# Contributor: Jose-Luis Rivas <ghostbar@riseup.net>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Contributor: Dave Esaias <dave@containership.io>
# Contributor: Tadahisa Kamijo <kamijin@live.jp>
# Contributor: Eivind Uggedal <eu@eju.no>
# Maintainer: Jakub Jirutka <jakub@jirutka.cz>
pkgname=nodejs
# Note: Update only to LTS versions! Other versions are supported only for
#  9 months by upstream.
pkgver=22.16.0
pkgrel=2
pkgdesc="JavaScript runtime built on V8 engine - LTS version"
url="https://nodejs.org/"
arch="all"
license="MIT"
depends="ca-certificates"
makedepends="
	ada-dev
	brotli-dev
	c-ares-dev
	icu-dev
	linux-headers
	nghttp2-dev
	openssl-dev
	py3-jinja2
	python3
	samurai
	simdjson-dev
	simdutf-dev
	sqlite-dev
	zlib-dev
	zstd-dev
	"
install="$pkgname.post-upgrade"
subpackages="
	$pkgname-dev
	$pkgname-libs
	$pkgname-doc
	"
provider_priority=100  # highest priority (other provider is nodejs-current)
provides="nodejs-lts=$pkgver-r$pkgrel"  # for backward compatibility
replaces="nodejs-current nodejs-lts"  # nodejs-lts for backward compatibility
source="https://nodejs.org/dist/v$pkgver/node-v$pkgver.tar.gz
	ncrypto-include-openssl-rand.h.patch
	v8-ppc64le-compat.patch
	v8-riscv-trap-handler.patch
	v8-no-static-zlib.patch
	v8-disable-trap-handler-on-riscv-sv39.patch
	$pkgname.pc.in
	"
builddir="$srcdir/node-v$pkgver"

# secfixes:
#   22.13.1-r0:
#     - CVE-2025-23083
#     - CVE-2025-23084
#     - CVE-2025-23085
#     - CVE-2025-22150
#   20.15.1-r0:
#     - CVE-2024-22018
#     - CVE-2024-22020
#     - CVE-2024-36137
#   20.12.1-r0:
#     - CVE-2024-27982
#     - CVE-2024-27983
#   18.18.2-r0:
#     - CVE-2023-45143
#     - CVE-2023-38552
#     - CVE-2023-39333
#   18.17.1-r0:
#     - CVE-2023-32002
#     - CVE-2023-32006
#     - CVE-2023-32559
#   18.14.1-r0:
#     - CVE-2023-23918
#     - CVE-2023-23919
#     - CVE-2023-23920
#     - CVE-2023-23936
#     - CVE-2023-24807
#   18.12.1-r0:
#     - CVE-2022-3602
#     - CVE-2022-3786
#     - CVE-2022-43548
#   16.17.1-r0:
#     - CVE-2022-32213
#     - CVE-2022-32214
#     - CVE-2022-32215
#     - CVE-2022-35255
#     - CVE-2022-35256
#   16.13.2-r0:
#     - CVE-2021-44531
#     - CVE-2021-44532
#     - CVE-2021-44533
#     - CVE-2022-21824
#   14.18.1-r0:
#     - CVE-2021-22959
#     - CVE-2021-22960
#   14.17.6-r0:
#     - CVE-2021-37701
#     - CVE-2021-37712
#     - CVE-2021-37713
#     - CVE-2021-39134
#     - CVE-2021-39135
#   14.17.5-r0:
#     - CVE-2021-3672
#     - CVE-2021-22931
#     - CVE-2021-22939
#   14.17.4-r0:
#     - CVE-2021-22930
#   14.16.1-r0:
#     - CVE-2020-7774
#   14.16.0-r0:
#     - CVE-2021-22883
#     - CVE-2021-22884
#   14.15.5-r0:
#     - CVE-2021-21148
#   14.15.4-r0:
#     - CVE-2020-8265
#     - CVE-2020-8287
#   14.15.1-r0:
#     - CVE-2020-8277
#   12.18.4-r0:
#     - CVE-2020-8201
#     - CVE-2020-8252
#   12.18.0-r0:
#     - CVE-2020-8172
#     - CVE-2020-11080
#     - CVE-2020-8174
#   12.15.0-r0:
#     - CVE-2019-15606
#     - CVE-2019-15605
#     - CVE-2019-15604
#   10.16.3-r0:
#     - CVE-2019-9511
#     - CVE-2019-9512
#     - CVE-2019-9513
#     - CVE-2019-9514
#     - CVE-2019-9515
#     - CVE-2019-9516
#     - CVE-2019-9517
#     - CVE-2019-9518
#   10.15.3-r0:
#     - CVE-2019-5737
#   10.14.0-r0:
#     - CVE-2018-12121
#     - CVE-2018-12122
#     - CVE-2018-12123
#     - CVE-2018-0735
#     - CVE-2018-0734
#   8.11.4-r0:
#     - CVE-2018-12115
#   8.11.3-r0:
#     - CVE-2018-7167
#     - CVE-2018-7161
#     - CVE-2018-1000168
#   8.11.0-r0:
#     - CVE-2018-7158
#     - CVE-2018-7159
#     - CVE-2018-7160
#   8.9.3-r0:
#     - CVE-2017-15896
#     - CVE-2017-15897
#   6.11.5-r0:
#     - CVE-2017-14919
#   6.11.1-r0:
#     - CVE-2017-1000381
#   0:
#     - CVE-2021-43803
#     - CVE-2022-32212
#     - CVE-2023-44487
#     - CVE-2024-36138
#     - CVE-2024-37372

