Fedora has issued an advisory today (October 23): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EUZYFCI7N4TFZSIGA7WGZ4Q7V3EK76GH/ The issue is fixed upstream in 14.18.1: https://nodejs.org/en/blog/release/v14.18.1/ There is another fix too in the October updates: https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/
Status comment: (none) => Fixed upstream in 14.18.1
Assigning this to Joseph who mostly maintains nodejs, CC'ing neoclust who has also helped with it recently.
CC: (none) => mageia
Assignee: bugsquad => joequant
Fedora has issued an advisory for this on October 29 (with both CVEs): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MFLYHRQPDF6ZMESCI3HRNOP6D6GELPFR/
updated in mga8 src: - nodejs-14.18.1-1.mga8
Status comment: Fixed upstream in 14.18.1 => (none)
CC: (none) => joequant
Assignee: joequant => qa-bugs
nodejs-docs-14.18.1-1.mga8
nodejs-libs-14.18.1-1.mga8
nodejs-devel-14.18.1-1.mga8
nodejs-14.18.1-1.mga8
v8-devel-8.4.371.23.mga8-1.mga8
npm-6.14.15-1.14.18.1.1.mga8
from nodejs-14.18.1-1.mga8.src.rpm
MGA8-64 Plasma on Lenovo B50
Installation: when I select the v8-devel-8.4.371.23.mga8-1.mga8, I get
"Sorry, the following package cannot selected:
- v8-devel-8.4.371.23.mga8-1.mga8.x86_64 (because of missing nodejs-devel[== 1:14.17.3-1.mga8])"
Continued the installation without the v8-devel without problems.
Tested along bug 29028 Comment 8, and that worked OK.
Issue with the v8-devel had to be resolved before OK'ing this update I guess????
CC: (none) => herman.viaene
mga8, x64 Tried this to confirm Herman's observation. All the Core packages were either installed or could be installed before updating except for v8-devel, which must be something new. Used qarepo to populate the local repository with all six rpms then MageiaUpdate to install the updates. Since v8-devel was not currently installed it was ignored so this does look like a missing dependency. There is no problem installing it directly using urpmi.
CC: (none) => tarazed25
Is v8 an alias of some kind?
$ sudo urpmi v8
Package nodejs-libs-14.18.1-1.mga8.x86_64 is already installed
$ locate v8 | grep nodejs
/usr/share/doc/nodejs/html/api/v8.html
/usr/share/doc/nodejs/html/api/v8.json
/usr/share/doc/nodejs/html/api/v8.md
The last file reads:
# V8
<!--introduced_in=v4.0.0-->
<!-- source_link=lib/v8.js -->
The `v8` module exposes APIs that are specific to the version of [V8][] built into the Node.js binary. It can be accessed using:
...................
I am doing things a little differently from Len: I use qarepo to populate the local repository with all six rpms, but then use MCC - Software - Add and remove, and so select the v8-devel-8.4.371.23.mga8-1.mga8 package. The reported missing nodejs-devel was not present in any version in my installation before running the installation of the updates.
@Herman regarding comment 8: Yeah, I had tried to use MCC to finish the installation but could not find any nodejs packages listed, none at all even though the core packages were present on the system and the updates available.
@Herman - adding feedback marker because I think this still needs clarification.
Keywords: (none) => feedback
(In reply to Len Lawrence from comment #9)
> @Herman regarding comment 8:
>
> Yeah, I had tried to use MCC to finish the installation but could not find
> any nodejs packages listed, none at all even though the core packages were
> present on the system and the updates available.
Make sure rpmdrake is set to show all packages, not just those with a gui.
Removing the feedback tag
CC: (none) => davidwhodgins
Keywords: feedback => (none)
Thanks Dave. The trouble is I cannot recall what I did - but chose "all" at some point. Better go back to the beginning and try again.
Nope. Too much time wasted on this. If it works for Herman then let it roll.
So is v8-devel installable or is it not? It isn't clear that Herman was able to install it either.
# urpmi nodejs-devel
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release (distrib1)")
  nodejs-packaging               23           3.mga8        noarch
(medium "Core Updates Testing (distrib5)")
  nodejs-devel                   14.18.1      1.mga8        x86_64
1005KB of additional disk space will be used.
200KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/release/nodejs-packaging-23-3.mga8.noarch.rpm
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates_testing/nodejs-devel-14.18.1-1.mga8.x86_64.rpm
installing nodejs-packaging-23-3.mga8.noarch.rpm nodejs-devel-14.18.1-1.mga8.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...
###############################################################################################################################################################################
      1/2: nodejs-packaging
###############################################################################################################################################################################
      2/2: nodejs-devel
###############################################################################################################################################################################
That was on an install where I didn't have the prior version installed. Testing using qarepo as an update for existing packages now.
Herman was able to install it using drakrpm - I was not. However it was simple to install separately after the other packages were installed.
Sorry, wrong devel package above.
On one install it installed ok. On another ...
chosen v8-devel-8.4.371.23.mga8-1.mga8.x86_64 for v8-devel|v8-devel|v8-devel|v8-devel|v8-devel
selecting v8-devel-8.4.371.23.mga8-1.mga8.x86_64
requiring nodejs-devel[== 1:14.17.3-1.mga8] for v8-devel-8.4.371.23.mga8-1.mga8.x86_64
chosen nodejs-devel-14.17.3-1.mga8.x86_64 for nodejs-devel[== 1:14.17.3-1.mga8]
the more recent nodejs-devel-14.18.1-1.mga8.x86_64 is installed, but does not provide nodejs-devel[== 1:14.17.3-1.mga8] whereas nodejs-devel-14.17.3-1.mga8.x86_64 does
Looking into the differences more.
I think the princeton mirror may be under a ddos attack again. I'm getting a lot of wget failures. I'll try switching to kernel.org.
This makes no sense. I've switched to the kernel.org mirror which is working well.
I downloaded http://mirrors.kernel.org/mageia/distrib/8/x86_64/media/core/updates_testing/v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm
[root@x3 ~]# urpmi ./v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm
installing v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm from .
Preparing...
###############################################################################################################################################################################
      1/1: v8-devel
###############################################################################################################################################################################
[root@x3 ~]# urpme v8-devel
removing v8-devel-8.4.371.23.mga8-1.mga8.x86_64
removing package v8-devel-2:8.4.371.23.mga8-1.mga8.x86_64
      1/1: removing v8-devel-2:8.4.371.23.mga8-1.mga8.x86_64
###############################################################################################################################################################################
[root@x3 ~]# urpmi v8-devel
The following package cannot be installed because it depends on packages
that are older than the installed ones:
v8-devel-8.4.371.23.mga8-1.mga8
So the package itself appears to be ok, but there is something wrong with the hdlist file urpmi is using. Why it worked on one of my vb installs using qarepo, I don't understand yet.
That is the sort of thing I have been seeing which is why it seemed wise to investigate further. All I know is that v8-devel has to match the version of v8 compiled into nodejs.
What doesn't make sense is why urpmi can install using ./v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm but when using urpmi v8-devel, can't install v8-devel-8.4.371.23.mga8-1.mga8
I downloaded the package from the same mirror being used by urpmi. The only difference I can see is that when using v8-devel instead of using the package that's been manually downloaded is that urpmi is using the synthesis.hdlist.cz or hdlist.cz file from the mirror instead of using the requires/provides that are actually in the package.
Adding the sysadmin team to the cc list
In the package downloaded from kernel.org, it has ...
# rpm -q --requires ./v8-devel-8.4.371.23.mga8-1.mga8.x86_64.rpm |grep nodejs-devel
nodejs-devel = 1:14.18.1-1.mga8
As per comment 18, the error shows it's requiring the wrong version with ...
requiring nodejs-devel[== 1:14.17.3-1.mga8]
when using the repo data.
CC: (none) => sysadmin-bugs
The max version v8-devel package present on server is 8.4.371.23.mga8 (nodejs-14.17.3-1.mga8.src.rpm)
Where for nodejs and nodejs-devel it is 14.17.6 (nodejs-14.17.6-1.mga8.src.rpm)
For some reason the v8-devel package was not included in the hdlist by the process (dunno why).
Did you try to increase the release version and rebuild it again to see if it reaches the mirrors correctly?
# urpmq -i --media 'Core Release,Core Updates,Core Updates Testing' v8-devel
Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.19.mga8
Release     : 10.mga8
Group       : Development/Other
Size        : 592
Architecture: x86_64
Source RPM  : nodejs-14.15.1-3.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description : Development headers for the v8 runtime.
Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.19.mga8
Release     : 1.mga8
Group       : Development/Other
Size        : 592
Architecture: x86_64
Source RPM  : nodejs-14.16.0-1.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description : Development headers for the v8 runtime.
Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.19.mga8
Release     : 11.mga8
Group       : Development/Other
Size        : 592
Architecture: x86_64
Source RPM  : nodejs-14.16.0-2.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description : Development headers for the v8 runtime.
Name        : v8-devel
Epoch       : 2
Version     : 8.4.371.23.mga8
Release     : 1.mga8
Group       : Development/Other
Size        : 592
Architecture: x86_64
Source RPM  : nodejs-14.17.3-1.mga8.src.rpm
URL         : https://nodejs.org/
Summary     : v8 - development headers
Description : Development headers for the v8 runtime.
CC: (none) => mageia
Adding Nicolas back to cc list. Please bump the release and resubmit nodejs.
installed this and set up small game that uses node-js.
$ node -v
v14.18.1
I played the game, kind of like asteroids. works as expected no errors on console.
I'm giving this the okay.
Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1
fyi - I also used the npm utility to download required modules, that works as well.
I have not validated this because of the v8-devel issue. I checked with qarepo and MCC and it boils down to this: The version of v8-devel under test in this update is the same one that is currently in the core_updates repo. As was requested in Comment 24, v8-devel needs to be bumped a version and resubmitted. Removing the OK because of this, and re-assigning to Nicolas.
Whiteboard: MGA8-64-OK => (none)
CC: (none) => andrewsfarm
Assignee: qa-bugs => mageia
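The collision diagnosed above can be caught before an update reaches QA. The following is an added example, not part of the thread or of Mageia's tooling: it flags subpackages whose epoch:version-release is not strictly newer than the published one. The comparison is a simplified rpmvercmp (no `~` or `^` handling), and the sample data is constructed from versions quoted in the thread, with the epochs of the 14.17.6 and rebuilt packages assumed.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm version compare: returns -1, 0 or 1 (no '~' or '^' handling)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment sorts above an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional) into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.rpartition("-")
    return int(epoch or 0), version, release

def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def not_newer(published: dict, candidate: dict) -> list:
    """Names in the candidate update whose EVR does not exceed the published EVR."""
    return sorted(name for name, evr in candidate.items()
                  if name in published and evr_cmp(evr, published[name]) <= 0)

# Constructed sample data; versions are those quoted in the thread,
# epochs for 14.17.6 and for the rebuild are assumptions.
PUBLISHED = {"nodejs-devel": "1:14.17.6-1.mga8", "v8-devel": "2:8.4.371.23.mga8-1.mga8"}
FIRST_BUILD = {"nodejs-devel": "1:14.18.1-1.mga8", "v8-devel": "2:8.4.371.23.mga8-1.mga8"}
REBUILD = {"nodejs-devel": "1:14.18.1-1.1.mga8", "v8-devel": "2:8.4.371.23.1.mga8-1.1.mga8"}

if __name__ == "__main__":
    print("first build:", not_newer(PUBLISHED, FIRST_BUILD))
    print("rebuild:    ", not_newer(PUBLISHED, REBUILD))
```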
just pushed a rebuild of this nodejs.
nodejs-docs-14.18.1-1.1.mga8
nodejs-libs-14.18.1-1.1.mga8
nodejs-devel-14.18.1-1.1.mga8
nodejs-14.18.1-1.1.mga8
v8-devel-8.4.371.23.1.mga8-1.1.mga8
npm-6.14.15-1.14.18.1.1.1.mga8
from nodejs-14.18.1-1.1.mga8.src.rpm
CC: sysadmin-bugs => (none)
Assignee: mageia => qa-bugs
Mageia X64 Gnome
No Installation issues.
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
  Paquetage                      Version      Révision      Arch
(média « Core Updates Testing »)
  nodejs                         14.18.1      1.1.mga8      x86_64
  nodejs-libs                    14.18.1      1.1.mga8      x86_64
  npm                            6.14.15      1.14.18.1.1.> x86_64
un espace additionnel de 57Mo sera utilisé.
14Mo de paquets seront récupérés.
$node
Welcome to Node.js v14.18.1.
Type ".help" for more information.
>
Tested with this script: https://nodejs.org/en/docs/guides/getting-started-guide/
All seems to be ok.
CC: (none) => hdetavernier
MGA8-64 Plasma on Lenovo B50
No installation issues
ref bug 29028 Comment 8 for test at CLI
$ cd Documenten
$ node main.js
Server running at http://127.0.0.1:8081/
Then pointing browser to it displays "Hello world"
and pointing to Hugues above:
$ node
Welcome to Node.js v14.18.1.
Type ".help" for more information.
> .help
.break    Sometimes you get stuck, this gets you out
.clear    Alias for .break
.editor   Enter editor mode
.exit     Exit the REPL
.help     Print this help message
.load     Load JS from a file into the REPL session
.save     Save all evaluated commands in this REPL session to a file
Press Ctrl+C to abort current expression, Ctrl+D to exit the REPL
OK for me.
Whiteboard: (none) => MGA8-64-OK
Used qarepo in VirtualBox to download the packages in Comment 29, then used drakrpm to install all of them as a new install, as described in Comment 8. This time there were no installation issues, confirming that v8-devel can now be installed. Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0592.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED