Debian Patches
Status for nodejs/20.19.2+dfsg-1+deb13u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| build/more_shareable_builtins.patch | add acorn, walk to shared builtins | Jérémy Lal <kapouer@melix.org> | yes | 2022-09-28 | ||
| build/builtins_module_paths_not_shareable.patch | disable shared builtins when loading deps on demand This is to avoid preloading potentially missing files. | Jérémy Lal <kapouer@melix.org> | invalid | 2023-12-10 | ||
| build/doc.patch | build doc using marked and js-yaml While waiting for unified/remarked/rehyped modules to be available in debian | Jérémy Lal <kapouer@melix.org> | not-needed | 2021-03-03 | ||
| build/flag_atomic.patch | Link to -latomic by default This avoids surprises on mips*el/ppc*el | Jérémy Lal <kapouer@melix.org> | not-needed | upstream | 2019-10-25 | |
| build/test_ci.patch | adapt tools/test.py * log to stdout * increase timeout multipliers * rename --flaky-tests to --flaky-tests-mode and use --flaky-tests like --skip-tests |
Jérémy Lal <kapouer@melix.org> | not-needed | 2025-02-12 | ||
| deps/cares.patch | keep nodejs compatible with libc-ares public headers | Jérémy Lal <kapouer@melix.org> | not-needed | 2021-10-20 | ||
| deps/localhost-no-addrconfig.patch | do not use dns.ADDRCONFIG for localhost it fails on IPv6-only systems. Setting it with libc fails on linux. https://github.com/nodejs/node/issues/33279 https://lists.debian.org/debian-devel/2023/12/msg00011.html |
Jérémy Lal <kapouer@melix.org> | yes | debian | 2020-06-11 | |
| deps/node_gyp.patch | use system-installed node-gyp for building test modules | Jérémy Lal <kapouer@melix.org> | not-needed | 2015-09-09 | ||
| dfsg/benchmark_without_alice.patch | a test uses a benchmark that read alice.html, dfsg excluded | Jérémy Lal <kapouer@melix.org> | not-needed | 2020-03-04 | ||
| dfsg/multilib_modules.patch | Multiarch search path, arch triplet, DFHS path for modules | "Bastien ROUCARIÈS" <roucaries.bastien@gmail.com> | yes | 2020-03-04 | ||
| dfsg/privacy_breach.patch | remove google font from template.html, and link to local | Jérémy Lal <kapouer@melix.org> | not-needed | 2015-09-09 | ||
| build/skip-buffer-nan-internal-check.patch | skip buffer NaN internal representation check this fails on whatever archs having other internal representations of NaN. | Jérémy Lal <kapouer@melix.org> | yes | 2022-05-02 | ||
| armel/configure.patch | allow vfp2 and allow setting arm_version option | Jérémy Lal <kapouer@melix.org> | yes | 2022-08-29 | ||
| build/doc_template_home.html | fix link to home in html api | Jérémy Lal <kapouer@melix.org> | not-needed | 2022-11-06 | ||
| build/test_process_versions.patch | Use system paths for builtins | Jérémy Lal <kapouer@melix.org> | not-needed | 2023-02-22 | ||
| arm64/stacksize.patch | Harmonize V8 stack sizes on ARM architectures to match almost all other architectures | James Addison <jay@jp-hosting.net> | yes | 2023-02-28 | ||
| build/ada.patch | build using ada upstream tarball component | Jérémy Lal <kapouer@melix.org> | not-needed | 2023-11-30 | ||
| deps/v8-no-static-zlib.patch | compile v8 without zlib static lib it should have a minor performance impact | Jérémy Lal <kapouer@melix.org> | yes | 2023-12-16 | ||
| build/no-deps.patch | skip useless files in build target | Jérémy Lal <kapouer@melix.org> | yes | |||
| sec/10-zlib-fix-pointer-alignment.patch | zlib: fix pointer alignment The function AllocForBrotli prefixes the allocated memory with its size, and returns a pointer to the region after it. This pointer can however no longer be suitably aligned. Correct this by allocating the maximum of the the size of the size_t and the max alignment. On Arm 32bits the size_t is 4 bytes long, but the alignment is 8 for some NEON instructions. When Brotli is compiled with optimizations enabled newer GCC versions will use the NEON instructions and trigger a bus error killing node. see https://github.com/google/brotli/issues/1159 |
jhofstee <jeroen@myspectrum.nl> | no | 2025-04-09 | ||
| sec/12-http2-fix-check-for-frame-type-goaway.patch | http2: fix check for `frame->hd.type` Related to CVE-2025-23085 According to the comment, this should be checking whether `frame->hd.type` is `NGHTTP2_GOAWAY`, i.e. `0x07` and not `0x03`. |
hanguanqiang <hanguanqiang@kylinos.cn> | no | 2025-04-09 | ||
| sec/15-fix-os-getinterface-addresses-leak.patch | os: fix GetInterfaceAddresses memory lieaky | theanarkh <theratliter@gmail.com> | no | 2025-07-06 | ||
| sec/17-fix-possible-dereference-of-null-pointer.patch | src: fix possible dereference of null pointer There is a CHECK_NOT_NULL check before dereferencing node_env on line 710 in the "if" block, but there is no CHECK_NOT_NULL check before dereferencing node_env on line 721. Maybe it makes sense to put CHECK_NOT_NULL right after calling the Environment::GetCurrent function. |
Eusgor <100363036+Eusgor@users.noreply.github.com> | no | 2025-05-30 | ||
| sec/19-v8-fix-missing-callback-in-heap-utils-destroy.patch | v8: fix missing callback in heap utils destroy This fixes the v8.getHeapSnapshot() calls not properly being destroyed. Pipeline calls would for example not properly end without the callback being in place. |
