microsoft
diff --git a/‎LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md‎
Lines changed: 1 addition & 1 deletion b/‎LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎LICENSES-AND-NOTICES/SPECS/data/licenses.json‎
Lines changed: 1 addition & 0 deletions b/‎LICENSES-AND-NOTICES/SPECS/data/licenses.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎SPECS/nodejs/nodejs.spec‎
Lines changed: 5 additions & 1 deletion b/‎SPECS/nodejs/nodejs.spec‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎SPECS/nodejs24/CVE-2019-10906.patch‎
Lines changed: 197 additions & 0 deletions b/‎SPECS/nodejs24/CVE-2019-10906.patch‎
Lines changed: 197 additions & 0 deletions
diff --git a/‎SPECS/nodejs24/CVE-2020-28493.patch‎
Lines changed: 134 additions & 0 deletions b/‎SPECS/nodejs24/CVE-2020-28493.patch‎
Lines changed: 134 additions & 0 deletions
@@ -2947,6 +2947,7 @@
                 "nginx",
                 "ninja-build",
                 "nodejs",
+                "nodejs24",
                 "npth",
                 "nspr",
                 "nss",
 
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,7 @@ Requires:       brotli
 Requires:       c-ares
 Requires:       coreutils >= 8.22
 Requires:       openssl >= 1.1.1
+Provides:       nodejs
 
 %description
 Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
@@ -146,6 +147,9 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Thr Jan 29 2026 Sandeep Karambelkar <skarambelkar@microsoft.com> - 20.14.0-12
+- Add nodejs provides to manage co existence with nodejs24
+
 * Wed Jan 28 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20.14.0-11
 - Patch for CVE-2026-21637, CVE-2025-59466, CVE-2025-59465, CVE-2025-55132, CVE-2025-55131
 
 
@@ -0,0 +1,197 @@
+From ce71e5f5911b12ebc36711a7d86dab0a11bd1c4d Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Fri, 20 Sep 2024 09:55:21 +0530
+Subject: [PATCH] Changed needed to upgrade jinja2 to 2.10.1
+
+---
+ .../jinja2/Jinja2-2.10.1.tar.gz.md5           |  1 +
+ .../jinja2/Jinja2-2.10.1.tar.gz.sha512        |  1 +
+ .../jinja2/Jinja2-2.10.tar.gz.md5             |  1 -
+ .../jinja2/Jinja2-2.10.tar.gz.sha512          |  1 -
+ tools/inspector_protocol/jinja2/LICENSE       | 62 +++++++++----------
+ tools/inspector_protocol/jinja2/__init__.py   |  2 +-
+ tools/inspector_protocol/jinja2/get_jinja2.sh |  4 +-
+ tools/inspector_protocol/jinja2/sandbox.py    | 17 ++++-
+ 8 files changed, 50 insertions(+), 39 deletions(-)
+ create mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5
+ create mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512
+ delete mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5
+ delete mode 100644 tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512
+
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5 b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5
+new file mode 100644
+index 00000000..254f4371
+--- /dev/null
++++ b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.md5
+@@ -0,0 +1 @@
++0ae535be40fd215a8114a090c8b68e5a  Jinja2-2.10.1.tar.gz
+\ No newline at end of file
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512 b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512
+new file mode 100644
+index 00000000..7c379ff1
+--- /dev/null
++++ b/tools/inspector_protocol/jinja2/Jinja2-2.10.1.tar.gz.sha512
+@@ -0,0 +1 @@
++a00153a0e07bb7d67f301b4eaf7af657726a1985e9ffc7ae2d76bdbb4c062d672efc8065e398767e1039b18a483a0092e206deac91e4047aad64920b56869623  Jinja2-2.10.1.tar.gz
+\ No newline at end of file
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5 b/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5
+deleted file mode 100644
+index 9137ee12..00000000
+--- a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.md5
++++ /dev/null
+@@ -1 +0,0 @@
+-61ef1117f945486472850819b8d1eb3d  Jinja2-2.10.tar.gz
+diff --git a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512 b/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512
+deleted file mode 100644
+index 087d24c1..00000000
+--- a/tools/inspector_protocol/jinja2/Jinja2-2.10.tar.gz.sha512
++++ /dev/null
+@@ -1 +0,0 @@
+-0ea7371be67ffcf19e46dfd06523a45a0806e678a407d54f5f2f3e573982f0959cf82ec5d07b203670309928a62ef71109701ab16547a9bba2ebcdc178cb67f2  Jinja2-2.10.tar.gz
+diff --git a/tools/inspector_protocol/jinja2/LICENSE b/tools/inspector_protocol/jinja2/LICENSE
+index 31bf900e..10145a26 100644
+--- a/tools/inspector_protocol/jinja2/LICENSE
++++ b/tools/inspector_protocol/jinja2/LICENSE
+@@ -1,31 +1,31 @@
+-Copyright (c) 2009 by the Jinja Team, see AUTHORS for more details.
