supported for compatibility with older Node.js
  versions.
  
@@ -74,7 +74,7 @@ index 27ab46d555..60fcf6b592 100644
  ### `--trace-deprecation`
  <!-- YAML
  added: v0.8.0
-@@ -1192,11 +1176,9 @@ Node.js options that are allowed are:
+@@ -1234,11 +1218,9 @@ Node.js options that are allowed are:
  * `--tls-cipher-list`
  * `--tls-keylog`
  * `--tls-max-v1.2`
@@ -87,10 +87,10 @@ index 27ab46d555..60fcf6b592 100644
  * `--trace-event-categories`
  * `--trace-event-file-pattern`
 diff --git a/doc/api/tls.md b/doc/api/tls.md
-index 41f99c91c8..57bef67b29 100644
+index 12d724e4d4..af3e42fcbe 100644
 --- a/doc/api/tls.md
 +++ b/doc/api/tls.md
-@@ -1810,10 +1810,10 @@ added: v11.4.0
+@@ -1947,10 +1947,10 @@ added: v11.4.0
  
  * {string} The default value of the `maxVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -105,7 +105,7 @@ index 41f99c91c8..57bef67b29 100644
    highest maximum is used.
  
  ## `tls.DEFAULT_MIN_VERSION`
-@@ -1823,12 +1823,11 @@ added: v11.4.0
+@@ -1960,12 +1960,11 @@ added: v11.4.0
  
  * {string} The default value of the `minVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -119,10 +119,10 @@ index 41f99c91c8..57bef67b29 100644
 +  the default to `'TLSv1.1'`. If multiple of the options are provided,
 +  the lowest minimum is used.
  
- ## Deprecated APIs
- 
+ [`'newSession'`]: #tls_event_newsession
+ [`'resumeSession'`]: #tls_event_resumesession
 diff --git a/src/env.h b/src/env.h
-index d22b579b25..52076eb141 100644
+index d0c0a18796..3df8b45532 100644
 --- a/src/env.h
 +++ b/src/env.h
 @@ -51,6 +51,8 @@
@@ -148,7 +148,7 @@ index d22b579b25..52076eb141 100644
  // Private symbols are per-isolate primitives but Environment proxies them
  // for the sake of convenience.  Strings should be ASCII-only and have a
  // "node:" prefix to avoid name clashes with third-party code.
-@@ -359,7 +368,7 @@ constexpr size_t kFsStatsBufferLength =
+@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =
    V(sni_context_string, "sni_context")                                         \
    V(source_string, "source")                                                   \
    V(stack_string, "stack")                                                     \
@@ -158,7 +158,7 @@ index d22b579b25..52076eb141 100644
    V(status_string, "status")                                                   \
    V(stdio_string, "stdio")                                                     \
 diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
-index 3b35ee1ff7..e253d1445b 100644
+index d1d9edd6cd..a5724a51fe 100644
 --- a/src/node_crypto_common.cc
 +++ b/src/node_crypto_common.cc
 @@ -210,6 +210,7 @@ long VerifyPeerCertificate(  // NOLINT(runtime/int)
@@ -193,23 +193,21 @@ index 3b35ee1ff7..e253d1445b 100644
  
  const char* GetServerName(SSL* ssl) {
    return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-@@ -394,6 +398,7 @@ MaybeLocal<Value> GetCipherName(
-   return OneByteString(env->isolate(), SSL_CIPHER_get_name(cipher));
+@@ -405,11 +409,13 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
+   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);
  }
  
 +#if !OPENSSL_IS_LEGACY
  MaybeLocal<Value> GetCipherStandardName(
      Environment* env,
      const SSL_CIPHER* cipher) {
-@@ -402,6 +407,7 @@ MaybeLocal<Value> GetCipherStandardName(
- 
-   return OneByteString(env->isolate(), SSL_CIPHER_standard_name(cipher));
+   return GetCipherValue(env, cipher, SSL_CIPHER_standard_name);
  }
-+#endif // !OPENSSL_IS_LEGACY
++#endif  // !OPENSSL_IS_LEGACY
  
- MaybeLocal<Value> GetCipherVersion(
-     Environment* env,
-@@ -758,16 +764,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
+ MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
+   return GetCipherValue(env, cipher, SSL_CIPHER_get_version);
+@@ -761,16 +767,19 @@ MaybeLocal<Value> GetCipherName(Environment* env, const SSLPointer& ssl) {
    return GetCipherName(env, SSL_get_current_cipher(ssl.get()));
  }
  
@@ -229,7 +227,7 @@ index 3b35ee1ff7..e253d1445b 100644
  MaybeLocal<Array> GetClientHelloCiphers(
      Environment* env,
      const SSLPointer& ssl) {
-@@ -800,6 +809,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
+@@ -803,6 +812,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
    Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
    return scope.Escape(ret);
  }
@@ -237,7 +235,7 @@ index 3b35ee1ff7..e253d1445b 100644
  
  
  MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
-@@ -810,10 +820,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
+@@ -813,10 +823,12 @@ MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
                    info,
                    env->name_string(),
                    GetCipherName(env, ssl)) ||
@@ -287,7 +285,7 @@ index c373a97e47..220cb109bc 100644
  v8::MaybeLocal<v8::Value> GetCipherVersion(
      Environment* env,
 diff --git a/src/node_options.cc b/src/node_options.cc
-index 047237a31e..1e4f5173a1 100644
+index 824004631f..6a4431f59b 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -9,6 +9,8 @@
@@ -312,7 +310,7 @@ index 047237a31e..1e4f5173a1 100644
  
