From 9500a84da2f33da72b2a113610847d1ce3e9b8b8 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 06 2022 18:29:49 +0000
Subject: import rh-nodejs14-nodejs-14.18.2-1.el7


---

diff --git a/.gitignore b/.gitignore
index 1b97368..1472b88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/node-ssl-shim-70e39fd.tar.gz
-SOURCES/node-v14.17.5-stripped.tar.gz
+SOURCES/node-v14.18.2-stripped.tar.gz
diff --git a/.rh-nodejs14-nodejs.metadata b/.rh-nodejs14-nodejs.metadata
index 3b3af77..a010fee 100644
--- a/.rh-nodejs14-nodejs.metadata
+++ b/.rh-nodejs14-nodejs.metadata
@@ -1,2 +1,2 @@
 a49b02166a7bdba54fb45cba26a18fa48928ca0e SOURCES/node-ssl-shim-70e39fd.tar.gz
-a1399887c30332381bbcbcaac21035c0b301619f SOURCES/node-v14.17.5-stripped.tar.gz
+2fbd74467b816a6319c33e0df147817a87b6bd39 SOURCES/node-v14.18.2-stripped.tar.gz
diff --git a/SOURCES/0001-Link-with-ssl-shim.patch b/SOURCES/0001-Link-with-ssl-shim.patch
index b026050..30ff22f 100644
--- a/SOURCES/0001-Link-with-ssl-shim.patch
+++ b/SOURCES/0001-Link-with-ssl-shim.patch
@@ -1,7 +1,7 @@
-From 17d303f0b77132f0676c259515abef8e83a688e3 Mon Sep 17 00:00:00 2001
+From ac25a4c4c88d234b52bdc3d47d5d8d5d9783aaa0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Tue, 28 Apr 2020 11:15:24 +0200
-Subject: [PATCH] Link with ssl-shim
+Subject: [PATCH 1/7] Link with ssl-shim
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -35,7 +35,7 @@ index 43dbda7bbf..070f212d96 100644
      }],
  
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index bd40705e6b..dbef9d42f0 100644
+index 61db9f04bb..798568bb8f 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -1158,7 +1158,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
@@ -61,5 +61,5 @@ index bef98b3e24..d46730c9ba 100644
  namespace crypto {
  
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/0002-Use-OpenSSL-1.0-API.patch b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
index bbdc0af..24d2554 100644
--- a/SOURCES/0002-Use-OpenSSL-1.0-API.patch
+++ b/SOURCES/0002-Use-OpenSSL-1.0-API.patch
@@ -1,7 +1,7 @@
-From ea610f38a05ca2b256e1f8b1d0dd8b33abc521ec Mon Sep 17 00:00:00 2001
+From e3830b75429a24e10939323941074ce9fa938e73 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Wed, 7 Jul 2021 13:37:46 +0200
-Subject: [PATCH] Use OpenSSL 1.0 API
+Subject: [PATCH 2/7] Use OpenSSL 1.0 API
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -36,7 +36,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  4 files changed, 41 insertions(+), 3 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index dbef9d42f0..c9de7d8a19 100644
+index 798568bb8f..d246132209 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -127,7 +127,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
@@ -143,5 +143,5 @@ index 6473b652ac..da1033fdef 100644
  
  StackOfX509 CloneSSLCerts(X509Pointer&& cert,
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
index fd3dc6b..35735a2 100644
--- a/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
+++ b/SOURCES/0003-Backport-necessary-OpenSSL-features.patch
@@ -1,7 +1,7 @@
-From 68c182525ba6d8289fcc58536373c51f9d20f07e Mon Sep 17 00:00:00 2001
+From 8c2d8893a51440e20c2e3c22f8981b64cf4fd643 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Wed, 7 Jul 2021 13:37:47 +0200
-Subject: [PATCH] Backport necessary OpenSSL features
+Subject: [PATCH 3/7] Backport necessary OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -52,7 +52,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  2 files changed, 184 insertions(+), 26 deletions(-)
 
 diff --git a/src/node_crypto.cc b/src/node_crypto.cc
-index c9de7d8a19..31e8276e97 100644
+index d246132209..81ac3b5dd4 100644
 --- a/src/node_crypto.cc
 +++ b/src/node_crypto.cc
 @@ -541,6 +541,11 @@ inline void SecureContext::Reset() {
@@ -373,5 +373,5 @@ index dbc46fbec8..d27125042b 100644
  
