@node-core/utils 4.3.0 → 4.4.0

package/components/git/security.js

@@ -1,5 +1,8 @@
 import CLI from '../../lib/cli.js';
 import SecurityReleaseSteward from '../../lib/prepare_security.js';
+import UpdateSecurityRelease from '../../lib/update_security_release.js';
+import SecurityBlog from '../../lib/security_blog.js';
+import SecurityAnnouncement from '../../lib/security-announcement.js';
 
 export const command = 'security [options]';
 export const describe = 'Manage an in-progress security release or start a new one.';
@@ -8,6 +11,26 @@ const securityOptions = {
   start: {
     describe: 'Start security release process',
     type: 'boolean'
+  },
+  'update-date': {
+    describe: 'Updates the target date of the security release',
+    type: 'string'
+  },
+  'add-report': {
+    describe: 'Extracts data from HackerOne report and adds it into vulnerabilities.json',
+    type: 'string'
+  },
+  'remove-report': {
+    describe: 'Removes a report from vulnerabilities.json',
+    type: 'string'
+  },
+  'pre-release': {
+    describe: 'Create the pre-release announcement',
+    type: 'boolean'
+  },
+  'notify-pre-release': {
+    describe: 'Notify the community about the security release',
+    type: 'boolean'
   }
 };
 
@@ -15,21 +38,94 @@ let yargsInstance;
 
 export function builder(yargs) {
   yargsInstance = yargs;
-  return yargs.options(securityOptions).example(
-    'git node security --start',
-    'Prepare a security release of Node.js');
+  return yargs.options(securityOptions)
+    .example(
+      'git node security --start',
+      'Prepare a security release of Node.js')
+    .example(
+      'git node security --update-date=YYYY/MM/DD',
+      'Updates the target date of the security release'
+    )
+    .example(
+      'git node security --add-report=H1-ID',
+      'Fetches HackerOne report based on ID provided and adds it into vulnerabilities.json'
+    )
+    .example(
+      'git node security --remove-report=H1-ID',
+      'Removes the Hackerone report based on ID provided from vulnerabilities.json'
+    )
+    .example(
+      'git node security --pre-release' +
+      'Create the pre-release announcement on the Nodejs.org repo'
+    ).example(
+      'git node security --notify-pre-release' +
+      'Notifies the community about the security release'
+    );
 }
 
 export function handler(argv) {
   if (argv.start) {
     return startSecurityRelease(argv);
   }
+  if (argv['update-date']) {
+    return updateReleaseDate(argv);
+  }
+  if (argv['pre-release']) {
+    return createPreRelease(argv);
+  }
+  if (argv['add-report']) {
+    return addReport(argv);
+  }
+  if (argv['remove-report']) {
+    return removeReport(argv);
+  }
+  if (argv['notify-pre-release']) {
+    return notifyPreRelease(argv);
+  }
   yargsInstance.showHelp();
 }
 
-async function startSecurityRelease(argv) {
+async function removeReport(argv) {
+  const reportId = argv['remove-report'];
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const update = new UpdateSecurityRelease(cli);
+  return update.removeReport(reportId);
+}
+
+async function addReport(argv) {
+  const reportId = argv['add-report'];
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const update = new UpdateSecurityRelease(cli);
+  return update.addReport(reportId);
+}
+
+async function updateReleaseDate(argv) {
+  const releaseDate = argv['update-date'];
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const update = new UpdateSecurityRelease(cli);
+  return update.updateReleaseDate(releaseDate);
+}
+
+async function createPreRelease() {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const preRelease = new SecurityBlog(cli);
+  return preRelease.createPreRelease();
+}
+
+async function startSecurityRelease() {
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);
   const release = new SecurityReleaseSteward(cli);
   return release.start();
 }
+
+async function notifyPreRelease() {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const preRelease = new SecurityAnnouncement(cli);
+  return preRelease.notifyPreRelease();
+}

package/lib/github/templates/security-pre-release.md

@@ -0,0 +1,30 @@
+---
+date: %ANNOUNCEMENT_DATE%
+category: vulnerability
+title: %RELEASE_DATE% Security Releases
+slug: %SLUG%
+layout: blog-post
+author: The Node.js Project
+---
+
+# Summary
+
+The Node.js project will release new versions of the %AFFECTED_VERSIONS%
+releases lines on or shortly after, %RELEASE_DATE% in order to address:
+
+%VULNERABILITIES%
+%OPENSSL_UPDATES%
+## Impact
+
+%IMPACT%
+
+## Release timing
+
+Releases will be available on, or shortly after, %RELEASE_DATE%.
+
+## Contact and future updates
+
+The current Node.js security policy can be found at https://nodejs.org/en/security/.
+Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
+
+Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