  #if HAVE_INSPECTOR
    if (!cpu_prof) {
-@@ -523,14 +527,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -541,14 +545,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
              &EnvironmentOptions::tls_min_v1_2,
              kAllowedInEnvironment);
@@ -331,7 +329,7 @@ index 047237a31e..1e4f5173a1 100644
    // Current plan is:
    // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
    // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
-@@ -539,6 +546,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -557,6 +564,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
              &EnvironmentOptions::tls_max_v1_3,
              kAllowedInEnvironment);
@@ -352,5 +350,5 @@ similarity index 100%
 rename from test/parallel/test-tls-cli-min-version-1.3.js
 rename to test/known_issues/test-tls-cli-min-version-1.3.js
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/0005-Adjust-test-expectations.patch b/SOURCES/0005-Adjust-test-expectations.patch
new file mode 100644
index 0000000..bcfde44
--- /dev/null
+++ b/SOURCES/0005-Adjust-test-expectations.patch
@@ -0,0 +1,240 @@
+From 91103dfdfdc7d34549e831717cf3f430b7f019e1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
+Date: Mon, 23 Nov 2020 11:58:10 +0100
+Subject: [PATCH] Adjust test expectations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+- Modify expected error messages
+
+- https-agent-create-connection: Establish secure connection
+
+- Add back workaround for OpenSSL 1.0
+
+  This reverts commit ba7551cad8abd2e460763b06efa4207be96a7a19.
+
+- tls-dhe: Do not hang on unexpected cipher
+
+Signed-off-by: Jan Staněk <jstanek@redhat.com>
+---
+ test/parallel/test-crypto.js                  |  4 +-
+ .../test-https-agent-create-connection.js     |  2 +-
+ .../test-https-agent-session-eviction.js      | 42 +++++++++++++++----
+ test/parallel/test-tls-alert-handling.js      |  2 +-
+ test/parallel/test-tls-dhe.js                 |  5 ++-
+ test/parallel/test-tls-empty-sni-context.js   |  2 +-
+ test/parallel/test-tls-env-bad-extra-ca.js    |  2 +-
+ test/parallel/test-tls-min-max-version.js     | 15 ++++---
+ 8 files changed, 54 insertions(+), 20 deletions(-)
+
+diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
+index 7216523819..0bc35b47ee 100644
+--- a/test/parallel/test-crypto.js
++++ b/test/parallel/test-crypto.js
+@@ -224,9 +224,9 @@ assert.throws(() => {
+ }, (err) => {
+   // Do the standard checks, but then do some custom checks afterwards.
+   assert.throws(() => { throw err; }, {
+-    message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag',
++    message: 'error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag',
+     library: 'asn1 encoding routines',
+-    function: 'asn1_check_tlen',
++    function: 'ASN1_CHECK_TLEN',
+     reason: 'wrong tag',
+     code: 'ERR_OSSL_ASN1_WRONG_TAG',
+   });
+diff --git a/test/parallel/test-https-agent-create-connection.js b/test/parallel/test-https-agent-create-connection.js
+index d4840298aa..dcd1927b57 100644
+--- a/test/parallel/test-https-agent-create-connection.js
++++ b/test/parallel/test-https-agent-create-connection.js
+@@ -145,7 +145,7 @@ function createServer() {
+     };
+ 
+     const socket = agent.createConnection(port, host, options);
+-    socket.on('connect', common.mustCall((data) => {
++    socket.on('secure', common.mustCall((data) => {
+       socket.end();
+     }));
+     socket.on('end', common.mustCall(() => {
+diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
+index 3f5cd36e8b..8e13b150bb 100644
+--- a/test/parallel/test-https-agent-session-eviction.js
++++ b/test/parallel/test-https-agent-session-eviction.js
+@@ -7,8 +7,10 @@ const { readKey } = require('../common/fixtures');
+ if (!common.hasCrypto)
+   common.skip('missing crypto');
+ 
++const assert = require('assert');
+ const https = require('https');
+-const { SSL_OP_NO_TICKET } = require('crypto').constants;
++const { OPENSSL_VERSION_NUMBER, SSL_OP_NO_TICKET } =
++    require('crypto').constants;
+ 
+ const options = {
+   key: readKey('agent1-key.pem'),
+@@ -58,12 +60,38 @@ function second(server, session) {
+     res.resume();
+   });
+ 
+-  // Although we have a TLS 1.2 session to offer to the TLS 1.0 server,
+-  // connection to the TLS 1.0 server should work.
+-  req.on('response', common.mustCall(function(res) {
+-    // The test is now complete for OpenSSL 1.1.0.
+-    server.close();
+-  }));
++  if (OPENSSL_VERSION_NUMBER >= 0x10100000) {
++    // Although we have a TLS 1.2 session to offer to the TLS 1.0 server,
++    // connection to the TLS 1.0 server should work.
++    req.on('response', common.mustCall(function(res) {
++      // The test is now complete for OpenSSL 1.1.0.
++      server.close();
++    }));
++  } else {
++    // OpenSSL 1.0.x mistakenly locked versions based on the session it was
++    // offering. This causes this sequent request to fail. Let it fail, but
++    // test that this is mitigated on the next try by invalidating the session.
++    req.on('error', common.mustCall(function(err) {
++      assert(/wrong version number/.test(err.message));
++
++      req.on('close', function() {
++        third(server);
++      });
++    }));
++  }
++  req.end();
++}
+ 
++// Try one more time - session should be evicted!
++function third(server) {
++  const req = https.request({
++    port: server.address().port,
++    rejectUnauthorized: false
++  }, function(res) {
++    res.resume();
++    assert(!req.socket.isSessionReused());
++    server.close();
++  });
++  req.on('error', common.mustNotCall());
+   req.end();
+ }
+diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
+index f9f42e2d51..9dc4637ff0 100644
+--- a/test/parallel/test-tls-alert-handling.js
++++ b/test/parallel/test-tls-alert-handling.js
+@@ -33,7 +33,7 @@ let iter = 0;
+ const errorHandler = common.mustCall((err) => {
+   assert.strictEqual(err.code, 'ERR_SSL_WRONG_VERSION_NUMBER');
+   assert.strictEqual(err.library, 'SSL routines');
+-  assert.strictEqual(err.function, 'ssl3_get_record');
++  assert.strictEqual(err.function, 'SSL3_GET_RECORD');
+   assert.strictEqual(err.reason, 'wrong version number');
+   errorReceived = true;
+   if (canCloseServer())
+diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
+index ef645ce1b6..737330345b 100644
+--- a/test/parallel/test-tls-dhe.js
++++ b/test/parallel/test-tls-dhe.js
+@@ -81,8 +81,8 @@ function test(keylen, expectedCipher, cb) {
+       const reg = new RegExp(`Cipher    : ${expectedCipher}`);
+       if (reg.test(out)) {
+         nsuccess++;
+-        server.close();
+       }
++      server.close();
+     });
+   });
+ }
+@@ -104,6 +104,7 @@ function test2048() {
+ }
+ 
+ function testError() {
++  // this one fails
+   test('error', 'ECDHE-RSA-AES128-SHA256', test512);
+   ntests++;
+ }
+@@ -111,6 +112,6 @@ function testError() {
+ test1024();
+ 
+ process.on('exit', function() {
+-  assert.strictEqual(ntests, nsuccess);
++  assert.strictEqual(nsuccess, 2);
+   assert.strictEqual(ntests, 3);
+ });
+diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js
+index 9b963e6629..fe8753c602 100644
+--- a/test/parallel/test-tls-empty-sni-context.js
++++ b/test/parallel/test-tls-empty-sni-context.js
+@@ -26,6 +26,6 @@ const server = tls.createServer(options, (c) => {
+   }, common.mustNotCall());
+ 
+   c.on('error', common.mustCall((err) => {
+-    assert(/Client network socket disconnected/.test(err.message));
