Log message:
Mass-change BUILD_DEPENDS to TOOL_DEPENDS outside mk/.

Almost all uses, if not all of them, are wrong, according to the
semantics of BUILD_DEPENDS (packages built for target available for
use _by_ tools at build-time) and TOOL_DEPEPNDS (packages built for
host available for use _as_ tools at build-time).

No change to BUILD_DEPENDS as used correctly inside buildlink3.

As proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html

Log message:
*: recursive bump for nghttp3 shlib major change

Log message:
*: recursive bump for ngtcp2 shlib major bump

Log message:
nodejs16: updated to 16.20.0

Version 16.20.0 'Gallium' (LTS)

Notable Changes

deps:
update undici to 5.20.0 (Node.js GitHub Bot)
update c-ares to 1.19.0 (Michaël Zasso)
upgrade npm to 8.19.4 (npm team)
update corepack to 0.17.0 (Node.js GitHub Bot)
(SEMVER-MINOR) src: add support for externally shared js builtins (Michael Dawson)

Log message:
nodejs16: updated to 16.19.1

Version 16.19.1 'Gallium' (LTS)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

* CVE-2023-23918: Node.js Permissions policies can be bypassed via \ 
process.mainModule (High)
* CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library \ 
(Medium)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU\_DATA \ 
environment variable (Low)

Log message:
nodejs16: updated to 16.19.0

Version 16.19.0 'Gallium' (LTS)

Notable Changes

OpenSSL 1.1.1s

This OpenSSL version does not address any security vulnerabilities.

Root certificates updated to NSS 3.85

Time zone update to 2022f

Log message:
nodejs16: disable dtrace, depend on nghttp3 and ngtcp2, revision bump

Log message:
nodejs16: updated to 16.18.1

Version 16.18.1 'Gallium' (LTS)

This is a security release.

Notable changes

The following CVEs are fixed in this release:

* \ 
**[CVE-2022-43548](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548)**: \ 
DNS rebinding in --inspect via invalid octal IP address (Medium)

Log message:
lang/nodejs{,16}: as expected by upstream, install corepack (and bump
PKGREVISION). For earlier versions, no change.

Log message:
nodejs16: updated to 16.18.0

Version 16.18.0 'Gallium' (LTS)

Notable changes

- (SEMVER-MINOR) assert: add getCalls and reset to callTracker (Moshe Atlow)
- (SEMVER-MINOR) crypto: allow zero-length secret KeyObject (Filip Skokan)
- (SEMVER-MINOR) crypto: allow zero-length IKM in HKDF and in webcrypto PBKDF2 \ 
(Filip Skokan)
- (SEMVER-MINOR) doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen)
- (SEMVER-MINOR) http: make idle http parser count configurable (theanarkh)
- (SEMVER-MINOR) http: throw error on content-length mismatch (sidwebworks)
- (SEMVER-MINOR) lib: add diagnostics channel for process and worker (theanarkh)
- (SEMVER-MINOR) net,tls: pass a valid socket on tlsClientError (Daeyeon Jeong)
- (SEMVER-MINOR) net: add local family (theanarkh)
- (SEMVER-MINOR) report: expose report public native apis (Chengzhong Wu)
- (SEMVER-MINOR) src: expose environment RequestInterrupt api (Chengzhong Wu)
- (SEMVER-MINOR) stream: add ReadableByteStream.tee() (Daeyeon Jeong)
- (SEMVER-MINOR) test_runner: add before/after/each hooks (Moshe Atlow)
- (SEMVER-MINOR) util: add maxArrayLength option to Set and Map (Kohei Ueno)