  // SSLWrap implicitly depends on the inheriting class' handle having an
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
index 11588db..dbec230 100644
--- a/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
+++ b/SOURCES/0004-Disable-unsupported-OpenSSL-features.patch
@@ -1,7 +1,7 @@
-From e7e0a4fc073b3d17fcdee6cebea74f1aae4e6f69 Mon Sep 17 00:00:00 2001
+From 76a36980372b8dbf82a0ada18a1ebae3d94c5fa0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Wed, 7 Jul 2021 13:37:48 +0200
-Subject: [PATCH] Disable unsupported OpenSSL features
+Subject: [PATCH 4/7] Disable unsupported OpenSSL features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -24,27 +24,35 @@ Content-Transfer-Encoding: 8bit
 
 - Remove TLSv1.3 CLI options
 
+- Remove usage of OPENSSL_secure_{malloc,clear_free}
+
+  Unsupported in OpenSSL 1.0.
+
+  The expected semantics is the same as using the regular versions,
+  so the possibility of using the secure heap was simply removed.
+
 Signed-off-by: Jan Staněk <jstanek@redhat.com>
 ---
  doc/api/cli.md                                 | 18 ------------------
  doc/api/tls.md                                 | 15 +++++++--------
  src/env.h                                      | 11 ++++++++++-
+ src/node_crypto.cc                             |  8 ++++++--
  src/node_crypto_common.cc                      | 12 ++++++++++++
  src/node_crypto_common.h                       |  6 ++++++
  src/node_options.cc                            | 10 +++++++++-
  .../test-tls-cli-max-version-1.3.js            |  0
  .../test-tls-cli-min-max-conflict.js           |  0
  .../test-tls-cli-min-version-1.3.js            |  0
- 9 files changed, 44 insertions(+), 28 deletions(-)
+ 10 files changed, 50 insertions(+), 30 deletions(-)
  rename test/{parallel => known_issues}/test-tls-cli-max-version-1.3.js (100%)
  rename test/{parallel => known_issues}/test-tls-cli-min-max-conflict.js (100%)
  rename test/{parallel => known_issues}/test-tls-cli-min-version-1.3.js (100%)
 
 diff --git a/doc/api/cli.md b/doc/api/cli.md
-index 6e0702498a..a8ef339430 100644
+index 3f3e5e4eeb..48e51fcdfa 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
-@@ -813,14 +813,6 @@ added:
+@@ -893,14 +893,6 @@ added:
  Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
  TLSv1.3.
  
@@ -59,7 +67,7 @@ index 6e0702498a..a8ef339430 100644
  ### `--tls-min-v1.0`
  <!-- YAML
  added:
-@@ -852,14 +844,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
+@@ -932,14 +924,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
  12.x and later, but the option is supported for compatibility with older Node.js
  versions.
  
@@ -74,7 +82,7 @@ index 6e0702498a..a8ef339430 100644
  ### `--trace-atomics-wait`
  <!-- YAML
  added: v14.3.0
-@@ -1298,11 +1282,9 @@ Node.js options that are allowed are:
+@@ -1381,11 +1365,9 @@ Node.js options that are allowed are:
  * `--tls-cipher-list`
  * `--tls-keylog`
  * `--tls-max-v1.2`
@@ -87,10 +95,10 @@ index 6e0702498a..a8ef339430 100644
  * `--trace-deprecation`
  * `--trace-event-categories`
 diff --git a/doc/api/tls.md b/doc/api/tls.md
-index 055ba472b5..f286e9f7ee 100644
+index b40273a83a..cff62d0fd6 100644
 --- a/doc/api/tls.md
 +++ b/doc/api/tls.md
-@@ -1970,10 +1970,10 @@ added: v11.4.0
+@@ -1977,10 +1977,10 @@ added: v11.4.0
  
  * {string} The default value of the `maxVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -105,7 +113,7 @@ index 055ba472b5..f286e9f7ee 100644
    highest maximum is used.
  
