Raspbian automatic forward porter [Mon, 30 Mar 2026 11:02:47 +0000 (12:02 +0100)]
Merge version 20.19.2+dfsg-1+rpi1+deb13u1 and 20.19.2+dfsg-1+deb13u2 to produce 20.19.2+dfsg-1+rpi1+deb13u2
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Merge nodejs (20.19.2+dfsg-1+deb13u2) import into refs/heads/workingbranch
Matteo Collina [Tue, 17 Feb 2026 13:26:17 +0000 (14:26 +0100)]
[PATCH] tls: wrap SNICallback invocation in try/catch
Wrap the owner._SNICallback() invocation in loadSNI() with try/catch
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This completes the fix from CVE-2026-21637
which added try/catch protection to callALPNCallback,
onPskServerCallback, and onPskClientCallback but missed loadSNI().
Without this fix, a remote unauthenticated attacker can crash any
Node.js TLS server whose SNICallback may throw on unexpected input
by sending a single TLS ClientHello with a crafted server_name value.
Fixes: https://hackerone.com/reports/3556769
Refs: https://hackerone.com/reports/3473882
CVE-ID: CVE-2026-21637
PR-URL: https://github.com/nodejs-private/node-private/pull/839
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2026-21637
Gbp-Pq: Topic sec
Gbp-Pq: Name 56-tls-wrap-SNICallback-invocation-in-try-catch.patch
RafaelGSS [Wed, 11 Mar 2026 14:22:23 +0000 (11:22 -0300)]
[PATCH] src: handle NGHTTP2_ERR_FLOW_CONTROL error code
Refs: https://hackerone.com/reports/3531737
PR-URL: https://github.com/nodejs-private/node-private/pull/832
CVE-ID: CVE-2026-21714
Gbp-Pq: Topic sec
Gbp-Pq: Name 55-handle-NGHTTP2_ERR_FLOW_CONTROL-error-code.patch
RafaelGSS [Mon, 5 Jan 2026 21:18:39 +0000 (18:18 -0300)]
[PATCH] permission: add permission check to realpath.native
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/838
CVE-ID: CVE-2026-21715
Gbp-Pq: Topic sec
Gbp-Pq: Name 54-add-permission-check-to-realpath-native.patch
RafaelGSS [Mon, 5 Jan 2026 23:36:07 +0000 (20:36 -0300)]
[PATCH] permission: include permission check on lib/fs/promises
PR-URL: https://github.com/nodejs-private/node-private/pull/840
CVE-ID: CVE-2026-21716
Gbp-Pq: Topic sec
Gbp-Pq: Name 53-include-permission-check-on-lib-fs-promises.patch
Matteo Collina [Thu, 19 Feb 2026 14:49:43 +0000 (15:49 +0100)]
[PATCH] http: use null prototype for headersDistinct/trailersDistinct
Use { __proto__: null } instead of {} when initializing the
headersDistinct and trailersDistinct destination objects.
A plain {} inherits from Object.prototype, so when a __proto__
header is received, dest["__proto__"] resolves to Object.prototype
(truthy), causing _addHeaderLineDistinct to call .push() on it,
which throws an uncaught TypeError and crashes the process.
Ref: https://hackerone.com/reports/3560402
PR-URL: https://github.com/nodejs-private/node-private/pull/821
Refs: https://hackerone.com/reports/3560402
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2026-21710
Gbp-Pq: Topic sec
Gbp-Pq: Name 52-http-use-null-prototype-for-headersDistinct-trailersDistinct.patch
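The failure mode described in the commit message above, as an added example that is not code from Node.js or from the patch: `addHeaderLineDistinct` and `collectDistinct` are hypothetical, simplified stand-ins for the header-collection logic, and the raw header list is constructed sample input.

```javascript
// Added example: simplified model of collecting "distinct" headers into a
// destination object. These functions are hypothetical stand-ins, not Node.js source.
function addHeaderLineDistinct(dest, field, value) {
  const key = field.toLowerCase();
  if (!dest[key]) {
    dest[key] = [value];
  } else {
    // With a plain {} destination, dest['__proto__'] is Object.prototype,
    // which is truthy and has no push() method, so this line throws.
    dest[key].push(value);
  }
}

function collectDistinct(rawHeaders, makeDest) {
  const dest = makeDest();
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    addHeaderLineDistinct(dest, rawHeaders[i], rawHeaders[i + 1]);
  }
  return dest;
}

// Run the collection and report the outcome instead of letting the
// exception propagate, so both variants can be compared side by side.
function tryCollect(rawHeaders, makeDest) {
  try {
    const dest = collectDistinct(rawHeaders, makeDest);
    return { ok: true, keys: Object.keys(dest), dest };
  } catch (err) {
    return { ok: false, errorName: err.name };
  }
}

// Constructed sample input in name/value pair order.
const SAMPLE_RAW_HEADERS = [
  'Host', 'example.test',
  '__proto__', 'x',
  'Accept', '*/*',
];

// Before the fix: destination inherits from Object.prototype.
const plainResult = tryCollect(SAMPLE_RAW_HEADERS, () => ({}));
// After the fix: destination has no prototype, so '__proto__' is just a key.
const nullProtoResult = tryCollect(SAMPLE_RAW_HEADERS, () => ({ __proto__: null }));

console.log('plain {}          ->', plainResult);
console.log('{ __proto__: null } ->', nullProtoResult.keys);
```

With the null-prototype destination, the `__proto__` header is stored as an ordinary own property and no lookup reaches `Object.prototype`.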
Joyee Cheung [Thu, 29 Jan 2026 02:30:37 +0000 (03:30 +0100)]
[PATCH] deps,build,test: fix array index hash collision
This enables v8_enable_seeded_array_index_hash and adds a test for it.
Fixes: https://hackerone.com/reports/3511792
deps: V8: backport 0a8b1cdcc8b2
Original commit message:
implement rapidhash secret generation
Bug: 409717082
Change-Id: I471f33d66de32002f744aeba534c1d34f71e27d2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6733490
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: snek <snek@chromium.org>
Cr-Commit-Position: refs/heads/main@{#101499}
Refs: https://github.com/v8/v8/commit/0a8b1cdcc8b243c62cf045fa8beb50600e11758a
Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
deps: V8: backport 185f0fe09b72
Original commit message:
[numbers] Refactor HashSeed as a lightweight view over ByteArray
Instead of copying the seed and secrets into a struct with value
fields, HashSeed now stores a pointer pointing either into the
read-only ByteArray, or the static default seed for off-heap
HashSeed::Default() calls. The underlying storage is always
8-byte aligned so we can cast it directly into a struct.
Change-Id: I5896a7f2ae24296eb4c80b757a5d90ac70a34866
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7609720
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#105531}
Refs: https://github.com/v8/v8/commit/185f0fe09b72fb869fdcf9a89f40ff2295436bca
Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
deps: V8: backport 1361b2a49d02
Original commit message:
[strings] improve array index hash distribution
Previously, the hashes stored in a Name's raw_hash_field for decimal
numeric strings (potential array indices) consist of the literal
integer value along with the length of the string. This means
consecutive numeric strings can have consecutive hash values, which
can lead to O(n^2) probing for insertion in the worst case when e.g.
a non-numeric string happens to land in these buckets.
This patch adds a build-time flag v8_enable_seeded_array_index_hash that
scrambles the 24-bit array-index value stored in a Name's raw_hash_field
to improve the distribution.
x ^= x >> kShift; x = (x * m1) & kMask; // round 1
x ^= x >> kShift; x = (x * m2) & kMask; // round 2
x ^= x >> kShift; // finalize
To decode, apply the same steps with the modular inverses of m1 and m2
in reverse order.
x ^= x >> kShift; x = (x * m2_inv) & kMask; // round 1
x ^= x >> kShift; x = (x * m1_inv) & kMask; // round 2
x ^= x >> kShift; // finalize
where kShift = kArrayIndexValueBits / 2, kMask = kArrayIndexValueMask,
m1, m2 (both odd) are the lower bits of the rapidhash secrets, and m1_inv,
m2_inv are the precomputed modular inverses of m1 and m2.
The pre-computed values are appended to the hash_seed ByteArray in
ReadOnlyRoots and accessed in generated code to reduce overhead.
In call sites that don't already have access to the seeds, we read them
from the current isolate group/isolate's read only roots.
To consolidate the code that encode/decode these hashes, this patch
adds MakeArrayIndexHash/DecodeArrayIndexFromHashField in C++ and CSA
that perform seeding/unseeding if enabled, and updates places where
encoding/decoding of array index is needed to use them.
Bug: 477515021
Change-Id: I350afe511951a54c4378396538152cc56565fd55
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7564330
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Cr-Commit-Position: refs/heads/main@{#105596}
Refs: https://github.com/v8/v8/commit/1361b2a49d020a718dc5495713eae0fa67d697b9
Co-authored-by: Joyee Cheung <joyeec9h3@gmail.com>
deps: V8: cherry-pick aac14dd95e5b
Original commit message:
[string] add 3rd round to seeded array index hash
Since we already have 3 derived secrets, and arithmetics are
relatively cheap, add a 3rd round to the xorshift-multiply
seeding scheme. This brings the bias from ~3.4 to ~0.4.
Bug: 477515021
Change-Id: I1ef48954bcee8768d8c90db06ac8adb02f06cebf
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7655117
Reviewed-by: Chengzhong Wu <cwu631@bloomberg.net>
Commit-Queue: Joyee Cheung <joyee@igalia.com>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Cr-Commit-Position: refs/heads/main@{#105824}
Refs: https://github.com/v8/v8/commit/aac14dd95e5be0d487eba6bcdaf9cef4f8bd806c
PR-URL: https://github.com/nodejs-private/node-private/pull/834
CVE-ID: CVE-2026-21717
Gbp-Pq: Topic sec
Gbp-Pq: Name 51-fix-array-index-hash-collision.patch
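The two-round encode/decode scheme quoted in the backported commit message above, carried through as an added example; it is not V8 or Node.js code. `M1` and `M2` are constructed sample multipliers rather than rapidhash-derived secrets, the modular inverses are computed here by Newton iteration instead of being read from the hash_seed ByteArray, and the third round added by the later cherry-pick is not modelled.

```javascript
// Added example: the xorshift-multiply scramble over a 24-bit array-index value.
// Not V8 source. M1 and M2 are constructed sample values, not real secrets.
const kArrayIndexValueBits = 24;
const kShift = kArrayIndexValueBits / 2;        // 12
const kMask = (1 << kArrayIndexValueBits) - 1;  // 0xFFFFFF
const M1 = 0x9e3779; // constructed, must be odd
const M2 = 0x85ebcb; // constructed, must be odd

// Multiply modulo 2^24. Math.imul keeps the low 32 bits of the product exact.
function mulMasked(a, b) {
  return Math.imul(a, b) & kMask;
}

// Inverse of an odd multiplier modulo 2^24. Starting from inv = m (correct to
// 3 bits), each Newton step inv *= 2 - m*inv doubles the number of correct bits.
function modInverse(m) {
  if ((m & 1) === 0) throw new RangeError('multiplier must be odd');
  let inv = m;
  for (let i = 0; i < 4; i++) {
    inv = Math.imul(inv, 2 - Math.imul(m, inv));
  }
  return inv & kMask;
}

const M1_INV = modInverse(M1);
const M2_INV = modInverse(M2);

function encodeArrayIndex(index) {
  let x = index & kMask;
  x ^= x >>> kShift; x = mulMasked(x, M1); // round 1
  x ^= x >>> kShift; x = mulMasked(x, M2); // round 2
  x ^= x >>> kShift;                       // finalize
  return x;
}

// Same steps with the inverses in reverse order. The xorshift by half the
// width is its own inverse, so only the multiplications need inverting.
function decodeArrayIndex(hash) {
  let x = hash & kMask;
  x ^= x >>> kShift; x = mulMasked(x, M2_INV); // round 1
  x ^= x >>> kShift; x = mulMasked(x, M1_INV); // round 2
  x ^= x >>> kShift;                           // finalize
  return x;
}

// Number of indices in [from, to) that do not survive encode -> decode.
function countRoundTripFailures(from, to) {
  let failures = 0;
  for (let i = from; i < to; i++) {
    if (decodeArrayIndex(encodeArrayIndex(i)) !== i) failures++;
  }
  return failures;
}

// Number of i in [0, n-1) whose hash is immediately followed by the hash of
// i + 1: the "consecutive hash values" pattern the patch removes.
function consecutivePairs(n, hashFn) {
  let count = 0;
  for (let i = 0; i + 1 < n; i++) {
    if (hashFn(i + 1) - hashFn(i) === 1) count++;
  }
  return count;
}

// Number of distinct hash values produced by the first n indices.
function distinctHashes(n) {
  const seen = new Set();
  for (let i = 0; i < n; i++) seen.add(encodeArrayIndex(i));
  return seen.size;
}

console.log('unseeded consecutive pairs:', consecutivePairs(4096, (x) => x));
console.log('seeded consecutive pairs:  ', consecutivePairs(4096, encodeArrayIndex));
console.log('round-trip failures:       ', countRoundTripFailures(0, 1 << 16));
```

Because every step is invertible, the scramble is a permutation of the 24-bit space: it changes which values neighbouring indices map to without introducing collisions between indices.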
Filip Skokan [Fri, 20 Feb 2026 11:32:14 +0000 (12:32 +0100)]
[PATCH] crypto: use timing-safe comparison in Web Cryptography HMAC
Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC`
Web Cryptography algorithm implementations.
Ref: https://hackerone.com/reports/3533945
PR-URL: https://github.com/nodejs-private/node-private/pull/831
Refs: https://hackerone.com/reports/3533945
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
CVE-ID: CVE-2026-21713
Gbp-Pq: Topic sec
Gbp-Pq: Name 50-crypto-use-timing-safe-comparison-HMAC.patch
Vivian Wang [Tue, 3 Feb 2026 08:46:02 +0000 (16:46 +0800)]
[PATCH] deps: V8: backport 6a0a25abaed3
Original commit message:
[riscv] Fix sp handling in MacroAssembler::LeaveFrame
Keep sp <= fp to ensure that data right above fp doesn't get clobbered
by an inopportune signal and its handler.
Such clobbering can happen in e.g. Node.js when JIT-compiled code is
interrupted by a SIGCHLD handler.
Bug: None
Change-Id: Ief0836032ada7942e89f081f7605f61632c4d414
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7540554
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Commit-Queue: Yahan Lu (LuYahan) <yahan@iscas.ac.cn>
Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
Cr-Commit-Position: refs/heads/main@{#105069}
Refs: https://github.com/v8/v8/commit/6a0a25abaed397f83eb0d92e4b33a5e18204f8bc
Co-authored-by: kxxt <rsworktech@outlook.com>
PR-URL: https://github.com/nodejs/node/pull/61687
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 44-v8-riscv-fix-sp-handling-in-macroassembler-leave-frame.patch
Сковорода Никита Андреевич [Fri, 7 Nov 2025 14:50:57 +0000 (11:50 -0300)]
[PATCH] src,lib: refactor unsafe buffer creation to remove zero-fill toggle
This removes the zero-fill toggle mechanism that allowed JavaScript
to control ArrayBuffer initialization via shared memory. Instead,
unsafe buffer creation now uses a dedicated C++ API.
Refs: https://hackerone.com/reports/3405778
Co-Authored-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Co-Authored-By: Joyee Cheung <joyeec9h3@gmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/759
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/799
CVE-ID: CVE-2025-55131
Gbp-Pq: Topic sec
Gbp-Pq: Name 38-refactor-unsafe-buffer-creation-to-remove-zero-fill-toggle.patch
Matteo Collina [Tue, 9 Dec 2025 22:50:18 +0000 (23:50 +0100)]
[PATCH] src: rethrow stack overflow exceptions in async_hooks
When a stack overflow exception occurs during async_hooks callbacks
(which use TryCatchScope::kFatal), detect the specific "Maximum call
stack size exceeded" RangeError and re-throw it instead of immediately
calling FatalException. This allows user code to catch the exception
with try-catch blocks instead of requiring uncaughtException handlers.
The implementation adds IsStackOverflowError() helper to detect stack
overflow RangeErrors and re-throws them in TryCatchScope destructor
instead of calling FatalException.
This fixes the issue where async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
Fixes: https://github.com/nodejs/node/issues/37989
Ref: https://hackerone.com/reports/3456295
PR-URL: https://github.com/nodejs-private/node-private/pull/773
Refs: https://hackerone.com/reports/3456295
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59466
Gbp-Pq: Topic sec
Gbp-Pq: Name 37-rethrow-stack-overflow-exceptions-in-async-hooks.patch
RafaelGSS [Mon, 10 Nov 2025 22:27:51 +0000 (19:27 -0300)]
[PATCH] lib,permission: require full read and write to symlink APIs
Refs: https://hackerone.com/reports/3417819
PR-URL: https://github.com/nodejs-private/node-private/pull/760
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2025-55130
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 36-lib-permission-require-full-read-and-write-to-symlink-apis.patch
RafaelGSS [Tue, 21 Oct 2025 21:25:31 +0000 (18:25 -0300)]
[PATCH] lib: disable futimes when permission model is enabled
Refs: https://hackerone.com/reports/3390084
PR-URL: https://github.com/nodejs-private/node-private/pull/748
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-55132
PR-URL: https://github.com/nodejs-private/node-private/pull/802
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-55132
Gbp-Pq: Topic sec
Gbp-Pq: Name 35-lib-disable-futimes-when-permission-model-is-enabled.patch
RafaelGSS [Fri, 31 Oct 2025 19:27:48 +0000 (16:27 -0300)]
[PATCH] lib: add TLSSocket default error handler
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:
```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```
PR-URL: https://github.com/nodejs-private/node-private/pull/797
Fixes: https://github.com/nodejs/node/issues/44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
Gbp-Pq: Topic sec
Gbp-Pq: Name 34-lib-add-tlssocket-default-error-handler.patch
Matteo Collina [Mon, 22 Dec 2025 17:25:33 +0000 (18:25 +0100)]
[PATCH] tls: route callback exceptions through error handlers
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.
Fixes: https://hackerone.com/reports/3473882
PR-URL: https://github.com/nodejs-private/node-private/pull/782
PR-URL: https://github.com/nodejs-private/node-private/pull/796
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2026-21637
Gbp-Pq: Topic sec
Gbp-Pq: Name 33-tls-route-callback-exceptions-through-error-handlers.patch
Tobias Nießen [Mon, 18 Aug 2025 12:17:47 +0000 (14:17 +0200)]
[PATCH] src: fix order of CHECK_NOT_NULL/dereference
`ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` may dereference
`req_wrap_async`, so `CHECK_NOT_NULL(req_wrap_async)` should be used
before and not after.
PR-URL: https://github.com/nodejs/node/pull/59487
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 29-fix-order-of-check-not-null.patch
René [Wed, 8 Oct 2025 23:23:34 +0000 (00:23 +0100)]
[PATCH] http2: do not crash on mismatched ping buffer length
PR-URL: https://github.com/nodejs/node/pull/60135
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch
zhoumingtao [Wed, 30 Jul 2025 04:02:51 +0000 (12:02 +0800)]
[PATCH] deps: V8: cherry-pick 6b1b9bca2a8
Origin commit message:
[loong64][codegen] Avoid memory access under stack pointer
According to LoongArch ABI doc chapter 8.2:
"Procedures must not assume the persistence on-stack data of which
the addresses lie below the stack pointer."
Change-Id: I92735e052227495ac9884c4290b57eaffbf905e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6786372
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#101634}
Backport-PR-URL: https://github.com/nodejs/node/pull/59662
Refs: https://github.com/v8/v8/commit/6b1b9bca2a8fe9824bcc815a9ce642da904b91c3
PR-URL: https://github.com/nodejs/node/pull/59283
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 27-v8-loong64-avoid-memory-access-under-stack-pointer.patch
Ruben Bridgewater [Mon, 30 Jun 2025 11:51:40 +0000 (13:51 +0200)]
[PATCH] v8: fix missing callback in heap utils destroy
This fixes the v8.getHeapSnapshot() calls not properly being
destroyed. Pipeline calls would for example not properly end
without the callback being in place.
PR-URL: https://github.com/nodejs/node/pull/58846
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Shelley Vohr <shelley.vohr@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 19-v8-fix-missing-callback-in-heap-utils-destroy.patch
Eusgor [Thu, 29 May 2025 20:01:48 +0000 (02:01 +0600)]
[PATCH] src: fix possible dereference of null pointer
There is a CHECK_NOT_NULL check before dereferencing node_env on
line 710 in the "if" block, but there is no CHECK_NOT_NULL check before
dereferencing node_env on line 721. Maybe it makes sense to put
CHECK_NOT_NULL right after calling the Environment::GetCurrent function.
PR-URL: https://github.com/nodejs/node/pull/58459
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 17-fix-possible-dereference-of-null-pointer.patch
theanarkh [Sat, 5 Jul 2025 17:33:23 +0000 (01:33 +0800)]
[PATCH] os: fix GetInterfaceAddresses memory leak
PR-URL: https://github.com/nodejs/node/pull/58940
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 15-fix-os-getinterface-addresses-leak.patch
hanguanqiang [Wed, 9 Apr 2025 11:48:11 +0000 (19:48 +0800)]
[PATCH] http2: fix check for `frame->hd.type`
Related to CVE-2025-23085
According to the comment, this should be checking whether
`frame->hd.type` is `NGHTTP2_GOAWAY`, i.e. `0x07` and not `0x03`.
PR-URL: https://github.com/nodejs/node/pull/57644
Refs: https://github.com/nodejs/node/commit/1b693fa03a0d36bc1dc9ec8d95060e3e5ceeee7b
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 12-http2-fix-check-for-frame-type-goaway.patch
jhofstee [Wed, 9 Apr 2025 10:24:13 +0000 (12:24 +0200)]
[PATCH] zlib: fix pointer alignment
The function AllocForBrotli prefixes the allocated memory with its
size, and returns a pointer to the region after it. This pointer can
however no longer be suitably aligned. Correct this by allocating
the maximum of the size of the size_t and the max alignment.
On Arm 32bits the size_t is 4 bytes long, but the alignment is 8 for
some NEON instructions. When Brotli is compiled with optimizations
enabled newer GCC versions will use the NEON instructions and trigger
a bus error killing node.
see https://github.com/google/brotli/issues/1159
PR-URL: https://github.com/nodejs/node/pull/57727
Reviewed-By: Shelley Vohr <shelley.vohr@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Daniel Lemire <daniel@lemire.me>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Gbp-Pq: Topic sec
Gbp-Pq: Name 10-zlib-fix-pointer-alignment.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
skip useless files in build target
Forwarded: https://github.com/nodejs/node/issues/55787
Gbp-Pq: Topic build
Gbp-Pq: Name no-deps.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
compile v8 without zlib static lib
Last-Update: 2023-12-16
Forwarded: https://github.com/nodejs/node/issues/33848
it should have a minor performance impact
Gbp-Pq: Topic deps
Gbp-Pq: Name v8-no-static-zlib.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
build using ada upstream tarball component
Last-Update: 2023-11-30
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch
James Addison [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163
Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Use system paths for builtins
Last-Update: 2023-02-22
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
fix link to home in html api
Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 2022-11-06
Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
allow vfp2 and allow setting arm_version option
Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357
Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
skip buffer NaN internal representation check
this fails on whatever archs having other internal representations of NaN.
Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945
Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
remove google font from template.html, and link to local
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic dfsg
Gbp-Pq: Name privacy_breach.patch
Bastien ROUCARIÈS [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Multiarch search path, arch triplet, DFHS path for modules
Last-Update: 2018-09-30
Last-Update: 2020-03-04
Forwarded: https://github.com/nodejs/node/issues/22745
Reviewed-By: Xavier Guimard <yadd@debian.org>
Gbp-Pq: Topic dfsg
Gbp-Pq: Name multilib_modules.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
a test uses a benchmark that read alice.html, dfsg excluded
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-03-04
Gbp-Pq: Topic dfsg
Gbp-Pq: Name benchmark_without_alice.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
use system-installed node-gyp for building test modules
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic deps
Gbp-Pq: Name node_gyp.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
do not use dns.ADDRCONFIG for localhost
Last-Update: 2020-06-11
Bug-Debian: https://bugs.debian.org/962318
Forwarded: https://github.com/nodejs/node/issues/33816
it fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
https://lists.debian.org/debian-devel/2023/12/msg00011.html
Gbp-Pq: Topic deps
Gbp-Pq: Name localhost-no-addrconfig.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
keep nodejs compatible with libc-ares public headers
Forwarded: not-needed
Last-Update: 2021-10-20
Gbp-Pq: Topic deps
Gbp-Pq: Name cares.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
adapt tools/test.py
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2025-02-12
* log to stdout
* increase timeout multipliers
* rename --flaky-tests to --flaky-tests-mode and use --flaky-tests like --skip-tests
Gbp-Pq: Topic build
Gbp-Pq: Name test_ci.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Link to -latomic by default
Last-Update: 2019-10-25
Forwarded: not-needed
Bug: https://github.com/nodejs/node/pull/28532
Bug: https://github.com/nodejs/node/issues/30093
This avoids surprises on mips*el/ppc*el
Gbp-Pq: Topic build
Gbp-Pq: Name flag_atomic.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
build doc using marked and js-yaml
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2021-03-03
While waiting for unified/remarked/rehyped modules to be available in debian
Gbp-Pq: Topic build
Gbp-Pq: Name doc.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
disable shared builtins when loading deps on demand
Last-Update: 2023-12-10
Forwarded: no, todo
This is to avoid preloading potentially missing files.
Gbp-Pq: Topic build
Gbp-Pq: Name builtins_module_paths_not_shareable.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
add acorn, walk to shared builtins
Last-Update: 2022-09-28
Forwarded: https://github.com/nodejs/node/pull/44376
Gbp-Pq: Topic build
Gbp-Pq: Name more_shareable_builtins.patch
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
nodejs (20.19.2+dfsg-1+deb13u2) trixie-security; urgency=medium
* Upstream security patches:
+ CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC
+ CVE-2026-21717: fix array index hash collision
+ CVE-2026-21710: http: use null prototype for headersDistinct/trailersDistinct
+ CVE-2026-21716: include permission check on lib/fs/promises
+ CVE-2026-21715: add permission check to realpath.native
+ CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code
+ CVE-2026-21637: tls wrap SNICallback invocation in try/catch
* copyright: add rapidhash from sec/51 patch
[dgit import unpatched nodejs 20.19.2+dfsg-1+deb13u2]
Jérémy Lal [Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)]
Import nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz
[dgit import tarball nodejs 20.19.2+dfsg-1+deb13u2 nodejs_20.19.2+dfsg-1+deb13u2.debian.tar.xz]
Raspbian automatic forward porter [Thu, 19 Mar 2026 14:04:44 +0000 (14:04 +0000)]
Merge version 20.19.2+dfsg-1+rpi1 and 20.19.2+dfsg-1+deb13u1 to produce 20.19.2+dfsg-1+rpi1+deb13u1
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
Merge nodejs (20.19.2+dfsg-1+deb13u1) import into refs/heads/workingbranch
Vivian Wang [Tue, 3 Feb 2026 08:46:02 +0000 (16:46 +0800)]
[PATCH] deps: V8: backport 6a0a25abaed3
Original commit message:
[riscv] Fix sp handling in MacroAssembler::LeaveFrame
Keep sp <= fp to ensure that data right above fp doesn't get clobbered
by an inopportune signal and its handler.
Such clobbering can happen in e.g. Node.js when JIT-compiled code is
interrupted by a SIGCHLD handler.
Bug: None
Change-Id: Ief0836032ada7942e89f081f7605f61632c4d414
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7540554
Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
Commit-Queue: Yahan Lu (LuYahan) <yahan@iscas.ac.cn>
Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
Cr-Commit-Position: refs/heads/main@{#105069}
Refs: https://github.com/v8/v8/commit/6a0a25abaed397f83eb0d92e4b33a5e18204f8bc
Co-authored-by: kxxt <rsworktech@outlook.com>
PR-URL: https://github.com/nodejs/node/pull/61687
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 44-v8-riscv-fix-sp-handling-in-macroassembler-leave-frame.patch
Сковорода Никита Андреевич [Fri, 7 Nov 2025 14:50:57 +0000 (11:50 -0300)]
[PATCH] src,lib: refactor unsafe buffer creation to remove zero-fill toggle
This removes the zero-fill toggle mechanism that allowed JavaScript
to control ArrayBuffer initialization via shared memory. Instead,
unsafe buffer creation now uses a dedicated C++ API.
Refs: https://hackerone.com/reports/3405778
Co-Authored-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Co-Authored-By: Joyee Cheung <joyeec9h3@gmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/759
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/799
CVE-ID: CVE-2025-55131
Gbp-Pq: Topic sec
Gbp-Pq: Name 38-refactor-unsafe-buffer-creation-to-remove-zero-fill-toggle.patch
Matteo Collina [Tue, 9 Dec 2025 22:50:18 +0000 (23:50 +0100)]
[PATCH] src: rethrow stack overflow exceptions in async_hooks
When a stack overflow exception occurs during async_hooks callbacks
(which use TryCatchScope::kFatal), detect the specific "Maximum call
stack size exceeded" RangeError and re-throw it instead of immediately
calling FatalException. This allows user code to catch the exception
with try-catch blocks instead of requiring uncaughtException handlers.
The implementation adds IsStackOverflowError() helper to detect stack
overflow RangeErrors and re-throws them in TryCatchScope destructor
instead of calling FatalException.
This fixes the issue where async_hooks would cause stack overflow
exceptions to exit with code 7 (kExceptionInFatalExceptionHandler)
instead of being catchable.
Fixes: https://github.com/nodejs/node/issues/37989
Ref: https://hackerone.com/reports/3456295
PR-URL: https://github.com/nodejs-private/node-private/pull/773
Refs: https://hackerone.com/reports/3456295
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59466
Gbp-Pq: Topic sec
Gbp-Pq: Name 37-rethrow-stack-overflow-exceptions-in-async-hooks.patch
RafaelGSS [Mon, 10 Nov 2025 22:27:51 +0000 (19:27 -0300)]
[PATCH] lib,permission: require full read and write to symlink APIs
Refs: https://hackerone.com/reports/3417819
PR-URL: https://github.com/nodejs-private/node-private/pull/760
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2025-55130
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 36-lib-permission-require-full-read-and-write-to-symlink-apis.patch
RafaelGSS [Tue, 21 Oct 2025 21:25:31 +0000 (18:25 -0300)]
[PATCH] lib: disable futimes when permission model is enabled
Refs: https://hackerone.com/reports/3390084
PR-URL: https://github.com/nodejs-private/node-private/pull/748
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-55132
PR-URL: https://github.com/nodejs-private/node-private/pull/802
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-55132
Gbp-Pq: Topic sec
Gbp-Pq: Name 35-lib-disable-futimes-when-permission-model-is-enabled.patch
RafaelGSS [Fri, 31 Oct 2025 19:27:48 +0000 (16:27 -0300)]
[PATCH] lib: add TLSSocket default error handler
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:
```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```
PR-URL: https://github.com/nodejs-private/node-private/pull/797
Fixes: https://github.com/nodejs/node/issues/44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
Gbp-Pq: Topic sec
Gbp-Pq: Name 34-lib-add-tlssocket-default-error-handler.patch
Matteo Collina [Mon, 22 Dec 2025 17:25:33 +0000 (18:25 +0100)]
[PATCH] tls: route callback exceptions through error handlers
Wrap pskCallback and ALPNCallback invocations in try-catch blocks
to route exceptions through owner.destroy() instead of letting them
become uncaught exceptions. This prevents remote attackers from
crashing TLS servers or causing resource exhaustion.
Fixes: https://hackerone.com/reports/3473882
PR-URL: https://github.com/nodejs-private/node-private/pull/782
PR-URL: https://github.com/nodejs-private/node-private/pull/796
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2026-21637
Gbp-Pq: Topic sec
Gbp-Pq: Name 33-tls-route-callback-exceptions-through-error-handlers.patch
Tobias Nießen [Mon, 18 Aug 2025 12:17:47 +0000 (14:17 +0200)]
[PATCH] src: fix order of CHECK_NOT_NULL/dereference
`ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` may dereference
`req_wrap_async`, so `CHECK_NOT_NULL(req_wrap_async)` should be used
before and not after.
PR-URL: https://github.com/nodejs/node/pull/59487
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 29-fix-order-of-check-not-null.patch
René [Wed, 8 Oct 2025 23:23:34 +0000 (00:23 +0100)]
[PATCH] http2: do not crash on mismatched ping buffer length
PR-URL: https://github.com/nodejs/node/pull/60135
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch
zhoumingtao [Wed, 30 Jul 2025 04:02:51 +0000 (12:02 +0800)]
[PATCH] deps: V8: cherry-pick 6b1b9bca2a8
Origin commit message:
[loong64][codegen] Avoid memory access under stack pointer
According to LoongArch ABI doc chapter 8.2:
"Procedures must not assume the persistence on-stack data of which
the addresses lie below the stack pointer."
Change-Id: I92735e052227495ac9884c4290b57eaffbf905e1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6786372
Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn>
Reviewed-by: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Cr-Commit-Position: refs/heads/main@{#101634}
Backport-PR-URL: https://github.com/nodejs/node/pull/59662
Refs: https://github.com/v8/v8/commit/6b1b9bca2a8fe9824bcc815a9ce642da904b91c3
PR-URL: https://github.com/nodejs/node/pull/59283
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 27-v8-loong64-avoid-memory-access-under-stack-pointer.patch
Ruben Bridgewater [Mon, 30 Jun 2025 11:51:40 +0000 (13:51 +0200)]
[PATCH] v8: fix missing callback in heap utils destroy
This fixes the v8.getHeapSnapshot() calls not properly being
destroyed. Pipeline calls would for example not properly end
without the callback being in place.
PR-URL: https://github.com/nodejs/node/pull/58846
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Shelley Vohr <shelley.vohr@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 19-v8-fix-missing-callback-in-heap-utils-destroy.patch
Eusgor [Thu, 29 May 2025 20:01:48 +0000 (02:01 +0600)]
[PATCH] src: fix possible dereference of null pointer
There is a CHECK_NOT_NULL check before dereferencing node_env on
line 710 in the "if" block, but there is no CHECK_NOT_NULL check before
dereferencing node_env on line 721. Maybe it makes sense to put
CHECK_NOT_NULL right after calling the Environment::GetCurrent function.
PR-URL: https://github.com/nodejs/node/pull/58459
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 17-fix-possible-dereference-of-null-pointer.patch
theanarkh [Sat, 5 Jul 2025 17:33:23 +0000 (01:33 +0800)]
[PATCH] os: fix GetInterfaceAddresses memory leak
PR-URL: https://github.com/nodejs/node/pull/58940
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 15-fix-os-getinterface-addresses-leak.patch
hanguanqiang [Wed, 9 Apr 2025 11:48:11 +0000 (19:48 +0800)]
[PATCH] http2: fix check for `frame->hd.type`
Related to CVE-2025-23085
According to the comment, this should be checking whether
`frame->hd.type` is `NGHTTP2_GOAWAY`, i.e. `0x07` and not `0x03`.
PR-URL: https://github.com/nodejs/node/pull/57644
Refs: https://github.com/nodejs/node/commit/1b693fa03a0d36bc1dc9ec8d95060e3e5ceeee7b
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Gbp-Pq: Topic sec
Gbp-Pq: Name 12-http2-fix-check-for-frame-type-goaway.patch
jhofstee [Wed, 9 Apr 2025 10:24:13 +0000 (12:24 +0200)]
[PATCH] zlib: fix pointer alignment
The function AllocForBrotli prefixes the allocated memory with its
size, and returns a pointer to the region after it. This pointer can
however no longer be suitably aligned. Correct this by allocating
the maximum of the size of the size_t and the max alignment.
On Arm 32bits the size_t is 4 bytes long, but the alignment is 8 for
some NEON instructions. When Brotli is compiled with optimizations
enabled newer GCC versions will use the NEON instructions and trigger
a bus error killing node.
see https://github.com/google/brotli/issues/1159
PR-URL: https://github.com/nodejs/node/pull/57727
Reviewed-By: Shelley Vohr <shelley.vohr@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Daniel Lemire <daniel@lemire.me>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Gbp-Pq: Topic sec
Gbp-Pq: Name 10-zlib-fix-pointer-alignment.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
skip useless files in build target
Forwarded: https://github.com/nodejs/node/issues/55787
Gbp-Pq: Topic build
Gbp-Pq: Name no-deps.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
compile v8 without zlib static lib
Last-Update: 2023-12-16
Forwarded: https://github.com/nodejs/node/issues/33848
it should have a minor performance impact
Gbp-Pq: Topic deps
Gbp-Pq: Name v8-no-static-zlib.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
build using ada upstream tarball component
Last-Update: 2023-11-30
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch
James Addison [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163
Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
Use system paths for builtins
Last-Update: 2023-02-22
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
fix link to home in html api
Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 2022-11-06
Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
allow vfp2 and allow setting arm_version option
Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357
Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
skip buffer NaN internal representation check
this fails on whatever archs having other internal representations of NaN.
Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945
Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
remove google font from template.html, and link to local
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic dfsg
Gbp-Pq: Name privacy_breach.patch
Bastien ROUCARIÈS [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
Multiarch search path, arch triplet, DFHS path for modules
Last-Update: 2018-09-30
Last-Update: 2020-03-04
Forwarded: https://github.com/nodejs/node/issues/22745
Reviewed-By: Xavier Guimard <yadd@debian.org>
Gbp-Pq: Topic dfsg
Gbp-Pq: Name multilib_modules.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
a test uses a benchmark that reads alice.html, dfsg excluded
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-03-04
Gbp-Pq: Topic dfsg
Gbp-Pq: Name benchmark_without_alice.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
use system-installed node-gyp for building test modules
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic deps
Gbp-Pq: Name node_gyp.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
do not use dns.ADDRCONFIG for localhost
Last-Update: 2020-06-11
Bug-Debian: https://bugs.debian.org/962318
Forwarded: https://github.com/nodejs/node/issues/33816
it fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
https://lists.debian.org/debian-devel/2023/12/msg00011.html
Gbp-Pq: Topic deps
Gbp-Pq: Name localhost-no-addrconfig.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
keep nodejs compatible with libc-ares public headers
Forwarded: not-needed
Last-Update: 2021-10-20
Gbp-Pq: Topic deps
Gbp-Pq: Name cares.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
adapt tools/test.py
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2025-02-12
* log to stdout
* increase timeout multipliers
* rename --flaky-tests to --flaky-tests-mode and use --flaky-tests like --skip-tests
Gbp-Pq: Topic build
Gbp-Pq: Name test_ci.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
Link to -latomic by default
Last-Update: 2019-10-25
Forwarded: not-needed
Bug: https://github.com/nodejs/node/pull/28532
Bug: https://github.com/nodejs/node/issues/30093
This avoids surprises on mips*el/ppc*el
Gbp-Pq: Topic build
Gbp-Pq: Name flag_atomic.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
build doc using marked and js-yaml
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2021-03-03
While waiting for unified/remarked/rehyped modules to be available in debian
Gbp-Pq: Topic build
Gbp-Pq: Name doc.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
disable shared builtins when loading deps on demand
Last-Update: 2023-12-10
Forwarded: no, todo
This is to avoid preloading potentially missing files.
Gbp-Pq: Topic build
Gbp-Pq: Name builtins_module_paths_not_shareable.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
add acorn, walk to shared builtins
Last-Update: 2022-09-28
Forwarded: https://github.com/nodejs/node/pull/44376
Gbp-Pq: Topic build
Gbp-Pq: Name more_shareable_builtins.patch
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
nodejs (20.19.2+dfsg-1+deb13u1) trixie-security; urgency=medium
* Upstream security patches:
+ CVE-2025-23085: follow-up fix wrong check for NGHTTP2_GOAWAY
+ CVE-2026-21637: TLS error handling allows remote attackers to
crash or exhaust resources of a TLS server when `pskCallback`
or `ALPNCallback` are in use.
+ CVE-2025-59465: malformed `HTTP/2 HEADERS` frame with oversized
invalid `HPACK` data can cause a crash.
+ CVE-2025-55132: permission model allows a file's access and
modification timestamps to be changed via `futimes()` even when
the process has only read permissions.
+ CVE-2025-55130: permissions model allows attackers to bypass
`--allow-fs-read` and `--allow-fs-write` restrictions using
crafted relative symlink paths.
+ CVE-2025-59466: "Maximum call stack size exceeded" errors become
uncatchable when `async_hooks.createHook()` is enabled.
+ CVE-2025-55131: buffer allocation logic can expose uninitialized
memory when allocations are interrupted, when using the `vm` module
with the timeout option.
* Upstream critical fixes (see sec/NN patches)
+ zlib: fix pointer alignment (10)
+ os: fix GetInterfaceAddresses memory leak (15)
+ src: fix possible dereference of null pointers (17, 29)
+ v8: fix missing callback in heap utils destroy (19)
+ v8: loong64 - avoid memory access under stack pointer (27)
+ http2: do not crash on mismatched ping buffer length (28)
+ v8: riscv64 - Fix sp handling in MacroAssembler::LeaveFrame (44)
[dgit import unpatched nodejs 20.19.2+dfsg-1+deb13u1]
Jérémy Lal [Thu, 5 Mar 2026 10:05:11 +0000 (11:05 +0100)]
Import nodejs_20.19.2+dfsg-1+deb13u1.debian.tar.xz
[dgit import tarball nodejs 20.19.2+dfsg-1+deb13u1 nodejs_20.19.2+dfsg-1+deb13u1.debian.tar.xz]
Raspbian automatic forward porter [Fri, 6 Jun 2025 06:09:46 +0000 (07:09 +0100)]
Merge version 20.19.0+dfsg1-1+rpi1 and 20.19.2+dfsg-1 to produce 20.19.2+dfsg-1+rpi1
Raspbian automatic forward porter [Sat, 17 May 2025 11:34:58 +0000 (12:34 +0100)]
Merge version 20.19.0+dfsg-2+rpi1 and 20.19.0+dfsg1-1 to produce 20.19.0+dfsg1-1+rpi1
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Import nodejs_20.19.2+dfsg.orig.tar.xz
[dgit import orig nodejs_20.19.2+dfsg.orig.tar.xz]
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Import nodejs_20.19.2+dfsg.orig-ada.tar.xz
[dgit import orig nodejs_20.19.2+dfsg.orig-ada.tar.xz]
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Import nodejs_20.19.2+dfsg.orig-types-node.tar.xz
[dgit import orig nodejs_20.19.2+dfsg.orig-types-node.tar.xz]
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Merge nodejs (20.19.2+dfsg-1) import into refs/heads/workingbranch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
skip useless files in build target
Forwarded: https://github.com/nodejs/node/issues/55787
Gbp-Pq: Topic build
Gbp-Pq: Name no-deps.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
compile v8 without zlib static lib
Last-Update: 2023-12-16
Forwarded: https://github.com/nodejs/node/issues/33848
it should have a minor performance impact
Gbp-Pq: Topic deps
Gbp-Pq: Name v8-no-static-zlib.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
build using ada upstream tarball component
Last-Update: 2023-11-30
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name ada.patch
James Addison [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Harmonize V8 stack sizes on ARM architectures to match almost all other architectures
Last-Update: 2023-02-28
Forwarded: https://github.com/nodejs/node/issues/41163
Gbp-Pq: Topic arm64
Gbp-Pq: Name stacksize.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Use system paths for builtins
Last-Update: 2023-02-22
Forwarded: not-needed
Gbp-Pq: Topic build
Gbp-Pq: Name test_process_versions.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
fix link to home in html api
Forwarded: not needed, in conflict with the meaning of home page
Last-Update: 2022-11-06
Gbp-Pq: Topic build
Gbp-Pq: Name doc_template_home.html
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
allow vfp2 and allow setting arm_version option
Last-Update: 2022-08-29
Forwarded: https://github.com/nodejs/node/issues/44357
Gbp-Pq: Topic armel
Gbp-Pq: Name configure.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
skip buffer NaN internal representation check
this fails on whatever archs having other internal representations of NaN.
Last-Update: 2022-05-02
Forwarded: https://github.com/nodejs/node/issues/42945
Gbp-Pq: Topic build
Gbp-Pq: Name skip-buffer-nan-internal-check.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
remove google font from template.html, and link to local
Last-Update: 2015-09-09
Forwarded: not-needed
Gbp-Pq: Topic dfsg
Gbp-Pq: Name privacy_breach.patch
Bastien ROUCARIÈS [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
Multiarch search path, arch triplet, DFHS path for modules
Last-Update: 2018-09-30
Last-Update: 2020-03-04
Forwarded: https://github.com/nodejs/node/issues/22745
Reviewed-By: Xavier Guimard <yadd@debian.org>
Gbp-Pq: Topic dfsg
Gbp-Pq: Name multilib_modules.patch
Jérémy Lal [Wed, 14 May 2025 21:43:31 +0000 (23:43 +0200)]
a test uses a benchmark that reads alice.html, dfsg excluded
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-03-04
Gbp-Pq: Topic dfsg
Gbp-Pq: Name benchmark_without_alice.patch