Upgrade nodejs to 16.14.0 (#2485)

* upgrade nodejs to 16.14.0

* upgrade nodejs to 16.14.0

* upgrade nodejs to 16.14.0

* upgrade nodejs

Co-authored-by: Nicolas Guibourge <[email protected]>

SPECS/nodejs/clean-source-tarball.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# The nodejs source tarball contains a copy of the OpenSSL source tree.
+# OpenSSL contains patented algorithms that should not be distributed
+# as part of the SRPM. Since we use the shared OpenSSL libraries, we 
+# can just remove the entire OpenSSL source tree from the tarball.
+
+print_usage() {
+    echo "Usage:"
+    echo "clean-source-tarball.sh {version}"
+    echo "Example: clean-source-tarball.sh 14.18.1"
+    echo
+    exit
+}
+
+VERSION=$1
+
+if [ -z "$1" ]; then
+    print_usage
+fi
+
+
+# Quit on failure
+set -e
+
+namever="node-v${VERSION}"
+upstream_tarball_name="${namever}.tar.xz"
+clean_tarball_name="${namever}-clean.tar.xz"
+download_url="https://nodejs.org/download/release/v${VERSION}/${upstream_tarball_name}"
+
+tmpdir=$(mktemp -d)
+echo "Using temporary directory: $tmpdir"
+pushd $tmpdir > /dev/null
+
+echo "Downloading upstream source tarball..."
+curl -s -O $download_url
+
+echo "Unpacking upstream source tarball..."
+tar -xf $upstream_tarball_name
+
+echo "Removing bad vendored dependencies from source tree..."
+rm -rf ./$namever/deps/openssl/openssl
+
+# Create a reproducible tarball
+# Credit to https://reproducible-builds.org/docs/archives/ for instructions
+# Do not update mtime value for new versions- keep the same value for ease of
+# reproducing old tarball versions in the future if necessary
+echo "Repacking source tarball..."
+tar --sort=name --mtime="2021-11-10 00:00Z" \
+    --owner=0 --group=0 --numeric-owner \
+    --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+    -cJf $clean_tarball_name ./$namever
+
+popd > /dev/null
+cp "${tmpdir}/${clean_tarball_name}" .
+echo "Clean nodejs source tarball available at $PWD/$clean_tarball_name"
+rm -rf $tmpdir

SPECS/nodejs/disable-tlsv1-tlsv1-1.patch

@@ -0,0 +1,42 @@
+diff -ru node-v16.14.0-orig/src/crypto/crypto_context.cc node-v16.14.0/src/crypto/crypto_context.cc
+--- node-v16.14.0-orig/src/crypto/crypto_context.cc	2022-02-08 04:37:50.000000000 -0800
++++ node-v16.14.0/src/crypto/crypto_context.cc	2022-02-25 09:17:21.964960342 -0800
+@@ -467,28 +467,16 @@
+       min_version = 0;
+       max_version = kMaxSupportedVersion;
+       method = TLS_client_method();
+-    } else if (sslmethod == "TLSv1_method") {
+-      min_version = TLS1_VERSION;
+-      max_version = TLS1_VERSION;
+-    } else if (sslmethod == "TLSv1_server_method") {
+-      min_version = TLS1_VERSION;
+-      max_version = TLS1_VERSION;
+-      method = TLS_server_method();
+-    } else if (sslmethod == "TLSv1_client_method") {
+-      min_version = TLS1_VERSION;
+-      max_version = TLS1_VERSION;
+-      method = TLS_client_method();
+-    } else if (sslmethod == "TLSv1_1_method") {
+-      min_version = TLS1_1_VERSION;
+-      max_version = TLS1_1_VERSION;
+-    } else if (sslmethod == "TLSv1_1_server_method") {
+-      min_version = TLS1_1_VERSION;
+-      max_version = TLS1_1_VERSION;
+-      method = TLS_server_method();
+-    } else if (sslmethod == "TLSv1_1_client_method") {
+-      min_version = TLS1_1_VERSION;
+-      max_version = TLS1_1_VERSION;
+-      method = TLS_client_method();
++    } else if (sslmethod == "TLSv1_method" ||
++               sslmethod == "TLSv1_server_method" ||
++               sslmethod == "TLSv1_client_method") {
++      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1 methods disabled");
++      return;
++    } else if (sslmethod == "TLSv1_1_method" ||
++               sslmethod == "TLSv1_1_server_method" ||
++               sslmethod == "TLSv1_1_client_method") {
++      THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1_1 methods disabled");
++      return;
+     } else if (sslmethod == "TLSv1_2_method") {
+       min_version = TLS1_2_VERSION;
+       max_version = TLS1_2_VERSION;

SPECS/nodejs/nodejs.signatures.json

@@ -1,5 +1,5 @@
 {
  "Signatures": {
-  "node-v14.17.2.tar.xz": "4f5fb2b87e2255da3b200ed73ab076002e4b088df0027ec85e25541a6830583e"
+  "node-v16.14.0.tar.xz": "6dc499ca9cb9d3f4fa1c08730ce39fc9caafdac1bb5a2f2384389c0072931bba"
  }
 }