  ## `tls.DEFAULT_MIN_VERSION`
-@@ -1983,12 +1983,11 @@ added: v11.4.0
+@@ -1990,12 +1990,11 @@ added: v11.4.0
  
  * {string} The default value of the `minVersion` option of
    [`tls.createSecureContext()`][]. It can be assigned any of the supported TLS
@@ -122,7 +130,7 @@ index 055ba472b5..f286e9f7ee 100644
  [Chrome's 'modern cryptography' setting]: https://www.chromium.org/Home/chromium-security/education/tls#TOC-Cipher-Suites
  [DHE]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
 diff --git a/src/env.h b/src/env.h
-index 1e930170bc..d990212241 100644
+index b6967afb89..1f8c3b3eff 100644
 --- a/src/env.h
 +++ b/src/env.h
 @@ -50,6 +50,8 @@
@@ -148,7 +156,7 @@ index 1e930170bc..d990212241 100644
  // Private symbols are per-isolate primitives but Environment proxies them
  // for the sake of convenience.  Strings should be ASCII-only and have a
  // "node:" prefix to avoid name clashes with third-party code.
-@@ -363,7 +372,7 @@ constexpr size_t kFsStatsBufferLength =
+@@ -368,7 +377,7 @@ constexpr size_t kFsStatsBufferLength =
    V(sni_context_string, "sni_context")                                         \
    V(source_string, "source")                                                   \
    V(stack_string, "stack")                                                     \
@@ -157,6 +165,36 @@ index 1e930170bc..d990212241 100644
    V(start_time_string, "startTime")                                            \
    V(status_string, "status")                                                   \
    V(stdio_string, "stdio")                                                     \
+diff --git a/src/node_crypto.cc b/src/node_crypto.cc
+index 81ac3b5dd4..b0affa1fe9 100644
+--- a/src/node_crypto.cc
++++ b/src/node_crypto.cc
+@@ -7119,11 +7119,15 @@ namespace {
+ // make use of secure heap, this has the same semantics as
+ // using OPENSSL_malloc. However, if the secure heap is
+ // initialized, SecureBuffer will automatically use it.
++//
++// RHEL 7 Note: secure_{malloc,clear_free} is not available in OpenSSL 1.0
++// As in this case the expected behaviour is to fall back to their
++// "regular" counterparts, the "secure" calls were replaced with them.
+ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
+   CHECK(args[0]->IsUint32());
+   Environment* env = Environment::GetCurrent(args);
+   uint32_t len = args[0].As<Uint32>()->Value();
+-  char* data = static_cast<char*>(OPENSSL_secure_malloc(len));
++  char* data = static_cast<char*>(OPENSSL_malloc(len));
+   if (data == nullptr) {
+     // There's no memory available for the allocation.
+     // Return nothing.
+@@ -7135,7 +7139,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
+           data,
+           len,
+           [](void* data, size_t len, void* deleter_data) {
+-            OPENSSL_secure_clear_free(data, len);
++            OPENSSL_clear_free(data, len);
+           },
+           data);
+   Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
 diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
 index da1033fdef..89f01990f0 100644
 --- a/src/node_crypto_common.cc
@@ -285,7 +323,7 @@ index c373a97e47..220cb109bc 100644
  v8::MaybeLocal<v8::Value> GetCipherVersion(
      Environment* env,
 diff --git a/src/node_options.cc b/src/node_options.cc
-index 3c9fe815df..010232940a 100644
+index cee6fc1773..fbe408e12b 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -9,6 +9,8 @@
@@ -308,9 +346,9 @@ index 3c9fe815df..010232940a 100644
    }
 +#endif // !OPENSSL_IS_LEGACY
  