+-
+-Some rights reserved.
+-
+-Redistribution and use in source and binary forms, with or without
+-modification, are permitted provided that the following conditions are
+-met:
+-
+-    * Redistributions of source code must retain the above copyright
+-      notice, this list of conditions and the following disclaimer.
+-
+-    * Redistributions in binary form must reproduce the above
+-      copyright notice, this list of conditions and the following
+-      disclaimer in the documentation and/or other materials provided
+-      with the distribution.
+-
+-    * The names of the contributors may not be used to endorse or
+-      promote products derived from this software without specific
+-      prior written permission.
+-
+-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++Copyright (c) 2009 by the Jinja Team, see AUTHORS for more details.
++
++Some rights reserved.
++
++Redistribution and use in source and binary forms, with or without
++modification, are permitted provided that the following conditions are
++met:
++
++    * Redistributions of source code must retain the above copyright
++      notice, this list of conditions and the following disclaimer.
++
++    * Redistributions in binary form must reproduce the above
++      copyright notice, this list of conditions and the following
++      disclaimer in the documentation and/or other materials provided
++      with the distribution.
++
++    * The names of the contributors may not be used to endorse or
++      promote products derived from this software without specific
++      prior written permission.
++
++THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
++A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
++OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
++LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+diff --git a/tools/inspector_protocol/jinja2/__init__.py b/tools/inspector_protocol/jinja2/__init__.py
+index 42aa763d..15e13b6f 100644
+--- a/tools/inspector_protocol/jinja2/__init__.py
++++ b/tools/inspector_protocol/jinja2/__init__.py
+@@ -27,7 +27,7 @@
+     :license: BSD, see LICENSE for more details.
+ """
+ __docformat__ = 'restructuredtext en'
+-__version__ = '2.10'
++__version__ = '2.10.1'
+ 
+ # high level interface
+ from jinja2.environment import Environment, Template
+diff --git a/tools/inspector_protocol/jinja2/get_jinja2.sh b/tools/inspector_protocol/jinja2/get_jinja2.sh
+index bc6c4c30..b0fa6e8e 100755
+--- a/tools/inspector_protocol/jinja2/get_jinja2.sh
++++ b/tools/inspector_protocol/jinja2/get_jinja2.sh
+@@ -7,8 +7,8 @@
+ # Download page:
+ # https://pypi.python.org/pypi/Jinja2
+ PACKAGE='Jinja2'
+-VERSION='2.10'
+-SRC_URL='https://pypi.python.org/packages/56/e6/332789f295cf22308386cf5bbd1f4e00ed11484299c5d7383378cf48ba47/Jinja2-2.10.tar.gz'
++VERSION='2.10.1'
++SRC_URL='https://files.pythonhosted.org/packages/93/ea/d884a06f8c7f9b7afbc8138b762e80479fb17aedbbe2b06515a12de9378d/Jinja2-2.10.1.tar.gz'
+ PACKAGE_DIR='jinja2'
+ 
+ CHROMIUM_FILES="README.chromium OWNERS get_jinja2.sh"
+diff --git a/tools/inspector_protocol/jinja2/sandbox.py b/tools/inspector_protocol/jinja2/sandbox.py
+index 93fb9d45..752e8128 100644
+--- a/tools/inspector_protocol/jinja2/sandbox.py
++++ b/tools/inspector_protocol/jinja2/sandbox.py
+@@ -137,7 +137,7 @@ class _MagicFormatMapping(Mapping):
+ def inspect_format_method(callable):
+     if not isinstance(callable, (types.MethodType,
+                                  types.BuiltinMethodType)) or \
+-       callable.__name__ != 'format':
++       callable.__name__ not in ('format', 'format_map'):
