Commit Graph

785 Commits

Author SHA1 Message Date
Stephen Gallagher
481e51b9f3 Re-enable bundling without bootstrap mode
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-22 11:00:32 -04:00
Stephen Gallagher
319ba13d75 Temporarily re-enable bundling of cjs-module-lexer and undici
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-21 10:43:58 -04:00
Stephen Gallagher
4cec3c6443 Move the default check to the top
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-21 10:43:58 -04:00
Stephen Gallagher
55cdb8828c Refactor bundling of undici and cjs-module-lexer
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-21 10:42:52 -04:00
Stephen Gallagher
340636e1bf Make Node.js 22 the default for RHEL 11
This will be adjusted as we get closer to release.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-21 10:42:47 -04:00
Stephen Gallagher
68df23fd9c Revert "Temporarily add Node.js 20 as default for F41 and RHEL 11+"
This reverts commit 3391b85e23.
2024-05-21 10:00:54 -04:00
Stephen Gallagher
ba3599f538 Use correct macro for built-in modules
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-17 15:49:03 -04:00
Stephen Gallagher
236b57da19 Update to 22.2.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-16 10:24:12 -04:00
Stephen Gallagher
cc8fe8c3cc Drop -fno-delete-null-pointer-checks
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-10 14:18:18 -04:00
Stephen Gallagher
64f2412f69 Update to 22.1.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-03 11:41:26 -04:00
Stephen Gallagher
6caf643375 Node.js 22.0.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-05-01 11:06:17 -04:00
Stephen Gallagher
908db65fbd Update to 20.12.2
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-04-10 13:55:57 -04:00
Stephen Gallagher
6225ebcbb0 simdutf: cpu feature detection fixes
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-04-05 13:55:01 -04:00
Jan Staněk
106c020df8
Remove static analysis from required gating tests
We would probably need a rpminspect configuration file to make it
function properly; not a priority right now.
2024-04-05 12:04:02 +02:00
Stephen Gallagher
39e27dd06e Update to 20.12.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-04-03 11:02:56 -04:00
Jan Staněk
e5500b6bec Enable gating against centos-stream tests 2024-03-27 21:24:02 +00:00
Stephen Gallagher
a2960c33fe Update to 20.12.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-03-27 13:16:44 -04:00
Stephen Gallagher
96892fbfdb Have default versions provide the versioned name
Special handling is required for nodejs-npm due to the differing
version.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-03-21 08:09:32 -04:00
Stephen Gallagher
3391b85e23 Temporarily add Node.js 20 as default for F41 and RHEL 11+
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-02-15 08:58:03 -05:00
Stephen Gallagher
976a2c3e5e Update to 20.11.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-02-14 15:19:04 -05:00
Lukas Javorsky
6fba2c3dad Add missing bundled libraries to the spec template 2024-02-14 15:00:18 +00:00
Lukas Javorsky
d180e34c2b Add helping script for missing bundled packages, fix typo 2024-02-14 15:00:18 +00:00
Honza Horak
e081ba9a28 Update licenses in the template spec 2024-02-09 15:22:34 +01:00
Honza Horak
f2292967e5 Fix typos and add info where to find license-validate 2024-02-09 14:20:18 +01:00
Honza Horak
06bf5fc3d1 SPDX migration and introduction of bundled_licenses.py
The Python script bundled_licenses.py should help identifying
licenses used in the bundled deps. It simply parses package.json
files in the given directory and returns best guess about the
License: RPM tag.

