azurelinux icon indicating copy to clipboard operation
azurelinux copied to clipboard
verified publisher icon microsoft

BUG 59200539: Upgrade nodejs to 20.19.5 and add support for passing runtime internationalization data.

Open CBL-Mariner-Bot opened this issue 4 months ago • 1 comments

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • [x] The toolchain has been rebuilt successfully (or no changes were made to it)
  • [x] The toolchain/worker package manifests are up-to-date
  • [x] Any updated packages successfully build (or no packages were changed)
  • [x] Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • [x] Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • [x] All package sources are available
  • [x] cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • [x] LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • [x] All source files have up-to-date hashes in the *.signatures.json files
  • [x] sudo make go-tidy-all and sudo make go-test-coverage pass
  • [x] Documentation has been updated to match any changes to the build system
  • [ ] Ready to merge
Summary

What does the PR accomplish, why was it needed? Upgrade nodejs to 20.19.5 and add support for passing runtime internationalization data.

Change Log
  • Auto-upgrade to 20.19.5
Does this affect the toolchain?

NO

Associated issues
  • https://microsoft.visualstudio.com/OS/_workitems/edit/59200539
Links to CVEs
Test Methodology
  • Pipeline build id: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1004819&view=results
  • Locally checked the failing commands
image

CBL-Mariner-Bot avatar Sep 20 '25 08:09 CBL-Mariner-Bot

✅ PR Check Passed

No critical issues detected in spec file changes.

🤖 AI Analysis Summary:

Brief Analysis: The spec file has been updated to version 20.19.5 and the patch list has been trimmed so that only seven patches remain. The new patch set is consistent with the files available on disk, but the changelog still refers to several older CVE patches that have been dropped in the new version.

Critical Issues Found: • Changelog entries still mention CVE patches (e.g. CVE-2025-22150, CVE-2025-23085, CVE-2024-22020, CVE-2025-23083, CVE-2025-23165/66, CVE-2025-47279) which are no longer referenced.

Recommended Actions: • Update the changelog to accurately reflect only the patches now applied in 20.19.5.
• Verify that upstream fixes covering the omitted CVEs are integrated into the new Node.js release.
• Ensure patch numbering and references in the spec file remain clear and sequential.

📋 For detailed analysis and recommendations, check the Azure DevOps pipeline logs.

CBL-Mariner-Bot avatar Sep 20 '25 08:09 CBL-Mariner-Bot