# Contributor: Jose-Luis Rivas # Contributor: Jakub Jirutka # Contributor: Dave Esaias # Contributor: Tadahisa Kamijo # Contributor: Eivind Uggedal # Maintainer: Jakub Jirutka pkgname=nodejs # Note: Update only to even-numbered versions (e.g. 6.y.z, 8.y.z)! # Odd-numbered versions are supported only for 9 months by upstream. pkgver=22.13.1 pkgrel=2 pkgdesc="JavaScript runtime built on V8 engine - LTS version" url="https://nodejs.org/" arch="all" license="MIT" depends="ca-certificates" makedepends=" ada-dev brotli-dev c-ares-dev icu-dev linux-headers nghttp2-dev openssl-dev py3-jinja2 python3 samurai simdjson-dev simdutf-dev sqlite-dev zlib-dev " install="$pkgname.post-upgrade" subpackages=" $pkgname-dev $pkgname-libs $pkgname-doc " provider_priority=100 # highest priority (other provider is nodejs-current) provides="nodejs-lts=$pkgver-r$pkgrel" # for backward compatibility replaces="nodejs-current nodejs-lts" # nodejs-lts for backward compatibility source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz ncrypto-include-openssl-rand.h.patch v8-ppc64le-compat.patch v8-riscv-trap-handler.patch v8-no-static-zlib.patch v8-disable-trap-handler-on-riscv-sv39.patch $pkgname.pc.in " builddir="$srcdir/node-v$pkgver" # secfixes: # 22.13.1-r0: # - CVE-2025-23083 # - CVE-2025-23085 # - CVE-2025-23085 # - CVE-2025-22150 # 20.15.1-r0: # - CVE-2024-22018 # - CVE-2024-22020 # - CVE-2024-36137 # 20.12.1-r0: # - CVE-2024-27982 # - CVE-2024-27983 # 18.18.2-r0: # - CVE-2023-45143 # - CVE-2023-38552 # - CVE-2023-39333 # 18.17.1-r0: # - CVE-2023-32002 # - CVE-2023-32006 # - CVE-2023-32559 # 18.14.1-r0: # - CVE-2023-23918 # - CVE-2023-23919 # - CVE-2023-23920 # - CVE-2023-23936 # - CVE-2023-24807 # 18.12.1-r0: # - CVE-2022-3602 # - CVE-2022-3786 # - CVE-2022-43548 # 16.17.1-r0: # - CVE-2022-32213 # - CVE-2022-32214 # - CVE-2022-32215 # - CVE-2022-35255 # - CVE-2022-35256 # 16.13.2-r0: # - CVE-2021-44531 # - CVE-2021-44532 # - CVE-2021-44533 # - CVE-2022-21824 # 14.18.1-r0: # - CVE-2021-22959 # - CVE-2021-22960 # 14.17.6-r0: # - CVE-2021-37701 # - CVE-2021-37712 # - CVE-2021-37713 # - CVE-2021-39134 # - CVE-2021-39135 # 14.17.5-r0: # - CVE-2021-3672 # - CVE-2021-22931 # - CVE-2021-22939 # 14.17.4-r0: # - CVE-2021-22930 # 14.16.1-r0: # - CVE-2020-7774 # 14.16.0-r0: # - CVE-2021-22883 # - CVE-2021-22884 # 14.15.5-r0: # - CVE-2021-21148 # 14.15.4-r0: # - CVE-2020-8265 # - CVE-2020-8287 # 14.15.1-r0: # - CVE-2020-8277 # 12.18.4-r0: # - CVE-2020-8201 # - CVE-2020-8252 # 12.18.0-r0: # - CVE-2020-8172 # - CVE-2020-11080 # - CVE-2020-8174 # 12.15.0-r0: # - CVE-2019-15606 # - CVE-2019-15605 # - CVE-2019-15604 # 10.16.3-r0: # - CVE-2019-9511 # - CVE-2019-9512 # - CVE-2019-9513 # - CVE-2019-9514 # - CVE-2019-9515 # - CVE-2019-9516 # - CVE-2019-9517 # - CVE-2019-9518 # 10.15.3-r0: # - CVE-2019-5737 # 10.14.0-r0: # - CVE-2018-12121 # - CVE-2018-12122 # - CVE-2018-12123 # - CVE-2018-0735 # - CVE-2018-0734 # 8.11.4-r0: # - CVE-2018-12115 # 8.11.3-r0: # - CVE-2018-7167 # - CVE-2018-7161 # - CVE-2018-1000168 # 8.11.0-r0: # - CVE-2018-7158 # - CVE-2018-7159 # - CVE-2018-7160 # 8.9.3-r0: # - CVE-2017-15896 # - CVE-2017-15897 # 6.11.5-r0: # - CVE-2017-14919 # 6.11.1-r0: # - CVE-2017-1000381 # 0: # - CVE-2021-43803 # - CVE-2022-32212 # - CVE-2023-44487 # - CVE-2024-36138 # - CVE-2024-37372 prepare() { default_prepare # openssl.cnf is required for build. mv deps/openssl/nodejs-openssl.cnf . # Remove bundled dependencies that we're not using. # # NOTE: nghttp3 and ngtcp2 are only used when building with OpenSSL # that supports QUIC. After the QUIC support is added to openssl, add # options --shared-nghttp3 and --shared-ngtcp2. rm -rf deps/ada \ deps/amaro \ deps/brotli \ deps/cares \ deps/corepack \ deps/nghttp2 \ deps/nghttp3 \ deps/ngtcp2 \ deps/openssl/* \ deps/simdjson \ deps/simdutf \ deps/sqlite \ deps/v8/third_party/jinja2 \ deps/zlib \ tools/inspector_protocol/jinja2 mv nodejs-openssl.cnf