Bug 35270 - nodejs new security issues CVE-2026-21637, CVE-2026-2171[034567]
Summary: nodejs new security issues CVE-2026-21637, CVE-2026-2171[034567]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-25 09:06 CET by Nicolas Salguero
Modified: 2026-03-28 08:27 CET

See Also:
Source RPM: nodejs-22.22.0-1.mga9.src.rpm
CVE: CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717
Status comment:
herman.viaene: test_passed_mga9_64+


Description Nicolas Salguero 2026-03-25 09:06:09 CET
Reference:
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
Nicolas Salguero 2026-03-25 09:06:50 CET

CVE: (none) => CVE-2026-21637, CVE-2026-21710, CVE-2026-21713, CVE-2026-21714, CVE-2026-21715, CVE-2026-21716, CVE-2026-21717
Flags: (none) => affects_mga9+
Status comment: (none) => Fixed upstream in 22.22.2
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => nodejs-22.22.0-1.mga10.src.rpm, nodejs-22.22.0-1.mga9.src.rpm

Comment 1 Lewis Smith 2026-03-25 10:15:22 CET
Nicolas has just updated new version 22.22.2 in Cauldron; leaves Mageia 9 to do.

Assignee: bugsquad => pkg-bugs
Version: Cauldron => 9

Comment 2 Nicolas Salguero 2026-03-26 11:00:22 CET
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix a security vulnerability:

Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS. (CVE-2026-21637)

Denial of Service via __proto__ header name in req.headersDistinct (Uncaught TypeError crashes Node.js process). (CVE-2026-21710)

Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery. (CVE-2026-21713)

Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion. (CVE-2026-21714)

Permission Model Bypass in realpathSync.native Allows File Existence Disclosure. (CVE-2026-21715)

CVE-2024-36137 Patch Bypass - FileHandle.chmod/chown. (CVE-2026-21716)

HashDoS in V8. (CVE-2026-21717)

References:
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
========================

Updated packages in core/updates_testing:
========================
nodejs-22.22.2-1.mga9
nodejs-devel-22.22.2-1.mga9
nodejs-docs-22.22.2-1.mga9
nodejs-libs-22.22.2-1.mga9
npm-10.9.7-1.22.22.2.1.mga9
v8-devel-12.4.254.21.mga9-7.mga9

from SRPM:
nodejs-22.22.2-1.mga9.src.rpm

Status comment: Fixed upstream in 22.22.2 => (none)
Source RPM: nodejs-22.22.0-1.mga10.src.rpm, nodejs-22.22.0-1.mga9.src.rpm => nodejs-22.22.0-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Flags: affects_mga9+ => (none)

Comment 3 Herman Viaene 2026-03-26 16:51:29 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bugs 34995 and 33033 (has test file) for tests.
$ npm ls -g
/usr/lib
├── corepack@0.34.6
└── npm@10.9.7

npm notice
npm notice New major version of npm available! 10.9.7 -> 11.12.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.12.0
npm notice To update run: npm install -g npm@11.12.0
npm notice

$ npm ls
tester9@1.0.0 /home/tester9
├── express@5.2.1
└── express5@1.0.0

[tester9@mach3 ~]$ npm install express

up to date, audited 112 packages in 8s

21 packages are looking for funding
  run `npm fund` for details

6 vulnerabilities (4 low, 1 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ npm install express5

up to date, audited 112 packages in 6s

21 packages are looking for funding
  run `npm fund` for details

6 vulnerabilities (4 low, 1 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ ls node_modules
 abstract-logging/          es-errors/                    get-intrinsic/          parseurl/                 semver-store/
 accepts/                   es-object-atoms/              get-proto/              path-to-regexp/           send/
 ajv/                       etag/                         gopd/                   pino/                     serve-static/
 archy/                     express/                      hasown/                 pino-std-serializers/     set-cookie-parser/
 atomic-sleep/              express5/                     has-symbols/            process-warning/          setprototypeof/
 avvio/                     fast-content-type-parse/      http-errors/            proxy-addr/               side-channel/
 body-parser/               fast-decode-uri-component/    iconv-lite/             punycode/                 side-channel-list/
 bytes/                     fast-deep-equal/              inherits/               qs/                       side-channel-map/
 call-bind-apply-helpers/  '@fastify'/                    ipaddr.js/              queue-microtask/          side-channel-weakmap/
 call-bound/                fastify/                      is-promise/             quick-format-unescaped/   sonic-boom/
 content-disposition/       fast-json-stable-stringify/   json-schema-traverse/   range-parser/             statuses/
 content-type/              fast-json-stringify/          light-my-request/       raw-body/                 string-similarity/
 cookie/                    fastq/                        math-intrinsics/        require-from-string/      tiny-lru/
 cookie-signature/          fast-redact/                  media-typer/            ret/                      toidentifier/
 debug/                     fast-safe-stringify/          merge-descriptors/      reusify/                  type-is/
 deepmerge/                 fast-uri/                     mime-db/                rfdc/                     unpipe/
 depd/                      finalhandler/                 mime-types/             router/                   uri-js/
 dunder-proto/              find-my-way/                  ms/                     safe-buffer/              vary/
 ee-first/                  flatstr/                      negotiator/             safer-buffer/             wrappy/
 encodeurl/                 forwarded/                    object-inspect/         safe-regex2/
 escape-html/               fresh/                        once/                   secure-json-parse/
 es-define-property/        function-bind/                on-finished/            semver/

$ node server.js
Server running at http://127.0.0.1:3000/
Displays: Hello World
^C
$ node
Welcome to Node.js v22.22.2.
Type ".help" for more information.
> 1+1
2
> a=2
2
> b=4
4
> a+b
6
> a*b
8
All OK.

Whiteboard: (none) => MGA9-64-OK
Flags: (none) => test_passed_mga9_64+
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2026-03-27 16:30:27 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-03-28 04:17:11 CET

Keywords: (none) => advisory

Comment 5 Mageia Robot 2026-03-28 08:27:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0071.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

