3 changed files with 82 additions and 121 deletions
--- a/user/nodejs/APKBUILD
+++ b/user/nodejs/APKBUILD
@ -6,56 +6,9 @@
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 #
 # secfixes:
-#   14.21.3-r0:
-#     - CVE-2023-23918
-#     - CVE-2023-23920
-#   14.20.1-r0:
-#     - CVE-2022-32213
-#     - CVE-2022-32214
-#     - CVE-2022-32215
-#     - CVE-2022-35256
-#   14.19.0-r0:
-#     - CVE-2022-21824
-#     - CVE-2021-44533
-#     - CVE-2021-44532
-#     - CVE-2021-44531
-#   14.18.1-r0:
-#     - CVE-2021-22959
-#     - CVE-2021-22960
-#   14.17.6-r0:
-#     - CVE-2021-37701
-#     - CVE-2021-37712
-#     - CVE-2021-37713
-#     - CVE-2021-39134
-#     - CVE-2021-39135
-#   14.17.5-r0:
-#     - CVE-2021-3672
-#     - CVE-2021-22931
-#     - CVE-2021-22939
-#   14.17.4-r0:
-#     - CVE-2021-22930
-#   14.17.3-r0:
-#     - CVE-2021-22918
-#   14.16.1-r0:
+#   10.24.1-r0:
 #     - CVE-2020-7774
-#   14.16.0-r0:
-#     - CVE-2021-22883
-#     - CVE-2021-22884
-#   14.15.5-r0:
-#     - CVE-2021-21148
-#   14.15.4-r0:
-#     - CVE-2020-8265
-#     - CVE-2020-8287
-#   14.15.1-r0:
-#     - CVE-2020-8277
-#   12.18.4-r0:
-#     - CVE-2020-8201
-#     - CVE-2020-8252
-#   12.18.0-r0:
-#     - CVE-2020-8172
-#     - CVE-2020-11080
-#     - CVE-2020-8174
-#   12.15.0-r0:
+#   10.19.0-r0:
 #     - CVE-2019-15606
 #     - CVE-2019-15605
 #     - CVE-2019-15604
@ -93,39 +46,26 @@
 #     - CVE-2017-14919
 #   6.11.1-r0:
 #     - CVE-2017-1000381
-#   0:
-#     - CVE-2022-32212
-#     - CVE-2022-32223
 #
 pkgname=nodejs
 # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
 # Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=14.21.3
+pkgver=10.24.1
 pkgrel=0
 pkgdesc="JavaScript runtime built on V8 engine - LTS version"
 url="https://nodejs.org/"
-arch="all !mips64 !mips64el !riscv64"
+arch="all !mips64 !mips64el"
 license="MIT"
-depends="ca-certificates nghttp2-libs>=1.41"
-makedepends="
-	brotli-dev
-	c-ares-dev
-	icu-dev
-	linux-headers
-	nghttp2-dev
-	openssl-dev
-	python3
-	zlib-dev
-	"
-install="$pkgname.post-upgrade"
-subpackages="$pkgname-dev $pkgname-doc"
-provider_priority=100  # highest priority (other provider is nodejs-current)
+depends="ca-certificates"
+# gold is needed for mksnapshot
+makedepends="$depends_dev python2 openssl-dev zlib-dev libuv-dev linux-headers
+	paxmark binutils-gold http-parser-dev ca-certificates c-ares-dev"
+subpackages="$pkgname-dev $pkgname-doc npm::noarch"
 provides="nodejs-lts=$pkgver"  # for backward compatibility
 replaces="nodejs-current nodejs-lts"  # nodejs-lts for backward compatibility
 source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
-	disable-running-gyp-on-shared-deps.patch
+	dont-run-gyp-files-for-bundled-deps.patch
 	link-with-libatomic-on-mips32.patch
-	fix-build-with-system-c-ares.patch
 	"
 builddir="$srcdir/node-v$pkgver"

