@node-core/utils 4.0.0

package/lib/figures.js

@@ -0,0 +1,7 @@
+import chalk from 'chalk';
+import figures from 'figures';
+
+export const warning = chalk.yellow(figures.warning);
+export const error = chalk.red(figures.cross);
+export const info = chalk.blue(figures.info);
+export const success = chalk.green(figures.tick);

package/lib/file.js

@@ -0,0 +1,43 @@
+import fs from 'node:fs';
+import path from 'node:path';
+
+export function appendFile(file, content) {
+  const parts = path.parse(file);
+  if (!fs.existsSync(parts.dir)) {
+    fs.mkdirSync(parts.dir, { recursive: true });
+  }
+  // TODO(joyeecheung): what if the file is a dir?
+  fs.appendFileSync(file, content, 'utf8');
+};
+
+export function writeFile(file, content) {
+  const parts = path.parse(file);
+  if (parts.dir !== '' && !fs.existsSync(parts.dir)) {
+    fs.mkdirSync(parts.dir, { recursive: true });
+  }
+  // TODO(joyeecheung): what if the file is a dir?
+  fs.writeFileSync(file, content, 'utf8');
+};
+
+export function writeJson(file, obj) {
+  writeFile(file, `${JSON.stringify(obj, null, 2)}\n`);
+};
+
+export function readFile(file) {
+  if (fs.existsSync(file)) {
+    return fs.readFileSync(file, 'utf8');
+  }
+  return '';
+};
+
+export function readJson(file) {
+  const content = readFile(file);
+  if (content) {
+    return JSON.parse(content);
+  }
+  return {};
+};
+
+export function removeDirectory(directory) {
+  return fs.promises.rm(directory, { recursive: true, force: true });
+}

package/lib/github/templates/next-security-release.md

@@ -0,0 +1,97 @@
+## Planning
+
+* [X] Open an [issue](https://github.com/nodejs-private/node-private) titled
+  `Next Security Release`, and put this checklist in the description.
+
+* [ ] Get agreement on the list of vulnerabilities to be addressed:
+%REPORTS%
+
+* [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
+  * [ ] pre-release: %PRE_RELEASE_PRIV%
+  * [ ] post-release: %POS_RELEASE_PRIV%
+    * List vulnerabilities in order of descending severity
+    * Ask the HackerOne reporter if they would like to be credited on the
+      security release blog page
+
+* [ ] Get agreement on the planned date for the release: %RELEASE_DATE%
+
+* [ ] Get release team volunteers for all affected lines:
+%AFFECTED_LINES%
+
+## Announcement (one week in advance of the planned release)
+
+* [ ] Verify that GitHub Actions are working as normal: <https://www.githubstatus.com/>.
+
+* [ ] Check that all vulnerabilities are ready for release integration:
+  * PRs against all affected release lines or cherry-pick clean
+  * Approved
+  * (optional) Approved by the reporter
+    * Build and send the binary to the reporter according to its architecture
+      and ask for a review. This step is important to avoid insufficient fixes
+      between Security Releases.
+  * Have CVEs
+    * Make sure that dependent libraries have CVEs for their issues. We should
+      only create CVEs for vulnerabilities in Node.js itself. This is to avoid
+      having duplicate CVEs for the same vulnerability.
+  * Described in the pre/post announcements
+
+* [ ] Pre-release announcement to nodejs.org blog: TBD
+  (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
+  nodejs/nodejs.org)
+
+* [ ] Pre-release announcement [email](https://groups.google.com/forum/#!forum/nodejs-sec): TBD
+  * Subject: `Node.js security updates for all active release lines, Month Year`
+
+* [ ] CC `oss-security@lists.openwall.com` on pre-release
+  * [ ] Forward the email you receive to `oss-security@lists.openwall.com`.
+
+* [ ] Create a new issue in [nodejs/tweet](https://github.com/nodejs/tweet/issues)
+
+* [ ] Request releaser(s) to start integrating the PRs to be released.
+
+* [ ] Notify [docker-node](https://github.com/nodejs/docker-node/issues) of upcoming security release date:  TBD
+
+* [ ] Notify build-wg of upcoming security release date by opening an issue
+  in [nodejs/build](https://github.com/nodejs/build/issues) to request WG members are available to fix any CI issues: TBD
+
+## Release day
+
+* [ ] [Lock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release)
+
+* [ ] The releaser(s) run the release process to completion.
+
+* [ ] [Unlock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release)
+
+* [ ] Post-release announcement to Nodejs.org blog: https://github.com/nodejs/nodejs.org/pull/5447
+  * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
+    nodejs/nodejs.org)
+
+* [ ] Post-release announcement in reply email: TBD
+
+* [ ] Create a new issue in nodejs/tweet
+
+* [ ] Comment in [docker-node][] issue that release is ready for integration.
+  The docker-node team will build and release docker image updates.
+
+* [ ] For every H1 report resolved:
+  * Close as Resolved
+  * Request Disclosure
+  * Request publication of H1 CVE requests
+    * (Check that the "Version Fixed" field in the CVE is correct, and provide
+      links to the release blogs in the "Public Reference" section)
+
+* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
+  [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)
+  vulnerability DB. https://github.com/nodejs/security-wg/pull/1029
+  * For each vulnerability add a `#.json` file, one can copy an existing
+    [json](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/core/78.json)
+    file, and increment the latest created file number and use that as the name
+    of the new file to be added. For example, `79.json`.
+
+* [ ] Close this issue
+
+* [ ] Make sure the PRs for the vulnerabilities are closed.
+
+* [ ] PR in that you stewarded the release in
+  [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
+  If necessary add the next rotation of the steward rotation.

