Diffstat (limited to 'main/nodejs/APKBUILD')
-rw-r--r-- | main/nodejs/APKBUILD | 243 |
1 files changed, 190 insertions, 53 deletions
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index d025612fd4c..d163530c6e6 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,76 @@
 # Maintainer: Jakub Jirutka <jakub@jirutka.cz>
 #
 # secfixes:
+# 20.12.1-r0:
+# - CVE-2024-27982
+# - CVE-2024-27983
+# 18.18.2-r0:
+# - CVE-2023-45143
+# - CVE-2023-38552
+# - CVE-2023-39333
+# 18.17.1-r0:
+# - CVE-2023-32002
+# - CVE-2023-32006
+# - CVE-2023-32559
+# 18.14.1-r0:
+# - CVE-2023-23918
+# - CVE-2023-23919
+# - CVE-2023-23920
+# - CVE-2023-23936
+# - CVE-2023-24807
+# 18.12.1-r0:
+# - CVE-2022-3602
+# - CVE-2022-3786
+# - CVE-2022-43548
+# 16.17.1-r0:
+# - CVE-2022-32213
+# - CVE-2022-32214
+# - CVE-2022-32215
+# - CVE-2022-35255
+# - CVE-2022-35256
+# 16.13.2-r0:
+# - CVE-2021-44531
+# - CVE-2021-44532
+# - CVE-2021-44533
+# - CVE-2022-21824
+# 14.18.1-r0:
+# - CVE-2021-22959
+# - CVE-2021-22960
+# 14.17.6-r0:
+# - CVE-2021-37701
+# - CVE-2021-37712
+# - CVE-2021-37713
+# - CVE-2021-39134
+# - CVE-2021-39135
+# 14.17.5-r0:
+# - CVE-2021-3672
+# - CVE-2021-22931
+# - CVE-2021-22939
+# 14.17.4-r0:
+# - CVE-2021-22930
+# 14.16.1-r0:
+# - CVE-2020-7774
+# 14.16.0-r0:
+# - CVE-2021-22883
+# - CVE-2021-22884
+# 14.15.5-r0:
+# - CVE-2021-21148
+# 14.15.4-r0:
+# - CVE-2020-8265
+# - CVE-2020-8287
+# 14.15.1-r0:
+# - CVE-2020-8277
+# 12.18.4-r0:
+# - CVE-2020-8201
+# - CVE-2020-8252
+# 12.18.0-r0:
+# - CVE-2020-8172
+# - CVE-2020-11080
+# - CVE-2020-8174
+# 12.15.0-r0:
+# - CVE-2019-15606
+# - CVE-2019-15605
+# - CVE-2019-15604
 # 10.16.3-r0:
 # - CVE-2019-9511
 # - CVE-2019-9512
@@ -40,60 +110,136 @@ # - CVE-2017-14919 # 6.11.1-r0: # - CVE-2017-1000381 -# +# 0: +# - CVE-2021-43803 +# - CVE-2022-32212 +# - CVE-2023-44487 pkgname=nodejs # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)! # Odd-numbered versions are supported only for 9 months by upstream. -pkgver=10.16.3 +pkgver=20.12.2 pkgrel=0 pkgdesc="JavaScript runtime built on V8 engine - LTS version" url="https://nodejs.org/" -arch="all !mips64 !mips64el" +arch="all" license="MIT" depends="ca-certificates" -depends_dev="libuv" -# gold is needed for mksnapshot -makedepends="$depends_dev python2 openssl-dev zlib-dev libuv-dev linux-headers - paxmark binutils-gold http-parser-dev ca-certificates c-ares-dev" -subpackages="$pkgname-dev $pkgname-doc npm::noarch" -provides="nodejs-lts=$pkgver" # for backward compatibility +makedepends=" + ada-dev + base64-dev + brotli-dev + c-ares-dev + icu-dev + linux-headers + nghttp2-dev + openssl-dev + py3-jinja2 + python3 + samurai + zlib-dev + " +install="$pkgname.post-upgrade" +subpackages=" + $pkgname-dev + $pkgname-libs + $pkgname-doc + " +provider_priority=100 # highest priority (other provider is nodejs-current) +provides="nodejs-lts=$pkgver-r$pkgrel" # for backward compatibility replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz - dont-run-gyp-files-for-bundled-deps.patch - link-with-libatomic-on-mips32.patch + disable-running-gyp-on-shared-deps.patch + system-ada.patch + system-base64.patch + base64.gyp + $pkgname.pc.in " builddir="$srcdir/node-v$pkgver" prepare() { default_prepare + # openssl.cnf is required for build. + mv deps/openssl/nodejs-openssl.cnf . + # Remove bundled dependencies that we're not using. - rm -rf deps/http_parser deps/openssl deps/uv deps/zlib + # + # NOTE: nghttp3 and ngtcp2 are only used when building with OpenSSL + # that supports QUIC. 
After the QUIC support is added to openssl, add + # options --shared-nghttp3 and --shared-ngtcp2. + rm -rf deps/ada/*.cpp \ + deps/base64/* \ + deps/brotli \ + deps/cares \ + deps/corepack \ + deps/nghttp2 \ + deps/nghttp3 \ + deps/ngtcp2 \ + deps/openssl/* \ + deps/v8/third_party/jinja2 \ + deps/zlib \ + tools/inspector_protocol/jinja2 + + mv nodejs-openssl.cnf deps/openssl/ + + cp "$srcdir"/base64.gyp deps/base64/ } build() { - cd "$builddir" + # Add defines recommended in libuv readme. + local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" + + # -Os overwrites the optimizations enabled by BUILDTYPE=Release. + # Compiling with O2 instead of Os increases binary size by ~10% + # (53.1 MiB -> 58.6 MiB), but also increases performance by ~20% + # according to v8/web-tooling-benchmark. Node.js is quite huge anyway; + # there are better options for size constrained environments. + export CFLAGS="${CFLAGS/-Os} $common_flags" + export CXXFLAGS="${CXXFLAGS/-Os} $common_flags" + export CPPFLAGS="${CPPFLAGS/-Os} $common_flags" - case "$CARCH" in - mips*) _carchflags="--with-mips-arch-variant=r1 --with-mips-float-abi=soft";; - esac + # When building shared libnode.so, the resulting package size is +15 % + # (~8 MiB), so we rather build it twice to keep the node binary smaller + # (there are currently no packages using libnode.so). + msg 'Building node binary' + _build + cp out/Release/node out/ - ./configure --prefix=/usr \ - $_carchflags \ + msg 'Building libnode.so' + _build --shared + cp out/Release/lib/libnode.so* out/Release/ + + sed "s/@VERSION@/$pkgver/" "$srcdir"/$pkgname.pc.in > out/Release/$pkgname.pc +} + +_build() { + # NOTE: We use bundled libuv because they don't care much about backward + # compatibility and it has happened several times in past that we + # couldn't upgrade nodejs package in stable branches to fix CVEs due to + # libuv incompatibility. 
+ # + # NOTE: We don't package the bundled npm - it's a separate project with + # its own release cycle and version numbering, so it's better to keep + # it in a standalone aport. + # + # TODO: Fix and enable corepack. + python3 configure.py \ + --prefix=/usr \ + --ninja \ + --enable-lto \ + --shared-brotli \ --shared-zlib \ - --shared-libuv \ --shared-openssl \ - --shared-http-parser \ --shared-cares \ - --openssl-use-def-ca-store - - # We need run mksnapshot at build time so paxmark it early. - make -C out mksnapshot BUILDTYPE=Release - paxmark -m out/Release/mksnapshot - make + --shared-nghttp2 \ + --openssl-use-def-ca-store \ + --with-icu-default-data-dir=$(icu-config --icudatadir) \ + --with-intl=system-icu \ + --without-corepack \ + --without-npm \ + "$@" - # paxmark so JIT works - paxmark -m out/Release/node + make BUILDTYPE=Release } # TODO Run provided test suite. @@ -102,20 +248,20 @@ check() { ./node -e 'console.log("Hello, world!")' ./node -e "require('assert').equal(process.versions.node, '$pkgver')" + ./node -e 'require("assert").equal( + Buffer.from(Buffer.from("foo").toString("base64"), "base64").toString("ascii"), + "foo")' } package() { - cd "$builddir" - make DESTDIR="$pkgdir" install - # It's strange, but it really needs to be paxmarked again... - paxmark -m "$pkgdir"/usr/bin/node + # node binary built without libnode.so. + install -D -m755 out/node -t "$pkgdir"/usr/bin/ + + install -D -m644 out/Release/$pkgname.pc -t "$pkgdir"/usr/lib/pkgconfig/ - cp -pr "$pkgdir"/usr/lib/node_modules/npm/man "$pkgdir"/usr/share - local d; for d in doc html man; do - rm -r "$pkgdir"/usr/lib/node_modules/npm/$d - done + (cd "$pkgdir"/usr/lib; ln -sf libnode.so.* libnode.so) } dev() { 
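Review bot: The NOTE in `_build()` explains why libuv stays bundled (and `--shared-libuv` is dropped from the configure call), but it does not record the security consequence: fixes shipped in the system libuv package no longer reach node, so libuv advisories have to be handled by rebuilding this aport and listing them in its `secfixes` block. I would extend the comment with something like `# Bundled libuv: track libuv CVEs in secfixes here; system libuv updates do not cover node.` The same presumably applies to whatever other dependencies remain under `deps/` after `prepare()`, which this hunk does not enumerate.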
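Review bot: In `package()`, `(cd "$pkgdir"/usr/lib; ln -sf libnode.so.* libnode.so)` still runs `ln` when the `cd` fails, and when the glob matches nothing the shell passes the literal pattern, so a dangling `libnode.so` link is created without any error. Chaining the two commands closes the first gap: `(cd "$pkgdir"/usr/lib && ln -sf libnode.so.* libnode.so)`; a preceding test that exactly one `libnode.so.*` file exists would make a missing library fail the build instead of shipping a broken link. Whether errexit already covers the `cd` depends on how abuild invokes the function, which is not visible here. The added lines do not install `libnode.so.*` themselves, so the link relies on the earlier install step having placed it in `usr/lib`.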
@@ -123,20 +269,11 @@ dev() { default_dev } -npm() { - pkgdesc="A package manager for JavaScript" - depends="$pkgname" - # for backward compatibility - provides="nodejs-npm=$pkgver-r$pkgrel nodejs-current-npm=$pkgver-r$pkgrel" - replaces="nodejs-npm nodejs-current-npm $pkgname" - - mkdir -p "$subpkgdir"/usr/bin - mv "$pkgdir"/usr/bin/np[mx] "$subpkgdir"/usr/bin/ - - mkdir -p "$subpkgdir"/usr/lib/node_modules - mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/ -} - -sha512sums="c3a95d8810599db8e9a17932c55ff57223cf9e66028e776088420023ab7ba393e9b60518a189fcab46ca2597d213f8a6414abba282a73c9501c294dbc7b041e6 node-v10.16.3.tar.gz -9d09a88074bf0093f35c5b610e73ebf4c5381df2a2b29feb69da1af0b18776a683b13f1276375bbcfc60936cc27769539e1f01b4ba94b22cad2d5f4daae14c46 dont-run-gyp-files-for-bundled-deps.patch -4fd3f10bd82d1e851ed000169c2635c001a4a051283edf96f1efb2260e2d395199dd5843f79f1cff8f2c0c65462c44241c508ea67835dfbd9880d9196fae290a link-with-libatomic-on-mips32.patch" +sha512sums=" +25d35c0be251e557ba8b3115b75f38aa20000e2abcabcfd40143528c64d4db8a1eba338847f90be539e4918e62fb52840ff0ae9a8f5224f03335fc28d575cb36 node-v20.12.2.tar.gz +8c264eefc0bfa9dd57656f9f515e940d5c21b8d836dc549031ee559ba909643f4f2495b8b392ee9976c5eed7c3b4a09db876bbe0f7fcd5b2bf63fafca37bffc2 disable-running-gyp-on-shared-deps.patch +4fc09500212ebc178801e7419c840ccebc239ff06edcb28910315e39bfc772a3967f5ff2abff03845269e730643be161134ac95bab899069fa57dd64be98defa system-ada.patch +94db1f150cb962bf19f42e0ef7cec2c0e007d1909611d03a393095720cc8db58322e638ea3c3280b4412f47615963c88e69c71b4c5adf84292b9fc7f3be3b110 system-base64.patch +bb0f74d8fb1ef07fd457670b9073a3cecadb3ac7d4fea008e8f17c091a62d15ef50646be457a50ac24c4129085d4da21beedd03af0739dded5d636916482f082 base64.gyp +f908fa93f6194ec4f6c5e9d76ed7c918721c7f5d46afcc12de1f84683c185401a27a174b7a7c6a76085a4d0826f964e7088bf5596d4e6901a15bf751846299a6 nodejs.pc.in +" |