++    assert(/Client network socket disconnected|handshake failure/.test(err.message));
+   }));
+ }));
+diff --git a/test/parallel/test-tls-env-bad-extra-ca.js b/test/parallel/test-tls-env-bad-extra-ca.js
+index 5ba1e227d2..0af6756dda 100644
+--- a/test/parallel/test-tls-env-bad-extra-ca.js
++++ b/test/parallel/test-tls-env-bad-extra-ca.js
+@@ -37,7 +37,7 @@ fork(__filename, opts)
+     // TODO(addaleax): Make `SafeGetenv` work like `process.env`
+     // encoding-wise
+     if (!common.isWindows) {
+-      const re = /Warning: Ignoring extra certs from.*no-such-file-exists-🐢.* load failed:.*No such file or directory/;
++      const re = /Warning: Ignoring extra certs from.*no-such-file-exists-🐢.* load failed:.*/;
+       assert(re.test(stderr), stderr);
+     }
+   }))
+diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
+index 7ef0f12426..4fcb9247d3 100644
+--- a/test/parallel/test-tls-min-max-version.js
++++ b/test/parallel/test-tls-min-max-version.js
+@@ -52,6 +52,11 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
+       }
+       if (serr) {
+         assert(pair.server.err);
++        // Accept these codes as aliases, the one reported depends on the
++        // OpenSSL version.
++        if (serr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
++            pair.server.err.code === 'ERR_SSL_UNKNOWN_PROTOCOL')
++          serr = 'ERR_SSL_UNKNOWN_PROTOCOL';
+         assert.strictEqual(pair.server.err.code, serr);
+       }
+       return cleanup();
+@@ -131,9 +136,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
+   test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
+        U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
+   test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
+-       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+   test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
+-       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+ }
+ 
+ if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
+@@ -167,9 +172,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
+ 
+   if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
+     test(U, U, U, U, U, 'TLSv1_1_method',
+-         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+     test(U, U, U, U, U, 'TLSv1_method',
+-         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+   } else {
+     // TLS1.3 client hellos are are not understood by TLS1.1 or below.
+     test(U, U, U, U, U, 'TLSv1_1_method',
+@@ -188,7 +193,7 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
+ 
+   if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
+     test(U, U, U, U, U, 'TLSv1_method',
+-         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
++         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
+   } else {
+     // TLS1.3 client hellos are are not understood by TLS1.1 or below.
+     test(U, U, U, U, U, 'TLSv1_method',
+-- 
+2.28.0
+
diff --git a/SOURCES/0005-Adjust-tests-expectations.patch b/SOURCES/0005-Adjust-tests-expectations.patch
deleted file mode 100644
index ae6f44d..0000000
--- a/SOURCES/0005-Adjust-tests-expectations.patch
+++ /dev/null
@@ -1,240 +0,0 @@
-From 41c8ca25d09862d473f3e741698c77f007cd0092 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Fri, 2 Oct 2020 13:02:14 +0200
-Subject: [PATCH] Adjust tests expectations
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-- Modify expected error messages
-
-- https-agent-create-connection: Establish secure connection
-
-- Add back workaround for OpenSSL 1.0
-
-  This reverts commit ba7551cad8abd2e460763b06efa4207be96a7a19.
-
-- tls-dhe: Do not hang on unexpected cipher
-
-Signed-off-by: Jan Staněk <jstanek@redhat.com>
----
- test/parallel/test-crypto.js                  |  4 +-
- .../test-https-agent-create-connection.js     |  2 +-
- .../test-https-agent-session-eviction.js      | 42 +++++++++++++++----
- test/parallel/test-tls-alert-handling.js      |  2 +-
- test/parallel/test-tls-dhe.js                 |  5 ++-
- test/parallel/test-tls-empty-sni-context.js   |  2 +-
- test/parallel/test-tls-env-bad-extra-ca.js    |  2 +-
- test/parallel/test-tls-min-max-version.js     | 15 ++++---
- 8 files changed, 54 insertions(+), 20 deletions(-)
-
-diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
-index 7216523819..0bc35b47ee 100644
---- a/test/parallel/test-crypto.js
-+++ b/test/parallel/test-crypto.js
-@@ -224,9 +224,9 @@ assert.throws(() => {
- }, (err) => {
-   // Do the standard checks, but then do some custom checks afterwards.
-   assert.throws(() => { throw err; }, {
--    message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag',
-+    message: 'error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag',
-     library: 'asn1 encoding routines',
--    function: 'asn1_check_tlen',
-+    function: 'ASN1_CHECK_TLEN',
-     reason: 'wrong tag',
-     code: 'ERR_OSSL_ASN1_WRONG_TAG',
-   });
-diff --git a/test/parallel/test-https-agent-create-connection.js b/test/parallel/test-https-agent-create-connection.js
-index d4840298aa..dcd1927b57 100644
---- a/test/parallel/test-https-agent-create-connection.js
-+++ b/test/parallel/test-https-agent-create-connection.js
-@@ -145,7 +145,7 @@ function createServer() {
-     };
- 
-     const socket = agent.createConnection(port, host, options);
--    socket.on('connect', common.mustCall((data) => {
-+    socket.on('secure', common.mustCall((data) => {
-       socket.end();
-     }));
-     socket.on('end', common.mustCall(() => {
-diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js
-index 3f5cd36e8b..8e13b150bb 100644
---- a/test/parallel/test-https-agent-session-eviction.js
-+++ b/test/parallel/test-https-agent-session-eviction.js
-@@ -7,8 +7,10 @@ const { readKey } = require('../common/fixtures');
- if (!common.hasCrypto)
-   common.skip('missing crypto');
- 
-+const assert = require('assert');
- const https = require('https');
--const { SSL_OP_NO_TICKET } = require('crypto').constants;
-+const { OPENSSL_VERSION_NUMBER, SSL_OP_NO_TICKET } =
-+    require('crypto').constants;
- 
- const options = {
-   key: readKey('agent1-key.pem'),
-@@ -58,12 +60,38 @@ function second(server, session) {
-     res.resume();
-   });
- 
--  // Although we have a TLS 1.2 session to offer to the TLS 1.0 server,
--  // connection to the TLS 1.0 server should work.
--  req.on('response', common.mustCall(function(res) {
--    // The test is now complete for OpenSSL 1.1.0.
--    server.close();
--  }));
-+  if (OPENSSL_VERSION_NUMBER >= 0x10100000) {
-+    // Although we have a TLS 1.2 session to offer to the TLS 1.0 server,
-+    // connection to the TLS 1.0 server should work.
-+    req.on('response', common.mustCall(function(res) {
-+      // The test is now complete for OpenSSL 1.1.0.
-+      server.close();
-+    }));
-+  } else {
-+    // OpenSSL 1.0.x mistakenly locked versions based on the session it was
-+    // offering. This causes this sequent request to fail. Let it fail, but
-+    // test that this is mitigated on the next try by invalidating the session.
-+    req.on('error', common.mustCall(function(err) {
-+      assert(/wrong version number/.test(err.message));
-+
-+      req.on('close', function() {
-+        third(server);
-+      });
-+    }));
-+  }
-+  req.end();
-+}
- 
-+// Try one more time - session should be evicted!
-+function third(server) {
-+  const req = https.request({
-+    port: server.address().port,
-+    rejectUnauthorized: false
-+  }, function(res) {
-+    res.resume();
