<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-openembedded.git/meta-oe/recipes-devtools/nodejs, branch wrynose</title>
<subtitle>Mirror of git.openembedded.org/meta-openembedded</subtitle>
<id>https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=wrynose</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-openembedded.git/atom?h=wrynose'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/'/>
<updated>2026-04-13T22:28:25+00:00</updated>
<entry>
<title>nodejs: mark CVE-2026-21710 patched</title>
<updated>2026-04-13T22:28:25+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-04-13T18:51:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=b483760dba76bb66bad820ea0246a38692c28c45'/>
<id>urn:sha1:b483760dba76bb66bad820ea0246a38692c28c45</id>
<content type='text'>
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-21710

The CVE is fixed in the current recipe version[1], but NVD tracks it
without version info.

Mark it as patched in the recipe.

[1]: https://github.com/nodejs/node/blob/v22.x/doc/changelogs/CHANGELOG_V22.md

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nodejs: ignore fixed CVEs</title>
<updated>2026-04-06T16:46:31+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-04-06T15:13:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=22a31ea701f36a940f5ea82c8814e931bde6830c'/>
<id>urn:sha1:22a31ea701f36a940f5ea82c8814e931bde6830c</id>
<content type='text'>
All these CVEs are fixed in v22.22.2[1], except for CVE-2026-21712,
which does not affect v22 series, because it was introduced in a
later version[2]. All these CVEs are tracked without version info
by NVD at the time of creating this patch.

[1]: https://github.com/nodejs/node/blob/v22.x/doc/changelogs/CHANGELOG_V22.md
[2]: https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nodejs: upgrade 22.22.1 -&gt; 22.22.2</title>
<updated>2026-03-25T06:32:48+00:00</updated>
<author>
<name>Jason Schonberg</name>
<email>schonm@gmail.com</email>
</author>
<published>2026-03-25T02:43:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=d32cd27eaaa13b296c268df234d2fb2cefa62946'/>
<id>urn:sha1:d32cd27eaaa13b296c268df234d2fb2cefa62946</id>
<content type='text'>
This is the March 2026 security release.

  2 high severity issues.
  5 medium severity issues.
  2 low severity issues.

High priority fixes:
  CVE-2026-21637
  CVE-2026-21710

Medium priority fixes:
  CVE-2026-21711 (affects only nodejs v25)
  CVE-2026-21712 (affects only nodejs v24 &amp; v25)
  CVE-2026-21713
  CVE-2026-21714
  CVE-2026-21717

Low priority fixes:
  CVE-2026-21715
  CVE-2026-21716

https://nodejs.org/en/blog/vulnerability/march-2026-security-releases

Changelog: https://github.com/nodejs/node/releases/tag/v22.22.2

Signed-off-by: Jason Schonberg &lt;schonm@gmail.com&gt;
Signed-off-by: Khem Raj &lt;khem.raj@oss.qualcomm.com&gt;
</content>
</entry>
<entry>
<title>nodejs: upgrade 22.22.0 -&gt; 22.22.1</title>
<updated>2026-03-17T20:25:14+00:00</updated>
<author>
<name>Jason Schonberg</name>
<email>schonm@gmail.com</email>
</author>
<published>2026-03-08T04:26:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=db05f827bb680d6e12e27ed55adf6b32688f7466'/>
<id>urn:sha1:db05f827bb680d6e12e27ed55adf6b32688f7466</id>
<content type='text'>
License Update: Add sorttable.js under the MIT license - https://github.com/nodejs/node/pull/61348/files
  Update minimatch to the Blue Oak Model License - https://github.com/nodejs/node/commit/e72da8c7544727f90b857ba86b8c7755e631fe96

Changelog: https://github.com/nodejs/node/releases/tag/v22.22.1

Signed-off-by: Jason Schonberg &lt;schonm@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>nodejs: fix NEON llhttp ctzll undefined behavior</title>
<updated>2026-03-03T03:26:02+00:00</updated>
<author>
<name>Telukula Jeevan Kumar Sahu</name>
<email>j-sahu@ti.com</email>
</author>
<published>2026-03-02T14:46:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=bb5f304e15ae959d91a34ee236b2e4cd93e02031'/>
<id>urn:sha1:bb5f304e15ae959d91a34ee236b2e4cd93e02031</id>
<content type='text'>
The NEON SIMD fast path in the bundled llhttp calls
__builtin_ctzll(match_mask) without checking if match_mask is zero.
When all 16 bytes in a NEON register are valid header value characters,
match_mask is 0. Calling __builtin_ctzll(0) is undefined behavior.

GCC at -O2 exploits this by optimizing "if (match_len != 16)" to
always-true, causing HTTP 400 Bad Request for any header value longer
than 16 characters on ARM targets with NEON enabled.

Fix by explicitly checking for match_mask == 0 and setting
match_len = 16. This bug affects both aarch64 and armv7 NEON targets.

The code this patch modifies is generated, so the patch itself isn't
suitable for upstream submission, as the root cause of the error is
in the generator itself. The fix has been merged upstream[1] in
llparse 7.3.1 and is included in llhttp 9.3.1. This patch can be
dropped when nodejs updates its bundled llhttp to &gt;= 9.3.1.

[1]: https://github.com/nodejs/llparse/pull/83

Signed-off-by: Telukula Jeevan Kumar Sahu &lt;j-sahu@ti.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>nodejs: detect NEON correctly for aarch64</title>
<updated>2026-02-16T08:34:02+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-12T12:53:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=de20532a751b0e2696d63e517563bd8eaf76459a'/>
<id>urn:sha1:de20532a751b0e2696d63e517563bd8eaf76459a</id>
<content type='text'>
The llhttp vendored dependency of nodejs takes advantage of Arm NEON
instructions when they are available, however they are detected by
checking for an outdated CPU feature macro: it checks for __ARM_NEON__,
however it is not defined by new compilers for aarch64, rather they
set __ARM_NEON. The Arm C extension guide[1] refers to __ARM_NEON macro
as well.