The expected usage is like this:
* run bundled_licenses.py on the binary RPMs to see what is
  bundled in the shipped RPMs
* validate the output of bundled_licenses.py
* add licenses identiefied in the source code of nodejs itself
* validate the resulting License tag suggestion by license-validate tool
2024-02-09 12:20:15 +01:00
Zephyr Lykos
2961a50035
Fix loading unbundled undici builtin (rhbz#2259320) 2024-02-08 01:12:55 +08:00
Fedora Release Engineering
37c03d4ecf Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-25 09:11:17 +00:00
Fedora Release Engineering
52a3d8b3dc Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-21 09:49:22 +00:00
Stephen Gallagher
3d4cbef75d Update to 20.11.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2024-01-10 10:03:36 -05:00
Jan Staněk
ed578ec737 remove bundled WASM blobs
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 15:18:42 -05:00
Stephen Gallagher
f523665c4d sitelib is a symlink, not a dir
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-29 12:58:06 -05:00
Stephen Gallagher
9b2e0bcd71 Fix missing %dir
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 12:08:28 -05:00
Stephen Gallagher
4c864a0d68 Update to v20.10.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-11-27 10:39:23 -05:00
Stephen Gallagher
5f953c4f03 Bump release to rebuild with newer nodejs-packaging
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-26 10:41:52 -04:00
Stephen Gallagher
2ceeb8628f Update to 20.9.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-25 14:16:03 -04:00
Stephen Gallagher
8f462ce5d3 Update to 20.8.1
This is a security release.

The following CVEs are fixed in this release:

* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552):  Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-10-16 11:59:52 -04:00
Stephen Gallagher
29ba6214c9 Update to 20.8.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-29 07:35:38 -04:00
Stephen Gallagher
8f4100250b Update to 20.7.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-20 13:44:46 -04:00
Stephen Gallagher
302a20ab06 Update to 20.6.1
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-15 10:12:29 -04:00
Stephen Gallagher
52f84b80ec Fix variable substitution
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-07 16:29:05 -04:00
Stephen Gallagher
b64d26c94a Add default Obsoletes: for nodejsXX
This takes its cue from the Python 3.X approach

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-07 14:41:32 -04:00
Stephen Gallagher
f57981cf35 Update to 20.6.0
Starting from Node.js v20.6.0, Node.js supports `.env` files for configuring environment variables.

Your configuration file should follow the INI file format, with each line containing a key-value pair for an environment variable.
To initialize your Node.js application with predefined configurations, use the following CLI command: `node --env-file=config.env index.js`.

For example, you can access the following environment variable using `process.env.PASSWORD` when your application is initialized:

```text
PASSWORD=nodejs
```

In addition to environment variables, this change allows you to define your `NODE_OPTIONS` directly in the `.env` file, eliminating the need to include it in your `package.json`.

This feature was contributed by Yagiz Nizipli in [#48890](https://github.com/nodejs/node/pull/48890).

In ES modules, [`import.meta.resolve(specifier)`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/import.meta/resolve) can be used to get an absolute URL string to which `specifier` resolves, similar to `require.resolve` in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

This feature was contributed by Guy Bedford in <https://github.com/nodejs/node/pull/49028>

There is a new API `register` available on `node:module` to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag `--experimental-loader`, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling `register` from the main thread and passing data, including `MessageChannel` instances.

We encourage users to migrate to an approach that uses [`--import`](https://nodejs.org/api/cli.html#--importmodule) with `register`, such as:

```bash
node --import ./file-that-calls-register.js ./app.js
```

Using `--import` ensures that the customization hooks are registered before any application code runs, even the entry point.

This feature was contributed by Izaak Schroeder in <https://github.com/nodejs/node/pull/48842> and <https://github.com/nodejs/node/pull/48559>

Authors of module customization hooks can how handle both ES module and CommonJS sources in the `load` hook. This works for CommonJS modules referenced via either `import` or `require`, so long as [the main entry point of the application is handled by the ES module loader](https://nodejs.org/api/cli.html#program-entry-point) (such as because the entry point is an ES module file, or if the `--import` flag is passed). This should simplify the customization of the Node.js module loading process, as package authors can customize more of Node.js without relying on deprecated APIs such as `require.extensions`.

This feature was contributed by Antoine du Hamel in <https://github.com/nodejs/node/pull/47999>

Now when Node.js starts up, it makes sure that there is a `v8::CppHeap` attached to the V8 isolate. This enables users to allocate in the `v8::CppHeap` using `<cppgc/*>` headers from V8, which are now also included into the Node.js headers available to addons. Note that since Node.js only bundles the cppgc library coming from V8, [the ABI stability](https://nodejs.org/en/docs/guides/abi-stability#abi-stability-in-nodejs) of cppgc is currently not guaranteed in semver-minor and -patch updates, but we do not expect the ABI to break often, as it has been stable and battle-tested in Chromium for years. We may consider including cppgc into the ABI stability guarantees when it gets enough adoption internally and externally.

