node: update to v12.18.4

Vulnerabilities fixed:
* CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
* CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).

Imported patches from the debian package.

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>

lang/node/patches/999-localhost-no-addrconfig.patch

@@ -0,0 +1,29 @@
+Description: do not use dns.ADDRCONFIG for localhost
+ it fails on IPv6-only systems. Setting it with libc fails on linux.
+ https://github.com/nodejs/node/issues/33279
+Author: Jérémy Lal <kapouer@melix.org>
+Last-Update: 2020-06-11
+Bug-Debian: https://bugs.debian.org/962318
+Forwarded: https://github.com/nodejs/node/issues/33816
+--- a/lib/net.js
++++ b/lib/net.js
+@@ -1,4 +1,5 @@
+ // Copyright Joyent, Inc. and other Node contributors.
++
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a
+ // copy of this software and associated documentation files (the
+@@ -1028,13 +1029,6 @@
+     hints: options.hints || 0
+   };
+ 
+-  if (!isWindows &&
+-      dnsopts.family !== 4 &&
+-      dnsopts.family !== 6 &&
+-      dnsopts.hints === 0) {
+-    dnsopts.hints = dns.ADDRCONFIG;
+-  }
+-
+   debug('connect: find host', host);
+   debug('connect: dns options', dnsopts);
+   self._host = host;