package/lib/prepare_security.js

@@ -1,19 +1,21 @@
 import nv from '@pkgjs/nv';
-import auth from './auth.js';
-import Request from './request.js';
 import fs from 'node:fs';
-import { runSync } from './run.js';
 import path from 'node:path';
-
-export const PLACEHOLDERS = {
-  releaseDate: '%RELEASE_DATE%',
-  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
-  preReleasePrivate: '%PRE_RELEASE_PRIV%',
-  postReleasePrivate: '%POS_RELEASE_PRIV%',
-  affectedLines: '%AFFECTED_LINES%'
-};
+import auth from './auth.js';
+import Request from './request.js';
+import {
+  NEXT_SECURITY_RELEASE_BRANCH,
+  NEXT_SECURITY_RELEASE_FOLDER,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  PLACEHOLDERS,
+  checkoutOnSecurityReleaseBranch,
+  commitAndPushVulnerabilitiesJSON,
+  getSummary,
+  validateDate
+} from './security-release/security-release.js';
 
 export default class SecurityReleaseSteward {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
   constructor(cli) {
     this.cli = cli;
   }
@@ -28,9 +30,10 @@ export default class SecurityReleaseSteward {
     const req = new Request(credentials);
     const release = new PrepareSecurityRelease(req);
     const releaseDate = await release.promptReleaseDate(cli);
-    let securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL;
-
+    validateDate(releaseDate);
     const createVulnerabilitiesJSON = await release.promptVulnerabilitiesJSON(cli);
+
+    let securityReleasePRUrl;
     if (createVulnerabilitiesJSON) {
       securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
     }
@@ -38,7 +41,7 @@ export default class SecurityReleaseSteward {
     const createIssue = await release.promptCreateRelaseIssue(cli);
 
     if (createIssue) {
-      const { content } = release.buildIssue(releaseDate, securityReleasePRUrl);
+      const content = await release.buildIssue(releaseDate, securityReleasePRUrl);
       await release.createIssue(content, { cli });
     };
 
@@ -47,7 +50,7 @@ export default class SecurityReleaseSteward {
 
   async createVulnerabilitiesJSON(req, release, { cli }) {
     // checkout on the next-security-release branch
-    release.checkoutOnSecurityReleaseBranch(cli);
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
 
     // choose the reports to include in the security release
     const reports = await release.chooseReports(cli);
@@ -62,13 +65,14 @@ export default class SecurityReleaseSteward {
       cli.info(`To push the vulnerabilities.json file run:
         - git add ${filePath}
         - git commit -m "chore: create vulnerabilities.json for next security release"
-        - git push -u origin next-security-release
+        - git push -u origin ${NEXT_SECURITY_RELEASE_BRANCH}
         - open a PR on ${release.repository.owner}/${release.repository.repo}`);
       return;
     };
 
     // commit and push the vulnerabilities.json file
-    release.commitAndPushVulnerabilitiesJSON(filePath, cli);
+    const commitMessage = 'chore: create vulnerabilities.json for next security release';
+    commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli, repository: this.repository });
 
     const createPr = await release.promptCreatePR(cli);
 
@@ -80,13 +84,8 @@ export default class SecurityReleaseSteward {
 }
 
 class PrepareSecurityRelease {
-  repository = {
-    owner: 'nodejs-private',
-    repo: 'security-release'
-  };
-
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
   title = 'Next Security Release';
-  nextSecurityReleaseBranch = 'next-security-release';
 
   constructor(req, repository) {
     this.req = req;
@@ -101,41 +100,31 @@ class PrepareSecurityRelease {
       { defaultAnswer: true });
   }
 
-  checkRemote(cli) {
-    const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
-    const { owner, repo } = this.repository;
-    const securityReleaseOrigin = `https://github.com/${owner}/${repo}.git`;
-
-    if (remote !== securityReleaseOrigin) {
-      cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
-      process.exit(1);
+  async getSecurityIssueTemplate() {
+    const url = 'https://raw.githubusercontent.com/nodejs/node/main/doc/contributing/security-release-process.md';
+    try {
+      // fetch document from nodejs/node main so we dont need to keep a copy
+      const response = await fetch(url);
+      const body = await response.text();
+      // remove everything before the Planning section
+      const index = body.indexOf('## Planning');
+      if (index !== -1) {
+        return body.substring(index);
+      }
+      return body;
+    } catch (error) {
+      this.cli.error(`Could not retrieve the security issue template from ${url}`);
     }
   }
 
