
package/nodejs: security bump to version 22.13.1

Fixes the following security vulnerabilities:

Worker permission bypass via InternalWorker leak in diagnostics
(CVE-2025-23083) - (high)

With the aid of the diagnostics_channel utility, an event can be hooked into
whenever a worker thread is created.  This is not limited only to workers
but also exposes internal workers, where an instance of them can be fetched,
and its constructor can be grabbed and reinstated for malicious usage.

This vulnerability affects Permission Model users (--permission) on Node.js
v20, v22, and v23.

GOAWAY HTTP/2 frames cause memory leak outside heap (CVE-2025-23085) - (medium)

A memory leak could occur when a remote peer abruptly closes the socket
without sending a GOAWAY notification.  Additionally, if an invalid header
was detected by nghttp2, causing the connection to be terminated by the
peer, the same leak was triggered.  This flaw could lead to increased memory
consumption and potential denial of service under certain conditions.

This vulnerability affects HTTP/2 Server users on Node.js v18.x, v20.x, v22.x and v23.x.

For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Update the LICENSE hash for an addition of the (MIT licensed) nlohmann
JSON library:

https://github.com/nodejs/node/commit/27bcd103e775e00eb8d03ac37052bbd4ccb6d239

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Julien Olivain <ju.o@free.fr>
Peter Korsgaard, 6 months ago
Parent
Current commit
15891236db
2 files changed, 8 insertions and 8 deletions
  1. package/nodejs/nodejs.hash (+7 -7)
  2. package/nodejs/nodejs.mk (+1 -1)

+ 7 - 7
package/nodejs/nodejs.hash

@@ -1,8 +1,8 @@
-# From https://nodejs.org/dist/v20.15.1/SHASUMS256.txt.asc
-sha256  6031d04b98f59ff0f7cb98566f65b115ecd893d3b7870821171708cdbaf7ae6e  node-v22.11.0-linux-arm64.tar.xz
-sha256  9de0fdcfb1cccbe03f72f939e4e6f03867aef3da8223f90606cd93757704dae0  node-v22.11.0-linux-armv7l.tar.xz
-sha256  d1d49d7d611b104b6d616e18ac439479d8296aa20e3741432de0e85f4735a81e  node-v22.11.0-linux-ppc64le.tar.xz
-sha256  83bf07dd343002a26211cf1fcd46a9d9534219aad42ee02847816940bf610a72  node-v22.11.0-linux-x64.tar.xz
-sha256  bbf0297761d53aefda9d7855c57c7d2c272b83a7b5bad4fea9cb29006d8e1d35  node-v22.11.0.tar.xz
+# From https://nodejs.org/dist/v22.13.1/SHASUMS256.txt.asc
+sha256  0a237c413ccbab920640438bf6e1a32edb19845bdc21f0e1cd5b91545ce1c126  node-v22.13.1-linux-arm64.tar.xz
+sha256  f2be8dca2a7a518f6d187aa4b18abbeeafd71096a6d95f73f4d8bc0f8d2394ea  node-v22.13.1-linux-armv7l.tar.xz
+sha256  377a7a1ea66f39251e1657f419e9404d526fcca9910620d0ecf0a870c6308f6b  node-v22.13.1-linux-ppc64le.tar.xz
+sha256  0d2a5af33c7deab5555c8309cd3f373446fe1526c1b95833935ab3f019733b3b  node-v22.13.1-linux-x64.tar.xz
+sha256  cfce282119390f7e0c2220410924428e90dadcb2df1744c0c4a0e7baae387cc2  node-v22.13.1.tar.xz
 # Locally calculated
-sha256  f0cb1ad806ba5d681f378a8cc2e539fe4b54839290eda3c814ec8994af2b8422  LICENSE
+sha256  9d72cce9b104ecb67feb8af38618511685190ae5a119cc0488ecae66b221000d  LICENSE
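Review bot: the removed comment line pointed at `https://nodejs.org/dist/v20.15.1/SHASUMS256.txt.asc` while the hashes it introduced were for node-v22.11.0, so the provenance comment was already stale before this bump; the new line correctly names v22.13.1, and it would be worth a sentence in the commit message that the SHASUMS256.txt.asc signature was checked against the Node.js release keys before the values were copied, since that signed file is the only upstream source of these sha256 values. The new LICENSE hash (`9d72cce9...`) is explained by the nlohmann JSON addition referenced in the message, which is good; future bumps should keep stating the reason whenever that "Locally calculated" hash changes, as an unexplained LICENSE hash change is the kind of diff a reviewer cannot otherwise distinguish from a tampered source tarball.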

+ 1 - 1
package/nodejs/nodejs.mk

@@ -5,7 +5,7 @@
 ################################################################################
 
 # _VERSION, _SOURCE and _SITE must be kept empty to avoid downloading anything
-NODEJS_COMMON_VERSION = 22.11.0
+NODEJS_COMMON_VERSION = 22.13.1
 NODEJS_COMMON_SOURCE = node-v$(NODEJS_COMMON_VERSION).tar.xz
 NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)
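Review bot: the version bump to 22.13.1 matches the new tarball names in nodejs.hash, and the unchanged `NODEJS_COMMON_SOURCE`/`NODEJS_COMMON_SITE` templates mean no other line needs touching here. One thing visible in the trailing context: `NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)` still fetches over plain http; integrity rests entirely on the sha256 values in nodejs.hash, so this is safe as long as those hashes are trusted, but switching the site to `https://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)` would be a cheap hardening against a downloader being served a tampered tarball and a noisy hash-mismatch failure, and could go in as a separate follow-up commit since it is outside the scope of a security bump.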