prepare() {
	default_prepare

	# openssl.cnf is required for build.
	mv deps/openssl/nodejs-openssl.cnf .

	# Remove bundled dependencies that we're not using.
	#
	# NOTE: nghttp3 and ngtcp2 are only used when building with OpenSSL
	#  that supports QUIC. After the QUIC support is added to openssl, add
	#  options --shared-nghttp3 and --shared-ngtcp2.
	#
	# NOTE: All bundled dependencies are described in
	#  doc/contributing/maintaining/maintaining-dependencies.md.
	rm -rf deps/ada \
		deps/brotli \
		deps/cares \
		deps/corepack \
		deps/nghttp2 \
		deps/nghttp3 \
		deps/ngtcp2 \
		deps/openssl/* \
		deps/simdjson \
		deps/simdutf \
		deps/sqlite \
		deps/v8/third_party/jinja2 \
		deps/zlib \
		deps/zstd \
		tools/inspector_protocol/jinja2

	mv nodejs-openssl.cnf deps/openssl/
}

build() {
	# Add defines recommended in libuv readme.
	local common_flags="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
	# Disable use of OpenSSL ENGINE API - it's deprecated since OpenSSL 3.0
	#   (https://issues.redhat.com/browse/RHEL-33743).
	common_flags="$common_flags -DOPENSSL_NO_ENGINE"

	# -Os overwrites the optimizations enabled by BUILDTYPE=Release.
	# Compiling with O2 instead of Os increases binary size by ~10%
	# (53.1 MiB -> 58.6 MiB), but also increases performance by ~20%
	# according to v8/web-tooling-benchmark. Node.js is quite huge anyway;
	# there are better options for size constrained environments.
	export CFLAGS="${CFLAGS/-Os} $common_flags"
	export CXXFLAGS="${CXXFLAGS/-Os} $common_flags"
	export CPPFLAGS="${CPPFLAGS/-Os} $common_flags"

