Update to 18.17.1

** 2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

*** Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002): Policies can be bypassed via Module.\_load (High)
* [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
* [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in the [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.

** 2023-07-18, Version 18.17.0 'Hydrogen' (LTS), @danielleadams

*** Notable Changes

**** Ada 2.0

Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements
to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.

Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the
improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4,
while also eliminating the need for the ICU requirement for URL hostname parsing.

Contributed by Yagiz Nizipli and Daniel Lemire in [#47339](https://github.com/nodejs/node/pull/47339)

**** Web Crypto API

Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations.
This further improves interoperability with other implementations of Web Crypto API.

Contributed by Filip Skokan in [#46067](https://github.com/nodejs/node/pull/46067)

* **crypto**:
  * update root certificates to NSS 3.89 (Node.js GitHub Bot) [#47659](https://github.com/nodejs/node/pull/47659)
* **dns**:
  * **(SEMVER-MINOR)** expose getDefaultResultOrder (btea) [#46973](https://github.com/nodejs/node/pull/46973)
* **doc**:
  * add ovflowd to collaborators (Claudio Wunder) [#47844](https://github.com/nodejs/node/pull/47844)
  * add KhafraDev to collaborators (Matthew Aitken) [#47510](https://github.com/nodejs/node/pull/47510)
* **events**:
  * **(SEMVER-MINOR)** add getMaxListeners method (Matthew Aitken) [#47039](https://github.com/nodejs/node/pull/47039)
* **fs**:
  * **(SEMVER-MINOR)** add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) [#47084](https://github.com/nodejs/node/pull/47084)
  * **(SEMVER-MINOR)** add recursive option to readdir and opendir (Ethan Arrowood) [#41439](https://github.com/nodejs/node/pull/41439)
  * **(SEMVER-MINOR)** add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) [#47084](https://github.com/nodejs/node/pull/47084)
  * **(SEMVER-MINOR)** implement byob mode for readableWebStream() (Debadree Chatterjee) [#46933](https://github.com/nodejs/node/pull/46933)
* **http**:
  * **(SEMVER-MINOR)** prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) [#47732](https://github.com/nodejs/node/pull/47732)
  * **(SEMVER-MINOR)** remove internal error in assignSocket (Matteo Collina) [#47723](https://github.com/nodejs/node/pull/47723)
  * **(SEMVER-MINOR)** add highWaterMark opt in http.createServer (HinataKah0) [#47405](https://github.com/nodejs/node/pull/47405)
* **lib**:
  * **(SEMVER-MINOR)** add webstreams to Duplex.from() (Debadree Chatterjee) [#46190](https://github.com/nodejs/node/pull/46190)
  * **(SEMVER-MINOR)** implement AbortSignal.any() (Chemi Atlow) [#47821](https://github.com/nodejs/node/pull/47821)
* **module**:
  * change default resolver to not throw on unknown scheme (Gil Tayar) [#47824](https://github.com/nodejs/node/pull/47824)
* **node-api**:
  * **(SEMVER-MINOR)** define version 9 (Chengzhong Wu) [#48151](https://github.com/nodejs/node/pull/48151)
  * **(SEMVER-MINOR)** deprecate napi\_module\_register (Vladimir Morozov) [#46319](https://github.com/nodejs/node/pull/46319)
* **stream**:
  * **(SEMVER-MINOR)** preserve object mode in compose (Raz Luvaton) [#47413](https://github.com/nodejs/node/pull/47413)
  * **(SEMVER-MINOR)** add setter & getter for default highWaterMark (#46929) (Robert Nagy) [#46929](https://github.com/nodejs/node/pull/46929)
* **test**:
  * unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) [#48078](https://github.com/nodejs/node/pull/48078)
* **test\_runner**:
  * **(SEMVER-MINOR)** add shorthands to `test` (Chemi Atlow) [#47909](https://github.com/nodejs/node/pull/47909)
  * **(SEMVER-MINOR)** support combining coverage reports (Colin Ihrig) [#47686](https://github.com/nodejs/node/pull/47686)
  * **(SEMVER-MINOR)** execute before hook on test (Chemi Atlow) [#47586](https://github.com/nodejs/node/pull/47586)
  * **(SEMVER-MINOR)** expose reporter for use in run api (Chemi Atlow) [#47238](https://github.com/nodejs/node/pull/47238)
* **tools**:
  * update LICENSE and license-builder.sh (Santiago Gimeno) [#48078](https://github.com/nodejs/node/pull/48078)
* **url**:
  * **(SEMVER-MINOR)** implement URL.canParse (Matthew Aitken) [#47179](https://github.com/nodejs/node/pull/47179)
* **wasi**:
  * **(SEMVER-MINOR)** no longer require flag to enable wasi (Michael Dawson) [#47286](https://github.com/nodejs/node/pull/47286)

Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
Stephen Gallagher 2023-08-09 16:33:19 -04:00
parent 544f76d98b
commit 7d157a9ac8
2 changed files with 14 additions and 14 deletions


@ -26,7 +26,7 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 18
%global nodejs_minor 16
%global nodejs_minor 17
%global nodejs_patch 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 108
@ -61,7 +61,7 @@
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# zlib - from deps/zlib/zlib.h
%global zlib_version 1.2.13
%global zlib_version 1.2.13.1-motley
# c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332
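Review bot: The new `zlib_version` value `1.2.13.1-motley` contains a hyphen, which RPM reads as the version-release separator in a dependency string. If this macro is expanded into a `Provides: bundled(zlib) = %{zlib_version}` line, in the way `%{histogram_version}` is used for `bundled(histogram)` further down, the result would be parsed as version `1.2.13.1` with release `motley`. Consider keeping only the numeric part in the macro, or add a comment confirming that the suffix taken from `deps/zlib/zlib.h` is intended.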
@ -77,7 +77,7 @@
%global nghttp2_version 1.52.0
# ICU - from tools/icu/current_ver.dep
%global icu_major 72
%global icu_major 73
%global icu_minor 1
%global icu_version %{icu_major}.%{icu_minor}
@ -97,7 +97,7 @@
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_version 9.5.1
%global npm_version 9.6.7
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -108,7 +108,7 @@
%global npm_envr %{npm_epoch}:%{npm_version}-%{npm_release}
# uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_version 0.0.15
%global uvwasi_version 0.0.18
# histogram_c - assumed from timestamps
%global histogram_version 0.9.7
@ -145,8 +145,8 @@ Source203: v8.pc.in
# These are generated by nodejs-sources.sh
Source101: cjs-module-lexer-1.2.2-stripped.tar.gz
Source102: wasi-sdk-11.0-linux.tar.gz
Source111: undici-5.21.0-stripped.tar.gz
Source112: wasi-sdk-14.0-linux.tar.gz
Source111: undici-5.22.1-stripped.tar.gz
Source112: wasi-sdk-20.0-linux.tar.gz
Patch: 0001-Fedora-specific-patches.patch
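Review bot: `Source102: wasi-sdk-11.0-linux.tar.gz` is left unchanged while `Source112` moves from wasi-sdk-14.0 to wasi-sdk-20.0, so the package keeps two toolchain tarballs at different versions with no comment saying which bundled component needs which. The block is marked as generated by `nodejs-sources.sh` and this commit touches only two files, so it is worth confirming that the script emits exactly these names. A one-line comment on each wasi-sdk Source naming the component it is used for would make the next bump easier to audit.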
@ -303,7 +303,7 @@ Provides: bundled(histogram) = %{histogram_version}
# Upstream has added a new URL parser that has no option to build as a shared
# library (19.7.0+)
Provides: bundled(ada) = 1.0.4
Provides: bundled(ada) = 2.5.0
%description
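Review bot: `Provides: bundled(ada) = 2.5.0` hard-codes the version, unlike the neighbouring `bundled(histogram)` line, which expands `%{histogram_version}`, and nothing here records where 2.5.0 was read from. Suggest a `%global ada_version` beside the other bundled-dependency macros, with a comment naming the upstream file it comes from, so that tooling relying on `bundled()` provides gets a value that is rechecked on each rebase.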

sources

@ -1,7 +1,7 @@
SHA512 (node-v18.16.1-stripped.tar.gz) = ec70a3629eca963d3ebee1642d0f07281b33a9b12956535d5fbf012dfb2776476a0b854fed1a78acb19bf3f571ec637c874b5a086068529801b096e89405722d
SHA512 (icu4c-72_1-data-bin-b.zip) = ed0ce3ebd02f81cca7b3808abc72dc99962eb36bd123ebdf45c578b307b674566491191b6f7d261c679b2b5662b7084c61452b98968b35df3f749d413d5d7663
SHA512 (icu4c-72_1-data-bin-l.zip) = cc9a8cf2a89dacde4fab4a68ca7a7ba1fd106b71ebc23318fb9293ab96001be825bf89b1daf3da02958ba201ca4f714a67a26db3a51dc03653b9970ebdd5ff56
SHA512 (cjs-module-lexer-1.2.2-stripped.tar.gz) = abe4af6032a36da8669811c3add16b766b20011ef42fd4ac506d98eff2814e78a63713fa78569c0d95d13e5cd6b5dac5d8ad7d9f5b55732cebc5a4ffe262c2e0
SHA512 (node-v18.17.1-stripped.tar.gz) = 8bcf9f19605567230451fb667e76548da514e2259c53bbd812d4cc3e864d3bce212cbe4990467b43e37c0dd8ffb8178da4024f59f9a17266b2efb7c6391c27ef
SHA512 (icu4c-73_1-data-bin-b.zip) = 8b11f143021dbbb13f2c64e9558f36442448384ca8653c57b5f6a462f3b801608d8c3fc111c70931215cf8ced182914b2aeb2d159f3b1139eb5a37932efe85c7
SHA512 (icu4c-73_1-data-bin-l.zip) = 41948aecd3eeb907866c2dec532bde55aed03c45e92668ea8d53ca21cd6fb50b0131e118586245e7a0bd7b728c3f619524437d4ab75b360e2d123a8a8b11d584
SHA512 (cjs-module-lexer-1.2.2-stripped.tar.gz) = 5b9c65849ea68b7e861cee3a352baa81c785e7fe8ea857a166844a39a0ffae0a1b891d7347034a790cec3a0c18eb1e1c933a2a054dd94d4670487c6fc9fb26e8
SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
SHA512 (undici-5.21.0-stripped.tar.gz) = 4b85f28d7f4714178af8157e4395c7e10937525b27a5738d13198fce3b104029f0a7a42a014d369087505aeadc5b3411dea11262cc6b5d2c26490069efeedda9
SHA512 (wasi-sdk-14.0-linux.tar.gz) = 288a367e051f5b3f5853de97fabaedd3acf2255819d50c24f48f573897518500ea808342fd9aea832b2a5717089807bf1cbcf6d46b156b4eb60cc6b3c02ee997
SHA512 (undici-5.22.1-stripped.tar.gz) = bff6e3412fa2a27cab3c140271d7a341bc1b7d42be3395239027b92ffb958bcbda549a8727f961220f78e5426edaeef229fb077eb014ba97b2f1954af233299e
SHA512 (wasi-sdk-20.0-linux.tar.gz) = ff3d368267526887534f50767ff010bd368e9c24178ab2f0cf57a8ed0b3a82fbf85986d620ab2327ac6bb3f456c65adc6edb80626a1289e630dde7e43b191b42
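Review bot: The digest for `cjs-module-lexer-1.2.2-stripped.tar.gz` changes (from `abe4af60...` to `5b9c6584...`) although the file name and version stay at 1.2.2 and `Source101` in the spec is untouched. An archive whose contents change under the same name cannot be told apart by name alone, and the commit message does not say why it was regenerated. Please state the reason in the commit message (for example a change in how the archive is stripped or repacked), or confirm that the new archive was produced by `nodejs-sources.sh` from the same upstream 1.2.2 release.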