+         return None
+     obj = callable.__self__
+     if isinstance(obj, string_types):
+@@ -402,7 +402,7 @@ class SandboxedEnvironment(Environment):
+             obj.__class__.__name__
+         ), name=attribute, obj=obj, exc=SecurityError)
+ 
+-    def format_string(self, s, args, kwargs):
++    def format_string(self, s, args, kwargs, format_func=None):
+         """If a format call is detected, then this is routed through this
+         method so that our safety sandbox can be used for it.
+         """
+@@ -410,6 +410,17 @@ class SandboxedEnvironment(Environment):
+             formatter = SandboxedEscapeFormatter(self, s.escape)
+         else:
+             formatter = SandboxedFormatter(self)
++
++        if format_func is not None and format_func.__name__ == 'format_map':
++            if len(args) != 1 or kwargs:
++                raise TypeError(
++                    'format_map() takes exactly one argument %d given'
++                    % (len(args) + (kwargs is not None))
++                )
++
++            kwargs = args[0]
++            args = None
++
+         kwargs = _MagicFormatMapping(args, kwargs)
+         rv = formatter.vformat(s, args, kwargs)
+         return type(s)(rv)
+@@ -418,7 +429,7 @@ class SandboxedEnvironment(Environment):
+         """Call an object from sandboxed code."""
+         fmt = inspect_format_method(__obj)
+         if fmt is not None:
+-            return __self.format_string(fmt, args, kwargs)
++            return __self.format_string(fmt, args, kwargs, __obj)
+ 
+         # the double prefixes are to avoid double keyword argument
+         # errors when proxying the call.
+-- 
+2.34.1
+
@@ -0,0 +1,134 @@
+From 1416131a2c937e08dd313f622f6c8b928c64e477 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <v-klockwood@microsoft.com>
+Date: Wed, 5 Feb 2025 16:33:58 -0800
+Subject: [PATCH] [Medium] Patch nodejs to fix CVE-2020-28493
+
+Link: https://github.com/pallets/jinja/pull/1343/commits/ef658dc3b6389b091d608e710a810ce8b87995b3.patch
+---
+ tools/inspector_protocol/jinja2/utils.py | 93 ++++++++++++++----------
+ 1 file changed, 56 insertions(+), 37 deletions(-)
+
+diff --git a/tools/inspector_protocol/jinja2/utils.py b/tools/inspector_protocol/jinja2/utils.py
+index 502a311c..00664b56 100644
+--- a/tools/inspector_protocol/jinja2/utils.py
++++ b/tools/inspector_protocol/jinja2/utils.py
+@@ -12,24 +12,13 @@ import re
+ import json
+ import errno
+ from collections import deque
++from string import ascii_letters as _letters
++from string import digits as _digits
+ from threading import Lock
+ from jinja2._compat import text_type, string_types, implements_iterator, \
+      url_quote
+ 
+ 
+-_word_split_re = re.compile(r'(\s+)')
+-_punctuation_re = re.compile(
+-    '^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$' % (
+-        '|'.join(map(re.escape, ('(', '<', '&lt;'))),
+-        '|'.join(map(re.escape, ('.', ',', ')', '>', '\n', '&gt;')))
+-    )
+-)
+-_simple_email_re = re.compile(r'^\S+@[a-zA-Z0-9._-]+\.[a-zA-Z0-9._-]+$')
+-_striptags_re = re.compile(r'(<!--.*?-->|<[^>]*>)')
+-_entity_re = re.compile(r'&([^;]+);')
+-_letters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
+-_digits = '0123456789'
+-
+ # special singleton representing missing values for the runtime
+ missing = type('MissingType', (), {'__repr__': lambda x: 'missing'})()
+ 
+@@ -203,35 +192,65 @@ def urlize(text, trim_url_limit=None, rel=None, target=None):
+     trim_url = lambda x, limit=trim_url_limit: limit is not None \
+                          and (x[:limit] + (len(x) >=limit and '...'