-+    assert(!req.socket.isSessionReused());
-+    server.close();
-+  });
-+  req.on('error', common.mustNotCall());
-   req.end();
- }
-diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js
-index f9f42e2d51..9dc4637ff0 100644
---- a/test/parallel/test-tls-alert-handling.js
-+++ b/test/parallel/test-tls-alert-handling.js
-@@ -33,7 +33,7 @@ let iter = 0;
- const errorHandler = common.mustCall((err) => {
-   assert.strictEqual(err.code, 'ERR_SSL_WRONG_VERSION_NUMBER');
-   assert.strictEqual(err.library, 'SSL routines');
--  assert.strictEqual(err.function, 'ssl3_get_record');
-+  assert.strictEqual(err.function, 'SSL3_GET_RECORD');
-   assert.strictEqual(err.reason, 'wrong version number');
-   errorReceived = true;
-   if (canCloseServer())
-diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js
-index ef645ce1b6..737330345b 100644
---- a/test/parallel/test-tls-dhe.js
-+++ b/test/parallel/test-tls-dhe.js
-@@ -81,8 +81,8 @@ function test(keylen, expectedCipher, cb) {
-       const reg = new RegExp(`Cipher    : ${expectedCipher}`);
-       if (reg.test(out)) {
-         nsuccess++;
--        server.close();
-       }
-+      server.close();
-     });
-   });
- }
-@@ -104,6 +104,7 @@ function test2048() {
- }
- 
- function testError() {
-+  // this one fails
-   test('error', 'ECDHE-RSA-AES128-SHA256', test512);
-   ntests++;
- }
-@@ -111,6 +112,6 @@ function testError() {
- test1024();
- 
- process.on('exit', function() {
--  assert.strictEqual(ntests, nsuccess);
-+  assert.strictEqual(nsuccess, 2);
-   assert.strictEqual(ntests, 3);
- });
-diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js
-index 9b963e6629..fe8753c602 100644
---- a/test/parallel/test-tls-empty-sni-context.js
-+++ b/test/parallel/test-tls-empty-sni-context.js
-@@ -26,6 +26,6 @@ const server = tls.createServer(options, (c) => {
-   }, common.mustNotCall());
- 
-   c.on('error', common.mustCall((err) => {
--    assert(/Client network socket disconnected/.test(err.message));
-+    assert(/Client network socket disconnected|handshake failure/.test(err.message));
-   }));
- }));
-diff --git a/test/parallel/test-tls-env-bad-extra-ca.js b/test/parallel/test-tls-env-bad-extra-ca.js
-index 5ba1e227d2..0af6756dda 100644
---- a/test/parallel/test-tls-env-bad-extra-ca.js
-+++ b/test/parallel/test-tls-env-bad-extra-ca.js
-@@ -37,7 +37,7 @@ fork(__filename, opts)
-     // TODO(addaleax): Make `SafeGetenv` work like `process.env`
-     // encoding-wise
-     if (!common.isWindows) {
--      const re = /Warning: Ignoring extra certs from.*no-such-file-exists-🐢.* load failed:.*No such file or directory/;
-+      const re = /Warning: Ignoring extra certs from.*no-such-file-exists-🐢.* load failed:.*/;
-       assert(re.test(stderr), stderr);
-     }
-   }))
-diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
-index 7ef0f12426..4fcb9247d3 100644
---- a/test/parallel/test-tls-min-max-version.js
-+++ b/test/parallel/test-tls-min-max-version.js
-@@ -52,6 +52,11 @@ function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
-       }
-       if (serr) {
-         assert(pair.server.err);
-+        // Accept these codes as aliases, the one reported depends on the
-+        // OpenSSL version.
-+        if (serr === 'ERR_SSL_UNSUPPORTED_PROTOCOL' &&
-+            pair.server.err.code === 'ERR_SSL_UNKNOWN_PROTOCOL')
-+          serr = 'ERR_SSL_UNKNOWN_PROTOCOL';
-         assert.strictEqual(pair.server.err.code, serr);
-       }
-       return cleanup();
-@@ -131,9 +136,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
-   test(U, U, 'TLSv1_method', U, U, 'SSLv23_method',
-        U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL');
-   test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method',
--       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
-+       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
-   test(U, U, 'SSLv23_method', U, U, 'TLSv1_method',
--       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
-+       U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
- }
- 
- if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
-@@ -167,9 +172,9 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.2') {
- 
-   if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
-     test(U, U, U, U, U, 'TLSv1_1_method',
--         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
-+         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
-     test(U, U, U, U, U, 'TLSv1_method',
--         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
-+         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
-   } else {
-     // TLS1.3 client hellos are are not understood by TLS1.1 or below.
-     test(U, U, U, U, U, 'TLSv1_1_method',
-@@ -188,7 +193,7 @@ if (DEFAULT_MIN_VERSION === 'TLSv1.1') {
- 
-   if (DEFAULT_MAX_VERSION === 'TLSv1.2') {
-     test(U, U, U, U, U, 'TLSv1_method',
--         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER');
-+         U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ECONNRESET');
-   } else {
-     // TLS1.3 client hellos are are not understood by TLS1.1 or below.
-     test(U, U, U, U, U, 'TLSv1_method',
--- 
-2.26.2
-
diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
index d846462..816ec4d 100644
--- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch
+++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
@@ -1,6 +1,6 @@
-From 6aa48d282cc734b264ec2172b3ab84d47a853215 Mon Sep 17 00:00:00 2001
+From e135e79baadde7e26c18b7fc898af950ee870f84 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Fri, 2 Oct 2020 13:03:07 +0200
+Date: Mon, 23 Nov 2020 11:59:40 +0100
 Subject: [PATCH] Disable tests for unsupported features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -810,5 +810,5 @@ index 4bcdf36860..0642e18d5e 100644
  test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
  // Recognized user but incorrect secret should fail handshake
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch
index 878f914..de41f4e 100644
--- a/SOURCES/0007-Disable-tests-for-known-issues.patch
+++ b/SOURCES/0007-Disable-tests-for-known-issues.patch
@@ -1,6 +1,6 @@
-From 70d092bee389cf181616e7db3aabbd373c7dc8d8 Mon Sep 17 00:00:00 2001
+From 03bd2c4427a04d2affb16fe035d613723c31dc03 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Fri, 2 Oct 2020 13:03:30 +0200
+Date: Mon, 23 Nov 2020 12:00:05 +0100
 Subject: [PATCH] Disable tests for known issues
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -162,5 +162,5 @@ similarity index 100%
 rename from test/parallel/test-tls-set-sigalgs.js
 rename to test/known_issues/test-tls-set-sigalgs.js
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/0008-Disable-architecture-specific-failing-tests.patch b/SOURCES/0008-Disable-architecture-specific-failing-tests.patch
index 8edc364..881b38a 100644
--- a/SOURCES/0008-Disable-architecture-specific-failing-tests.patch
+++ b/SOURCES/0008-Disable-architecture-specific-failing-tests.patch
@@ -1,12 +1,14 @@
-From c070ff6fe8a5dda6965e293e25b86bec877c1cc0 Mon Sep 17 00:00:00 2001
+From 1720f9c816214e849daa8e14e3502038817a04f3 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
-Date: Wed, 7 Oct 2020 09:34:26 +0200
+Date: Mon, 23 Nov 2020 12:00:52 +0100
 Subject: [PATCH] Disable architecture-specific failing tests
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
-- sequential/test-worker-prof: Times out on s390x.
+- Disable sequential/test-worker-prof
+
+  It times out on s390x.
 