Ruben Bridgewater <ruben.bridgewater@datadoghq.com> | no | 2025-06-30 | ||
| sec/27-v8-loong64-avoid-memory-access-under-stack-pointer.patch | deps: V8: cherry-pick 6b1b9bca2a8 Origin commit message: [loong64][codegen] Avoid memory access under stack pointer According to LoongArch ABI doc chapter 8.2: "Procedures must not assume the persistence on-stack data of which the addresses lie below the stack pointer." Change-Id: I92735e052227495ac9884c4290b57eaffbf905e1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6786372 Auto-Submit: Zhao Jiazhong <zhaojiazhong-hf@loongson.cn> Reviewed-by: Matthias Liedtke <mliedtke@chromium.org> Commit-Queue: Matthias Liedtke <mliedtke@chromium.org> Cr-Commit-Position: refs/heads/main@{#101634} |
zhoumingtao <zhoumingtao@loongson.cn> | no | 2025-07-30 | ||
| sec/28-http2-do-not-crash-on-mismatched-ping-buffer-length.patch | http2: do not crash on mismatched ping buffer length | René <contact.9a5d6388@renegade334.me.uk> | no | 2025-10-09 | ||
| sec/29-fix-order-of-check-not-null.patch | src: fix order of CHECK_NOT_NULL/dereference `ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` may dereference `req_wrap_async`, so `CHECK_NOT_NULL(req_wrap_async)` should be used before and not after. |
Tobias Nießen <tniessen@tnie.de> | no | 2025-08-18 | ||
| sec/33-tls-route-callback-exceptions-through-error-handlers.patch | tls: route callback exceptions through error handlers Wrap pskCallback and ALPNCallback invocations in try-catch blocks to route exceptions through owner.destroy() instead of letting them become uncaught exceptions. This prevents remote attackers from crashing TLS servers or causing resource exhaustion. |
Matteo Collina <hello@matteocollina.com> | no | 2025-12-22 | ||
| sec/34-lib-add-tlssocket-default-error-handler.patch | lib: add TLSSocket default error handler This prevents the server from crashing due to an unhandled rejection when a TLSSocket connection is abruptly destroyed during initialization and the user has not attached an error handler to the socket. e.g: ```js const server = http2.createSecureServer({ ... }) server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` |
RafaelGSS <rafael.nunu@hotmail.com> | no | 2025-10-31 | ||
| sec/35-lib-disable-futimes-when-permission-model-is-enabled.patch | lib: disable futimes when permission model is enabled | RafaelGSS <rafael.nunu@hotmail.com> | no | 2025-10-21 | ||
| sec/36-lib-permission-require-full-read-and-write-to-symlink-apis.patch | lib,permission: require full read and write to symlink APIs | RafaelGSS <rafael.nunu@hotmail.com> | no | 2025-11-10 | ||
| sec/37-rethrow-stack-overflow-exceptions-in-async-hooks.patch | src: rethrow stack overflow exceptions in async_hooks When a stack overflow exception occurs during async_hooks callbacks (which use TryCatchScope::kFatal), detect the specific "Maximum call stack size exceeded" RangeError and re-throw it instead of immediately calling FatalException. This allows user code to catch the exception with try-catch blocks instead of requiring uncaughtException handlers. The implementation adds IsStackOverflowError() helper to detect stack overflow RangeErrors and re-throws them in TryCatchScope destructor instead of calling FatalException. This fixes the issue where async_hooks would cause stack overflow exceptions to exit with code 7 (kExceptionInFatalExceptionHandler) instead of being catchable. |
Matteo Collina <hello@matteocollina.com> | no | 2025-12-09 | ||
| sec/38-refactor-unsafe-buffer-creation-to-remove-zero-fill-toggle.patch | src,lib: refactor unsafe buffer creation to remove zero-fill toggle This removes the zero-fill toggle mechanism that allowed JavaScript to control ArrayBuffer initialization via shared memory. Instead, unsafe buffer creation now uses a dedicated C++ API. |
Сковорода | no | 2025-11-07 | ||
| sec/44-v8-riscv-fix-sp-handling-in-macroassembler-leave-frame.patch | deps: V8: backport 6a0a25abaed3 Original commit message: [riscv] Fix sp handling in MacroAssembler::LeaveFrame Keep sp <= fp to ensure that data right above fp doesn't get clobbered by an inopportune signal and its handler. Such clobbering can happen in e.g. Node.js when JIT-compiled code is interrupted by a SIGCHLD handler. Bug: None Change-Id: Ief0836032ada7942e89f081f7605f61632c4d414 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7540554 Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn> Commit-Queue: Yahan Lu (LuYahan) <yahan@iscas.ac.cn> Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org> Cr-Commit-Position: refs/heads/main@{#105069} |
Vivian Wang <wangruikang@iscas.ac.cn> | no | 2026-02-03 |
All known versions for source package 'nodejs'
- 24.14.1+dfsg+~cs24.12.0-1 (experimental)
- 22.22.2+dfsg+~cs22.19.15-1 (sid, forky)
- 20.19.2+dfsg-1+deb13u2 (trixie-security)
- 20.19.2+dfsg-1+deb13u1 (trixie-proposed-updates)
- 20.19.2+dfsg-1 (trixie)
- 18.20.4+dfsg-1~deb12u1 (bookworm-security, bookworm)