-  commitAndPushVulnerabilitiesJSON(filePath, cli) {
-    this.checkRemote(cli);
-
-    runSync('git', ['add', filePath]);
-    const commitMessage = 'chore: create vulnerabilities.json for next security release';
-    runSync('git', ['commit', '-m', commitMessage]);
-    runSync('git', ['push', '-u', 'origin', 'next-security-release']);
-    cli.ok(`Pushed commit: ${commitMessage} to ${this.nextSecurityReleaseBranch}`);
-  }
-
-  getSecurityIssueTemplate() {
-    return fs.readFileSync(
-      new URL(
-        './github/templates/next-security-release.md',
-        import.meta.url
-      ),
-      'utf-8'
-    );
-  }
-
   async promptReleaseDate(cli) {
-    return cli.prompt('Enter target release date in YYYY-MM-DD format:', {
+    const nextWeekDate = new Date();
+    nextWeekDate.setDate(nextWeekDate.getDate() + 7);
+    // Format the date as YYYY/MM/DD
+    const formattedDate = nextWeekDate.toISOString().slice(0, 10).replace(/-/g, '/');
+    return cli.prompt('Enter target release date in YYYY/MM/DD format:', {
       questionType: 'input',
-      defaultAnswer: 'TBD'
+      defaultAnswer: formattedDate
     });
   }
 
@@ -157,17 +146,17 @@ class PrepareSecurityRelease {
       { defaultAnswer: true });
   }
 
-  buildIssue(releaseDate, securityReleasePRUrl) {
-    const template = this.getSecurityIssueTemplate();
+  async buildIssue(releaseDate, securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL) {
+    const template = await this.getSecurityIssueTemplate();
     const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
       .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
-    return { releaseDate, content, securityReleasePRUrl };
+    return content;
   }
 
   async createIssue(content, { cli }) {
     const data = await this.req.createIssue(this.title, content, this.repository);
     if (data.html_url) {
-      cli.ok('Created: ' + data.html_url);
+      cli.ok(`Created: ${data.html_url}`);
     } else {
       cli.error(data);
       process.exit(1);
@@ -178,15 +167,32 @@ class PrepareSecurityRelease {
     cli.info('Getting triaged H1 reports...');
     const reports = await this.req.getTriagedReports();
     const supportedVersions = (await nv('supported'))
-      .map((v) => v.versionName + '.x')
+      .map((v) => `${v.versionName}.x`)
       .join(',');
     const selectedReports = [];
 
     for (const report of reports.data) {
-      const { id, attributes: { title, cve_ids }, relationships: { severity } } = report;
-      const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
+      const {
+        id, attributes: { title, cve_ids, created_at },
+        relationships: { severity, weakness, reporter }
+      } = report;
+      const link = `https://hackerone.com/reports/${id}`;
+      let reportSeverity = {
+        rating: '',
+        cvss_vector_string: '',
+        weakness_id: ''
+      };
+      if (severity?.data?.attributes?.cvss_vector_string) {
+        const { cvss_vector_string, rating } = severity.data.attributes;
+        reportSeverity = {
+          cvss_vector_string,
+          rating,
+          weakness_id: weakness?.data?.id
+        };
+      }
+
       cli.separator();
-      cli.info(`Report: ${id} - ${title} (${reportLevel})`);
+      cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
       const include = await cli.prompt(
         'Would you like to include this report to the next security release?',
         { defaultAnswer: true });
@@ -198,47 +204,30 @@ class PrepareSecurityRelease {
         questionType: 'input',
         defaultAnswer: supportedVersions
       });
-      const summaryContent = await this.getSummary(id);
+      const summaryContent = await getSummary(id, this.req);
 
       selectedReports.push({
         id,
         title,
         cve_ids,
-        severity: reportLevel,
+        severity: reportSeverity,
         summary: summaryContent ?? '',
-        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim())
+        affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
+        link,
+        reporter: reporter.data.attributes.username,
+        created_at // when we request CVE we need to input vulnerability_discovered_at
       });
     }
     return selectedReports;
   }
 