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
@@ -19,5 +21,5 @@ similarity index 100%
 rename from test/sequential/test-worker-prof.js
 rename to test/known_issues/test-worker-prof.js
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/deps-Remove-statx-from-libuv.patch b/SOURCES/deps-Remove-statx-from-libuv.patch
index 86d1161..d4835e2 100644
--- a/SOURCES/deps-Remove-statx-from-libuv.patch
+++ b/SOURCES/deps-Remove-statx-from-libuv.patch
@@ -1,4 +1,4 @@
-From f8d6f549073709287fa26f3306b850d9030bb5c5 Mon Sep 17 00:00:00 2001
+From cf239aeb9b24ac397a3a9a3c20f000c31c3e3a77 Mon Sep 17 00:00:00 2001
 From: Zuzana Svetlikova <zsvetlik@redhat.com>
 Date: Wed, 19 Feb 2020 10:32:33 +0000
 Subject: [PATCH] deps: Remove statx from libuv
@@ -11,10 +11,10 @@ Signed-off-by: rpm-build <rpm-build>
  3 files changed, 158 deletions(-)
 
 diff --git a/deps/uv/src/unix/fs.c b/deps/uv/src/unix/fs.c
-index 5f5d36a..856dc4e 100644
+index 87cb8b8..0a85307 100644
 --- a/deps/uv/src/unix/fs.c
 +++ b/deps/uv/src/unix/fs.c
-@@ -1341,93 +1341,10 @@ static void uv__to_stat(struct stat* src, uv_stat_t* dst) {
+@@ -1370,93 +1370,10 @@ static void uv__to_stat(struct stat* src, uv_stat_t* dst) {
  }
  
