@node-core/utils 4.2.3 → 4.3.0

package/README.md

@@ -1,5 +1,5 @@
 # Node.js Core Utilities
-[![npm](https://img.shields.io/npm/v/node-core-utils.svg?style=flat-square)](https://npmjs.org/package/node-core-utils)
+[![npm](https://img.shields.io/npm/v/@node-core/utils.svg?style=flat-square)](https://npmjs.org/package/@node-core/utils)
 [![Build Status](https://img.shields.io/github/actions/workflow/status/nodejs/node-core-utils/nodejs.yml?branch=main&style=flat-square)](https://github.com/nodejs/node-core-utils/workflows/Node.js%20CI/badge.svg?branch=main)
 [![codecov](https://img.shields.io/codecov/c/github/nodejs/node-core-utils.svg?style=flat-square)](https://codecov.io/gh/nodejs/node-core-utils)
 [![Known Vulnerabilities](https://snyk.io/test/github/nodejs/node-core-utils/badge.svg?style=flat-square)](https://snyk.io/test/github/nodejs/node-core-utils)

package/lib/github/templates/next-security-release.md

@@ -3,13 +3,14 @@
 * [X] Open an [issue](https://github.com/nodejs-private/node-private) titled
   `Next Security Release`, and put this checklist in the description.
 
-* [ ] Get agreement on the list of vulnerabilities to be addressed:
-%REPORTS%
+* [ ] Get agreement on the [list of vulnerabilities](%VULNERABILITIES_PR_URL%) to be addressed.
 
 * [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
   * [ ] pre-release: %PRE_RELEASE_PRIV%
   * [ ] post-release: %POS_RELEASE_PRIV%
     * List vulnerabilities in order of descending severity
+    * Use the "summary" feature in HackerOne to sync post-release content
+      and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
     * Ask the HackerOne reporter if they would like to be credited on the
       security release blog page
 
@@ -20,10 +21,10 @@
 
 ## Announcement (one week in advance of the planned release)
 
-* [ ] Verify that GitHub Actions are working as normal: <https://www.githubstatus.com/>.
-
 * [ ] Check that all vulnerabilities are ready for release integration:
   * PRs against all affected release lines or cherry-pick clean
+  * PRs with breaking changes have a
+    [--security-revert](#Adding-a-security-revert-option) option if possible.
   * Approved
   * (optional) Approved by the reporter
     * Build and send the binary to the reporter according to its architecture

package/lib/prepare_security.js

@@ -2,6 +2,16 @@ import nv from '@pkgjs/nv';
 import auth from './auth.js';
 import Request from './request.js';
 import fs from 'node:fs';
+import { runSync } from './run.js';
+import path from 'node:path';
+
+export const PLACEHOLDERS = {
+  releaseDate: '%RELEASE_DATE%',
+  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
+  preReleasePrivate: '%PRE_RELEASE_PRIV%',
+  postReleasePrivate: '%POS_RELEASE_PRIV%',
+  affectedLines: '%AFFECTED_LINES%'
+};
 
 export default class SecurityReleaseSteward {
   constructor(cli) {
@@ -16,31 +26,100 @@ export default class SecurityReleaseSteward {
     });
 