-  async getSummary(reportId) {
-    const { data } = await this.req.getReport(reportId);
-    const summaryList = data?.relationships?.summaries?.data;
-    if (!summaryList?.length) return;
-    const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
-    if (!summaries?.length) return;
-    return summaries?.[0].attributes?.content;
-  }
-
-  checkoutOnSecurityReleaseBranch(cli) {
-    this.checkRemote(cli);
-    const currentBranch = runSync('git', ['branch', '--show-current']).trim();
-    cli.info(`Current branch: ${currentBranch} `);
-
-    if (currentBranch !== this.nextSecurityReleaseBranch) {
-      runSync('git', ['checkout', '-B', this.nextSecurityReleaseBranch]);
-      cli.ok(`Checkout on branch: ${this.nextSecurityReleaseBranch} `);
-    };
-  }
-
   async createVulnerabilitiesJSON(reports, { cli }) {
     cli.separator('Creating vulnerabilities.json...');
     const file = JSON.stringify({
       reports
     }, null, 2);
 
-    const folderPath = path.join(process.cwd(), 'security-release', 'next-security-release');
+    const folderPath = path.join(process.cwd(), NEXT_SECURITY_RELEASE_FOLDER);
     try {
       await fs.accessSync(folderPath);
     } catch (error) {
@@ -267,17 +256,16 @@ class PrepareSecurityRelease {
     );
     const url = response?.html_url;
     if (url) {
-      cli.ok('Created: ' + url);
+      cli.ok(`Created: ${url}`);
       return url;
-    } else {
-      if (response?.errors) {
-        for (const error of response.errors) {
-          cli.error(error.message);
-        }
-      } else {
-        cli.error(response);
+    }
+    if (response?.errors) {
+      for (const error of response.errors) {
+        cli.error(error.message);
       }
-      process.exit(1);
+    } else {
+      cli.error(response);
     }
+    process.exit(1);
   }
 }

package/lib/security-announcement.js

@@ -0,0 +1,83 @@
+import {
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  checkoutOnSecurityReleaseBranch,
+  getVulnerabilitiesJSON,
+  validateDate,
+  formatDateToYYYYMMDD
+} from './security-release/security-release.js';
+import auth from './auth.js';
+import Request from './request.js';
+
+export default class SecurityAnnouncement {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  req;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async notifyPreRelease() {
+    const { cli } = this;
+
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    this.req = new Request(credentials);
+
+    // checkout on security release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    // read vulnerabilities JSON file
+    const content = getVulnerabilitiesJSON(cli);
+    // validate the release date read from vulnerabilities JSON
+    if (!content.releaseDate) {
+      cli.error('Release date is not set in vulnerabilities.json,' +
+        ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
+      process.exit(1);
+    }
+
+    validateDate(content.releaseDate);
+    const releaseDate = new Date(content.releaseDate);
+
+    await Promise.all([this.createDockerNodeIssue(releaseDate),
+      this.createBuildWGIssue(releaseDate)]);
+  }
+
+  async createBuildWGIssue(releaseDate) {
+    const repository = {
+      owner: 'nodejs',
+      repo: 'build'
+    };
+
+    const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
+    await this.createIssue(title, content, repository);
+  }
+
+  createPreleaseAnnouncementIssue(releaseDate, team) {
+    const title = `[NEXT-SECURITY-RELEASE] Heads up on upcoming Node.js\
+ security release ${formatDateToYYYYMMDD(releaseDate)}`;
+    const content = 'As per security release workflow,' +
+      ` creating issue to give the ${team} team a heads up.`;
+    return { title, content };
+  }
+
+  async createDockerNodeIssue(releaseDate) {
+    const repository = {
+      owner: 'nodejs',
+      repo: 'docker-node'
+    };
+
+    const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
+    await this.createIssue(title, content, repository);
+  }
+
+  async createIssue(title, content, repository) {
+    const data = await this.req.createIssue(title, content, repository);
+    if (data.html_url) {
+      this.cli.ok(`Created: ${data.html_url}`);
+    } else {
+      this.cli.error(data);
+      process.exit(1);
+    }
+  }
+}