  
@@ -32,7 +32,7 @@ index 5f5d36a..856dc4e 100644
 -  int mode;
 -  int rc;
 -
--  if (no_statx)
+-  if (uv__load_relaxed(&no_statx))
 -    return UV_ENOSYS;
 -
 -  dirfd = AT_FDCWD;
@@ -65,7 +65,7 @@ index 5f5d36a..856dc4e 100644
 -     * implemented, rc might return 1 with 0 set as the error code in which
 -     * case we return ENOSYS.
 -     */
--    no_statx = 1;
+-    uv__store_relaxed(&no_statx, 1);
 -    return UV_ENOSYS;
 -  }
 -
@@ -108,7 +108,7 @@ index 5f5d36a..856dc4e 100644
    ret = stat(path, &pbuf);
    if (ret == 0)
      uv__to_stat(&pbuf, buf);
-@@ -1440,10 +1357,6 @@ static int uv__fs_lstat(const char *path, uv_stat_t *buf) {
+@@ -1469,10 +1386,6 @@ static int uv__fs_lstat(const char *path, uv_stat_t *buf) {
    struct stat pbuf;
    int ret;
  
@@ -119,7 +119,7 @@ index 5f5d36a..856dc4e 100644
    ret = lstat(path, &pbuf);
    if (ret == 0)
      uv__to_stat(&pbuf, buf);
-@@ -1456,10 +1369,6 @@ static int uv__fs_fstat(int fd, uv_stat_t *buf) {
+@@ -1485,10 +1398,6 @@ static int uv__fs_fstat(int fd, uv_stat_t *buf) {
    struct stat pbuf;
    int ret;
  
@@ -131,12 +131,12 @@ index 5f5d36a..856dc4e 100644
    if (ret == 0)
      uv__to_stat(&pbuf, buf);
 diff --git a/deps/uv/src/unix/linux-syscalls.c b/deps/uv/src/unix/linux-syscalls.c
-index 742f26a..2c949f0 100644
+index 160056b..e41f8c9 100644
 --- a/deps/uv/src/unix/linux-syscalls.c
 +++ b/deps/uv/src/unix/linux-syscalls.c
-@@ -94,22 +94,6 @@
+@@ -112,22 +112,6 @@
  # endif
- #endif /* __NR_pwritev */
+ #endif /* __NR_copy_file_range */
  
 -#ifndef __NR_statx
 -# if defined(__x86_64__)
@@ -157,7 +157,7 @@ index 742f26a..2c949f0 100644
  #ifndef __NR_getrandom
  # if defined(__x86_64__)
  #  define __NR_getrandom 318
-@@ -180,22 +164,6 @@ int uv__dup3(int oldfd, int newfd, int flags) {
+@@ -220,22 +204,6 @@ uv__fs_copy_file_range(int fd_in,
  }
  
