diff --git a/user/nodejs/APKBUILD b/user/nodejs/APKBUILD
index 0dc1a80..4e62b79 100644
--- a/user/nodejs/APKBUILD
+++ b/user/nodejs/APKBUILD
@@ -6,6 +6,48 @@
 # Maintainer: Jakub Jirutka
 #
 # secfixes:
+# 14.21.3-r0:
+# - CVE-2023-23918
+# - CVE-2023-23920
+# 14.20.1-r0:
+# - CVE-2022-32213
+# - CVE-2022-32214
+# - CVE-2022-32215
+# - CVE-2022-35256
+# 14.19.0-r0:
+# - CVE-2022-21824
+# - CVE-2021-44533
+# - CVE-2021-44532
+# - CVE-2021-44531
+# 14.18.1-r0:
+# - CVE-2021-22959
+# - CVE-2021-22960
+# 14.17.6-r0:
+# - CVE-2021-37701
+# - CVE-2021-37712
+# - CVE-2021-37713
+# - CVE-2021-39134
+# - CVE-2021-39135
+# 14.17.5-r0:
+# - CVE-2021-3672
+# - CVE-2021-22931
+# - CVE-2021-22939
+# 14.17.4-r0:
+# - CVE-2021-22930
+# 14.17.3-r0:
+# - CVE-2021-22918
+# 14.16.1-r0:
+# - CVE-2020-7774
+# 14.16.0-r0:
+# - CVE-2021-22883
+# - CVE-2021-22884
+# 14.15.5-r0:
+# - CVE-2021-21148
+# 14.15.4-r0:
+# - CVE-2020-8265
+# - CVE-2020-8287
+# 14.15.1-r0:
+# - CVE-2020-8277
 # 12.18.4-r0:
 # - CVE-2020-8201
 # - CVE-2020-8252
@@ -51,35 +93,39 @@ # - CVE-2017-14919 # 6.11.1-r0: # - CVE-2017-1000381 +# 0: +# - CVE-2022-32212 +# - CVE-2022-32223 # pkgname=nodejs # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)! # Odd-numbered versions are supported only for 9 months by upstream. -pkgver=12.22.12 +pkgver=14.21.3 pkgrel=0 pkgdesc="JavaScript runtime built on V8 engine - LTS version" url="https://nodejs.org/" -arch="all !mips64 !mips64el" +arch="all !mips64 !mips64el !riscv64" license="MIT" depends="ca-certificates nghttp2-libs>=1.41" -depends_dev="libuv" makedepends=" brotli-dev c-ares-dev - libuv-dev + icu-dev linux-headers nghttp2-dev openssl-dev python3 zlib-dev " -subpackages="$pkgname-dev $pkgname-doc npm::noarch" +install="$pkgname.post-upgrade" +subpackages="$pkgname-dev $pkgname-doc" +provider_priority=100 # highest priority (other provider is nodejs-current) provides="nodejs-lts=$pkgver" # for backward compatibility replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz - dont-run-gyp-files-for-bundled-deps.patch - unbundle-uv.patch + disable-running-gyp-on-shared-deps.patch link-with-libatomic-on-mips32.patch + fix-build-with-system-c-ares.patch " builddir="$srcdir/node-v$pkgver" 
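Review bot: `pkgver=14.21.3` puts the package on what is, as far as I know, the final upstream release of the 14.x line, while `pkgdesc` still says "LTS version" and the comment above it only warns about odd-numbered releases. If that is right, the `secfixes` list can no longer grow through a plain version bump, and later Node.js advisories would need backported patches or a move to the next even-numbered line. I would record that next to `pkgver`, for example `# NOTE: last upstream 14.x release; later CVEs need backports or the next even-numbered line.`, after checking the dates against the upstream release schedule.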
@@ -87,27 +133,48 @@ prepare() { default_prepare # Remove bundled dependencies that we're not using. - rm -rf deps/brotli deps/cares deps/openssl deps/uv deps/zlib + rm -rf deps/brotli deps/cares deps/openssl deps/zlib } build() { # Add defines recommended in libuv readme. - export CFLAGS="$CFLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" - export CXXFLAGS="$CXXFLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" + local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" + + # Compiling with O2 instead of Os increases binary size by ~10% + # (53.1 MiB -> 58.6 MiB), but also increases performance by ~20% + # according to v8/web-tooling-benchmark. Node.js is quite huge anyway; + # there are better options for size constrained environments. + export CFLAGS="${CFLAGS/-Os/-O2} $common_flags" + export CXXFLAGS="${CXXFLAGS/-Os/-O2} $common_flags" + export CPPFLAGS="${CPPFLAGS/-Os/-O2} $common_flags" case "$CARCH" in mips*) _carchflags="--with-mips-arch-variant=r1 --with-mips-float-abi=soft";; esac + # NOTE: We use bundled libuv because they don't care much about backward + # compatibility and it has happened several times in past that we + # couldn't upgrade nodejs package in stable branches to fix CVEs due to + # libuv incompatibility. + # + # NOTE: We don't package the bundled npm - it's a separate project with + # its own release cycle and version numbering, so it's better to keep + # it in a standalone aport. + # + # TODO: After icu package is modified to split data into multiple + # variants, change --with-intl to "system-icu". python3 configure.py --prefix=/usr \ $_carchflags \ --shared-brotli \ --shared-zlib \ - --shared-libuv \ --shared-openssl \ --shared-cares \ --shared-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --with-icu-default-data-dir=$(icu-config --icudatadir) \ + --with-intl=small-icu \ + --without-corepack \ + --without-npm make BUILDTYPE=Release } 
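Review bot: With `--shared-libuv` dropped and `deps/uv` no longer removed in `prepare()`, libuv is now built from the bundled copy, and `--with-intl=small-icu` appears to do the same for the ICU code, so security fixes in either library reach users only through a rebuild of this aport. The added NOTE gives the compatibility reason but not that consequence; I would extend it with `# Security fixes in the bundled libuv/ICU must be tracked in this aport's secfixes.`. Separately, `$(icu-config --icudatadir)` is unquoted and its exit status is not checked, so a missing or failing `icu-config` would pass an empty `--with-icu-default-data-dir=` to configure without stopping the build. Assigning it on its own line first, `icudir="$(icu-config --icudatadir)"`, and passing `"$icudir"` would surface the failure. `prepare()` begins outside this hunk.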
@@ -122,19 +189,6 @@ check() { package() { make DESTDIR="$pkgdir" install - - cp -pr "$pkgdir"/usr/lib/node_modules/npm/man "$pkgdir"/usr/share - local d; for d in docs man; do - rm -r "$pkgdir"/usr/lib/node_modules/npm/$d - done - - # XXX: Workaround for https://github.com/npm/cli/issues/780. - (cd "$pkgdir"/usr/share/man/man5 && find * \ - -type f ! \( -name 'package-json.*' -or -name 'npmrc.*' -or -name 'npm-*' \) \ - -exec mv {} npm-{} \;) - (cd "$pkgdir"/usr/share/man/man7 && find * \ - -type f ! \( -name 'semver.*' -or -name 'npm-*' \) \ - -exec mv {} npm-{} \;) } dev() { 
@@ -142,23 +196,9 @@ dev() { default_dev } -npm() { - pkgdesc="A package manager for JavaScript" - depends="$pkgname" - # for backward compatibility - provides="nodejs-npm=$pkgver-r$pkgrel nodejs-current-npm=$pkgver-r$pkgrel" - replaces="nodejs-npm nodejs-current-npm $pkgname" - - mkdir -p "$subpkgdir"/usr/bin - mv "$pkgdir"/usr/bin/np[mx] "$subpkgdir"/usr/bin/ - - mkdir -p "$subpkgdir"/usr/lib/node_modules - mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/ -} - sha512sums=" -cb45e8d0aa1808439def6b0e770bf5c15c7a03b4d399efee604b10e11c706a241d780d867597dc209d856bcbc66cf737cb2a996bad6f2737b4d912c96d8e1cd9 node-v12.22.12.tar.gz -3c536776e2ecb5dc677bf711a09418085b3c5e931a6eaf647f47c28e194d5c6dec354d4e7a039a5805b30fc7e83140594851e18d9120f523eec2f93539eac4db dont-run-gyp-files-for-bundled-deps.patch -a4e1e7bd4f32ee30ebd319ac0c2fc751166f8fdd27f491709003dfebda51cbece9412630f0b98f0b85253ccc4f066c82997ad68abb9b87dc0b47c24d09a0643a unbundle-uv.patch -a63b42c08b55139c1c363f6ba8aba9d85a0621b383ed514f7562cfa02f0cc290785d7cfe09892ac39962980d1b318957511f57b3f9b9d1fbc8704c0603597c9a link-with-libatomic-on-mips32.patch +36e91d15f8e3687deb74f05e4e635c824410b586ebe9b7a410006d1e864093a45d0d350fa9b8536ff9d48d81907ac5f551c17a010707f9776a2f53d5711be0cb node-v14.21.3.tar.gz +8033162669e01a1cd6d5103e5b86c3a6cc49d9a40c1715538be08a181d2c30eb588b251ef7520e73bf6ca8fccb90d81d139ba933927a0869f02546489e3df281 disable-running-gyp-on-shared-deps.patch +44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf link-with-libatomic-on-mips32.patch +30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f fix-build-with-system-c-ares.patch " diff --git a/user/nodejs/link-with-libatomic-on-mips32.patch b/user/nodejs/link-with-libatomic-on-mips32.patch index 64a2d58..ed20033 100644 --- a/user/nodejs/link-with-libatomic-on-mips32.patch 
+++ b/user/nodejs/link-with-libatomic-on-mips32.patch @@ -1,6 +1,6 @@ --- a/tools/v8_gypfiles/v8.gyp +++ b/tools/v8_gypfiles/v8.gyp -@@ -1168,6 +1168,11 @@ +@@ -1266,6 +1266,11 @@ ['want_separate_host_toolset', { 'toolsets': ['host', 'target'], }], @@ -14,7 +14,7 @@ 'defines': ['USING_V8_PLATFORM_SHARED'], --- a/node.gyp +++ b/node.gyp -@@ -350,6 +350,11 @@ +@@ -381,6 +381,11 @@ 'msvs_disabled_warnings!': [4244], 'conditions': [ @@ -23,6 +23,6 @@ + 'libraries': [ '-latomic' ], + }, + }], - [ 'node_intermediate_lib_type=="static_library" and ' - 'node_shared=="true" and OS=="aix"', { - # For AIX, shared lib is linked by static lib and .exp. In the + [ 'error_on_warn=="true"', { + 'cflags': ['-Werror'], + 'xcode_settings': {