- #if HAVE_INSPECTOR
-   if (!cpu_prof) {
-@@ -537,14 +541,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+   if (heap_snapshot_near_heap_limit < 0) {
+     errors->push_back("--heap-snapshot-near-heap-limit must not be negative");
+@@ -558,14 +562,17 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
              &EnvironmentOptions::tls_min_v1_2,
              kAllowedInEnvironment);
@@ -329,7 +367,7 @@ index 3c9fe815df..010232940a 100644
    // Current plan is:
    // - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
    // - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
-@@ -553,6 +560,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
+@@ -574,6 +581,7 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
              "set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
              &EnvironmentOptions::tls_max_v1_3,
              kAllowedInEnvironment);
@@ -350,5 +388,5 @@ similarity index 100%
 rename from test/parallel/test-tls-cli-min-version-1.3.js
 rename to test/known_issues/test-tls-cli-min-version-1.3.js
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/0005-Adjust-tests-expectations.patch b/SOURCES/0005-Adjust-tests-expectations.patch
index 951251b..9088bc5 100644
--- a/SOURCES/0005-Adjust-tests-expectations.patch
+++ b/SOURCES/0005-Adjust-tests-expectations.patch
@@ -1,7 +1,7 @@
-From 457d00cf1d7d4e60f8986c3ec0c1da8afb58e7f6 Mon Sep 17 00:00:00 2001
+From 777b49d1623b2de845b14331a2ffa51b28783dff Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Wed, 7 Jul 2021 13:37:49 +0200
-Subject: [PATCH] Adjust tests expectations
+Subject: [PATCH 5/7] Adjust tests expectations
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -32,7 +32,7 @@ Signed-off-by: Jan Staněk <jstanek@redhat.com>
  9 files changed, 55 insertions(+), 21 deletions(-)
 
 diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
-index 6b72dbd21c..b02e957efc 100644
+index 6b65af5a39..1b1cf76088 100644
 --- a/test/parallel/test-crypto.js
 +++ b/test/parallel/test-crypto.js
 @@ -240,9 +240,9 @@ assert.throws(() => {
@@ -239,7 +239,7 @@ index 7ef0f12426..4fcb9247d3 100644
      // TLS1.3 client hellos are are not understood by TLS1.1 or below.
      test(U, U, U, U, U, 'TLSv1_method',
 diff --git a/test/parallel/test-util-inspect.js b/test/parallel/test-util-inspect.js
-index ee67d2e79a..f11bfc20b5 100644
+index dbec153cf9..e72abbcc56 100644
 --- a/test/parallel/test-util-inspect.js
 +++ b/test/parallel/test-util-inspect.js
 @@ -148,7 +148,7 @@ assert.strictEqual(
@@ -252,5 +252,5 @@ index ee67d2e79a..f11bfc20b5 100644
  {
    const regexp = /regexp/;
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/0006-Disable-tests-for-unsupported-features.patch b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
index c943aa9..71bac72 100644
--- a/SOURCES/0006-Disable-tests-for-unsupported-features.patch
+++ b/SOURCES/0006-Disable-tests-for-unsupported-features.patch
@@ -1,7 +1,7 @@
-From 8ee31149e63d15d26d4262eb0292bd81e389fbc8 Mon Sep 17 00:00:00 2001
+From de4db36e7e1c0b1c84cbfbea2d6fc068c9c573f6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Wed, 7 Jul 2021 13:37:50 +0200
-Subject: [PATCH] Disable tests for unsupported features
+Subject: [PATCH 6/7] Disable tests for unsupported features
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -155,7 +155,7 @@ index 6fe35258f7..7639ec632d 100644
      iv: '3fd838af4093d749',
      text: '12345678123456781234567812345678'
 diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
-index 863907bafd..8c10b350c0 100644
+index 1375095d1c..13c6aa7652 100644
 --- a/test/parallel/test-crypto-authenticated.js
 +++ b/test/parallel/test-crypto-authenticated.js
 @@ -405,6 +405,11 @@ for (const test of TEST_CASES) {
@@ -204,7 +204,7 @@ index 863907bafd..8c10b350c0 100644
      function H(length) { return '00'.repeat(length); }
    }
 diff --git a/test/parallel/test-crypto-dh-stateless.js b/test/parallel/test-crypto-dh-stateless.js
-index b01cea76b2..b91d15fcb5 100644
+index e1b02b5c51..6fd3eb40bd 100644
 --- a/test/parallel/test-crypto-dh-stateless.js
 +++ b/test/parallel/test-crypto-dh-stateless.js
 @@ -204,20 +204,3 @@ assert.throws(() => {
@@ -310,7 +310,7 @@ index f3f4df928c..e4db1ba88a 100644
      assert.throws(() => crypto.createHash('sha256', { outputLength }),
                    { code: 'ERR_INVALID_ARG_TYPE' });
 diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js
-index d3011db79d..644a52a1c7 100644
+index 5d1e2619a6..93187aeec3 100644
 --- a/test/parallel/test-crypto-key-objects.js
 +++ b/test/parallel/test-crypto-key-objects.js
 @@ -242,18 +242,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
@@ -479,7 +479,7 @@ index d3011db79d..644a52a1c7 100644
    // Exporting an encrypted private key requires a cipher
    const privateKey = createPrivateKey(privatePem);
 diff --git a/test/parallel/test-crypto-keygen.js b/test/parallel/test-crypto-keygen.js
-index 5da5715bcb..2f4b1ab407 100644
+index dd106004fa..7b26f0fc5c 100644
 --- a/test/parallel/test-crypto-keygen.js
 +++ b/test/parallel/test-crypto-keygen.js
 @@ -257,41 +257,6 @@ const sec1EncExp = (cipher) => getRegExpForPEM('EC PRIVATE KEY', cipher);
@@ -546,7 +546,7 @@ index 5da5715bcb..2f4b1ab407 100644
  // Test classic Diffie-Hellman key generation.
  {
 diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js
-index ff410dcf00..a7a293a740 100644
+index 02bb169a4d..72029e68f2 100644
 --- a/test/parallel/test-crypto-sign-verify.js
 +++ b/test/parallel/test-crypto-sign-verify.js
 @@ -425,14 +425,6 @@ assert.throws(
@@ -577,7 +577,7 @@ index ff410dcf00..a7a293a740 100644
 -    [
 -      crypto.createSign('sha1').update(data).sign(privKey),
 -      crypto.sign('sha1', data, privKey),
--      crypto.sign('sha1', data, { key: privKey, dsaEncoding: 'der' })
+-      crypto.sign('sha1', data, { key: privKey, dsaEncoding: 'der' }),
 -    ].forEach((sig) => {
 -      // Signature length variability due to DER encoding
 -      assert(sig.length >= length + 4 && sig.length <= length + 8);
@@ -807,5 +807,5 @@ index 4bcdf36860..0642e18d5e 100644
  test({ psk: USERS.UserB, identity: 'UserC' }, {}, DISCONNECT_MESSAGE);
  // Recognized user but incorrect secret should fail handshake
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/0007-Disable-tests-for-known-issues.patch b/SOURCES/0007-Disable-tests-for-known-issues.patch
index a1c6861..69d9f77 100644
--- a/SOURCES/0007-Disable-tests-for-known-issues.patch
+++ b/SOURCES/0007-Disable-tests-for-known-issues.patch
@@ -1,7 +1,7 @@
-From efc423d824250592d2236d9ff7f3b46b9ba9f909 Mon Sep 17 00:00:00 2001
+From 73a1675fce4fe76a76f3da62968cf9addc1ebb68 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
 Date: Wed, 7 Jul 2021 13:37:50 +0200
-Subject: [PATCH] Disable tests for known issues
+Subject: [PATCH 7/7] Disable tests for known issues
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -216,5 +216,5 @@ index 8fb15d3ba5..2fc22ca477 100644
    expect(opt, want, command, wantsError, false);
  }
 -- 
-2.31.1
+2.33.1
 