  
@@ -181,10 +181,10 @@ index 742f26a..2c949f0 100644
  #if defined(__NR_getrandom)
    return syscall(__NR_getrandom, buf, buflen, flags);
 diff --git a/deps/uv/src/unix/linux-syscalls.h b/deps/uv/src/unix/linux-syscalls.h
-index 2e8fa2a..2f1bc11 100644
+index 761ff32..5dcf3a3 100644
 --- a/deps/uv/src/unix/linux-syscalls.h
 +++ b/deps/uv/src/unix/linux-syscalls.h
-@@ -31,44 +31,9 @@
+@@ -31,36 +31,6 @@
  #include <sys/time.h>
  #include <sys/socket.h>
  
@@ -221,6 +221,10 @@ index 2e8fa2a..2f1bc11 100644
  ssize_t uv__preadv(int fd, const struct iovec *iov, int iovcnt, int64_t offset);
  ssize_t uv__pwritev(int fd, const struct iovec *iov, int iovcnt, int64_t offset);
  int uv__dup3(int oldfd, int newfd, int flags);
+@@ -71,11 +41,6 @@ uv__fs_copy_file_range(int fd_in,
+                        ssize_t* off_out,
+                        size_t len,
+                        unsigned int flags);
 -int uv__statx(int dirfd,
 -              const char* path,
 -              int flags,
@@ -230,5 +234,5 @@ index 2e8fa2a..2f1bc11 100644
  
  #endif /* UV_LINUX_SYSCALL_H_ */
 -- 
-2.26.2
+2.28.0
 
diff --git a/SOURCES/deps-ajv-ignore-proto-properties.patch b/SOURCES/deps-ajv-ignore-proto-properties.patch
new file mode 100644
index 0000000..d10b9c8
--- /dev/null
+++ b/SOURCES/deps-ajv-ignore-proto-properties.patch
@@ -0,0 +1,26 @@
+From d06e33cc159627e45205b99fdedb9df22d51f0ee Mon Sep 17 00:00:00 2001
+From: Evgeny Poberezkin <2769109+epoberezkin@users.noreply.github.com>
+Date: Wed, 1 Jul 2020 11:56:05 +0100
+Subject: [PATCH] deps(ajv): ignore proto properties
+
+Fixes: CVE-2020-15366
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/ajv/lib/dot/dependencies.jst | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
+index c41f334..7403105 100644
+--- a/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
++++ b/deps/npm/node_modules/ajv/lib/dot/dependencies.jst
+@@ -19,6 +19,7 @@
+     , $ownProperties = it.opts.ownProperties;
+ 
+   for ($property in $schema) {
++    if ($property == '__proto__') continue;
+     var $sch = $schema[$property];
+     var $deps = Array.isArray($sch) ? $propertyDeps : $schemaDeps;
+     $deps[$property] = $sch;
+-- 
+2.28.0
+
diff --git a/SOURCES/deps-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-81.patch b/SOURCES/deps-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-81.patch
deleted file mode 100644
index b4a023b..0000000
--- a/SOURCES/deps-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-81.patch
+++ /dev/null
@@ -1,103 +0,0 @@
-From 72e3450a325ee7b9f181cccb586bdf56c83aab84 Mon Sep 17 00:00:00 2001
-From: Marco Carini <cmdcarini@gmail.com>
-Date: Mon, 3 Aug 2020 17:16:07 -0500
-Subject: [PATCH] deps(dot-prop): patch 4.2.0 with fixes for CVE-2020-8116
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/dot-prop/index.js     | 18 ++++++++++++++++++
- deps/npm/node_modules/dot-prop/package.json |  6 +++---
- deps/npm/node_modules/dot-prop/readme.md    |  2 ++
- 3 files changed, 23 insertions(+), 3 deletions(-)
-
-diff --git a/deps/npm/node_modules/dot-prop/index.js b/deps/npm/node_modules/dot-prop/index.js
-index 15282bb..189831c 100644
---- a/deps/npm/node_modules/dot-prop/index.js
-+++ b/deps/npm/node_modules/dot-prop/index.js
-@@ -1,6 +1,14 @@
- 'use strict';
- const isObj = require('is-obj');
- 
-+const disallowedKeys = [
-+	'__proto__',
-+	'prototype',
-+	'constructor'
-+];
-+
-+const isValidPath = pathSegments => !pathSegments.some(segment => disallowedKeys.includes(segment));
-+
- function getPathSegments(path) {
- 	const pathArr = path.split('.');
- 	const parts = [];
-@@ -16,6 +24,10 @@ function getPathSegments(path) {
- 		parts.push(p);
- 	}
- 
-+	if (!isValidPath(parts)) {
-+		return [];
-+	}
-+
- 	return parts;
- }
- 
-@@ -26,6 +38,9 @@ module.exports = {
- 		}
- 
- 		const pathArr = getPathSegments(path);
-+		if (pathArr.length === 0) {
-+			return;
-+		}
- 
- 		for (let i = 0; i < pathArr.length; i++) {
- 			if (!Object.prototype.propertyIsEnumerable.call(obj, pathArr[i])) {
-@@ -58,6 +73,9 @@ module.exports = {
- 
- 		const root = obj;
- 		const pathArr = getPathSegments(path);
-+		if (pathArr.length === 0) {
-+			return;
-+		}
- 
- 		for (let i = 0; i < pathArr.length; i++) {
- 			const p = pathArr[i];
-diff --git a/deps/npm/node_modules/dot-prop/package.json b/deps/npm/node_modules/dot-prop/package.json
-index 40fefa3..93daf7d 100644
---- a/deps/npm/node_modules/dot-prop/package.json
-+++ b/deps/npm/node_modules/dot-prop/package.json
-@@ -37,9 +37,9 @@
-   "deprecated": false,
-   "description": "Get, set, or delete a property from a nested object using a dot path",
-   "devDependencies": {
--    "ava": "*",
-+    "ava": "1.4.1",
-     "matcha": "^0.7.0",
--    "xo": "*"
-+    "xo": "0.24.0"
-   },
-   "engines": {
-     "node": ">=4"
-@@ -73,7 +73,7 @@
-     "bench": "matcha bench.js",
-     "test": "xo && ava"
-   },
--  "version": "4.2.0",
-+  "version": "4.2.1",
-   "xo": {
-     "esnext": true
-   }
-diff --git a/deps/npm/node_modules/dot-prop/readme.md b/deps/npm/node_modules/dot-prop/readme.md
-index fab3b7a..0e18f78 100644
---- a/deps/npm/node_modules/dot-prop/readme.md
-+++ b/deps/npm/node_modules/dot-prop/readme.md
-@@ -85,6 +85,8 @@ Path of the property in the object, using `.` to separate each nested key.
- 
- Use `\\.` if you have a `.` in the key.
- 
-+The following path components are invalid and results in `undefined` being returned: `__proto__`, `prototype`, `constructor`.
-+
- #### value
- 
- Type: `any`
--- 
-2.26.2
-
diff --git a/SOURCES/deps-y18n-address-prototype-pollution-issue.patch b/SOURCES/deps-y18n-address-prototype-pollution-issue.patch
new file mode 100644
index 0000000..ef06ee2
--- /dev/null
+++ b/SOURCES/deps-y18n-address-prototype-pollution-issue.patch
@@ -0,0 +1,27 @@
+From f6321dad88a280ac7fa24afa2aa07c868d395586 Mon Sep 17 00:00:00 2001
+From: bcoe <bencoe@google.com>
+Date: Sat, 24 Oct 2020 19:15:20 -0700
+Subject: [PATCH] deps(y18n): address prototype pollution issue
+
+Fixes: CVE-2020-7774
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/y18n/index.js | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js
+index d720681..727362a 100644
+--- a/deps/npm/node_modules/y18n/index.js
++++ b/deps/npm/node_modules/y18n/index.js
+@@ -11,7 +11,7 @@ function Y18N (opts) {
+   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
+ 
+   // internal stuff.
+-  this.cache = {}
++  this.cache = Object.create(null)
+   this.writeQueue = []
+ }
+ 
+-- 
+2.28.0
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index 43e37ad..66ba952 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -22,11 +22,11 @@
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_major 12
-%global nodejs_minor 18
-%global nodejs_patch 4
+%global nodejs_minor 19
+%global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
-%global nodejs_release 3
+%global nodejs_release 2
 