SPECS/nodejs/nodejs.spec

@@ -1,56 +1,91 @@
 # Retrieved from 'deps/npm/package.json' inside the sources tarball.
-%define npm_version 6.14.13
+%define npm_version 8.3.1
 
 Summary:        A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version:        14.17.2
-Release:        2%{?dist}
+Version:        16.14.0
+Release:        1%{?dist}
 License:        BSD and MIT and Public Domain and naist-2003
 Group:          Applications/System
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://github.com/nodejs/node
+# !!!! Nodejs code has a vendored version of OpenSSL code that must be removed from source tarball 
+# !!!! because it contains patented algorithms.
+# !!!  => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0:        https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
-Patch0:         patch_tls_nodejs14.patch
-
-BuildRequires:  coreutils >= 8.22, openssl-devel >= 1.0.1
+Patch0:         disable-tlsv1-tlsv1-1.patch
+
+BuildRequires:  brotli-devel
+BuildRequires:  coreutils >= 8.22
+BuildRequires:  gcc
+BuildRequires:  make
+BuildRequires:  ninja-build
+BuildRequires:  openssl-devel >= 1.1.1
 BuildRequires:  python3
 BuildRequires:  which
+BuildRequires:  zlib-devel
+
+Requires:       brotli
 Requires:       coreutils >= 8.22
-Requires:       openssl >= 1.0.1
+Requires:       openssl >= 1.1.1
 Requires:       python3
 
 Provides:       npm = %{npm_version}.%{version}-%{release}
 
 %description
-Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. The Node.js package ecosystem, npm, is the largest ecosystem of open source libraries in the world.
+Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
+Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient.
+The Node.js package ecosystem, npm, is the largest ecosystem of open source libraries in the world.
 
 %package        devel
 Summary:        Development files node
 Group:          System Environment/Base
 Requires:       %{name} = %{version}-%{release}
+Requires:       brotli-devel
+Requires:       openssl-devel >= 1.1.1
+Requires:       zlib-devel
 
 %description    devel
 The nodejs-devel package contains libraries, header files and documentation
 for developing applications that use nodejs.
 
 %prep
-%setup -q -n node-v%{version}
-%patch0 -p1
+%autosetup -p1 -n node-v%{version}
 
 %build
-sh configure --prefix=%{_prefix} \
-           --shared-openssl \
-           --shared-zlib
-
-make %{?_smp_mflags}
+# remove unsupported TLSv1.3 cipher:
+#    Mariner's OpenSSL configuration does not allow for this TLSv1.3
+#    cipher. OpenSSL does not like being asked to use TLSv1.3 ciphers
+#    it doesn't support (despite being fine processing similar cipher
+#    requests for TLS < 1.3). This cipher's presence in the default
+#    cipher list causes failures when initializing secure contexts
+#    in the context of Node's TLS library.
+sed -i '/TLS_CHACHA20_POLY1305_SHA256/d' ./src/node_constants.h
+
+# remove brotli and zlib source code from deps folder
+# keep the .gyp and .gypi files that are still used during configuration
+find deps/zlib -name *.[ch] -delete
+find deps/brotli -name *.[ch] -delete
+
+python3 configure.py \
+  --prefix=%{_prefix} \
+  --ninja \
+  --shared-openssl \
+  --shared-zlib \
+  --shared-brotli \
+  --with-intl=small-icu \
+  --with-icu-source=deps/icu-small \
+  --without-dtrace \
+  --openssl-use-def-ca-store
+
+JOBS=4 make %{?_smp_mflags} V=0
 
 %install
 
 make %{?_smp_mflags} install DESTDIR=$RPM_BUILD_ROOT
-rm -fr %{buildroot}%{_libdir}/dtrace/  # No systemtap support.
 install -m 755 -d %{buildroot}%{_libdir}/node_modules/
 install -m 755 -d %{buildroot}%{_datadir}/%{name}
 
@@ -80,6 +115,17 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+*   Thu Feb 24 2022 Nicolas Guibourge <[email protected]> - 16.14.0-1
+-   Upgrade to 16.14.0.
+*   Thu Nov 18 2021 Thomas Crain <[email protected]> - 14.18.1-1
+-   Update to version 14.18.1 to fix CVE-2021-22959, CVE-2021-22960, CVE-2021-37701,
+    CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, CVE-2021-39135
+-   Add patch to remove problematic cipher from default list
+-   Add config flag to use OpenSSL cert store instead of built-in Mozilla certs
+-   Add script to remove vendored OpenSSL tree from source tarball
+-   Update required OpenSSL version to 1.1.1
+-   Use python configure script directly
+-   Lint spec
 *   Thu Sep 23 2021 Pawel Winogrodzki <[email protected]> - 14.17.2-2
 -   Adding 'Provides' for 'npm'.
 *   Mon Jul 19 2021 Neha Agarwal <[email protected]> - 14.17.2-1

cgmanifest.json

@@ -14463,8 +14463,8 @@
         "type": "other",
         "other": {
           "name": "nodejs",
-          "version": "14.17.2",
-          "downloadUrl": "https://nodejs.org/download/release/v14.17.2/node-v14.17.2.tar.xz"
+          "version": "16.14.0",
+          "downloadUrl": "https://nodejs.org/download/release/v16.14.0/node-v16.14.0.tar.xz"
         }
       }
     },