diff --git a/SOURCES/CVE-2021-23343-path-parse-redos.patch b/SOURCES/CVE-2021-23343-path-parse-redos.patch
deleted file mode 100644
index d5bffc9..0000000
--- a/SOURCES/CVE-2021-23343-path-parse-redos.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-https://github.com/jbgutierrez/path-parse/pull/10
-
-From 75e6a130a111dc6c72d9f55ec5540dd6350f1e77 Mon Sep 17 00:00:00 2001
-From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
-Date: Thu, 13 May 2021 10:53:50 -0400
-Subject: [PATCH] fixed regexes to avoid ReDoS attacks
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/path-parse/index.js |  6 +++---
- deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++
- 2 files changed, 23 insertions(+), 3 deletions(-)
- create mode 100644 deps/npm/node_modules/path-parse/redos.js
-
-diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
-index 3b7601f..e6b2af1 100644
---- a/deps/npm/node_modules/path-parse/index.js
-+++ b/deps/npm/node_modules/path-parse/index.js
-@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32';
- // Regex to split a windows path into three parts: [*, device, slash,
- // tail] windows-only
- var splitDeviceRe =
--    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/;
-+    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
-
- // Regex to split the tail part of the above into [*, dir, basename, ext]
- var splitTailRe =
--    /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
-+    /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
-
- var win32 = {};
-
-@@ -51,7 +51,7 @@ win32.parse = function(pathString) {
- // Split a filename into [root, dir, basename, ext], unix version
- // 'root' is just a slash, or nothing.
- var splitPathRe =
--    /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
-+    /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
- var posix = {};
-
-
-diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js
-new file mode 100644
-index 0000000..261947f
---- /dev/null
-+++ b/deps/npm/node_modules/path-parse/redos.js
-@@ -0,0 +1,20 @@
-+var pathParse = require('.');
-+
-+function build_attack(n) {
-+    var ret = ""
-+    for (var i = 0; i < n; i++) {
-+        ret += "/"
-+    }
-+    return ret + "◎";
-+}
-+
-+for(var i = 1; i <= 5000000; i++) {
-+    if (i % 10000 == 0) {
-+        var time = Date.now();
-+        var attack_str = build_attack(i)
-+        pathParse.posix(attack_str);
-+        pathParse.win32(attack_str);
-+        var time_cost = Date.now() - time;
-+        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms")
-+    }
-+}
---
-2.31.1
-
-
-From ad13f8003dfa6c15ecad2b5aadf2faad3fae1435 Mon Sep 17 00:00:00 2001
-From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com>
-Date: Thu, 13 May 2021 11:51:45 -0400
-Subject: [PATCH] streamlined regexes, simplified parse() returns
-
-Signed-off-by: rpm-build <rpm-build>
----
- deps/npm/node_modules/path-parse/index.js | 52 ++++++++---------------
- 1 file changed, 17 insertions(+), 35 deletions(-)
-
-diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js
-index e6b2af1..f062d0a 100644
---- a/deps/npm/node_modules/path-parse/index.js
-+++ b/deps/npm/node_modules/path-parse/index.js
-@@ -2,29 +2,14 @@
-
- var isWindows = process.platform === 'win32';
-
--// Regex to split a windows path into three parts: [*, device, slash,
--// tail] windows-only
--var splitDeviceRe =
--    /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s;
--
--// Regex to split the tail part of the above into [*, dir, basename, ext]
--var splitTailRe =
--    /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/;
-+// Regex to split a windows path into into [dir, root, basename, name, ext]
-+var splitWindowsRe =
-+    /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/;
-
- var win32 = {};
-
--// Function to split a filename into [root, dir, basename, ext]
- function win32SplitPath(filename) {
--  // Separate device+slash from tail
--  var result = splitDeviceRe.exec(filename),
--      device = (result[1] || '') + (result[2] || ''),
--      tail = result[3] || '';
--  // Split the tail into dir, basename and extension
--  var result2 = splitTailRe.exec(tail),
--      dir = result2[1],
--      basename = result2[2],
--      ext = result2[3];
--  return [device, dir, basename, ext];
-+  return splitWindowsRe.exec(filename).slice(1);
- }
-
- win32.parse = function(pathString) {
-@@ -34,24 +19,24 @@ win32.parse = function(pathString) {
-     );
-   }
-   var allParts = win32SplitPath(pathString);
--  if (!allParts || allParts.length !== 4) {
-+  if (!allParts || allParts.length !== 5) {
-     throw new TypeError("Invalid path '" + pathString + "'");
-   }
-   return {
--    root: allParts[0],
--    dir: allParts[0] + allParts[1].slice(0, -1),
-+    root: allParts[1],
-+    dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1),
-     base: allParts[2],
--    ext: allParts[3],
--    name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
-+    ext: allParts[4],
-+    name: allParts[3]
-   };
- };
-
-
-
--// Split a filename into [root, dir, basename, ext], unix version
-+// Split a filename into [dir, root, basename, name, ext], unix version
- // 'root' is just a slash, or nothing.
- var splitPathRe =
--    /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/;
-+    /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/;
- var posix = {};
-
-
-@@ -67,19 +52,16 @@ posix.parse = function(pathString) {
-     );
-   }
-   var allParts = posixSplitPath(pathString);
--  if (!allParts || allParts.length !== 4) {
-+  if (!allParts || allParts.length !== 5) {
-     throw new TypeError("Invalid path '" + pathString + "'");
-   }
--  allParts[1] = allParts[1] || '';
--  allParts[2] = allParts[2] || '';
--  allParts[3] = allParts[3] || '';
--
-+
-   return {
--    root: allParts[0],
--    dir: allParts[0] + allParts[1].slice(0, -1),
-+    root: allParts[1],
-+    dir: allParts[0].slice(0, -1),
-     base: allParts[2],