+                          or '')) or x
+-    words = _word_split_re.split(text_type(escape(text)))
++    words = re.split(r"(\s+)", text_type(escape(text)))
+     rel_attr = rel and ' rel="%s"' % text_type(escape(rel)) or ''
+     target_attr = target and ' target="%s"' % escape(target) or ''
+ 
+     for i, word in enumerate(words):
+-        match = _punctuation_re.match(word)
++        head, middle, tail = "", word, ""
++        match = re.match(r"^([(<]|&lt;)+", middle)
++
+         if match:
+-            lead, middle, trail = match.groups()
+-            if middle.startswith('www.') or (
+-                '@' not in middle and
+-                not middle.startswith('http://') and
+-                not middle.startswith('https://') and
+-                len(middle) > 0 and
+-                middle[0] in _letters + _digits and (
+-                    middle.endswith('.org') or
+-                    middle.endswith('.net') or
+-                    middle.endswith('.com')
+-                )):
+-                middle = '<a href="http://%s"%s%s>%s</a>' % (middle,
+-                    rel_attr, target_attr, trim_url(middle))
+-            if middle.startswith('http://') or \
+-               middle.startswith('https://'):
+-                middle = '<a href="%s"%s%s>%s</a>' % (middle,
+-                    rel_attr, target_attr, trim_url(middle))
+-            if '@' in middle and not middle.startswith('www.') and \
+-               not ':' in middle and _simple_email_re.match(middle):
+-                middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
+-            if lead + middle + trail != word:
+-                words[i] = lead + middle + trail
++            head = match.group()
++            middle = middle[match.end() :]
++
++        # Unlike lead, which is anchored to the start of the string,
++        # need to check that the string ends with any of the characters
++        # before trying to match all of them, to avoid backtracking.
++        if middle.endswith((")", ">", ".", ",", "\n", "&gt;")):
++            match = re.search(r"([)>.,\n]|&gt;)+$", middle)
++
++            if match:
++                tail = match.group()
++                middle = middle[: match.start()]
++
++        if middle.startswith("www.") or (
++            "@" not in middle
++            and not middle.startswith("http://")
++            and not middle.startswith("https://")
++            and len(middle) > 0
++            and middle[0] in _letters + _digits
++            and (
++                middle.endswith(".org")
++                or middle.endswith(".net")
++                or middle.endswith(".com")
++            )
++        ):
++            middle = '<a href="http://%s"%s%s>%s</a>' % (
++                middle,
++                rel_attr,
++                target_attr,
++                trim_url(middle),
++            )
++
++        if middle.startswith("http://") or middle.startswith("https://"):
++            middle = '<a href="%s"%s%s>%s</a>' % (
++                middle,
++                rel_attr,
++                target_attr,
++                trim_url(middle),
++            )
++
++        if (
++            "@" in middle
++            and not middle.startswith("www.")
++            and ":" not in middle
++            and re.match(r"^\S+@\w[\w.-]*\.\w+$", middle)
++        ):
++            middle = '<a href="mailto:%s">%s</a>' % (middle, middle)
++
++        words[i] = head + middle + tail
++
+     return u''.join(words)
+ 
+ 
+-- 
+2.34.1
+