From 4f80e67a71d46da45ac670cea143466bb55c519a Mon Sep 17 00:00:00 2001
From: Hirokazu MORIKAWA <morikw2@gmail.com>
Date: Sun, 5 Apr 2026 08:10:41 +0900
Subject: [PATCH] node: bump to 20.20.2

This is a security release.
Notable Changes
* (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
* (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
---
 lang/node/Makefile                      |  4 ++--
 lang/node/patches/999-llhttp-neon.patch | 25 -------------------------
 2 files changed, 2 insertions(+), 27 deletions(-)
 delete mode 100644 lang/node/patches/999-llhttp-neon.patch

diff --git a/lang/node/Makefile b/lang/node/Makefile
index d748d1b8b9..29476193dc 100644
--- a/lang/node/Makefile
+++ b/lang/node/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=node
-PKG_VERSION:=20.20.0
+PKG_VERSION:=20.20.2
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://nodejs.org/dist/v$(PKG_VERSION)
-PKG_HASH:=cafc92e90917c17869d982fdff10104c2eb328437ed9bbf03fdda78ebc0accdd
+PKG_HASH:=8cb85a81f75169eb811f7b2512cf17a646826430debbe016a7461f31e286fdef
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-v$(PKG_VERSION)
 HOST_BUILD_DIR:=$(BUILD_DIR_HOST)/$(PKG_NAME)-v$(PKG_VERSION)
 
diff --git a/lang/node/patches/999-llhttp-neon.patch b/lang/node/patches/999-llhttp-neon.patch
deleted file mode 100644
index 0e7a3e14e1..0000000000
--- a/lang/node/patches/999-llhttp-neon.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- a/deps/llhttp/src/llhttp.c
-+++ b/deps/llhttp/src/llhttp.c
-@@ -2639,17 +2639,17 @@ static llparse_state_t llhttp__internal_
-         /* Find first character that does not match `ranges` */
-         single = vceqq_u8(input, vdupq_n_u8(0x9));
-         mask = single;
--        single = vandq_u16(
-+        single = vandq_u8(
-           vcgeq_u8(input, vdupq_n_u8(' ')),
-           vcleq_u8(input, vdupq_n_u8('~'))
-         );
--        mask = vorrq_u16(mask, single);
--        single = vandq_u16(
-+        mask = vorrq_u8(mask, single);
-+        single = vandq_u8(
-           vcgeq_u8(input, vdupq_n_u8(0x80)),
-           vcleq_u8(input, vdupq_n_u8(0xff))
-         );
--        mask = vorrq_u16(mask, single);
--        narrow = vshrn_n_u16(mask, 4);
-+        mask = vorrq_u8(mask, single);
-+        narrow = vshrn_n_u16(vreinterpretq_u16_u8(mask), 4);
-         match_mask = ~vget_lane_u64(vreinterpret_u64_u8(narrow), 0);
-         match_len = __builtin_ctzll(match_mask) >> 2;
-         if (match_len != 16) {