diff --git a/download b/download index e3fa3b71b5565c07272a996fbffa89ab484039fb..9d710d1391a745b1445a2eaf96d05ae49b9af853 100644 --- a/download +++ b/download @@ -1,4 +1,4 @@ 202bcb573b72c91238010bec571db597 cjs-module-lexer-1.2.2.tar.gz -fd8dbfdf21cd14b7b6ddc0eaf044623a node-v18.17.1-stripped.tar.gz -2874a2ccbe36eee688bd9cea51cb1ed3 undici-5.22.1.tar.gz +ae54410d48c20be18ac7474d0dc9c451 node-v18.18.2-stripped.tar.gz +4a2f048ebe5917a52940738d88396e8e undici-5.26.3.tar.gz d80d3731d039b0944b405044dabd5f93 wasi-sdk-11.0-linux.tar.gz diff --git a/icu4c-73_1-src.zip b/icu4c-73_2-src.tgz similarity index 70% rename from icu4c-73_1-src.zip rename to icu4c-73_2-src.tgz index 8b78b922843f9c79ca09940136f0de3d6c0f7130..997d513ef1a9e81771387a0bac1e18d5e8dc980b 100644 Binary files a/icu4c-73_1-src.zip and b/icu4c-73_2-src.tgz differ diff --git a/nodejs-tarball.sh b/nodejs-tarball.sh index 6a94b29db54b160948dcbea9fd41b75e2f410d2c..f59d5c2823177ee29f2bef4c8ff9a331de201acf 100755 --- a/nodejs-tarball.sh +++ b/nodejs-tarball.sh @@ -120,10 +120,10 @@ rm -rf node-v${version}/deps/openssl tar -zcf node-v${version}-stripped.tar.gz node-v${version} # Download the matching version of ICU -rm -f icu4c*-src.zip icu.md5 +rm -f icu4c*-src.tgz icu.md5 ICUMD5=$(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].md5') wget $(cat node-v${version}/tools/icu/current_ver.dep |jq -r '.[0].url') -ICUTARBALL=$(ls -1 icu4c*-src.zip) +ICUTARBALL=$(ls -1 icu4c*-src.tgz) echo "$ICUMD5 $ICUTARBALL" > icu.md5 md5sum -c icu.md5 rm -f icu.md5 SHASUMS256.txt diff --git a/nodejs.spec b/nodejs.spec index e2ffd6a05a6745cbf9b01096bbbe592a8b9f399d..b611871584bcb9184fec30a535fccb7b6e78d8e5 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -1,4 +1,4 @@ -%define anolis_release .0.2 +%define anolis_release .0.1 %global with_debug 0 # PowerPC, s390x and aarch64 segfault during Debug builds 
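Review bot: The ICU archive name in nodejs-tarball.sh is still found by globbing with a hard-coded suffix (`ICUTARBALL=$(ls -1 icu4c*-src.tgz)`), so the checksum step only works while that suffix matches the URL listed in `current_ver.dep`, which is the coupling that forced this change. Taking the name from the URL itself, `ICUURL=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep)` followed by `ICUTARBALL=$(basename "$ICUURL")`, ties the download and the checksum line to the same file and cannot expand to zero or several names. `md5sum -c icu.md5` is the only integrity check on that download visible in the hunk, and MD5 is not collision-resistant, so treat it as a corruption check rather than protection against a substituted archive. The start of the script is outside the hunk; if it does not set `-e`, append `|| exit 1` to the `md5sum -c` line so a mismatch stops the run before the tarball is uploaded.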
@@ -42,8 +42,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 17 -%global nodejs_patch 1 +%global nodejs_minor 18 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -79,7 +79,7 @@ %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.52.0 +%global nghttp2_version 1.57.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 @@ -95,7 +95,7 @@ # ICU - from tools/icu/current_ver.dep %global icu_major 73 -%global icu_minor 1 +%global icu_minor 2 %global icu_version %{icu_major}.%{icu_minor} %global icudatadir %{nodejs_datadir}/icudata @@ -115,11 +115,11 @@ # simduft from deps/simdutf/simdutf.h %global simduft_major 3 %global simduft_minor 2 -%global simduft_patch 12 +%global simduft_patch 14 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} # ada from deps/ada/ada.h -%global ada_version 2.5.0 +%global ada_version 2.6.0 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -134,7 +134,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 9.6.7 +%global npm_version 9.8.1 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -149,7 +149,7 @@ %global uvwasi_version 0.0.18 # histogram_c - assumed from timestamps -%global histogram_version 0.11.2 +%global histogram_version 0.11.8 Name: nodejs Epoch: %{nodejs_epoch} 
@@ -168,7 +168,7 @@ ExclusiveArch: %{nodejs_arches} Source0: node-v%{nodejs_version}-stripped.tar.gz Source1: npmrc Source2: btest402.js -Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.zip +Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-src.tgz Source100: %{name}-tarball.sh # The native module Requires generator remains in the nodejs SRPM, so it knows @@ -192,10 +192,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz -# Adjustments: rm -f undici-5.22.1/lib/llhttp/llhttp*.wasm +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.3.tar.gz +# Adjustments: rm -f undici-5.26.3/lib/llhttp/llhttp*.wasm # Build uses alpine image, see alpine for sources for wasi-sdk -Source111: undici-5.22.1.tar.gz +Source111: undici-5.26.3.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch @@ -463,7 +463,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -unzip -a %{SOURCE3} +tar xzf %{SOURCE3} pushd icu/source 
@@ -733,11 +733,14 @@ end %changelog -* Sat Oct 07 2023 Zhao Hang -1:18.17.1-1.0.2 -- update requires and recommands - -* Fri Sep 29 2023 Bo Liu -1:18.17.1-1.0.1 +* Mon Oct 23 2023 Bo Liu -1:18.18.2-1.0.1 - Fixes CVE-2022-25883 +- update requires and recommands (wb-zh951434@alibaba-inc.com) + +* Sat Oct 14 2023 Zuzana Svetlikova - 1:18.18.2-1 +- Rebase to 18.18.2 (Security release) +- Switch icu from zip to tgz +- Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333 * Wed Aug 23 2023 Jan Staněk - 1:18.17.1-1 - Rebase to version 18.17.1