From c73d1006a216134713593a54686bca21976b443e Mon Sep 17 00:00:00 2001
From: Mario Rodas <marsam@users.noreply.github.com>
Date: Wed, 4 Aug 2021 08:22:00 -0500
Subject: [PATCH] nodejs-16_x: add patch for CVE-2021-22930

---
 pkgs/development/web/nodejs/v16.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/development/web/nodejs/v16.nix b/pkgs/development/web/nodejs/v16.nix
index 766df734a4aa..494edc1e997b 100644
--- a/pkgs/development/web/nodejs/v16.nix
+++ b/pkgs/development/web/nodejs/v16.nix
@@ -1,4 +1,4 @@
-{ callPackage, openssl, python3, enableNpm ? true }:
+{ callPackage, openssl, python3, fetchpatch, enableNpm ? true }:
 
 let
   buildNodejs = callPackage ./nodejs.nix {
@@ -10,4 +10,12 @@ in
     inherit enableNpm;
     version = "16.5.0";
     sha256 = "16dapj5pm2y1m3ldrjjlz8rq9axk85nn316iz02nk6qjs66y6drz";
+    patches = [
+      # Fix CVE-2021-22930 https://github.com/nodejs/node/pull/39423.
+      # It should be fixed by Node.js 16.6.0, but currently it fails to build on Darwin
+      (fetchpatch {
+        url = "https://github.com/nodejs/node/commit/9d950a0956bf2c3dd87bacb56807f37e16a91db4.patch";
+        sha256 = "1narhk5dqdkbndh9hg0dn5ghhgrd6gsamjqszpivmp33nl5hgsx3";
+      })
+    ];
   }