This patch changes the detection to check for both macros when detecting
the availability of NEON instructions.

The code this patch modifies is generated, so the patch itself isn't
suitable for upstream submission, as the root cause of the error is
in the generator itself. A PR has been submitted[2] to the generator
project to rectify this issue.

[1]: https://developer.arm.com/documentation/ihi0053/d/ - pdf, section 6.9
[2]: https://github.com/nodejs/llparse/pull/84

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>nodejs: patch incorrect NEON intrinsics</title>
<updated>2026-02-16T08:34:01+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-12T12:53:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=d3fbcf87008dbd88bbe62a013b759de46eb932bb'/>
<id>urn:sha1:d3fbcf87008dbd88bbe62a013b759de46eb932bb</id>
<content type='text'>
The llhttp dependency of nodejs uses NEON intrinsics when they
are available, however some of these calls are incorrect: the
calls they use don't match the parameters passed, and so
the compilation fails (unless the error is suppressed):

| ../deps/llhttp/src/llhttp.c: In function 'llhttp__internal__run':
| ../deps/llhttp/src/llhttp.c:2645:9: note: use '-flax-vector-conversions' to permit conversions between vectors with differing element types or numbers of subparts
|  2645 |         );
|       |         ^
| ../deps/llhttp/src/llhttp.c:2643:11: error: incompatible type for argument 1 of 'vandq_u16'
|  2643 |           vcgeq_u8(input, vdupq_n_u8(' ')),

There is a patch upstream that fixes it (though it is not merged
yet). This patch is a port of that fix.

This allows us to remove the extra CFLAGS also from the recipe that
suppressed this error.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>nodejs: add missing native nghttp2 and libuv dependencies</title>
<updated>2026-02-11T05:11:45+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-09T20:56:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=d4c3fdca5f2c04b2bf3dd9f7f914918b45369762'/>
<id>urn:sha1:d4c3fdca5f2c04b2bf3dd9f7f914918b45369762</id>
<content type='text'>
In case nghttp2 and/or libuv PACKAGECONFIGs are enabled, nodejs
will build some binaries for the build system also, linking to
native binaries and using headers from the native sysroot.

However in case the dependencies are missing from the native sysroot,
then it falls back to the build system's sysroot, and uses the files
that it can find there. If the build system doesn't have nghttp2/libuv
installed, then compilation fails:

libuv:
../tools/executable_wrapper.h:5:10: fatal error: uv.h: No such file or directory

nghttp2:
&lt;...snip...&gt;/build/tmp/hosttools/ld: cannot find -lnghttp2: No such file or directory

To avoid falling back to the build system's sysroot, add the missing
libuv-native and nghttp2-native dependencies.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>nodejs: extend libatomic patch to x86</title>
<updated>2026-02-06T18:06:18+00:00</updated>
<author>
<name>Gyorgy Sarvari</name>
<email>skandigraun@gmail.com</email>
</author>
<published>2026-02-04T08:57:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=bfbd962813058ec124f307d8323c28294974e8fc'/>
<id>urn:sha1:bfbd962813058ec124f307d8323c28294974e8fc</id>
<content type='text'>
This patch isn't intended to introduce new behavior, rather it
changes the order of some existing LDFLAGS to fix a workaround that
stopped working at some point in the past.

LDFLAGS:x86 contains libatomic, because linking with this library
is required for this platform.

However when gyp links, it invokes the following (pseudo-)command:
$LD $LDFLAGS $RESOURCES_TO_LINK $EXTRA_LIBS $EXTRA_LDFLAGS

The EXTRA* arguments are coming from the gyp config. Since
LDFLAGS appears very early in the command, libatomic also
appears early amongst the resources, and the linker couldn't
find the relevant symbols when compiled for x86 platform (as
it was processed the very last):

| [...] undefined reference to `__atomic_compare_exchange'

Using this patch the library appears at the end, along with
the other EXTRA_LIBS, after the list of linked resources,
allowing linking to succeed.

Signed-off-by: Gyorgy Sarvari &lt;skandigraun@gmail.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
<entry>
<title>nodejs: Make prune_sources execute at do_patch phase</title>
<updated>2026-01-14T17:00:38+00:00</updated>
<author>
<name>Mingli Yu</name>
<email>mingli.yu@windriver.com</email>
</author>
<published>2026-01-14T09:31:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-openembedded.git/commit/?id=60c3b8fb4fa46ab4beb1c749296556c12189c222'/>
<id>urn:sha1:60c3b8fb4fa46ab4beb1c749296556c12189c222</id>
<content type='text'>
Fixes:
  ERROR: nodejs-22.21.1-r0 do_patch: Applying patch '0001-deps-disable-io_uring-support-in-libuv.patch' on target directory '/build/tmp/work/core2-32-poky-linux/nodejs/22.21.1/sources/node-v22.21.1'
  CmdError('quilt --quiltrc /build/tmp/work/core2-32-poky-linux/nodejs/22.21.1/recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch 0001-deps-disable-io_uring-support-in-libuv.patch
  can't find file to patch at input line 27

The sources related to libuv (deps/uv/) are removed in prune_sources
when libuv is a dependency.

So postpone prune_sources to execute at the do_patch phase to fix the gap.

Signed-off-by: Mingli Yu &lt;mingli.yu@windriver.com&gt;
Signed-off-by: Khem Raj &lt;raj.khem@gmail.com&gt;
</content>
</entry>
</feed>