 # == Bundled Dependency Versions ==
 # v8 - from deps/v8/include/v8-version.h
@@ -58,7 +58,7 @@
 
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 38
+%global libuv_minor 39
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 
@@ -80,13 +80,13 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 6
+%global npm_patch 8
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_major 0
 %global uvwasi_minor 0
-%global uvwasi_patch 9
+%global uvwasi_patch 10
 %global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
 
 # zlib version - from deps/zlib/zlib.h
@@ -138,7 +138,7 @@ Patch01: 0001-Link-with-ssl-shim.patch
 Patch02: 0002-Use-OpenSSL-1.0-API.patch
 Patch03: 0003-Backport-necessary-OpenSSL-features.patch
 Patch04: 0004-Disable-unsupported-OpenSSL-features.patch
-Patch05: 0005-Adjust-tests-expectations.patch
+Patch05: 0005-Adjust-test-expectations.patch
 Patch06: 0006-Disable-tests-for-unsupported-features.patch
 Patch07: 0007-Disable-tests-for-known-issues.patch
 # See rhbz#1888605 for details
@@ -146,10 +146,12 @@ Patch08: 0008-Disable-architecture-specific-failing-tests.patch
 
 # Remove libuv attempts to use statx syscall – rhbz#1760184
 Patch10: deps-Remove-statx-from-libuv.patch
-# Patch bundled dot-prop with CVE-2020-8116 fixes
-Patch11: deps-dot-prop-patch-4.2.0-with-fixes-for-CVE-2020-81.patch
 # Fix test suite decoding of test outputs
-Patch12: tools-test-Replace-malformed-input-from-tests.patch
+Patch11: tools-test-Replace-malformed-input-from-tests.patch
+
+# Backport upstream fixes
+Patch20: deps-ajv-ignore-proto-properties.patch
+Patch21: deps-y18n-address-prototype-pollution-issue.patch
 
 
 %{?scl:Requires: %{scl}-runtime}
@@ -480,8 +482,11 @@ python2 tools/test.py "${RUN_SUITES[@]}"
 
 
 %changelog
-* Mon Oct 19 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-3
-- Rebuilt in correct target
+* Tue Nov 24 2020 Jan Staněk <jstanek@redhat.com> - 12.19.1-2
+- Backport patches for CVE-2020-15366 and CVE-2020-7774
+
+* Thu Nov 19 2020 Jan Staněk <jstanek@redhat.com> - 12.19.1-1
+- Rebase to 12.19.1
 
 * Thu Oct 15 2020 Jan Staněk <jstanek@redhat.com> - 12.18.4-2
 - Rebuild with adjusted arch-specific tests