package/lib/security-release/security-release.js

@@ -0,0 +1,109 @@
+import { runSync } from '../run.js';
+import nv from '@pkgjs/nv';
+import fs from 'node:fs';
+import path from 'node:path';
+
+export const NEXT_SECURITY_RELEASE_BRANCH = 'next-security-release';
+export const NEXT_SECURITY_RELEASE_FOLDER = 'security-release/next-security-release';
+
+export const NEXT_SECURITY_RELEASE_REPOSITORY = {
+  owner: 'nodejs-private',
+  repo: 'security-release'
+};
+
+export const PLACEHOLDERS = {
+  releaseDate: '%RELEASE_DATE%',
+  vulnerabilitiesPRURL: '%VULNERABILITIES_PR_URL%',
+  preReleasePrivate: '%PRE_RELEASE_PRIV%',
+  postReleasePrivate: '%POS_RELEASE_PRIV%',
+  affectedLines: '%AFFECTED_LINES%',
+  annoucementDate: '%ANNOUNCEMENT_DATE%',
+  slug: '%SLUG%',
+  affectedVersions: '%AFFECTED_VERSIONS%',
+  openSSLUpdate: '%OPENSSL_UPDATES%',
+  impact: '%IMPACT%',
+  vulnerabilities: '%VULNERABILITIES%'
+};
+
+export function checkRemote(cli, repository) {
+  const remote = runSync('git', ['ls-remote', '--get-url', 'origin']).trim();
+  const { owner, repo } = repository;
+  const securityReleaseOrigin = [
+    `https://github.com/${owner}/${repo}.git`,
+    `git@github.com:${owner}/${repo}.git`
+  ];
+
+  if (!securityReleaseOrigin.includes(remote)) {
+    cli.error(`Wrong repository! It should be ${securityReleaseOrigin}`);
+    process.exit(1);
+  }
+}
+
+export function checkoutOnSecurityReleaseBranch(cli, repository) {
+  checkRemote(cli, repository);
+  const currentBranch = runSync('git', ['branch', '--show-current']).trim();
+  cli.info(`Current branch: ${currentBranch} `);
+
+  if (currentBranch !== NEXT_SECURITY_RELEASE_BRANCH) {
+    runSync('git', ['checkout', '-B', NEXT_SECURITY_RELEASE_BRANCH]);
+    cli.ok(`Checkout on branch: ${NEXT_SECURITY_RELEASE_BRANCH} `);
+  };
+}
+
+export function commitAndPushVulnerabilitiesJSON(filePath, commitMessage, { cli, repository }) {
+  checkRemote(cli, repository);
+
+  if (Array.isArray(filePath)) {
+    for (const path of filePath) {
+      runSync('git', ['add', path]);
+    }
+  } else {
+    runSync('git', ['add', filePath]);
+  }
+
+  runSync('git', ['commit', '-m', commitMessage]);
+  runSync('git', ['push', '-u', 'origin', NEXT_SECURITY_RELEASE_BRANCH]);
+  cli.ok(`Pushed commit: ${commitMessage} to ${NEXT_SECURITY_RELEASE_BRANCH}`);
+}
+
+export async function getSupportedVersions() {
+  const supportedVersions = (await nv('supported'))
+    .map((v) => `${v.versionName}.x`)
+    .join(',');
+  return supportedVersions;
+}
+
+export async function getSummary(reportId, req) {
+  const { data } = await req.getReport(reportId);
+  const summaryList = data?.relationships?.summaries?.data;
+  if (!summaryList?.length) return;
+  const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
+  if (!summaries?.length) return;
+  return summaries?.[0].attributes?.content;
+}
+
+export function getVulnerabilitiesJSON(cli) {
+  const vulnerabilitiesJSONPath = path.join(process.cwd(),
+    NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  cli.startSpinner(`Reading vulnerabilities.json from ${vulnerabilitiesJSONPath}..`);
+  const file = JSON.parse(fs.readFileSync(vulnerabilitiesJSONPath, 'utf-8'));
+  cli.stopSpinner(`Done reading vulnerabilities.json from ${vulnerabilitiesJSONPath}`);
+  return file;
+}
+
+export function validateDate(releaseDate) {
+  const value = new Date(releaseDate).valueOf();
+  if (Number.isNaN(value) || value < 0) {
+    throw new Error('Invalid date format');
+  }
+}
+
+export function formatDateToYYYYMMDD(date) {
+  // Get year, month, and day
+  const year = date.getFullYear();
+  const month = String(date.getMonth() + 1).padStart(2, '0'); // Months are zero-based
+  const day = String(date.getDate()).padStart(2, '0');
+
+  // Concatenate year, month, and day with slashes
+  return `${year}/${month}/${day}`;
+}

