Bug 34995 - nodejs new security issues CVE-2025-5946[56], CVE-2025-5513[0-2], CVE-2026-21637
Summary: nodejs new security issues CVE-2025-5946[56], CVE-2025-5513[0-2], CVE-2026-21637
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-01-14 11:30 CET by Nicolas Salguero
Modified: 2026-01-17 03:49 CET

See Also:
Source RPM: nodejs-22.16.0-4.mga9.src.rpm
CVE: CVE-2025-59465, CVE-2025-59466, CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2026-21637
Status comment:



Nicolas Salguero 2026-01-14 11:31:53 CET

CVE: (none) => CVE-2025-59465, CVE-2025-59466, CVE-2025-55130, CVE-2025-55131, CVE-2025-55132, CVE-2026-21637
Source RPM: (none) => nodejs-22.16.0-1.mga10.src.rpm, nodejs-22.16.0-4.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+

Nicolas Salguero 2026-01-14 15:54:21 CET

Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2026-01-15 09:18:14 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Node.js HTTP/2 server crashes with unhandled error when receiving malformed HEADERS frame. (CVE-2025-59465)

Uncatchable "Maximum call stack size exceeded" error on Node.js via async_hooks leads to process crashes bypassing error handlers. (CVE-2025-59466)

Bypass File System Permissions using crafted symlinks. (CVE-2025-55130)

Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled. (CVE-2025-55131)

fs.futimes() Bypasses Read-Only Permission Model. (CVE-2025-55132)

TLS PSK/ALPN Callback Exceptions Bypass Error Handlers, Causing DoS and FD Leak. (CVE-2026-21637)

References:
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
https://nodejs.org/en/blog/release/v22.22.0
========================

Updated packages in core/updates_testing:
========================
nodejs-22.22.0-1.mga9
nodejs-devel-22.22.0-1.mga9
nodejs-docs-22.22.0-1.mga9
nodejs-libs-22.22.0-1.mga9
npm-10.9.4-1.22.22.0.1.mga9
v8-devel-12.4.254.21.mga9-6.mga9

from SRPM:
nodejs-22.22.0-1.mga9.src.rpm

Version: Cauldron => 9
Flags: affects_mga9+ => (none)
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
Source RPM: nodejs-22.16.0-1.mga10.src.rpm, nodejs-22.16.0-4.mga9.src.rpm => nodejs-22.16.0-4.mga9.src.rpm

Comment 2 Herman Viaene 2026-01-16 12:02:14 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bugs 34995 and 33033 (has test file) for tests.
$ npm ls -g
/usr/lib
├── corepack@0.34.0
└── npm@10.9.4

npm notice
npm notice New major version of npm available! 10.9.4 -> 11.7.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.7.0
npm notice To update run: npm install -g npm@11.7.0
npm notice

$ npm ls
tester9@1.0.0 /home/tester9
├── express@5.1.0
└── express5@1.0.0

$ npm install express

removed 1 package, changed 7 packages, and audited 112 packages in 11s

21 packages are looking for funding
  run `npm fund` for details

4 low severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ npm install express5

up to date, audited 112 packages in 5s

21 packages are looking for funding
  run `npm fund` for details

4 low severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ ls node_modules
 abstract-logging/          es-errors/                    get-intrinsic/          parseurl/                 semver-store/
 accepts/                   es-object-atoms/              get-proto/              path-to-regexp/           send/
 ajv/                       etag/                         gopd/                   pino/                     serve-static/
 archy/                     express/                      hasown/                 pino-std-serializers/     set-cookie-parser/
 atomic-sleep/              express5/                     has-symbols/            process-warning/          setprototypeof/
 avvio/                     fast-content-type-parse/      http-errors/            proxy-addr/               side-channel/
 body-parser/               fast-decode-uri-component/    iconv-lite/             punycode/                 side-channel-list/
 bytes/                     fast-deep-equal/              inherits/               qs/                       side-channel-map/
 call-bind-apply-helpers/  '@fastify'/                    ipaddr.js/              queue-microtask/          side-channel-weakmap/
 call-bound/                fastify/                      is-promise/             quick-format-unescaped/   sonic-boom/
 content-disposition/       fast-json-stable-stringify/   json-schema-traverse/   range-parser/             statuses/
 content-type/              fast-json-stringify/          light-my-request/       raw-body/                 string-similarity/
 cookie/                    fastq/                        math-intrinsics/        require-from-string/      tiny-lru/
 cookie-signature/          fast-redact/                  media-typer/            ret/                      toidentifier/
 debug/                     fast-safe-stringify/          merge-descriptors/      reusify/                  type-is/
 deepmerge/                 fast-uri/                     mime-db/                rfdc/                     unpipe/
 depd/                      finalhandler/                 mime-types/             router/                   uri-js/
 dunder-proto/              find-my-way/                  ms/                     safe-buffer/              vary/
 ee-first/                  flatstr/                      negotiator/             safer-buffer/             wrappy/
 encodeurl/                 forwarded/                    object-inspect/         safe-regex2/
 escape-html/               fresh/                        once/                   secure-json-parse/
 es-define-property/        function-bind/                on-finished/            semver/

[tester9@mach3 nodejs]$ node server.js 
Server running at http://127.0.0.1:3000/

Displays: Hello World

$ node
Welcome to Node.js v22.22.0.
Type ".help" for more information.
> 1+1
2
> a=2
2
> b=4
4
> a*b
8
> 

All OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2026-01-17 00:22:40 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-01-17 02:26:53 CET

Keywords: (none) => advisory

Comment 4 Mageia Robot 2026-01-17 03:49:12 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0009.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

