From ec2c9a7032e98f08f60573a7a29c9716c1375315 Mon Sep 17 00:00:00 2001
From: Jacob Wang
Date: Tue, 18 Feb 2025 10:17:35 +0800
Subject: [PATCH] [CVE]update to nodejs-18.20.6-1.src.rpm to #IBMYDJ update to nodejs-18.20.6-1.src.rpm for CVE-2025-22150 CVE-2025-23085 Project: TC2024080204
Signed-off-by: Jacob Wang
---
 download | 4 ++--
 nodejs.spec | 33 +++++++++++++++++++--------------
 2 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/download b/download
index 1a0300c..3daa12a 100644
--- a/download
+++ b/download
@@ -1,4 +1,4 @@
 5808c204e2942e7bf56d6d7971d4f5d4 cjs-module-lexer-1.2.2.tar.gz
-728ca188ae8c9d056dfced4f57e1d861 node-v18.20.4-stripped.tar.gz
-7aa750dbe225ee4ca9c993d4e904f254 undici-5.28.4.tar.gz
+d3e306dae9ceac2800f31f826a54de2d node-v18.20.6-stripped.tar.gz
+80659ba6e47d04b803542e853c2a36c3 undici-5.28.5.tar.gz
 d80d3731d039b0944b405044dabd5f93 wasi-sdk-11.0-linux.tar.gz
diff --git a/nodejs.spec b/nodejs.spec
index c679774..893a67b 100644
--- a/nodejs.spec
+++ b/nodejs.spec
@@ -42,7 +42,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 18
 %global nodejs_minor 20
-%global nodejs_patch 4
+%global nodejs_patch 6
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 108
@@ -66,16 +66,13 @@
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_version 1.28.1
+%global c_ares_version 1.29.0
 # llhttp - from deps/llhttp/include/llhttp.h
 %global llhttp_version 6.1.1
 # libuv - from deps/uv/include/uv/version.h
-%global libuv_major 1
-%global libuv_minor 44
-%global libuv_patch 2
-%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
+%global libuv_version 1.44.2
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 %global nghttp2_version 1.61.0
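Review bot: In the `@@ -66,16 +66,13 @@` hunk, `libuv_major`, `libuv_minor` and `libuv_patch` are removed and `libuv_version` becomes the literal `1.44.2`, so any `%{libuv_major}`-style reference still present elsewhere in nodejs.spec (not visible in this patch) would no longer resolve; RPM generally leaves an undefined macro as literal text instead of stopping the build, so a search for the three names is worth doing before merge. The same hunk raises `c_ares_version` to 1.29.0 while `llhttp_version`, `libuv_version` and `nghttp2_version` keep their previous values. The comment above each macro names the header its value is read from, and if these macros feed the package's bundled-library metadata (presumably; not shown here), a stale value would mislead vulnerability tracking for the bundled copies. I would re-check all four against the 18.20.6 tarball and record it next to the block, for example `# bundled versions re-checked against node-v18.20.6 deps/`.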
@@ -113,12 +110,12 @@
 # simduft from deps/simdutf/simdutf.h
 %global simduft_major 5
-%global simduft_minor 2
-%global simduft_patch 4
+%global simduft_minor 6
+%global simduft_patch 0
 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
 # ada from deps/ada/ada.h
-%global ada_version 2.7.8
+%global ada_version 2.8.0
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@@ -133,7 +130,7 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.7.0
+%global npm_version 10.8.2
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -185,16 +182,18 @@ Source8: npmrc.builtin.in
 # Version: jq '.version' deps/cjs-module-lexer/package.json
 # Original: https://github.com/nodejs/cjs-module-lexer/archive/refs/tags/1.2.2.tar.gz
 # Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
+# wasi-sdk version can be found in Makefile
+# https://github.com/nodejs/cjs-module-lexer/blob/1.2.2/Makefile
 Source101: cjs-module-lexer-1.2.2.tar.gz
 # The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
 # Version source: Makefile
 Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
 # Version: jq '.version' deps/undici/src/package.json
-# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
-# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
+# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.5.tar.gz
+# Adjustments: rm -f undici-5.28.5/lib/llhttp/llhttp*.wasm
 # Build uses alpine image, see alpine for sources for wasi-sdk
-Source111: undici-5.28.5.tar.gz
+Source111: undici-5.28.5.tar.gz
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
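Review bot: `Source111: undici-5.28.5.tar.gz` in the `@@ -185,16 +182,18 @@` hunk is a bare filename for a locally repacked archive (the `Adjustments:` comment removes the llhttp wasm files), so it cannot be compared byte-for-byte with the upstream tag. The only integrity anchor a reviewer has is its entry in the `download` file, and that entry is a 32-hex-digit digest, which is MD5 length and not collision-resistant. I would record the digest of the untouched upstream archive beside the `Original:` line so the repack can be reproduced and audited, e.g. `# Original sha256: <sha256-of-upstream-v5.28.5.tar.gz>`. The removed comments named 5.28.3 while the source line named 5.28.4, so these comments have drifted from the `Source111` line before and are worth checking on every bump.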
@@ -463,7 +462,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -tar xfz %{SOURCE3} +tar -xzf %{SOURCE3} pushd icu/source @@ -739,6 +738,11 @@ end %changelog +* Fri Feb 07 2025 Andrei Radchenko - 1:18.20.6-1 +- Update to version 18.20.6 + Resolves: RHEL-78326 + Fixes: CVE-2025-23085 CVE-2025-22150 + * Mon Aug 05 2024 Honza Horak - 1:18.20.4-1 - Update to 18.20.4 Fixes: CVE-2024-22020 CVE-2024-28863 @@ -1150,3 +1154,4 @@ end - Update to v8.1.2 - remove GCC 7 patch, as it is now fixed in node >= 6.12 + -- Gitee