Node v16 can’t build with clang 16 due to `-Wenum-constexpr-conversion`
errors. Since the backport patch from v8 does not apply to Node v14, and
it is likely this will become a hard error in future versions of clang,
use clang 15 when the version in the stdenv is newer.
The version of libc++ used with the clang is made to match the one used
in the stdenv to avoid possible issues with mixing multiple versions of
libc++ in one binary (e.g., icu links against libc++).
Node v14 can’t build with clang 16 due to `-Wenum-constexpr-conversion`
errors. Since the backport patch from v8 does not apply to Node v14, and
it is likely this will become a hard error in future versions of clang,
use clang 15 when the version in the stdenv is newer.
The version of libc++ used with the clang is made to match the one used
in the stdenv to avoid possible issues with mixing multiple versions of
libc++ in one binary (e.g., icu links against libc++).
nodejs produces a static archive in its `postInstall`. It detects if the
`ar` is GNU ar and uses a response file. Otherwise, it adds the files
individually. This is apparently very slow with `llvm-ar`, which Darwin
now uses by default. Fortunately, `llvm-ar` also supports response
files, so detect whether the `ar` is `llvm-ar` and use a response file.
I tested the build on aarch64-darwin. `postInstall` took less than a
minute to generate a 59 MiB static archive. Comparing to the build on
master, the only difference between the two archives is `llvm-ar` zeroes
out the dates, uids, and gids by default. Compared disassembly of the
archives appeared identical.
This fixes the timeouts on staging-next. #241951
https://hydra.nixos.org/build/227170390
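The detection described above, as an added example that is not the nixpkgs `postInstall` itself: it classifies an `ar` by the first line of its `--version` banner and chooses a response file when the implementation is GNU ar or `llvm-ar`, falling back to adding objects one at a time otherwise. The version banners are constructed samples, and `build_archive` is a hypothetical helper, not code from the nodejs expression.

```shell
#!/bin/sh
# Added example, not the nixpkgs postInstall. Decide whether an `ar`
# accepts the @response-file syntax from the first line of `ar --version`.
# Both GNU ar and llvm-ar do; BSD ar does not.

# ar_flavor BANNER: print "gnu", "llvm", or "other" for a --version banner.
ar_flavor() {
  first_line=$(printf '%s\n' "$1" | head -n 1)
  case "$first_line" in
    "GNU ar"*) echo gnu ;;
    *LLVM*)    echo llvm ;;
    *)         echo other ;;
  esac
}

# ar_supports_response_file BANNER: exit 0 if this ar accepts "@file".
ar_supports_response_file() {
  case "$(ar_flavor "$1")" in
    gnu|llvm) return 0 ;;
    *)        return 1 ;;
  esac
}

# Constructed sample banners (not captured from a real system).
GNU_BANNER="GNU ar (GNU Binutils) 2.40
Copyright (C) 2023 Free Software Foundation, Inc."
LLVM_BANNER="LLVM (http://llvm.org/):
  LLVM version 16.0.6"
BSD_BANNER="BSD ar 1.1.0 - libarchive 3.6.2"

# build_archive ARCHIVE [AR]: hypothetical helper that creates ARCHIVE from
# the object paths listed on stdin (one per line, no whitespace in names),
# using a response file when the ar supports it and per-file calls otherwise.
build_archive() {
  archive=$1
  ar_bin=${2:-ar}
  files=$(cat)
  if ar_supports_response_file "$("$ar_bin" --version 2>/dev/null)"; then
    rsp=$(mktemp)
    printf '%s\n' "$files" > "$rsp"
    "$ar_bin" -cqs "$archive" "@$rsp"   # one invocation for every object
    rm -f "$rsp"
  else
    for f in $files; do                 # slow path: one invocation per object
      "$ar_bin" -cqs "$archive" "$f"
    done
  fi
}

printf 'GNU -> %s, LLVM -> %s, BSD -> %s\n' \
  "$(ar_flavor "$GNU_BANNER")" "$(ar_flavor "$LLVM_BANNER")" "$(ar_flavor "$BSD_BANNER")"
```

Checking the banner rather than the binary name matters because `ar` on Darwin is a wrapper: the name says nothing about whether the underlying implementation is `llvm-ar`.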
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
- CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
- CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
- CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
- CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v20.3.1