node: January 21, 2025 Security Releases

This is a security release.

Notable Changes

    CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
    CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
    CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

    CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>

lang/node/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=node
-PKG_VERSION:=22.11.0
-PKG_RELEASE:=4
+PKG_VERSION:=22.13.1
+PKG_RELEASE:=1
 NODE_MODULE_VERSION:=127
 
 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nodejs.org/dist/v$(PKG_VERSION)
-PKG_HASH:=24e5130fa7bc1eaab218a0c9cb05e03168fa381bb9e3babddc6a11f655799222
+PKG_HASH:=e7d5b1e84e7f3c3cebda81e2b138469eef41ba4ecf16a87fd15fc3f7afa3f701
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-v$(PKG_VERSION)
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/$(PKG_NAME)-v$(PKG_VERSION)
 

lang/node/patches/003-path.patch

@@ -1,6 +1,6 @@
 --- a/lib/internal/modules/cjs/loader.js
 +++ b/lib/internal/modules/cjs/loader.js
-@@ -1779,7 +1779,8 @@ Module._initPaths = function() {
+@@ -1789,7 +1789,8 @@ Module._initPaths = function() {
      path.resolve(process.execPath, '..') :
      path.resolve(process.execPath, '..', '..');
  

lang/node/patches/200-uv_gyp.patch

@@ -1,6 +1,6 @@
 --- a/deps/uv/uv.gyp
 +++ b/deps/uv/uv.gyp
-@@ -155,6 +155,7 @@
+@@ -156,6 +156,7 @@
        'target_name': 'libuv',
        'toolsets': ['host', 'target'],
        'type': '<(uv_library)',

lang/node/patches/202-node_gyp.patch

@@ -1,10 +1,18 @@
 --- a/node.gyp
 +++ b/node.gyp
-@@ -1350,6 +1350,7 @@
-       'dependencies': [
-         'deps/simdutf/simdutf.gyp:simdutf#host',
+@@ -1138,6 +1138,7 @@
+       'includes': [
+         'node.gypi'
        ],
 +      'libraries!':[ '-licui18n', '-licuuc', '-licudata', '-lcrypto', '-lssl', '-lz', '-lhttp_parser', '-luv', '-lnghttp2', '-lcares' ],
        'include_dirs': [
+         'src',
+         'tools/msvs/genfiles',
+@@ -1354,6 +1355,7 @@
          'tools',
          'src',
+       ],
++      'libraries!':[ '-licui18n', '-licuuc', '-licudata', '-lcrypto', '-lssl', '-lz', '-lhttp_parser', '-luv', '-lnghttp2', '-lcares' ],
+       'sources': [
+         'tools/js2c.cc',
+         'tools/executable_wrapper.h',