To help addon authors create JavaScript-to-C++ references of which V8's garbage collector can be aware, a helper function [`node::SetCppgcReference(isolate, js_object, cppgc_object)`](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc) has been added to `node.h`. V8 may provide a native alternative in the future, which could then replace this Node.js-specific helper. In the mean time, users can use this API to avoid having to hard-code the layout of JavaScript wrapper objects. An example of how to create garbage-collected C++ objects in the unified heap and wrap it in a JavaScript object can be found in the [Node.js addon tests](https://github.com/nodejs/node/blob/v20.6.0/test/addons/cppgc-object/binding.cc).

The existing `node::ObjectWrap` helper would continue to work, while cppgc-based object management serves as an alternative with some advantages mentioned in [the V8 blog post about Oilpan](https://v8.dev/blog/oilpan-library).

This feature was contributed by Daryl Haresign and Joyee Cheung in <https://github.com/nodejs/node/pull/48660> and <https://github.com/nodejs/node/pull/45704>.

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-09-05 10:46:54 -04:00
Stephen Gallagher
e257c9bd18 Add version note to packaging readme
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-08-28 18:43:55 -04:00
Jan Staněk
61dfae6179 Specify openssl configuration section
By default, node does not use the common openssl configuration section,
relying instead on node-specific `nodejs_conf` section.
Since we want node to use the system configuration, the section name
should be changed (back) to `openssl_conf`.

See discussion in https://github.com/nodejs/node/pull/48950
for the reason this change is suggested.
2023-08-28 18:34:01 -04:00
Stephen Gallagher
fd717eb4cc Update to 20.5.1
** 2023-08-09, Version 20.5.1 (Current), @RafaelGSS

This is a security release.

*** Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002):  Policies can be bypassed via Module.\_load (High)
* [CVE-2023-32558](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32558): process.binding() can bypass the permission model through path traversal (High)
* [CVE-2023-32004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32004): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
* [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
* [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
* [CVE-2023-32005](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32005): fs.statfs can bypass the permission model (Low)
* [CVE-2023-32003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32003): fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.

** 2023-07-18, Version 20.5.0 (Current), @juanarbol

*** Notable Changes

* \[[`45be29d89f`](https://github.com/nodejs/node/commit/45be29d89f)] - **doc**: add atlowChemi to collaborators (atlowChemi) [#48757](https://github.com/nodejs/node/pull/48757)
* \[[`a316808136`](https://github.com/nodejs/node/commit/a316808136)] - **(SEMVER-MINOR)** **events**: allow safely adding listener to abortSignal (Chemi Atlow) [#48596](https://github.com/nodejs/node/pull/48596)
* \[[`986b46a567`](https://github.com/nodejs/node/commit/986b46a567)] - **fs**: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) [#48658](https://github.com/nodejs/node/pull/48658)
* \[[`0ef73ff6f0`](https://github.com/nodejs/node/commit/0ef73ff6f0)] - **(SEMVER-MINOR)** **test\_runner**: add shards support (Raz Luvaton) [#48639](https://github.com/nodejs/node/pull/48639)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-08-09 16:13:26 -04:00
Fedora Release Engineering
f9d7c9978d Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-20 16:47:45 +00:00
Stephen Gallagher
c311390922 sources: Check for node binary
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-07-12 12:50:47 -04:00
Stephen Gallagher
2dee98da40 Release 20.4.0
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-07-12 12:50:28 -04:00
Stephen Gallagher
9d9ff2a528 Update to security release 20.3.1
- https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
- https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.3.1

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-22 12:54:46 -04:00
Stephen Gallagher
c8a3601325 sources: install jinja2 if needed
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
2023-06-21 10:26:10 -04:00