nodejs produces a static archive in its `postInstall`. It detects if the
`ar` is GNU ar and uses a response file. Otherwise, it adds the files
individually. This is apparently very slow with `llvm-ar`, which Darwin
now uses by default. Fortunately, `llvm-ar` also supports response
files, so detect whether the `ar` is `llvm-ar` and use a response file.
I tested the build on aarch64-darwin. `postInstall` took less than a
minute to generate a 59 MiB static archive. Comparing to the build on
master, the only difference between the two archives is `llvm-ar` zeroes
out the dates, uids, and gids by default. Compared disassembly of the
archives appeared identical.
This fixes the timeouts on staging-next. #241951https://hydra.nixos.org/build/227170390
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
- CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
- CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
- CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v20.3.1
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v18.16.1
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
https://github.com/nodejs/node/releases/tag/v16.20.1
