diff --git a/srcpkgs/http-parser/patches/cve_2020_8287.patch b/srcpkgs/http-parser/patches/cve_2020_8287.patch
new file mode 100644
index 0000000000..aa67b87b37
--- /dev/null
+++ b/srcpkgs/http-parser/patches/cve_2020_8287.patch
@@ -0,0 +1,56 @@
+Upstream: no
+Patch from NodeJS's vendored version:
+https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e
+
+--- http_parser.c
++++ http_parser.c
+@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser,
+ } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) {
+ parser->header_state = h_transfer_encoding;
+ parser->uses_transfer_encoding = 1;
++
++ /* Multiple `Transfer-Encoding` headers should be treated as
++ * one, but with values separate by a comma.
++ *
++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2
++ */
++ parser->flags &= ~F_CHUNKED;
+ }
+ break;
+
+--- test.c
++++ test.c
+@@ -2154,6 +2154,32 @@ const struct message responses[] =
+ ,.body= "2\r\nOK\r\n0\r\n\r\n"
+ ,.num_chunks_complete= 0
+ }
++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30
++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding"
++ ,.type= HTTP_RESPONSE
++ ,.raw= "HTTP/1.1 200 OK\r\n"
++ "Transfer-Encoding: chunked\r\n"
++ "Transfer-Encoding: identity\r\n"
++ "\r\n"
++ "2\r\n"
++ "OK\r\n"
++ "0\r\n"
++ "\r\n"
++ ,.should_keep_alive= FALSE
++ ,.message_complete_on_eof= TRUE
++ ,.http_major= 1
++ ,.http_minor= 1
++ ,.status_code= 200
++ ,.response_status= "OK"
++ ,.content_length= -1
++ ,.num_headers= 2
++ ,.headers=
++ { { "Transfer-Encoding", "chunked" }
++ , { "Transfer-Encoding", "identity" }
++ }
++ ,.body= "2\r\nOK\r\n0\r\n\r\n"
++ ,.num_chunks_complete= 0
++ }
+ };
+
+ /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so
+
diff --git a/srcpkgs/http-parser/template b/srcpkgs/http-parser/template
index 9a9e4a626d..a372064d4a 100644
--- a/srcpkgs/http-parser/template
+++ b/srcpkgs/http-parser/template
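Review bot: The regression case added to `responses[]` in test.c only covers a response carrying `Transfer-Encoding: chunked` followed by `Transfer-Encoding: identity`; the request path, where a front end and this parser disagreeing on message framing is the actual smuggling concern behind the CVE, has no matching case. I would add a request-side test with the same two headers that asserts the framing outcome the parser is expected to give, so that `parser->flags &= ~F_CHUNKED;` is pinned for both message types. Since the patch header says `Upstream: no`, a further header line such as `Drop once nodejs/http-parser carries this fix.` would tell the next maintainer when the patch can go. `http_parser_execute` begins and ends outside the quoted hunk, so how the cleared flag interacts with the later header-completion checks cannot be confirmed from here.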
@@ -1,15 +1,18 @@
 # Template file for 'http-parser'
 pkgname=http-parser
-version=2.9.4
+# 2.9.4, plus upstream commits through ec8b5ee, plus fc70ce0 from nodejs/node
+version=2.9.4.20201223
 revision=1
+_githash=ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d
+wrksrc="${pkgname}-${_githash}"
 build_style=gnu-makefile
 make_build_target=library
 short_desc="HTTP request/response parser for c"
 maintainer="Enno Boland "
 license="MIT"
-homepage="https://github.com/joyent/http-parser"
-distfiles="${homepage}/archive/v${version}.tar.gz"
-checksum=467b9e30fd0979ee301065e70f637d525c28193449e1b13fbcb1b1fab3ad224f
+homepage="https://github.com/nodejs/http-parser"
+distfiles="${homepage}/archive/${_githash}.tar.gz"
+checksum=765a21444322ea2476ca1e3cfeb74d280eeb37f4713cf52d2bf398dabf6e4128
 
 pre_install() {
 vmkdir usr/lib/pkgconfig
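Review bot: Nothing visible in this hunk makes the build run the parser's test suite, so the regression case that `patches/cve_2020_8287.patch` adds to test.c may never execute under `build_style=gnu-makefile` unless a check target is set elsewhere in the template. If the upstream Makefile's test target is named `test` (not visible here, so please confirm), adding `make_check_target=test` after `make_build_target=library` would have the package's check phase exercise the fix. The `pre_install()` body continues past the end of the hunk, so the rest of the template could not be reviewed.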