--    ext: allParts[3],
--    name: allParts[2].slice(0, allParts[2].length - allParts[3].length)
-+    ext: allParts[4],
-+    name: allParts[3],
-   };
- };
-
---
-2.31.1
-
diff --git a/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch b/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch
new file mode 100644
index 0000000..af6706f
--- /dev/null
+++ b/SOURCES/deps-ansi-regex-fix-potential-ReDoS.patch
@@ -0,0 +1,73 @@
+From e040864f2797b9c705bac5862581d5f190510e04 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 9 Dec 2021 15:48:46 +0100
+Subject: [PATCH] deps(ansi-regex): fix potential ReDoS
+
+This is the upstream fix [1] applied to all applicable bundled deps.
+
+[1]: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
+
+Fixes: CVE-2021-3807
+Signed-off-by: rpm-build <rpm-build>
+---
+ deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js    | 2 +-
+ .../node_modules/string-width/node_modules/ansi-regex/index.js  | 2 +-
+ .../npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js | 2 +-
+ deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js    | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
++++ b/deps/npm/node_modules/cliui/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
++		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+index c4aaecf..7d32201 100644
+--- a/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
++++ b/deps/npm/node_modules/string-width/node_modules/ansi-regex/index.js
+@@ -2,7 +2,7 @@
+ 
+ module.exports = () => {
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)',
++		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
++++ b/deps/npm/node_modules/wrap-ansi/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
++		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+diff --git a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+index c254480..9e37ec3 100644
+--- a/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
++++ b/deps/npm/node_modules/yargs/node_modules/ansi-regex/index.js
+@@ -6,7 +6,7 @@ module.exports = options => {
+ 	}, options);
+ 
+ 	const pattern = [
+-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
++		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+ 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
+ 	].join('|');
+ 
+-- 
+2.33.1
+
diff --git a/SOURCES/deps-json-schema-protect-against-prototype-pollution.patch b/SOURCES/deps-json-schema-protect-against-prototype-pollution.patch
new file mode 100644
index 0000000..429ec97
--- /dev/null
+++ b/SOURCES/deps-json-schema-protect-against-prototype-pollution.patch
@@ -0,0 +1,72 @@
+From 25661e4fc0e7c6a3d47bc189f886af76b1ecafa1 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 9 Dec 2021 13:01:08 +0100
+Subject: [PATCH] deps(json-schema): protect against prototype pollution
+
+Amalgamation of the following upstream patches:
+https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741
+https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a
+https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa
+
+Fixes: CVE-2021-3918
+Signed-off-by: rpm-build <rpm-build>
+---
+ .../node_modules/json-schema/lib/validate.js  |  4 +--
+ .../node_modules/json-schema/test/tests.js    | 28 ++++++++++++++++++-
+ 2 files changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/deps/npm/node_modules/json-schema/lib/validate.js b/deps/npm/node_modules/json-schema/lib/validate.js
+index 4b61088..d05ee86 100644
+--- a/deps/npm/node_modules/json-schema/lib/validate.js
++++ b/deps/npm/node_modules/json-schema/lib/validate.js
+@@ -209,8 +209,8 @@ var validate = exports._validate = function(/*Any*/instance,/*Object*/schema,/*O
+ 			}
+ 
+ 			for(var i in objTypeDef){
+-				if(objTypeDef.hasOwnProperty(i)){
+-					var value = instance[i];
++				if(objTypeDef.hasOwnProperty(i) && i != '__proto__' && i != 'constructor'){
++					var value = instance.hasOwnProperty(i) ? instance[i] : undefined;
+ 					// skip _not_ specified properties
+ 					if (value === undefined && options.existingOnly) continue;
+ 					var propDef = objTypeDef[i];
+diff --git a/deps/npm/node_modules/json-schema/test/tests.js b/deps/npm/node_modules/json-schema/test/tests.js
+index 40eeda5..70f515a 100644
+--- a/deps/npm/node_modules/json-schema/test/tests.js
++++ b/deps/npm/node_modules/json-schema/test/tests.js
+@@ -91,5 +91,31 @@ var suite = vows.describe('JSON Schema').addBatch({
+ 
+     'Json-Ref self-validates': assertSelfValidates('json-ref'),
+     'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'),
+-    'Json-Ref/Core': assertValidates('json-ref', 'schema')
++    'Json-Ref/Core': assertValidates('json-ref', 'schema'),
++    prototypePollution: function() {
++        console.log('testing')
++        const instance = JSON.parse(`
++        {
++        "$schema":{
++            "type": "object",
++            "properties":{
++            "__proto__": {
++                "type": "object",
++                
++                "properties":{
++                "polluted": {
++                    "type": "string",
++                    "default": "polluted"
++                }
++                }
++            }
++            },
++            "__proto__": {}
++        }
++        }`);
++                                            
++        const a = {};
++        validate(instance);
++        assert.equal(a.polluted, undefined);
++    }
+ }).export(module);
+-- 
+2.33.1
+
diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec
index db0a589..9e454c5 100644
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@@ -22,8 +22,8 @@
 # feature releases that are only supported for nine months, which is shorter
 # than a Fedora release lifecycle.
 %global nodejs_major 14
-%global nodejs_minor 17
-%global nodejs_patch 5
+%global nodejs_minor 18
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 %global nodejs_version %{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}
 %global nodejs_release 1
@@ -40,19 +40,19 @@
 