     const req = new Request(credentials);
-    const create = await cli.prompt(
-      'Create the Next Security Release issue?',
-      { defaultAnswer: true });
-    if (create) {
-      const issue = new SecurityReleaseIssue(req);
-      const content = await issue.buildIssue(cli);
-      const data = await req.createIssue('Next Security Release', content, {
-        owner: 'nodejs-private',
-        repo: 'node-private'
-      });
-      if (data.html_url) {
-        cli.ok('Created: ' + data.html_url);
-      } else {
-        cli.error(data);
-      }
+    const release = new PrepareSecurityRelease(req);
+    const releaseDate = await release.promptReleaseDate(cli);
+    let securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL;
+
+    const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
+    if (createVulnerabilitiesJSON) {
+      securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
     }
+
+    const createIssue = await release.promptCreateRelaseIssue(cli);
+
+    if (createIssue) {
+      const { content } = release.buildIssue(releaseDate, securityReleasePRUrl);
+      await release.createIssue(content, { cli });
+    };
+
+    cli.ok('Done!');
+  }
+
+  async createVulnerabilitiesJSON(req, release, { cli }) {
+    // checkout on the next-security-release branch
+    release.checkoutOnSecurityReleaseBranch(cli);
+
+    // choose the reports to include in the security release
+    const reports = await release.chooseReports(cli);
+
+    // create the vulnerabilities.json file in the security-release repo
+    const filePath = await release.createVulnerabilitiesJSON(reports, { cli });
+
+    // review the vulnerabilities.json file
+    const review = await release.promptReviewVulnerabilitiesJSON(cli);
+
+    if (!review) {
+      cli.info(`To push the vulnerabilities.json file run:
+        - git add ${filePath}
+        - git commit -m "chore: create vulnerabilities.json for next security release"
+        - git push -u origin next-security-release
+        - open a PR on ${release.repository.owner}/${release.repository.repo}`);
+      return;
+    };
+
+    // commit and push the vulnerabilities.json file
+    release.commitAndPushVulnerabilitiesJSON(filePath, cli);
+
+    const createPr = await release.promptCreatePR(cli);
+
+    if (!createPr) return;
+
+    // create pr on the security-release repo
+    return release.createPullRequest(req, { cli });
   }
 }
 
-class SecurityReleaseIssue {
-  constructor(req) {
+class PrepareSecurityRelease {
+  repository = {
+    owner: 'nodejs-private',
+    repo: 'security-release'
+  };
+
+  title = 'Next Security Release';
+  nextSecurityReleaseBranch = 'next-security-release';
+
+  constructor(req, repository) {
     this.req = req;
-    this.content = '';
-    this.title = 'Next Security Release';
-    this.affectedLines = {};
+    if (repository) {
+      this.repository = repository;
+    }
+  }
+
+  promptCreatePR(cli) {
+    return cli.prompt(
+      'Create the Next Security Release PR?',
+      { defaultAnswer: true });
+  }
+
+  checkRemote(cli) {
+    const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
+    const { owner, repo } = this.repository;
+    const securityReleaseOrigin = `https://github.com/${owner}/${repo}.git`;
+
+    if (remote !== securityReleaseOrigin) {
+      cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
+      process.exit(1);
+    }
+  }
+
+  commitAndPushVulnerabilitiesJSON(filePath, cli) {
+    this.checkRemote(cli);
+
+    runSync('git', ['add', filePath]);
+    const commitMessage = 'chore: create vulnerabilities.json for next security release';
+    runSync('git', ['commit', '-m', commitMessage]);
+    runSync('git', ['push', '-u', 'origin', 'next-security-release']);
+    cli.ok(`Pushed commit: ${commitMessage} to ${this.nextSecurityReleaseBranch}`);
   }
 
   getSecurityIssueTemplate() {
@@ -53,31 +132,58 @@ class SecurityReleaseIssue {
     );
   }
 
-  async buildIssue(cli) {
-    this.content = this.getSecurityIssueTemplate();
-    cli.info('Getting triaged H1 reports...');
-    const reports = await this.req.getTriagedReports();
-    await this.fillReports(cli, reports);
-
-    this.fillAffectedLines(Object.keys(this.affectedLines));
-
-    const target = await cli.prompt('Enter target date in YYYY-MM-DD format:', {
+  async promptReleaseDate(cli) {
+    return cli.prompt('Enter target release date in YYYY-MM-DD format:', {
       questionType: 'input',
       defaultAnswer: 'TBD'
     });
-    this.fillTargetDate(target);
+  }
+
+  async promptVulnerabilitiesJSON(cli) {
+    return cli.prompt(
+      'Create the vulnerabilities.json?',
+      { defaultAnswer: true });
+  }
+
+  async promptCreateRelaseIssue(cli) {
+    return cli.prompt(
+      'Create the Next Security Release issue?',
+      { defaultAnswer: true });
+  }
 
-    return this.content;
+  async promptReviewVulnerabilitiesJSON(cli) {
+    return cli.prompt(
+      'Please review vulnerabilities.json and press enter to proceed.',
+      { defaultAnswer: true });
   }
 
