nodejs

user/nodejs/APKBUILD

@@ -6,6 +6,48 @@
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 #
 # secfixes:
+#   14.21.3-r0:
+#     - CVE-2023-23918
+#     - CVE-2023-23920
+#   14.20.1-r0:
+#     - CVE-2022-32213
+#     - CVE-2022-32214
+#     - CVE-2022-32215
+#     - CVE-2022-35256
+#   14.19.0-r0:
+#     - CVE-2022-21824
+#     - CVE-2021-44533
+#     - CVE-2021-44532
+#     - CVE-2021-44531
+#   14.18.1-r0:
+#     - CVE-2021-22959
+#     - CVE-2021-22960
+#   14.17.6-r0:
+#     - CVE-2021-37701
+#     - CVE-2021-37712
+#     - CVE-2021-37713
+#     - CVE-2021-39134
+#     - CVE-2021-39135
+#   14.17.5-r0:
+#     - CVE-2021-3672
+#     - CVE-2021-22931
+#     - CVE-2021-22939
+#   14.17.4-r0:
+#     - CVE-2021-22930
+#   14.17.3-r0:
+#     - CVE-2021-22918
+#   14.16.1-r0:
+#     - CVE-2020-7774
+#   14.16.0-r0:
+#     - CVE-2021-22883
+#     - CVE-2021-22884
+#   14.15.5-r0:
+#     - CVE-2021-21148
+#   14.15.4-r0:
+#     - CVE-2020-8265
+#     - CVE-2020-8287
+#   14.15.1-r0:
+#     - CVE-2020-8277
 #   12.18.4-r0:
 #     - CVE-2020-8201
 #     - CVE-2020-8252
@@ -51,35 +93,39 @@
 #     - CVE-2017-14919
 #   6.11.1-r0:
 #     - CVE-2017-1000381
+#   0:
+#     - CVE-2022-32212
+#     - CVE-2022-32223
 #
 pkgname=nodejs
 # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
 # Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=12.22.12
+pkgver=14.21.3
 pkgrel=0
 pkgdesc="JavaScript runtime built on V8 engine - LTS version"
 url="https://nodejs.org/"
-arch="all !mips64 !mips64el"
+arch="all !mips64 !mips64el !riscv64"
 license="MIT"
 depends="ca-certificates nghttp2-libs>=1.41"
-depends_dev="libuv"
 makedepends="
 	brotli-dev
 	c-ares-dev
-	libuv-dev
+	icu-dev
 	linux-headers
 	nghttp2-dev
 	openssl-dev
 	python3
 	zlib-dev
 	"
-subpackages="$pkgname-dev $pkgname-doc npm::noarch"
+install="$pkgname.post-upgrade"
+subpackages="$pkgname-dev $pkgname-doc"
+provider_priority=100  # highest priority (other provider is nodejs-current)
 provides="nodejs-lts=$pkgver"  # for backward compatibility
 replaces="nodejs-current nodejs-lts"  # nodejs-lts for backward compatibility
 source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
-	dont-run-gyp-files-for-bundled-deps.patch
+	disable-running-gyp-on-shared-deps.patch
-	unbundle-uv.patch
 	link-with-libatomic-on-mips32.patch
+	fix-build-with-system-c-ares.patch
 	"
 builddir="$srcdir/node-v$pkgver"
 
@@ -87,27 +133,48 @@ prepare() {
 	default_prepare
 
 	# Remove bundled dependencies that we're not using.
-	rm -rf deps/brotli deps/cares deps/openssl deps/uv deps/zlib
+	rm -rf deps/brotli deps/cares deps/openssl deps/zlib
 }
 
 build() {
 	# Add defines recommended in libuv readme.
-	export CFLAGS="$CFLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+	local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
-	export CXXFLAGS="$CXXFLAGS -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+
+	# Compiling with O2 instead of Os increases binary size by ~10%
+	# (53.1 MiB -> 58.6 MiB), but also increases performance by ~20%
+	# according to v8/web-tooling-benchmark. Node.js is quite huge anyway;
+	# there are better options for size constrained environments.
+	export CFLAGS="${CFLAGS/-Os/-O2} $common_flags"
+	export CXXFLAGS="${CXXFLAGS/-Os/-O2} $common_flags"
+	export CPPFLAGS="${CPPFLAGS/-Os/-O2} $common_flags"
 
 	case "$CARCH" in
 	mips*) _carchflags="--with-mips-arch-variant=r1 --with-mips-float-abi=soft";;
 	esac
 