package/lib/security_blog.js

@@ -0,0 +1,182 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import _ from 'lodash';
+import {
+  PLACEHOLDERS,
+  getVulnerabilitiesJSON,
+  checkoutOnSecurityReleaseBranch,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  validateDate
+} from './security-release/security-release.js';
+
+export default class SecurityBlog {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async createPreRelease() {
+    const { cli } = this;
+
+    // checkout on security release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // read vulnerabilities JSON file
+    const content = getVulnerabilitiesJSON(cli);
+    // validate the release date read from vulnerabilities JSON
+    if (!content.releaseDate) {
+      cli.error('Release date is not set in vulnerabilities.json,' +
+        ' run `git node security --update-date=YYYY/MM/DD` to set the release date.');
+      process.exit(1);
+    }
+
+    validateDate(content.releaseDate);
+    const releaseDate = new Date(content.releaseDate);
+
+    const template = this.getSecurityPreReleaseTemplate();
+    const data = {
+      annoucementDate: await this.getAnnouncementDate(cli),
+      releaseDate: this.formatReleaseDate(releaseDate),
+      affectedVersions: this.getAffectedVersions(content),
+      vulnerabilities: this.getVulnerabilities(content),
+      slug: this.getSlug(releaseDate),
+      impact: this.getImpact(content),
+      openSSLUpdate: await this.promptOpenSSLUpdate(cli)
+    };
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' }).toLowerCase();
+    const year = releaseDate.getFullYear();
+    const fileName = `${month}-${year}-security-releases.md`;
+    const preRelease = this.buildPreRelease(template, data);
+    const file = path.join(process.cwd(), fileName);
+    fs.writeFileSync(file, preRelease);
+    cli.ok(`Pre-release announcement file created at ${file}`);
+  }
+
+  promptOpenSSLUpdate(cli) {
+    return cli.prompt('Does this security release containt OpenSSL updates?', {
+      defaultAnswer: true
+    });
+  }
+
+  formatReleaseDate(releaseDate) {
+    const options = {
+      weekday: 'long',
+      month: 'long',
+      day: 'numeric',
+      year: 'numeric'
+    };
+    return releaseDate.toLocaleDateString('en-US', options);
+  }
+
+  buildPreRelease(template, data) {
+    const {
+      annoucementDate,
+      releaseDate,
+      affectedVersions,
+      vulnerabilities,
+      slug,
+      impact,
+      openSSLUpdate
+    } = data;
+    return template.replaceAll(PLACEHOLDERS.annoucementDate, annoucementDate)
+      .replaceAll(PLACEHOLDERS.slug, slug)
+      .replaceAll(PLACEHOLDERS.affectedVersions, affectedVersions)
+      .replaceAll(PLACEHOLDERS.vulnerabilities, vulnerabilities)
+      .replaceAll(PLACEHOLDERS.releaseDate, releaseDate)
+      .replaceAll(PLACEHOLDERS.impact, impact)
+      .replaceAll(PLACEHOLDERS.openSSLUpdate, this.getOpenSSLUpdateTemplate(openSSLUpdate));
+  }
+
+  getOpenSSLUpdateTemplate(openSSLUpdate) {
+    if (openSSLUpdate) {
+      return '\n## OpenSSL Security updates\n\n' +
+        'This security release includes OpenSSL security updates\n';
+    }
+    return '';
+  }
+
+  getSlug(releaseDate) {
+    const month = releaseDate.toLocaleString('en-US', { month: 'long' });
+    const year = releaseDate.getFullYear();
+    return `${month.toLocaleLowerCase()}-${year}-security-releases`;
+  }
+
+  async getAnnouncementDate(cli) {
+    try {
+      const date = await this.promptAnnouncementDate(cli);
+      validateDate(date);
+      return new Date(date).toISOString();
+    } catch (error) {
+      return PLACEHOLDERS.annoucementDate;
+    }
+  }
+
+  promptAnnouncementDate(cli) {
+    const today = new Date().toISOString().substring(0, 10).replace(/-/g, '/');
+    return cli.prompt('When is the security release going to be announced? ' +
+      'Enter in YYYY/MM/DD format:', {
+      questionType: 'input',
+      defaultAnswer: today
+    });
+  }
+
+  getImpact(content) {
+    const impact = content.reports.reduce((acc, report) => {
+      for (const affectedVersion of report.affectedVersions) {
+        if (acc[affectedVersion]) {
+          acc[affectedVersion].push(report);
+        } else {
+          acc[affectedVersion] = [report];
+        }
+      }
+      return acc;
+    }, {});
+
+    const impactText = [];
+    for (const [key, value] of Object.entries(impact)) {
+      const groupedByRating = Object.values(_.groupBy(value, 'severity.rating'))
+        .map(severity => {
+          if (!severity[0]?.severity?.rating) {
+            this.cli.error(`severity.rating not found for the report ${severity[0].id}. \
+              Please add it manually before continuing.`);
+            process.exit(1);
+          }
+          const firstSeverityRating = severity[0].severity.rating.toLocaleLowerCase();
+          return `${severity.length} ${firstSeverityRating} severity issues`;
+        }).join(', ');
+
+      impactText.push(`The ${key} release line of Node.js is vulnerable to ${groupedByRating}.`);
+    }
+
+    return impactText.join('\n');
+  }
+
+  getVulnerabilities(content) {
+    const grouped = _.groupBy(content.reports, 'severity.rating');
+    const text = [];
+    for (const [key, value] of Object.entries(grouped)) {
+      text.push(`- ${value.length} ${key.toLocaleLowerCase()} severity issues.`);
+    }
+    return text.join('\n');
+  }
+
+  getAffectedVersions(content) {
+    const affectedVersions = new Set();
+    for (const report of Object.values(content.reports)) {
+      for (const affectedVersion of report.affectedVersions) {
+        affectedVersions.add(affectedVersion);
+      }
+    }
+    return Array.from(affectedVersions).join(', ');
+  }
+
+  getSecurityPreReleaseTemplate() {
+    return fs.readFileSync(
+      new URL(
+        './github/templates/security-pre-release.md',
+        import.meta.url
+      ),
+      'utf-8'
+    );
+  }
+}

