From: Volker Schlecht Subject: [Maintainer Update] lang/node v20.15.1 To: ports@openbsd.org Date: Mon, 15 Jul 2024 20:53:28 +0200 Attached is a security update to node v20.15.1, addressing CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High, Windows-Only!) CVE-2024-22020 - Bypass network import restriction via data URL (Medium) CVE-2024-22018 - fs.lstat bypasses permission model (Low) CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) CVE-2024-37372 - Permission model improperly processes UNC paths (Low) Very small diff, fixing only these issues. Built and tested on amd64. ok? Index: Makefile =================================================================== RCS file: /cvs/ports/lang/node/Makefile,v diff -u -p -r1.136 Makefile --- Makefile 22 Jun 2024 07:01:03 -0000 1.136 +++ Makefile 15 Jul 2024 18:44:20 -0000 @@ -5,7 +5,7 @@ USE_WXNEEDED = Yes COMMENT = JavaScript runtime built on Chrome's V8 JavaScript engine -NODE_VERSION = v20.15.0 +NODE_VERSION = v20.15.1 PLEDGE_VER = 1.1.3 DISTFILES = ${DISTNAME}-headers.tar.gz \ ${DISTNAME}.tar.xz Index: distinfo =================================================================== RCS file: /cvs/ports/lang/node/distinfo,v diff -u -p -r1.77 distinfo --- distinfo 22 Jun 2024 07:01:03 -0000 1.77 +++ distinfo 15 Jul 2024 18:44:20 -0000 @@ -1,6 +1,6 @@ SHA256 (node-pledge-1.1.3.tar.gz) = fEaXvLg6hYEJ69K+mgQFizf8DiJY2/DtyFJB/pEanVU= -SHA256 (node-v20.15.0-headers.tar.gz) = DO3j602M+4hVcFM62vhg1TWGA2ocqqeXCTshcjIG/vY= -SHA256 (node-v20.15.0.tar.xz) = D0p6BRw12V65BejLKqQ8XUArExIDkI/mM+s8+gUO+Qc= +SHA256 (node-v20.15.1-headers.tar.gz) = jCMFxt9dFFJeBxHw2jgpVgCYffTCcQxzjAFACGKhdrQ= +SHA256 (node-v20.15.1.tar.xz) = /dU6VynZNmkaKhFRBG+0iXchy4sPyir5V4I6m0D+DDQ= SIZE (node-pledge-1.1.3.tar.gz) = 3167 -SIZE (node-v20.15.0-headers.tar.gz) = 8773750 -SIZE (node-v20.15.0.tar.xz) = 41868532 +SIZE (node-v20.15.1-headers.tar.gz) = 8773669 +SIZE (node-v20.15.1.tar.xz) = 41880412
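Review bot: In the Makefile hunk only `NODE_VERSION` moves from v20.15.0 to v20.15.1, with `PLEDGE_VER = 1.1.3` left as unchanged context, and the mail reports "Built and tested on amd64" without saying what the testing covered. Three of the five listed CVEs concern the permission model (fs.lstat, fs.fchown/fchmod, UNC path handling), so it would help to state which tests were run against the new version and whether node-pledge 1.1.3 was rebuilt against the v20.15.1 headers, not just that the port builds.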
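Review bot: On the two `+SHA256` lines of the distinfo hunk, the mail does not say what the new digests were checked against. As this is a security update, please compare both values with upstream's signed checksum list before commit; distinfo stores SHA256 in base64 while upstream publishes hex, so one side needs converting first. The `+SIZE` lines are consistent with a small point release (headers go from 8773750 to 8773669 bytes, the source tarball from 41868532 to 41880412), which fits the "very small diff" described in the mail.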