lang/node/patches/204-v8_gyp.patch

@@ -44,7 +44,7 @@
        ],
        'sources': [
          '<!@pymod_do_main(GN-scraper "<(V8_ROOT)/BUILD.gn"  "\\"v8_initializers.*?sources = ")',
-@@ -820,6 +826,7 @@
+@@ -825,6 +831,7 @@
        'toolsets': ['host', 'target'],
        'direct_dependent_settings': {
          'sources': ['<!@pymod_do_main(GN-scraper "<(V8_ROOT)/BUILD.gn"  "v8_compiler_sources = ")'],
@@ -52,7 +52,7 @@
          'conditions': [
            ['v8_target_arch=="ia32"', {
              'sources': [
-@@ -929,6 +936,8 @@
+@@ -939,6 +946,8 @@
        'target_name': 'v8_turboshaft',
        'type': 'static_library',
        'toolsets': ['host', 'target'],
@@ -61,7 +61,7 @@
        'dependencies': [
          'generate_bytecode_builtins_list',
          'run_torque',
-@@ -968,6 +977,7 @@
+@@ -978,6 +987,7 @@
          'run_torque',
          'v8_maybe_icu',
        ],
@@ -69,7 +69,7 @@
        'conditions': [
          ['(is_component_build and not v8_optimized_debug and v8_enable_fast_mksnapshot) or v8_enable_turbofan==0', {
            'dependencies': [
-@@ -1010,6 +1020,7 @@
+@@ -1020,6 +1030,7 @@
        ],
        'includes': ['inspector.gypi'],
        'direct_dependent_settings': {
@@ -77,7 +77,7 @@
          'include_dirs': [
            '<(generate_bytecode_output_root)',
            '<(SHARED_INTERMEDIATE_DIR)',
-@@ -1647,6 +1658,7 @@
+@@ -1674,6 +1685,7 @@
          }],
        ],
        'direct_dependent_settings': {
@@ -85,7 +85,7 @@
          'include_dirs': [
            '<(V8_ROOT)/include',
          ],
-@@ -1667,6 +1679,7 @@
+@@ -1694,6 +1706,7 @@
      {
        'target_name': 'bytecode_builtins_list_generator',
        'type': 'executable',
@@ -93,7 +93,7 @@
        'conditions': [
          ['want_separate_host_toolset', {
            'toolsets': ['host'],
-@@ -1695,6 +1708,9 @@
+@@ -1722,6 +1735,9 @@
      {
        'target_name': 'mksnapshot',
        'type': 'executable',
@@ -103,7 +103,7 @@
        'dependencies': [
          'v8_base_without_compiler',
          'v8_compiler_for_mksnapshot',
-@@ -1723,6 +1739,7 @@
+@@ -1750,6 +1766,7 @@
      {
        'target_name': 'torque',
        'type': 'executable',
@@ -111,7 +111,7 @@
        'dependencies': [
          'torque_base',
          # "build/win:default_exe_manifest",
-@@ -1765,6 +1782,7 @@
+@@ -1792,6 +1809,7 @@
      {
        'target_name': 'torque-language-server',
        'type': 'executable',
@@ -119,7 +119,7 @@
        'conditions': [
          ['want_separate_host_toolset', {
            'toolsets': ['host'],
-@@ -1796,6 +1814,8 @@
+@@ -1823,6 +1841,8 @@
      {
        'target_name': 'gen-regexp-special-case',
        'type': 'executable',
@@ -128,7 +128,7 @@
        'dependencies': [
          'v8_libbase',
          # "build/win:default_exe_manifest",
-@@ -2036,6 +2056,7 @@
+@@ -2063,6 +2083,7 @@
           }],
        ],
        'direct_dependent_settings': {
@@ -136,7 +136,7 @@
          'include_dirs': [
            '<(V8_ROOT)/include',
          ],
-@@ -2175,15 +2196,19 @@
+@@ -2202,15 +2223,19 @@
          }],
        ],
        'direct_dependent_settings': {
@@ -156,7 +156,7 @@
        ],
        'sources': [
          '<(V8_ROOT)/third_party/zlib/adler32.c',
-@@ -2228,6 +2253,7 @@
+@@ -2255,6 +2280,7 @@
        'variables': {
          'ABSEIL_ROOT': '../../deps/v8/third_party/abseil-cpp',
        },

lang/node/patches/999-fix_building_with_system_icu_76.patch

@@ -1,25 +0,0 @@
-From 54299ac3a3d4e4520b8604dce43c2584092ccde2 Mon Sep 17 00:00:00 2001
-From: Michael Cho <michael@michaelcho.dev>
-Date: Sun, 27 Oct 2024 10:08:07 -0400
-Subject: [PATCH] build: fix building with system icu 76
-
-ICU 76 decided to reduce overlinking[^1] thus `icu-i18n` will no longer
-add `icu-uc` when linking to shared libraries. This results in undefined
-symbols/references when trying to build with system ICU 76.
-
-[^1]: unicode-org/icu@199bc82
----
- configure.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/configure.py
-+++ b/configure.py
-@@ -1876,7 +1876,7 @@ def configure_intl(o):
-   elif with_intl == 'system-icu':
-     # ICU from pkg-config.
-     o['variables']['v8_enable_i18n_support'] = 1
--    pkgicu = pkg_config('icu-i18n')
-+    pkgicu = pkg_config(['icu-i18n', 'icu-uc'])
-     if not pkgicu[0]:
-       error('''Could not load pkg-config data for "icu-i18n".
-        See above errors or the README.md.''')

lang/node/patches/999-localhost-no-addrconfig.patch

@@ -13,7 +13,7 @@ Forwarded: https://github.com/nodejs/node/issues/33816
  //
  // Permission is hereby granted, free of charge, to any person obtaining a
  // copy of this software and associated documentation files (the
-@@ -1342,13 +1343,6 @@ function lookupAndConnect(self, options)
+@@ -1368,13 +1369,6 @@ function lookupAndConnect(self, options)
      hints: options.hints || 0,
    };
  

lang/node/patches/999-revert_enable_pointer_authentication_on_arm64.patch

@@ -1,10 +1,10 @@
 --- a/node.gyp
 +++ b/node.gyp
-@@ -1351,6 +1351,7 @@
-         'deps/simdutf/simdutf.gyp:simdutf#host',
+@@ -1139,6 +1139,7 @@
+         'node.gypi'
        ],
        'libraries!':[ '-licui18n', '-licuuc', '-licudata', '-lcrypto', '-lssl', '-lz', '-lhttp_parser', '-luv', '-lnghttp2', '-lcares' ],
 +      'cflags!': ['-mbranch-protection=standard'],
        'include_dirs': [
-         'tools',
          'src',
+         'tools/msvs/genfiles',