package/lib/update_security_release.js

@@ -0,0 +1,138 @@
+import {
+  NEXT_SECURITY_RELEASE_FOLDER,
+  NEXT_SECURITY_RELEASE_REPOSITORY,
+  checkoutOnSecurityReleaseBranch,
+  commitAndPushVulnerabilitiesJSON,
+  getSupportedVersions,
+  getSummary,
+  validateDate
+} from './security-release/security-release.js';
+import fs from 'node:fs';
+import path from 'node:path';
+import auth from './auth.js';
+import Request from './request.js';
+
+export default class UpdateSecurityRelease {
+  repository = NEXT_SECURITY_RELEASE_REPOSITORY;
+  constructor(cli) {
+    this.cli = cli;
+  }
+
+  async updateReleaseDate(releaseDate) {
+    const { cli } = this;
+
+    try {
+      validateDate(releaseDate);
+    } catch (error) {
+      cli.error('Invalid date format. Please use the format yyyy/mm/dd.');
+      process.exit(1);
+    }
+
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // update the release date in the vulnerabilities.json file
+    const updatedVulnerabilitiesFiles = await this.updateVulnerabilitiesJSON(releaseDate, { cli });
+
+    const commitMessage = `chore: update the release date to ${releaseDate}`;
+    commitAndPushVulnerabilitiesJSON(updatedVulnerabilitiesFiles,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+
+  readVulnerabilitiesJSON(vulnerabilitiesJSONPath) {
+    const exists = fs.existsSync(vulnerabilitiesJSONPath);
+
+    if (!exists) {
+      this.cli.error(`The file vulnerabilities.json does not exist at ${vulnerabilitiesJSONPath}`);
+      process.exit(1);
+    }
+
+    return JSON.parse(fs.readFileSync(vulnerabilitiesJSONPath, 'utf8'));
+  }
+
+  getVulnerabilitiesJSONPath() {
+    return path.join(process.cwd(),
+      NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  }
+
+  async updateVulnerabilitiesJSON(releaseDate) {
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    content.releaseDate = releaseDate;
+
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+
+    this.cli.ok(`Updated the release date in vulnerabilities.json: ${releaseDate}`);
+    return [vulnerabilitiesJSONPath];
+  }
+
+  async addReport(reportId) {
+    const { cli } = this;
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+
+    const req = new Request(credentials);
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+
+    // get h1 report
+    const { data: report } = await req.getReport(reportId);
+    const { id, attributes: { title, cve_ids }, relationships: { severity, reporter } } = report;
+    // if severity is not set on h1, set it to TBD
+    const reportLevel = severity ? severity.data.attributes.rating : 'TBD';
+
+    // get the affected versions
+    const supportedVersions = await getSupportedVersions();
+    const versions = await cli.prompt('Which active release lines this report affects?', {
+      questionType: 'input',
+      defaultAnswer: supportedVersions
+    });
+
+    // get the team summary from h1 report
+    const summaryContent = await getSummary(id, req);
+
+    const entry = {
+      id,
+      title,
+      cve_ids,
+      severity: reportLevel,
+      summary: summaryContent ?? '',
+      affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
+      reporter: reporter.data.attributes.username
+    };
+
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    content.reports.push(entry);
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${id}`);
+    const commitMessage = `chore: added report ${id} to vulnerabilities.json`;
+    commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+
+  removeReport(reportId) {
+    const { cli } = this;
+    // checkout on the next-security-release branch
+    checkoutOnSecurityReleaseBranch(cli, this.repository);
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const found = content.reports.some((report) => report.id === reportId);
+    if (!found) {
+      cli.error(`Report with id ${reportId} not found in vulnerabilities.json`);
+      process.exit(1);
+    }
+    content.reports = content.reports.filter((report) => report.id !== reportId);
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok(`Updated vulnerabilities.json with the report: ${reportId}`);
+
+    const commitMessage = `chore: remove report ${reportId} from vulnerabilities.json`;
+    commitAndPushVulnerabilitiesJSON(vulnerabilitiesJSONPath,
+      commitMessage, { cli, repository: this.repository });
+    cli.ok('Done!');
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "4.3.0",
+  "version": "4.4.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {

package/lib/github/templates/next-security-release.md

@@ -1,98 +0,0 @@
-## Planning
-
-* [X] Open an [issue](https://github.com/nodejs-private/node-private) titled
-  `Next Security Release`, and put this checklist in the description.
-
-* [ ] Get agreement on the [list of vulnerabilities](%VULNERABILITIES_PR_URL%) to be addressed.
-
-* [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
-  * [ ] pre-release: %PRE_RELEASE_PRIV%
-  * [ ] post-release: %POS_RELEASE_PRIV%
-    * List vulnerabilities in order of descending severity
-    * Use the "summary" feature in HackerOne to sync post-release content
-      and CVE requests. Example [2038134](https://hackerone.com/bugs?subject=nodejs\&report_id=2038134)
-    * Ask the HackerOne reporter if they would like to be credited on the
-      security release blog page
-
-* [ ] Get agreement on the planned date for the release: %RELEASE_DATE%
-
-* [ ] Get release team volunteers for all affected lines:
-%AFFECTED_LINES%
-
-## Announcement (one week in advance of the planned release)
-
-* [ ] Check that all vulnerabilities are ready for release integration:
-  * PRs against all affected release lines or cherry-pick clean
-  * PRs with breaking changes have a
-    [--security-revert](#Adding-a-security-revert-option) option if possible.
-  * Approved
-  * (optional) Approved by the reporter
-    * Build and send the binary to the reporter according to its architecture
-      and ask for a review. This step is important to avoid insufficient fixes
-      between Security Releases.
-  * Have CVEs
-    * Make sure that dependent libraries have CVEs for their issues. We should
-      only create CVEs for vulnerabilities in Node.js itself. This is to avoid
-      having duplicate CVEs for the same vulnerability.
-  * Described in the pre/post announcements
-
-* [ ] Pre-release announcement to nodejs.org blog: TBD
-  (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
-  nodejs/nodejs.org)
-
-* [ ] Pre-release announcement [email](https://groups.google.com/forum/#!forum/nodejs-sec): TBD
-  * Subject: `Node.js security updates for all active release lines, Month Year`
-
-* [ ] CC `oss-security@lists.openwall.com` on pre-release
-  * [ ] Forward the email you receive to `oss-security@lists.openwall.com`.
-
-* [ ] Create a new issue in [nodejs/tweet](https://github.com/nodejs/tweet/issues)
-
-* [ ] Request releaser(s) to start integrating the PRs to be released.
-
-* [ ] Notify [docker-node](https://github.com/nodejs/docker-node/issues) of upcoming security release date:  TBD
-
-* [ ] Notify build-wg of upcoming security release date by opening an issue
-  in [nodejs/build](https://github.com/nodejs/build/issues) to request WG members are available to fix any CI issues: TBD
-
-## Release day
-
-* [ ] [Lock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release)
-
-* [ ] The releaser(s) run the release process to completion.
-
-* [ ] [Unlock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release)
-
-* [ ] Post-release announcement to Nodejs.org blog:
-  * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
-    nodejs/nodejs.org)
-
-* [ ] Post-release announcement in reply email: TBD
-
-* [ ] Notify `#nodejs-social` about the release.
-
-* [ ] Comment in [docker-node][] issue that release is ready for integration.
-  The docker-node team will build and release docker image updates.
-
-* [ ] For every H1 report resolved:
-  * Close as Resolved
-  * Request Disclosure
-  * Request publication of H1 CVE requests
-    * (Check that the "Version Fixed" field in the CVE is correct, and provide
-      links to the release blogs in the "Public Reference" section)
-
-* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
-  [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)
-  vulnerability DB.
-  * For each vulnerability add a `#.json` file, one can copy an existing
-    [json](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/core/78.json)
-    file, and increment the latest created file number and use that as the name
-    of the new file to be added. For example, `79.json`.
-
-* [ ] Close this issue
-
-* [ ] Make sure the PRs for the vulnerabilities are closed.
-
-* [ ] PR in that you stewarded the release in
-  [Security release stewards](https://github.com/nodejs/node/blob/HEAD/doc/contributing/security-release-process.md#security-release-stewards).
-  If necessary add the next rotation of the steward rotation.