Diffstat (limited to 'main/nodejs/APKBUILD')
-rw-r--r--main/nodejs/APKBUILD243
1 files changed, 190 insertions, 53 deletions
diff --git a/main/nodejs/APKBUILD b/main/nodejs/APKBUILD
index d025612fd4c..d163530c6e6 100644
--- a/main/nodejs/APKBUILD
+++ b/main/nodejs/APKBUILD
@@ -6,6 +6,76 @@
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
#
# secfixes:
+# 20.12.1-r0:
+# - CVE-2024-27982
+# - CVE-2024-27983
+# 18.18.2-r0:
+# - CVE-2023-45143
+# - CVE-2023-38552
+# - CVE-2023-39333
+# 18.17.1-r0:
+# - CVE-2023-32002
+# - CVE-2023-32006
+# - CVE-2023-32559
+# 18.14.1-r0:
+# - CVE-2023-23918
+# - CVE-2023-23919
+# - CVE-2023-23920
+# - CVE-2023-23936
+# - CVE-2023-24807
+# 18.12.1-r0:
+# - CVE-2022-3602
+# - CVE-2022-3786
+# - CVE-2022-43548
+# 16.17.1-r0:
+# - CVE-2022-32213
+# - CVE-2022-32214
+# - CVE-2022-32215
+# - CVE-2022-35255
+# - CVE-2022-35256
+# 16.13.2-r0:
+# - CVE-2021-44531
+# - CVE-2021-44532
+# - CVE-2021-44533
+# - CVE-2022-21824
+# 14.18.1-r0:
+# - CVE-2021-22959
+# - CVE-2021-22960
+# 14.17.6-r0:
+# - CVE-2021-37701
+# - CVE-2021-37712
+# - CVE-2021-37713
+# - CVE-2021-39134
+# - CVE-2021-39135
+# 14.17.5-r0:
+# - CVE-2021-3672
+# - CVE-2021-22931
+# - CVE-2021-22939
+# 14.17.4-r0:
+# - CVE-2021-22930
+# 14.16.1-r0:
+# - CVE-2020-7774
+# 14.16.0-r0:
+# - CVE-2021-22883
+# - CVE-2021-22884
+# 14.15.5-r0:
+# - CVE-2021-21148
+# 14.15.4-r0:
+# - CVE-2020-8265
+# - CVE-2020-8287
+# 14.15.1-r0:
+# - CVE-2020-8277
+# 12.18.4-r0:
+# - CVE-2020-8201
+# - CVE-2020-8252
+# 12.18.0-r0:
+# - CVE-2020-8172
+# - CVE-2020-11080
+# - CVE-2020-8174
+# 12.15.0-r0:
+# - CVE-2019-15606
+# - CVE-2019-15605
+# - CVE-2019-15604
# 10.16.3-r0:
# - CVE-2019-9511
# - CVE-2019-9512
@@ -40,60 +110,136 @@
# - CVE-2017-14919
# 6.11.1-r0:
# - CVE-2017-1000381
-#
+# 0:
+# - CVE-2021-43803
+# - CVE-2022-32212
+# - CVE-2023-44487
pkgname=nodejs
# Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)!
# Odd-numbered versions are supported only for 9 months by upstream.
-pkgver=10.16.3
+pkgver=20.12.2
pkgrel=0
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
-arch="all !mips64 !mips64el"
+arch="all"
license="MIT"
depends="ca-certificates"
-depends_dev="libuv"
-# gold is needed for mksnapshot
-makedepends="$depends_dev python2 openssl-dev zlib-dev libuv-dev linux-headers
- paxmark binutils-gold http-parser-dev ca-certificates c-ares-dev"
-subpackages="$pkgname-dev $pkgname-doc npm::noarch"
-provides="nodejs-lts=$pkgver" # for backward compatibility
+makedepends="
+ ada-dev
+ base64-dev
+ brotli-dev
+ c-ares-dev
+ icu-dev
+ linux-headers
+ nghttp2-dev
+ openssl-dev
+ py3-jinja2
+ python3
+ samurai
+ zlib-dev
+ "
+install="$pkgname.post-upgrade"
+subpackages="
+ $pkgname-dev
+ $pkgname-libs
+ $pkgname-doc
+ "
+provider_priority=100 # highest priority (other provider is nodejs-current)
+provides="nodejs-lts=$pkgver-r$pkgrel" # for backward compatibility
replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility
source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
- dont-run-gyp-files-for-bundled-deps.patch
- link-with-libatomic-on-mips32.patch
+ disable-running-gyp-on-shared-deps.patch
+ system-ada.patch
+ system-base64.patch
+ base64.gyp
+ $pkgname.pc.in
"
builddir="$srcdir/node-v$pkgver"
prepare() {
default_prepare
+ # openssl.cnf is required for build.
+ mv deps/openssl/nodejs-openssl.cnf .
+
# Remove bundled dependencies that we're not using.
- rm -rf deps/http_parser deps/openssl deps/uv deps/zlib
+ #
+ # NOTE: nghttp3 and ngtcp2 are only used when building with OpenSSL
+ # that supports QUIC. After the QUIC support is added to openssl, add
+ # options --shared-nghttp3 and --shared-ngtcp2.
+ rm -rf deps/ada/*.cpp \
+ deps/base64/* \
+ deps/brotli \
+ deps/cares \
+ deps/corepack \
+ deps/nghttp2 \
+ deps/nghttp3 \
+ deps/ngtcp2 \
+ deps/openssl/* \
+ deps/v8/third_party/jinja2 \
+ deps/zlib \
+ tools/inspector_protocol/jinja2
+
+ mv nodejs-openssl.cnf deps/openssl/
+
+ cp "$srcdir"/base64.gyp deps/base64/
}
build() {
- cd "$builddir"
+ # Add defines recommended in libuv readme.
+ local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+
+ # -Os overwrites the optimizations enabled by BUILDTYPE=Release.
+ # Compiling with O2 instead of Os increases binary size by ~10%
+ # (53.1 MiB -> 58.6 MiB), but also increases performance by ~20%
+ # according to v8/web-tooling-benchmark. Node.js is quite huge anyway;
+ # there are better options for size constrained environments.
+ export CFLAGS="${CFLAGS/-Os} $common_flags"
+ export CXXFLAGS="${CXXFLAGS/-Os} $common_flags"
+ export CPPFLAGS="${CPPFLAGS/-Os} $common_flags"
- case "$CARCH" in
- mips*) _carchflags="--with-mips-arch-variant=r1 --with-mips-float-abi=soft";;
- esac
+ # When building shared libnode.so, the resulting package size is +15 %
+ # (~8 MiB), so we rather build it twice to keep the node binary smaller
+ # (there are currently no packages using libnode.so).
+ msg 'Building node binary'
+ _build
+ cp out/Release/node out/
- ./configure --prefix=/usr \
- $_carchflags \
+ msg 'Building libnode.so'
+ _build --shared
+ cp out/Release/lib/libnode.so* out/Release/
+
+ sed "s/@VERSION@/$pkgver/" "$srcdir"/$pkgname.pc.in > out/Release/$pkgname.pc
+}
+
+_build() {
+ # NOTE: We use bundled libuv because they don't care much about backward
+ # compatibility and it has happened several times in past that we
+ # couldn't upgrade nodejs package in stable branches to fix CVEs due to
+ # libuv incompatibility.
+ #
+ # NOTE: We don't package the bundled npm - it's a separate project with
+ # its own release cycle and version numbering, so it's better to keep
+ # it in a standalone aport.
+ #
+ # TODO: Fix and enable corepack.
+ python3 configure.py \
+ --prefix=/usr \
+ --ninja \
+ --enable-lto \
+ --shared-brotli \
--shared-zlib \
- --shared-libuv \
--shared-openssl \
- --shared-http-parser \
--shared-cares \
- --openssl-use-def-ca-store
-
- # We need run mksnapshot at build time so paxmark it early.
- make -C out mksnapshot BUILDTYPE=Release
- paxmark -m out/Release/mksnapshot
- make
+ --shared-nghttp2 \
+ --openssl-use-def-ca-store \
+ --with-icu-default-data-dir=$(icu-config --icudatadir) \
+ --with-intl=system-icu \
+ --without-corepack \
+ --without-npm \
+ "$@"
- # paxmark so JIT works
- paxmark -m out/Release/node
+ make BUILDTYPE=Release
}
# TODO Run provided test suite.
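Review bot: In `_build`, the argument `--with-icu-default-data-dir=$(icu-config --icudatadir)` is unquoted and the exit status of `icu-config` is never checked. A command substitution inside an argument does not affect the status of the surrounding command, so if `icu-config` is missing or fails, `configure.py` receives an empty data directory and the build may carry on with ICU data resolved from the wrong place. Resolve the path first with `local icudir; icudir=$(icu-config --icudatadir)`, where the bare assignment carries the substitution's status, and then pass `--with-icu-default-data-dir="$icudir"`. A short comment above it saying which package provides `icu-config` would also help, since it is not obvious from the `makedepends` list.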
@@ -102,20 +248,20 @@ check() {
./node -e 'console.log("Hello, world!")'
./node -e "require('assert').equal(process.versions.node, '$pkgver')"
+ ./node -e 'require("assert").equal(
+ Buffer.from(Buffer.from("foo").toString("base64"), "base64").toString("ascii"),
+ "foo")'
}
package() {
- cd "$builddir"
-
make DESTDIR="$pkgdir" install
- # It's strange, but it really needs to be paxmarked again...
- paxmark -m "$pkgdir"/usr/bin/node
+ # node binary built without libnode.so.
+ install -D -m755 out/node -t "$pkgdir"/usr/bin/
+
+ install -D -m644 out/Release/$pkgname.pc -t "$pkgdir"/usr/lib/pkgconfig/
- cp -pr "$pkgdir"/usr/lib/node_modules/npm/man "$pkgdir"/usr/share
- local d; for d in doc html man; do
- rm -r "$pkgdir"/usr/lib/node_modules/npm/$d
- done
+ (cd "$pkgdir"/usr/lib; ln -sf libnode.so.* libnode.so)
}
dev() {
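Review bot: In `package()`, `ln -sf libnode.so.* libnode.so` depends on the glob matching exactly one file. When nothing matches, the shell passes the pattern through literally and `ln -sf` creates a dangling `libnode.so` link without reporting an error, so a package with a broken library link would still be produced. Adding `test -e "$pkgdir"/usr/lib/libnode.so` right after the subshell makes that case fail, because `-e` follows the link. Separately, the `./node` calls in `check()` (whose start is outside this hunk) may be exercising the libnode-linked binary rather than `out/node`, which is the one installed to `/usr/bin`. It is worth confirming that the shipped binary is the one being tested.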
@@ -123,20 +269,11 @@ dev() {
default_dev
}
-npm() {
- pkgdesc="A package manager for JavaScript"
- depends="$pkgname"
- # for backward compatibility
- provides="nodejs-npm=$pkgver-r$pkgrel nodejs-current-npm=$pkgver-r$pkgrel"
- replaces="nodejs-npm nodejs-current-npm $pkgname"
-
- mkdir -p "$subpkgdir"/usr/bin
- mv "$pkgdir"/usr/bin/np[mx] "$subpkgdir"/usr/bin/
-
- mkdir -p "$subpkgdir"/usr/lib/node_modules
- mv "$pkgdir"/usr/lib/node_modules/npm "$subpkgdir"/usr/lib/node_modules/
-}
-
-sha512sums="c3a95d8810599db8e9a17932c55ff57223cf9e66028e776088420023ab7ba393e9b60518a189fcab46ca2597d213f8a6414abba282a73c9501c294dbc7b041e6 node-v10.16.3.tar.gz
-9d09a88074bf0093f35c5b610e73ebf4c5381df2a2b29feb69da1af0b18776a683b13f1276375bbcfc60936cc27769539e1f01b4ba94b22cad2d5f4daae14c46 dont-run-gyp-files-for-bundled-deps.patch
-4fd3f10bd82d1e851ed000169c2635c001a4a051283edf96f1efb2260e2d395199dd5843f79f1cff8f2c0c65462c44241c508ea67835dfbd9880d9196fae290a link-with-libatomic-on-mips32.patch"
+sha512sums="
+25d35c0be251e557ba8b3115b75f38aa20000e2abcabcfd40143528c64d4db8a1eba338847f90be539e4918e62fb52840ff0ae9a8f5224f03335fc28d575cb36 node-v20.12.2.tar.gz
+8c264eefc0bfa9dd57656f9f515e940d5c21b8d836dc549031ee559ba909643f4f2495b8b392ee9976c5eed7c3b4a09db876bbe0f7fcd5b2bf63fafca37bffc2 disable-running-gyp-on-shared-deps.patch
+4fc09500212ebc178801e7419c840ccebc239ff06edcb28910315e39bfc772a3967f5ff2abff03845269e730643be161134ac95bab899069fa57dd64be98defa system-ada.patch
+94db1f150cb962bf19f42e0ef7cec2c0e007d1909611d03a393095720cc8db58322e638ea3c3280b4412f47615963c88e69c71b4c5adf84292b9fc7f3be3b110 system-base64.patch
+bb0f74d8fb1ef07fd457670b9073a3cecadb3ac7d4fea008e8f17c091a62d15ef50646be457a50ac24c4129085d4da21beedd03af0739dded5d636916482f082 base64.gyp
+f908fa93f6194ec4f6c5e9d76ed7c918721c7f5d46afcc12de1f84683c185401a27a174b7a7c6a76085a4d0826f964e7088bf5596d4e6901a15bf751846299a6 nodejs.pc.in
+"