 # c-ares - from deps/cares/include/ares_version.h
 %global c_ares_major 1
-%global c_ares_minor 17
-%global c_ares_patch 2
+%global c_ares_minor 18
+%global c_ares_patch 1
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}
 
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_major 2
 %global llhttp_minor 1
-%global llhttp_patch 3
+%global llhttp_patch 4
 %global llhttp_version %{llhttp_major}.%{llhttp_minor}.%{llhttp_patch}
 
 # libuv - from deps/uv/include/uv/version.h
 %global libuv_major 1
-%global libuv_minor 41
+%global libuv_minor 42
 %global libuv_patch 0
 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
 
@@ -71,7 +71,7 @@
 # npm - from deps/npm/package.json
 %global npm_major 6
 %global npm_minor 14
-%global npm_patch 14
+%global npm_patch 15
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
@@ -140,7 +140,9 @@ Patch11: Make-icutrim.py-Python-2-compatible.patch
 # Always defer to OS when it comes to FIPS
 Patch13: always-available-fips-options.patch
 
-Patch15: CVE-2021-23343-path-parse-redos.patch
+# Address various CVEs in bundled deps
+Patch20: deps-json-schema-protect-against-prototype-pollution.patch
+Patch21: deps-ansi-regex-fix-potential-ReDoS.patch
 
 
 %{?scl:Requires: %{scl}-runtime}
@@ -468,6 +470,22 @@ python2 tools/test.py "${RUN_SUITES[@]}" || :  # FIXME – disable all failing t
 
 
 %changelog
+* Thu Dec 09 2021 Jan Staněk <jstanek@redhat.com> - 14.18.2-1
+- Rebase to 14.18.2
+  Resolves: rhbz#2031770 rhbz#2031774
+
+* Mon Nov 01 2021 Jan Staněk <jstanek@redhat.com> - 14.18.1-1
+- Rebase to 14.18.1
+  Resolves: rhbz#2031773 rhbz#2031772
+
+* Wed Sep 01 2021 Jan Staněk <jstanek@redhat.com> - 14.17.6-1
+- Rebase to 14.17.6
+  Resolves: rhbz#2031767 rhbz#2031769
+- Drop CVE-2021-23343-path-parse-redos.patch: fixed upstream
+
+* Thu Aug 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 14.17.5-1.1
+- Fix parallel builds
+
 * Thu Aug 12 2021 Jan Staněk <jstanek@redhat.com> - 14.17.5-1
 - Rebase to 14.17.5
   Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940