package/lib/github/tree.js

@@ -0,0 +1,162 @@
+import { flatten } from '../utils.js';
+
+const COMMIT_QUERY = 'LastCommit';
+const TREE_QUERY = 'TreeEntries';
+
+export default class GitHubTree {
+  constructor(cli, request, argv) {
+    this.cli = cli;
+    this.request = request;
+
+    this.owner = argv.owner;
+    this.repo = argv.repo;
+    this.branch = argv.branch;
+
+    if (argv.path.endsWith('/')) {
+      this.path = argv.path.slice(0, argv.path - 1);
+    } else {
+      this.path = argv.path;
+    }
+
+    this.lastCommit = argv.commit || null;
+  }
+
+  get repoUrl() {
+    const base = 'https://github.com';
+    const { owner, repo } = this;
+    return `${base}/${owner}/${repo}`;
+  }
+
+  async _getLastCommit() {
+    const { request, owner, repo, branch, path } = this;
+    const data = await request.gql(COMMIT_QUERY, {
+      owner,
+      repo,
+      branch,
+      path
+    });
+    return data.repository.ref.target.history.nodes[0].oid;
+  }
+
+  /**
+   * @returns {string} the hash of the last commit in the tree
+   */
+  async getLastCommit() {
+    if (this.lastCommit) {
+      return this.lastCommit;
+    }
+    this.lastCommit = await this._getLastCommit();
+    return this.lastCommit;
+  }
+
+  getPermanentUrl() {
+    if (!this.lastCommit) {
+      throw new Error('Call await tree.getLastCommit() first');
+    }
+    const commit = this.lastCommit;
+    return `${this.repoUrl}/tree/${commit.slice(0, 10)}/${this.path}`;
+  }
+
+  async buffer(assetPath) {
+    await this.getLastCommit();
+    const url = this.getAssetUrl(assetPath);
+    return this.request.buffer(url);
+  }
+
+  /**
+   * Get the url of an asset. If the assetPath starts with `/`,
+   * it will be treated as an absolute path and the
+   * the path of the tree will not be prefixed in the url.
+   * @param {string} assetPath
+   */
+  getAssetUrl(assetPath) {
+    if (!this.lastCommit) {
+      throw new Error('Call await tree.getLastCommit() first');
+    }
+    const base = 'https://raw.githubusercontent.com';
+    const { owner, repo, lastCommit, path } = this;
+    const prefix = `${base}/${owner}/${repo}/${lastCommit}`;
+    if (assetPath.startsWith('/')) {  // absolute
+      return `${prefix}/${assetPath}`;
+    } else {
+      return `${prefix}/${path}/${assetPath}`;
+    }
+  }
+
+  /**
+   * Get a list of files inside the tree (recursively).
+   * The returned file names will be relative to the path of the tree,
+   * e.g. `url/resources/data.json` in a tree with `url` as path
+   * will be `resources/data.json`
+   *
+   * @returns {{name: string, type: string}[]}
+   */
+  async getFiles(path) {
+    if (!path) {
+      path = this.path;
+    }
+    let lastCommit = this.lastCommit;
+    if (!lastCommit) {
+      lastCommit = await this.getLastCommit();
+    }
+    const { request, owner, repo } = this;
+
+    const expression = `${lastCommit}:${path}`;
+    this.cli.updateSpinner(`Querying files for ${path}`);
+    const data = await request.gql(TREE_QUERY, {
+      owner,
+      repo,
+      expression
+    });
+    const files = data.repository.object.entries;
+
+    const dirs = files.filter((file) => file.type === 'tree');
+    const nondirs = files.filter((file) => file.type !== 'tree');
+
+    if (dirs.length) {
+      const expanded = await Promise.all(
+        dirs.map((dir) =>
+          this.getFiles(`${path}/${dir.name}`)
+            .then(files => files.map(
+              ({ name, type }) => ({ name: `${dir.name}/${name}`, type })
+            ))
+        )
+      );
+      return nondirs.concat(flatten(expanded));
+    } else {
+      return nondirs;
+    }
+  }
+
+  getCacheKey() {
+    const { branch, owner, repo, path } = this;
+    return `tree-${owner}-${repo}-${branch}-${clean(path)}`;
+  }
+}
+
+function clean(path) {
+  if (!path) {
+    return '';
+  }
+  return path.replace('/', '-');
+}
+
+// Uncomment this when testing to avoid extra network costs
+// import Cache from '../cache.js';
+// const treeCache = new Cache();
+
+// treeCache.wrap(GitHubTree, {
+//   _getLastCommit() {
+//     return { key: `${this.getCacheKey()}-commit`, ext: '.json' };
+//   },
+//   getFiles(path) {
+//     return {
+//       key: `${this.getCacheKey()}-${clean(path)}-files`,
+//       ext: '.json'
+//     };
+//   },
+//   text(assetPath) {
+//     return { key: `${this.getCacheKey()}-${clean(assetPath)}`, ext: '.txt' };
+//   }
+// });
+// treeCache.enable();