-  async fillReports(cli, reports) {
+  buildIssue(releaseDate, securityReleasePRUrl) {
+    const template = this.getSecurityIssueTemplate();
+    const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
+      .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
+    return { releaseDate, content, securityReleasePRUrl };
+  }
+
+  async createIssue(content, { cli }) {
+    const data = await this.req.createIssue(this.title, content, this.repository);
+    if (data.html_url) {
+      cli.ok('Created: ' + data.html_url);
+    } else {
+      cli.error(data);
+      process.exit(1);
+    }
+  }
+
+  async chooseReports(cli) {
+    cli.info('Getting triaged H1 reports...');
+    const reports = await this.req.getTriagedReports();
     const supportedVersions = (await nv('supported'))
       .map((v) => v.versionName + '.x')
       .join(',');
+    const selectedReports = [];
 
-    let reportsContent = '';
     for (const report of reports.data) {
-      const { id, attributes: { title }, relationships: { severity } } = report;
+      const { id, attributes: { title, cve_ids }, relationships: { severity } } = report;
       const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
       cli.separator();
       cli.info(`Report: ${id} - ${title} (${reportLevel})`);
@@ -88,30 +194,90 @@ class SecurityReleaseIssue {
         continue;
       }
 
-      reportsContent +=
-        `  * **[${id}](https://hackerone.com/bugs?subject=nodejs&report_id=${id}) - ${title} (TBD) - (${reportLevel})**\n`;
       const versions = await cli.prompt('Which active release lines this report affects?', {
         questionType: 'input',
         defaultAnswer: supportedVersions
       });
-      for (const v of versions.split(',')) {
-        if (!this.affectedLines[v]) this.affectedLines[v] = true;
-        reportsContent += `    * ${v} - TBD\n`;
-      }
+      const summaryContent = await this.getSummary(id);
+
+      selectedReports.push({
+        id,
+        title,
+        cve_ids,
+        severity: reportLevel,
+        summary: summaryContent ?? '',
+        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim())
+      });
     }
-    this.content = this.content.replace('%REPORTS%', reportsContent);
+    return selectedReports;
+  }
+
+  async getSummary(reportId) {
+    const { data } = await this.req.getReport(reportId);
+    const summaryList = data?.relationships?.summaries?.data;
+    if (!summaryList?.length) return;
+    const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
+    if (!summaries?.length) return;
+    return summaries?.[0].attributes?.content;
   }
 
-  fillAffectedLines(affectedLines) {
-    let affected = '';
-    for (const line of affectedLines) {
-      affected += `  * ${line} - TBD\n`;
+  checkoutOnSecurityReleaseBranch(cli) {
+    this.checkRemote(cli);
+    const currentBranch = runSync('git', ['branch', '--show-current']).trim();
+    cli.info(`Current branch: ${currentBranch} `);
+
+    if (currentBranch !== this.nextSecurityReleaseBranch) {
+      runSync('git', ['checkout', '-B', this.nextSecurityReleaseBranch]);
+      cli.ok(`Checkout on branch: ${this.nextSecurityReleaseBranch} `);
+    };
+  }
+
+  async createVulnerabilitiesJSON(reports, { cli }) {
+    cli.separator('Creating vulnerabilities.json...');
+    const file = JSON.stringify({
+      reports
+    }, null, 2);
+
+    const folderPath = path.join(process.cwd(), 'security-release', 'next-security-release');
+    try {
+      await fs.accessSync(folderPath);
+    } catch (error) {
+      await fs.mkdirSync(folderPath, { recursive: true });
     }
-    this.content =
-      this.content.replace('%AFFECTED_LINES%', affected);
+
+    const fullPath = path.join(folderPath, 'vulnerabilities.json');
+    fs.writeFileSync(fullPath, file);
+    cli.ok(`Created ${fullPath} `);
+
+    return fullPath;
   }
 
-  fillTargetDate(date) {
-    this.content = this.content.replace('%RELEASE_DATE%', date);
+  async createPullRequest(req, { cli }) {
+    const { owner, repo } = this.repository;
+    const response = await req.createPullRequest(
+      this.title,
+      'List of vulnerabilities to be included in the next security release',
+      {
+        owner,
+        repo,
+        base: 'main',
+        head: 'next-security-release'
+      }
+
+    );
+    const url = response?.html_url;
+    if (url) {
+      cli.ok('Created: ' + url);
+      return url;
+    } else {
+      if (response?.errors) {
+        for (const error of response.errors) {
+          cli.error(error.message);
+        }
+      } else {
+        cli.error(response);
+      }
+      process.exit(1);
+    }
   }
 }

package/lib/request.js

@@ -77,6 +77,25 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async createPullRequest(title, body, { owner, repo, head, base }) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/pulls`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.github}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/vnd.github+json'
+      },
+      body: JSON.stringify({
+        title,
+        body,
+        head,
+        base
+      })
+    };
+    return this.json(url, options);
+  }
+
   async gql(name, variables, path) {
     const query = this.loadQuery(name);
     if (path) {
@@ -113,6 +132,19 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async getReport(reportId) {
+    const url = `https://api.hackerone.com/v1/reports/${reportId}`;
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      }
+    };
+    return this.json(url, options);
+  }
+
   // This is for github v4 API queries, for other types of queries
   // use .text or .json
   async query(query, variables) {

package/lib/update-v8/constants.js

@@ -34,6 +34,10 @@ const abseilIgnore = `!/third_party/abseil-cpp
 /third_party/abseil-cpp/.github
 /third_party/abseil-cpp/ci`;
 
+const fp16Ignore = `!/third_party/fp16
+/third_party/fp16/src/*
+!/third_party/fp16/src/include`;
+
 export const v8Deps = [
   {
     name: 'trace_event',
@@ -92,5 +96,11 @@ export const v8Deps = [
     repo: 'third_party/abseil-cpp',
     gitignore: abseilIgnore,
     since: 121
+  },
+  {
+    name: 'fp16',
+    repo: 'third_party/fp16/src',
+    gitignore: fp16Ignore,
+    since: 124
   }
 ];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "4.2.3",
+  "version": "4.3.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -34,35 +34,35 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@listr2/prompt-adapter-enquirer": "^1.0.2",
-    "@node-core/caritat": "^1.2.1",
+    "@listr2/prompt-adapter-enquirer": "^2.0.1",
+    "@node-core/caritat": "^1.3.0",
     "@pkgjs/nv": "^0.2.2",
-    "branch-diff": "^2.1.5",
+    "branch-diff": "^3.0.2",
     "chalk": "^5.3.0",
-    "changelog-maker": "^3.2.6",
+    "changelog-maker": "^4.0.1",
     "cheerio": "^1.0.0-rc.12",
     "clipboardy": "^4.0.0",
     "core-validate-commit": "^4.0.0",
     "figures": "^6.0.1",
-    "ghauth": "^6.0.0",
-    "inquirer": "^9.2.11",
+    "ghauth": "^6.0.1",
+    "inquirer": "^9.2.12",
     "js-yaml": "^4.1.0",
-    "listr2": "^7.0.2",
+    "listr2": "^8.0.1",
     "lodash": "^4.17.21",
     "log-symbols": "^6.0.0",
-    "ora": "^7.0.1",
-    "replace-in-file": "^7.0.2",
-    "undici": "^5.27.2",
+    "ora": "^8.0.1",
+    "replace-in-file": "^7.1.0",
+    "undici": "^6.3.0",
     "which": "^4.0.0",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
-    "@reporters/github": "^1.5.3",
-    "c8": "^8.0.1",
-    "eslint": "^8.53.0",
+    "@reporters/github": "^1.5.4",
+    "c8": "^9.0.0",
+    "eslint": "^8.56.0",
     "eslint-config-standard": "^17.1.0",
-    "eslint-plugin-import": "^2.29.0",
-    "eslint-plugin-n": "^16.2.0",
+    "eslint-plugin-import": "^2.29.1",
+    "eslint-plugin-n": "^16.6.1",
     "eslint-plugin-promise": "^6.1.1",
     "sinon": "^17.0.1"
   }