	# When building shared libnode.so, the resulting package size is +15 %
	# (~8 MiB), so we rather build it twice to keep the node binary smaller
	# (there are currently no packages using libnode.so).
	msg 'Building node binary'
	_build
	cp out/Release/node out/

	msg 'Building libnode.so'
	_build --shared
	cp out/Release/lib/libnode.so* out/Release/

	sed "s/@VERSION@/$pkgver/" "$srcdir"/$pkgname.pc.in > out/Release/$pkgname.pc
}

_build() {
	# NOTE: We use bundled libuv because they don't care much about backward
	# compatibility and it has happened several times in past that we
	# couldn't upgrade nodejs package in stable branches to fix CVEs due to
	# libuv incompatibility.
	#
	# NOTE: We don't package the bundled npm - it's a separate project with
	# its own release cycle and version numbering, so it's better to keep
	# it in a standalone aport.
	#
	# TODO: Fix and enable corepack.
	# TODO: Create aport for amaro and use --shared-builtin-amaro (amaro
	#   contains pre-built wasm binary).
	python3 configure.py \
		--prefix=/usr \
		--ninja \
		--enable-lto \
		--shared-ada \
		--shared-brotli \
		--shared-zlib \
		--shared-openssl \
		--shared-cares \
		--shared-nghttp2 \
		--shared-simdjson \
		--shared-simdutf \
		--shared-sqlite \
		--shared-zstd \
		--openssl-use-def-ca-store \
		--with-icu-default-data-dir=$(icu-config --icudatadir) \
		--with-intl=system-icu \
		--without-corepack \
		--without-npm \
		"$@"

	make BUILDTYPE=Release
}

# TODO Run provided test suite.
check() {
	cd "$builddir"/out/Release

	./node -e 'console.log("Hello, world!")'
	./node -e "require('assert').equal(process.versions.node, '$pkgver')"
	./node -e 'require("assert").equal(
		Buffer.from(Buffer.from("foo").toString("base64"), "base64").toString("ascii"),
		"foo")'
}

package() {
	make DESTDIR="$pkgdir" install

	# node binary built without libnode.so.
	install -D -m755 out/node -t "$pkgdir"/usr/bin/

	install -D -m644 out/Release/$pkgname.pc -t "$pkgdir"/usr/lib/pkgconfig/

	(cd "$pkgdir"/usr/lib; ln -sf libnode.so.* libnode.so)
}

dev() {
	provides="nodejs-lts-dev=$pkgver"  # for backward compatibility
	default_dev
}

sha512sums="
50a41c315f86a682e9f67c8259d4e1180571ea1d66efe8454662acaa1a5f6ee2297f88ca3dc4b7a6a76885739e0c5de25a1b13ccb4e39e987ae6b3b3f03152ab  node-v22.16.0.tar.gz
784e692513b9d7d45dce82ac047415b76227770ed5231c57f8ccfb6ae148332cac82a3d8539c33247eeb041cd8d23331fed8dba7c35fad07f6aec6a440b89040  ncrypto-include-openssl-rand.h.patch
37dc38704eae165e6940393c08bb182120dcec119739bda4961706f3aa955bf9669c371bcfa0317269f8f08e01d4c6c204f2c595d583d649433a659a44113bfb  v8-ppc64le-compat.patch
37955e69b0548b582a3877df05361d0d5f342f7c0d84b58f2772e8601cd9d6f702f4a016a51023b80dc187b81a0143a5a78e7462f85a7bc7f2474f6c8b5e5fe4  v8-riscv-trap-handler.patch
0c9d3d2f897f4eb5ed2e41dc84a2076bfcac40fb4fbbfdd1256b915574543c40ea4c7d141c29bdce7de72ca4bbfdae074099122643e8e64599f5b5d52bb26548  v8-no-static-zlib.patch
0668bfedb608b3abb3ded8e9a0cef6611cc11dbd0089c6dfadc60a2ba9b78861e3cb18cf3d768b4f7a924d573765f38983bd03485087d1229095296e92177ccc  v8-disable-trap-handler-on-riscv-sv39.patch
f908fa93f6194ec4f6c5e9d76ed7c918721c7f5d46afcc12de1f84683c185401a27a174b7a7c6a76085a4d0826f964e7088bf5596d4e6901a15bf751846299a6  nodejs.pc.in
"