@ -133,20 +73,11 @@ prepare() {
 	default_prepare

 	# Remove bundled dependencies that we're not using.
-	rm -rf deps/brotli deps/cares deps/openssl deps/zlib
+	rm -rf deps/http_parser deps/openssl deps/zlib
 }

 build() {
-	# Add defines recommended in libuv readme.
-	local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
-
-	# Compiling with O2 instead of Os increases binary size by ~10%
-	# (53.1 MiB -> 58.6 MiB), but also increases performance by ~20%
-	# according to v8/web-tooling-benchmark. Node.js is quite huge anyway;
-	# there are better options for size constrained environments.
-	export CFLAGS="${CFLAGS/-Os/-O2} $common_flags"
-	export CXXFLAGS="${CXXFLAGS/-Os/-O2} $common_flags"
-	export CPPFLAGS="${CPPFLAGS/-Os/-O2} $common_flags"
+	cd "$builddir"

 	case "$CARCH" in
 	mips*) _carchflags="--with-mips-arch-variant=r1 --with-mips-float-abi=soft";;
@ -156,27 +87,21 @@ build() {
 	# compatibility and it has happened several times in past that we
 	# couldn't upgrade nodejs package in stable branches to fix CVEs due to
 	# libuv incompatibility.
-	#
-	# NOTE: We don't package the bundled npm - it's a separate project with
-	# its own release cycle and version numbering, so it's better to keep
-	# it in a standalone aport.
-	#
-	# TODO: After icu package is modified to split data into multiple
-	# variants, change --with-intl to "system-icu".
-	python3 configure.py --prefix=/usr \
+	./configure --prefix=/usr \
 		$_carchflags \
-		--shared-brotli \
 		--shared-zlib \
 		--shared-openssl \
+		--shared-http-parser \
 		--shared-cares \
-		--shared-nghttp2 \
-		--openssl-use-def-ca-store \
-		--with-icu-default-data-dir=$(icu-config --icudatadir) \
-		--with-intl=small-icu \
-		--without-corepack \
-		--without-npm
+		--openssl-use-def-ca-store

-	make BUILDTYPE=Release
+	# We need run mksnapshot at build time so paxmark it early.
+	make -C out mksnapshot BUILDTYPE=Release
+	paxmark -m out/Release/mksnapshot
+	make
+
+	# paxmark so JIT works
+	paxmark -m out/Release/node
 }

 # TODO Run provided test suite.
@ -188,7 +113,25 @@ check() {
 }

 package() {
+	cd "$builddir"
+
 	make DESTDIR="$pkgdir" install
+
+	# It's strange, but it really needs to be paxmarked again...
+	paxmark -m "$pkgdir"/usr/bin/node
+
+	cp -pr "$pkgdir"/usr/lib/node_modules/npm/man "$pkgdir"/usr/share
+	local d; for d in docs man; do
+		rm -r "$pkgdir"/usr/lib/node_modules/npm/$d
+	done
+
+	# XXX: Workaround for https://github.com/npm/cli/issues/780.
+	(cd "$pkgdir"/usr/share/man/man5 && find * \
+		-type f ! \( -name 'package-json.*' -or -name 'npmrc.*' -or -name 'npm-*' \) \
+		-exec mv {} npm-{} \;)
+	(cd "$pkgdir"/usr/share/man/man7 && find * \
+		-type f ! \( -name 'semver.*' -or -name 'npm-*' \) \
+		-exec mv {} npm-{} \;)
 }