+	# NOTE: We use bundled libuv because they don't care much about backward
+	# compatibility and it has happened several times in past that we
+	# couldn't upgrade nodejs package in stable branches to fix CVEs due to
+	# libuv incompatibility.
+	#
+	# NOTE: We don't package the bundled npm - it's a separate project with
+	# its own release cycle and version numbering, so it's better to keep
+	# it in a standalone aport.
+	#
+	# TODO: After icu package is modified to split data into multiple
+	# variants, change --with-intl to "system-icu".
 	python3 configure.py --prefix=/usr \
 		$_carchflags \
 		--shared-brotli \
 		--shared-zlib \
-		--shared-libuv \
 		--shared-openssl \
 		--shared-cares \
 		--shared-nghttp2 \
-		--openssl-use-def-ca-store
+		--openssl-use-def-ca-store \
+		--with-icu-default-data-dir=$(icu-config --icudatadir) \
+		--with-intl=small-icu \
+		--without-corepack \
+		--without-npm
 
 	make BUILDTYPE=Release
 }
@@ -122,19 +189,6 @@ check() {
 
 package() {
 	make DESTDIR="$pkgdir" install
-
-	cp -pr "$pkgdir"/usr/lib/node_modules/npm/man "$pkgdir"/usr/share
-	local d; for d in docs man; do
-		rm -r "$pkgdir"/usr/lib/node_modules/npm/$d
-	done
-
-	# XXX: Workaround for https://github.com/npm/cli/issues/780.
-	(cd "$pkgdir"/usr/share/man/man5 && find * \
-		-type f ! \( -name 'package-json.*' -or -name 'npmrc.*' -or -name 'npm-*' \) \
-		-exec mv {} npm-{} \;)
-	(cd "$pkgdir"/usr/share/man/man7 && find * \
-		-type f ! \( -name 'semver.*' -or -name 'npm-*' \) \
-		-exec mv {} npm-{} \;)
 }
 
 dev() {
@@ -142,23 +196,9 @@ dev() {
 	default_dev
 }
 
-npm() {
-	pkgdesc="A package manager for JavaScript"
-	depends="$pkgname"
-	# for backward compatibility
-	provides="nodejs-npm=$pkgver-r$pkgrel nodejs-current-npm=$pkgver-r$pkgrel"
-	replaces="nodejs-npm nodejs-current-npm $pkgname"
-
-	mkdir -p "$subpkgdir"/usr/bin
-	mv "$pkgdir"/usr/bin/np[mx] "$subpkgdir"/usr/bin/
-
-	mkdir -p "$subpkgdir"/usr/lib/node_modules
-	mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
-}
-
 sha512sums="
-cb45e8d0aa1808439def6b0e770bf5c15c7a03b4d399efee604b10e11c706a241d780d867597dc209d856bcbc66cf737cb2a996bad6f2737b4d912c96d8e1cd9  node-v12.22.12.tar.gz
+36e91d15f8e3687deb74f05e4e635c824410b586ebe9b7a410006d1e864093a45d0d350fa9b8536ff9d48d81907ac5f551c17a010707f9776a2f53d5711be0cb  node-v14.21.3.tar.gz
-3c536776e2ecb5dc677bf711a09418085b3c5e931a6eaf647f47c28e194d5c6dec354d4e7a039a5805b30fc7e83140594851e18d9120f523eec2f93539eac4db  dont-run-gyp-files-for-bundled-deps.patch
+8033162669e01a1cd6d5103e5b86c3a6cc49d9a40c1715538be08a181d2c30eb588b251ef7520e73bf6ca8fccb90d81d139ba933927a0869f02546489e3df281  disable-running-gyp-on-shared-deps.patch
-a4e1e7bd4f32ee30ebd319ac0c2fc751166f8fdd27f491709003dfebda51cbece9412630f0b98f0b85253ccc4f066c82997ad68abb9b87dc0b47c24d09a0643a  unbundle-uv.patch
+44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf  link-with-libatomic-on-mips32.patch
-a63b42c08b55139c1c363f6ba8aba9d85a0621b383ed514f7562cfa02f0cc290785d7cfe09892ac39962980d1b318957511f57b3f9b9d1fbc8704c0603597c9a  link-with-libatomic-on-mips32.patch
+30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f  fix-build-with-system-c-ares.patch
 "

user/nodejs/link-with-libatomic-on-mips32.patch

@@ -1,6 +1,6 @@
 --- a/tools/v8_gypfiles/v8.gyp
 +++ b/tools/v8_gypfiles/v8.gyp
-@@ -1168,6 +1168,11 @@
+@@ -1266,6 +1266,11 @@
          ['want_separate_host_toolset', {
            'toolsets': ['host', 'target'],
          }],
@@ -14,7 +14,7 @@
              'defines': ['USING_V8_PLATFORM_SHARED'],
 --- a/node.gyp
 +++ b/node.gyp
-@@ -350,6 +350,11 @@
+@@ -381,6 +381,11 @@
        'msvs_disabled_warnings!': [4244],
  
        'conditions': [
@@ -23,6 +23,6 @@
 +            'libraries': [ '-latomic' ],
 +          },
 +        }],
-         [ 'node_intermediate_lib_type=="static_library" and '
+         [ 'error_on_warn=="true"', {
-             'node_shared=="true" and OS=="aix"', {
+           'cflags': ['-Werror'],
-           # For AIX, shared lib is linked by static lib and .exp. In the
+           'xcode_settings': {