node: January 21, 2025 Security Releases
authorHirokazu MORIKAWA <morikw2@gmail.com>
Thu, 23 Jan 2025 05:27:18 +0000 (14:27 +0900)
committerTianling Shen <cnsztl@gmail.com>
Fri, 24 Jan 2025 07:55:15 +0000 (15:55 +0800)
This is a security release.

Notable Changes

    CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
    CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
    CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

    CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
lang/node/Makefile
lang/node/patches/003-path.patch
lang/node/patches/200-uv_gyp.patch
lang/node/patches/202-node_gyp.patch
lang/node/patches/204-v8_gyp.patch
lang/node/patches/999-fix_building_with_system_icu_76.patch [deleted file]
lang/node/patches/999-localhost-no-addrconfig.patch
lang/node/patches/999-revert_enable_pointer_authentication_on_arm64.patch

index 6d458432daec34ed005f6339503af55076b46417..f041a4ef75a1bbe000887b8de557f135bafcf364 100644 (file)
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=node
-PKG_VERSION:=22.11.0
-PKG_RELEASE:=4
+PKG_VERSION:=22.13.1
+PKG_RELEASE:=1
 NODE_MODULE_VERSION:=127
 
 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nodejs.org/dist/v$(PKG_VERSION)
-PKG_HASH:=24e5130fa7bc1eaab218a0c9cb05e03168fa381bb9e3babddc6a11f655799222
+PKG_HASH:=e7d5b1e84e7f3c3cebda81e2b138469eef41ba4ecf16a87fd15fc3f7afa3f701
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-v$(PKG_VERSION)
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/$(PKG_NAME)-v$(PKG_VERSION)
 
index f2000b1e3fccd2f0881144003d89aa2a5cc0b74f..cfe6da54f2af0f5ee103b5dedf23d0cd620867bf 100644 (file)
@@ -1,6 +1,6 @@
 --- a/lib/internal/modules/cjs/loader.js
 +++ b/lib/internal/modules/cjs/loader.js
-@@ -1779,7 +1779,8 @@ Module._initPaths = function() {
+@@ -1789,7 +1789,8 @@ Module._initPaths = function() {
      path.resolve(process.execPath, '..') :
      path.resolve(process.execPath, '..', '..');
  
index 75bc8f2e5b15a344e2dbfe9317565f6a99531f27..9e3961763a47484fef4456008ac3964791d7e9af 100644 (file)
@@ -1,6 +1,6 @@
 --- a/deps/uv/uv.gyp
 +++ b/deps/uv/uv.gyp
-@@ -155,6 +155,7 @@
+@@ -156,6 +156,7 @@
        'target_name': 'libuv',
        'toolsets': ['host', 'target'],
        'type': '<(uv_library)',
index 84ea6f607edeb2896ae187f40d31b47ce49f28f2..2b72ab1207e35e48da97009fd634077c63044505 100644 (file)
@@ -1,10 +1,18 @@
 --- a/node.gyp
 +++ b/node.gyp
-@@ -1350,6 +1350,7 @@
-       'dependencies': [
-         'deps/simdutf/simdutf.gyp:simdutf#host',
+@@ -1138,6 +1138,7 @@
+       'includes': [
+         'node.gypi'
        ],
 +      'libraries!':[ '-licui18n', '-licuuc', '-licudata', '-lcrypto', '-lssl', '-lz', '-lhttp_parser', '-luv', '-lnghttp2', '-lcares' ],
        'include_dirs': [
+         'src',
+         'tools/msvs/genfiles',
+@@ -1354,6 +1355,7 @@
          'tools',
          'src',
+       ],
++      'libraries!':[ '-licui18n', '-licuuc', '-licudata', '-lcrypto', '-lssl', '-lz', '-lhttp_parser', '-luv', '-lnghttp2', '-lcares' ],
+       'sources': [
+         'tools/js2c.cc',
+         'tools/executable_wrapper.h',
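Review bot: The same ten-entry `'libraries!'` exclusion is now pasted verbatim into two node.gyp targets (the inner hunks at 1138 and 1355), and the patch file still carries no header explaining why those particular targets must not link the listed libraries, so the next rebase has to rediscover which targets the line belongs to. A DEP-3 style header at the top of the patch, in the style of the `Forwarded:` line that 999-localhost-no-addrconfig.patch already carries, would record that; for example `Description: keep the build-time tool targets in node.gyp from linking the target-side libraries (presumably so they build with the host toolchain); the exclusion must follow those targets on every rebase`. The reason given there is inferred from the context lines (`'tools/js2c.cc'`, `'tools/msvs/genfiles'`) and should be confirmed before it is written down. Keeping the two copies in sync with 999-revert_enable_pointer_authentication_on_arm64.patch, which patches the same 1138/1139 target, is worth a sentence in that header too.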
index 5dba48a4f8d8230a240352043641bca8d3874838..c6f426aa8ef4bbbcedb7feed47339c10be577dee 100644 (file)
@@ -44,7 +44,7 @@
        ],
        'sources': [
          '<!@pymod_do_main(GN-scraper "<(V8_ROOT)/BUILD.gn"  "\\"v8_initializers.*?sources = ")',
-@@ -820,6 +826,7 @@
+@@ -825,6 +831,7 @@
        'toolsets': ['host', 'target'],
        'direct_dependent_settings': {
          'sources': ['<!@pymod_do_main(GN-scraper "<(V8_ROOT)/BUILD.gn"  "v8_compiler_sources = ")'],
@@ -52,7 +52,7 @@
          'conditions': [
            ['v8_target_arch=="ia32"', {
              'sources': [
-@@ -929,6 +936,8 @@
+@@ -939,6 +946,8 @@
        'target_name': 'v8_turboshaft',
        'type': 'static_library',
        'toolsets': ['host', 'target'],
@@ -61,7 +61,7 @@
        'dependencies': [
          'generate_bytecode_builtins_list',
          'run_torque',
-@@ -968,6 +977,7 @@
+@@ -978,6 +987,7 @@
          'run_torque',
          'v8_maybe_icu',
        ],
@@ -69,7 +69,7 @@
        'conditions': [
          ['(is_component_build and not v8_optimized_debug and v8_enable_fast_mksnapshot) or v8_enable_turbofan==0', {
            'dependencies': [
-@@ -1010,6 +1020,7 @@
+@@ -1020,6 +1030,7 @@
        ],
        'includes': ['inspector.gypi'],
        'direct_dependent_settings': {
@@ -77,7 +77,7 @@
          'include_dirs': [
            '<(generate_bytecode_output_root)',
            '<(SHARED_INTERMEDIATE_DIR)',
-@@ -1647,6 +1658,7 @@
+@@ -1674,6 +1685,7 @@
          }],
        ],
        'direct_dependent_settings': {
@@ -85,7 +85,7 @@
          'include_dirs': [
            '<(V8_ROOT)/include',
          ],
-@@ -1667,6 +1679,7 @@
+@@ -1694,6 +1706,7 @@
      {
        'target_name': 'bytecode_builtins_list_generator',
        'type': 'executable',
@@ -93,7 +93,7 @@
        'conditions': [
          ['want_separate_host_toolset', {
            'toolsets': ['host'],
-@@ -1695,6 +1708,9 @@
+@@ -1722,6 +1735,9 @@
      {
        'target_name': 'mksnapshot',
        'type': 'executable',
        'dependencies': [
          'v8_base_without_compiler',
          'v8_compiler_for_mksnapshot',
-@@ -1723,6 +1739,7 @@
+@@ -1750,6 +1766,7 @@
      {
        'target_name': 'torque',
        'type': 'executable',
        'dependencies': [
          'torque_base',
          # "build/win:default_exe_manifest",
-@@ -1765,6 +1782,7 @@
+@@ -1792,6 +1809,7 @@
      {
        'target_name': 'torque-language-server',
        'type': 'executable',
        'conditions': [
          ['want_separate_host_toolset', {
            'toolsets': ['host'],
-@@ -1796,6 +1814,8 @@
+@@ -1823,6 +1841,8 @@
      {
        'target_name': 'gen-regexp-special-case',
        'type': 'executable',
        'dependencies': [
          'v8_libbase',
          # "build/win:default_exe_manifest",
-@@ -2036,6 +2056,7 @@
+@@ -2063,6 +2083,7 @@
           }],
        ],
        'direct_dependent_settings': {
          'include_dirs': [
            '<(V8_ROOT)/include',
          ],
-@@ -2175,15 +2196,19 @@
+@@ -2202,15 +2223,19 @@
          }],
        ],
        'direct_dependent_settings': {
        ],
        'sources': [
          '<(V8_ROOT)/third_party/zlib/adler32.c',
-@@ -2228,6 +2253,7 @@
+@@ -2255,6 +2280,7 @@
        'variables': {
          'ABSEIL_ROOT': '../../deps/v8/third_party/abseil-cpp',
        },
diff --git a/lang/node/patches/999-fix_building_with_system_icu_76.patch b/lang/node/patches/999-fix_building_with_system_icu_76.patch
deleted file mode 100644 (file)
index 0d0c2da..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-From 54299ac3a3d4e4520b8604dce43c2584092ccde2 Mon Sep 17 00:00:00 2001
-From: Michael Cho <michael@michaelcho.dev>
-Date: Sun, 27 Oct 2024 10:08:07 -0400
-Subject: [PATCH] build: fix building with system icu 76
-
-ICU 76 decided to reduce overlinking[^1] thus `icu-i18n` will no longer
-add `icu-uc` when linking to shared libraries. This results in undefined
-symbols/references when trying to build with system ICU 76.
-
-[^1]: unicode-org/icu@199bc82
----
- configure.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/configure.py
-+++ b/configure.py
-@@ -1876,7 +1876,7 @@ def configure_intl(o):
-   elif with_intl == 'system-icu':
-     # ICU from pkg-config.
-     o['variables']['v8_enable_i18n_support'] = 1
--    pkgicu = pkg_config('icu-i18n')
-+    pkgicu = pkg_config(['icu-i18n', 'icu-uc'])
-     if not pkgicu[0]:
-       error('''Could not load pkg-config data for "icu-i18n".
-        See above errors or the README.md.''')
index c431370b78560ebad6b4bcc8a2a789d8b0d97357..05147e1e75af32a2f76c439d60ef626f886c146c 100644 (file)
@@ -13,7 +13,7 @@ Forwarded: https://github.com/nodejs/node/issues/33816
  //
  // Permission is hereby granted, free of charge, to any person obtaining a
  // copy of this software and associated documentation files (the
-@@ -1342,13 +1343,6 @@ function lookupAndConnect(self, options)
+@@ -1368,13 +1369,6 @@ function lookupAndConnect(self, options)
      hints: options.hints || 0,
    };
  
index 83fd1e025abfccca0d4e671b0fc494726c7ed7a3..e281dcb55fa5994fed17c35e4ec43f2c906f514e 100644 (file)
@@ -1,10 +1,10 @@
 --- a/node.gyp
 +++ b/node.gyp
-@@ -1351,6 +1351,7 @@
-         'deps/simdutf/simdutf.gyp:simdutf#host',
+@@ -1139,6 +1139,7 @@
+         'node.gypi'
        ],
        'libraries!':[ '-licui18n', '-licuuc', '-licudata', '-lcrypto', '-lssl', '-lz', '-lhttp_parser', '-luv', '-lnghttp2', '-lcares' ],
 +      'cflags!': ['-mbranch-protection=standard'],
        'include_dirs': [
-         'tools',
          'src',
+         'tools/msvs/genfiles',
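Review bot: The `'cflags!': ['-mbranch-protection=standard']` line now attaches to the node.gyp target at 1139 (context `'node.gypi'`), whereas before the rebase it sat in the target whose dependency list held `simdutf#host`; in 22.13.1 that js2c target appears to be the one 202-node_gyp.patch now patches separately at 1355 (`'tools/js2c.cc'`), which this patch no longer touches. If upstream sets the branch-protection flag on the js2c target, this revert silently stops covering it even though 202-node_gyp.patch still strips the libraries from both targets — worth confirming against node.gyp in 22.13.1 before merging. A one-line header naming the target the exclusion must stay on, e.g. `Description: drop -mbranch-protection=standard from the <TARGET-NAME> target in node.gyp; re-check which target this lands on at every rebase`, would make such drift visible next time.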