deps/openssl/ } build() { # Add defines recommended in libuv readme. local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" # Disable use of OpenSSL ENGINE API - it's deprecated since OpenSSL 3.0 # (https://issues.redhat.com/browse/RHEL-33743). common_flags="$common_flags -DOPENSSL_NO_ENGINE" # -Os overwrites the optimizations enabled by BUILDTYPE=Release. # Compiling with O2 instead of Os increases binary size by ~10% # (53.1 MiB -> 58.6 MiB), but also increases performance by ~20% # according to v8/web-tooling-benchmark. Node.js is quite huge anyway; # there are better options for size constrained environments. export CFLAGS="${CFLAGS/-Os} $common_flags" export CXXFLAGS="${CXXFLAGS/-Os} $common_flags" export CPPFLAGS="${CPPFLAGS/-Os} $common_flags" # When building shared libnode.so, the resulting package size is +15 % # (~8 MiB), so we rather build it twice to keep the node binary smaller # (there are currently no packages using libnode.so). msg 'Building node binary' _build cp out/Release/node out/ msg 'Building libnode.so' _build --shared cp out/Release/lib/libnode.so* out/Release/ sed "s/@VERSION@/$pkgver/" "$srcdir"/$pkgname.pc.in > out/Release/$pkgname.pc } _build() { # NOTE: We use bundled libuv because they don't care much about backward # compatibility and it has happened several times in past that we # couldn't upgrade nodejs package in stable branches to fix CVEs due to # libuv incompatibility. # # NOTE: We don't package the bundled npm - it's a separate project with # its own release cycle and version numbering, so it's better to keep # it in a standalone aport. # # TODO: Fix and enable corepack. # TODO: Create aport for amaro and use --shared-builtin-amaro (amaro # contains pre-built wasm binary). python3 configure.py \ --prefix=/usr \ --ninja \ --enable-lto \ --shared-ada \ --shared-brotli \ --shared-zlib \ --shared-openssl \ --shared-cares \ --shared-nghttp2 \ --shared-simdjson \ --shared-simdutf \ --shared-sqlite \ --openssl-use-def-ca-store \ --with-icu-default-data-dir=$(icu-config --icudatadir) \ --with-intl=system-icu \ --without-amaro \ --without-corepack \ --without-npm \ "$@" make BUILDTYPE=Release } # TODO Run provided test suite. check() { cd "$builddir"/out/Release ./node -e 'console.log("Hello, world!")' ./node -e "require('assert').equal(process.versions.node, '$pkgver')" ./node -e 'require("assert").equal( Buffer.from(Buffer.from("foo").toString("base64"), "base64").toString("ascii"), "foo")' } package() { make DESTDIR="$pkgdir" install # node binary built without libnode.so. install -D -m755 out/node -t "$pkgdir"/usr/bin/ install -D -m644 out/Release/$pkgname.pc -t "$pkgdir"/usr/lib/pkgconfig/ (cd "$pkgdir"/usr/lib; ln -sf libnode.so.* libnode.so) } dev() { provides="nodejs-lts-dev=$pkgver" # for backward compatibility default_dev } sha512sums=" d4b9c4203ea7b77be98143d733c593267764d450bd70a60e5a621a8914015195cab48c329623d8e8cb05b79046fb548181c768005135f49843ee9e507d526659 node-v22.13.1.tar.gz 784e692513b9d7d45dce82ac047415b76227770ed5231c57f8ccfb6ae148332cac82a3d8539c33247eeb041cd8d23331fed8dba7c35fad07f6aec6a440b89040 ncrypto-include-openssl-rand.h.patch 37dc38704eae165e6940393c08bb182120dcec119739bda4961706f3aa955bf9669c371bcfa0317269f8f08e01d4c6c204f2c595d583d649433a659a44113bfb v8-ppc64le-compat.patch 37955e69b0548b582a3877df05361d0d5f342f7c0d84b58f2772e8601cd9d6f702f4a016a51023b80dc187b81a0143a5a78e7462f85a7bc7f2474f6c8b5e5fe4 v8-riscv-trap-handler.patch 0c9d3d2f897f4eb5ed2e41dc84a2076bfcac40fb4fbbfdd1256b915574543c40ea4c7d141c29bdce7de72ca4bbfdae074099122643e8e64599f5b5d52bb26548 v8-no-static-zlib.patch 0668bfedb608b3abb3ded8e9a0cef6611cc11dbd0089c6dfadc60a2ba9b78861e3cb18cf3d768b4f7a924d573765f38983bd03485087d1229095296e92177ccc v8-disable-trap-handler-on-riscv-sv39.patch f908fa93f6194ec4f6c5e9d76ed7c918721c7f5d46afcc12de1f84683c185401a27a174b7a7c6a76085a4d0826f964e7088bf5596d4e6901a15bf751846299a6 nodejs.pc.in "