 dev() {
@ -196,9 +139,20 @@ dev() {
 	default_dev
 }

-sha512sums="
-36e91d15f8e3687deb74f05e4e635c824410b586ebe9b7a410006d1e864093a45d0d350fa9b8536ff9d48d81907ac5f551c17a010707f9776a2f53d5711be0cb  node-v14.21.3.tar.gz
-8033162669e01a1cd6d5103e5b86c3a6cc49d9a40c1715538be08a181d2c30eb588b251ef7520e73bf6ca8fccb90d81d139ba933927a0869f02546489e3df281  disable-running-gyp-on-shared-deps.patch
-44e81fbf254bd79e38b813f7f5a1336df854588939cba50aaec600660495f9b7745a7049a99eb59d15a51100b3a44f66892a902d7fc32e1399b51883ad4c02cf  link-with-libatomic-on-mips32.patch
-30ca1ce7f9512c943950b8eec98bca99d24c740ebaa14619292fe5ed931dcf603ca90afb1d704ca7f545e421752ba4dde81c0c5bbb5242eb1726739ca627e15f  fix-build-with-system-c-ares.patch
-"
+npm() {
+	pkgdesc="A package manager for JavaScript"
+	depends="$pkgname"
+	# for backward compatibility
+	provides="nodejs-npm=$pkgver-r$pkgrel nodejs-current-npm=$pkgver-r$pkgrel"
+	replaces="nodejs-npm nodejs-current-npm $pkgname"
+
+	mkdir -p "$subpkgdir"/usr/bin
+	mv "$pkgdir"/usr/bin/np[mx] "$subpkgdir"/usr/bin/
+
+	mkdir -p "$subpkgdir"/usr/lib/node_modules
+	mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
+}
+
+sha512sums="1ce82fd404a434e48ebd16dc83792a4b3cff18433c1cce53b09b85dda2fbf1abf372574e3ab113e99c884012caadc13b246698ce071aaa329577bc08cdc2be46  node-v10.24.1.tar.gz
+c27cb338eea8c817042d58b8fbadc234fb586f490020677f28f900ade31d2f4dd7bcdd4e52fddf209d9221b7e1fa57f629bd38787456995413cee79311f9571f  dont-run-gyp-files-for-bundled-deps.patch
+4fd3f10bd82d1e851ed000169c2635c001a4a051283edf96f1efb2260e2d395199dd5843f79f1cff8f2c0c65462c44241c508ea67835dfbd9880d9196fae290a  link-with-libatomic-on-mips32.patch"
--- a/user/nodejs/dont-run-gyp-files-for-bundled-deps.patch
+++ b/user/nodejs/dont-run-gyp-files-for-bundled-deps.patch
@ -0,0 +1,21 @@
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Sat, 26 Nov 2016 01:32:00 +0200
+Subject: Disable running gyp files for bundled deps
+
+Author: Stephen Gallagher <sgallagh@redhat.com>
+
+Modified 2016-11-26 by Jakub Jirutka <jakub@jirutka.cz> to update for
+Node.js 7.2.0
+
+--- a/Makefile
+++ b/Makefile
+@@ -123,8 +123,7 @@
+ test-code-cache: with-code-cache
+ 	$(PYTHON) tools/test.py $(PARALLEL_ARGS) --mode=$(BUILDTYPE_LOWER) code-cache
+ 
+-out/Makefile: common.gypi deps/uv/uv.gyp deps/http_parser/http_parser.gyp \
+-              deps/zlib/zlib.gyp deps/v8/gypfiles/toolchain.gypi \
+out/Makefile: common.gypi deps/uv/uv.gyp deps/v8/gypfiles/toolchain.gypi \
+               deps/v8/gypfiles/features.gypi deps/v8/gypfiles/v8.gyp node.gyp \
+               config.gypi
+ 	$(PYTHON) tools/gyp_node.py -f make
--- a/user/nodejs/link-with-libatomic-on-mips32.patch
+++ b/user/nodejs/link-with-libatomic-on-mips32.patch
@ -1,20 +1,6 @@
--- a/tools/v8_gypfiles/v8.gyp
-+++ b/tools/v8_gypfiles/v8.gyp
-@@ -1266,6 +1266,11 @@
-         ['want_separate_host_toolset', {
-           'toolsets': ['host', 'target'],
-         }],
-+        [ 'host_arch=="mips" or host_arch=="mipsel"', {
-+          'link_settings': {
-+            'libraries': [ '-latomic' ],
-+          },
-+        }],
-         ['component=="shared_library"', {
-           'direct_dependent_settings': {
-             'defines': ['USING_V8_PLATFORM_SHARED'],
 --- a/node.gyp
 +++ b/node.gyp
-@@ -381,6 +381,11 @@
+@@ -478,6 +478,11 @@
       'msvs_disabled_warnings!': [4244],
 
       'conditions': [
@ -23,6 +9,6 @@
 +            'libraries': [ '-latomic' ],
 +          },
 +        }],
-         [ 'error_on_warn=="true"', {
-           'cflags': ['-Werror'],
-           'xcode_settings': {
+         [ 'node_code_cache_path!=""', {
+           'sources': [ '<(node_code_cache_path)' ]
+         }, {