@node-core/utils 5.0.2 → 5.2.0

package/components/git/security.js

@@ -12,6 +12,10 @@ const securityOptions = {
     describe: 'Start security release process',
     type: 'boolean'
   },
+  sync: {
+    describe: 'Synchronize an ongoing security release with HackerOne',
+    type: 'boolean'
+  },
   'update-date': {
     describe: 'Updates the target date of the security release',
     type: 'string'
@@ -46,6 +50,10 @@ export function builder(yargs) {
     .example(
       'git node security --start',
       'Prepare a security release of Node.js')
+    .example(
+      'git node security --sync',
+      'Synchronize an ongoing security release with HackerOne'
+    )
     .example(
       'git node security --update-date=YYYY/MM/DD',
       'Updates the target date of the security release'
@@ -76,6 +84,9 @@ export function handler(argv) {
   if (argv.start) {
     return startSecurityRelease(argv);
   }
+  if (argv.sync) {
+    return syncSecurityRelease(argv);
+  }
   if (argv['update-date']) {
     return updateReleaseDate(argv);
   }
@@ -142,6 +153,13 @@ async function startSecurityRelease(argv) {
   return release.start();
 }
 
+async function syncSecurityRelease(argv) {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const release = new UpdateSecurityRelease(cli);
+  return release.sync();
+}
+
 async function notifyPreRelease() {
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);

package/components/git/v8.js

@@ -81,6 +81,7 @@ export function handler(argv) {
   options.execGitNode = function execGitNode(cmd, args, input) {
     args.unshift(cmd);
     return forceRunAsync('git', args, {
+      ignoreFailure: false,
       input,
       spawnArgs: {
         cwd: options.nodeDir,
@@ -91,6 +92,7 @@ export function handler(argv) {
 
   options.execGitV8 = function execGitV8(...args) {
     return forceRunAsync('git', args, {
+      ignoreFailure: false,
       captureStdout: true,
       spawnArgs: { cwd: options.v8Dir, stdio: ['ignore', 'pipe', 'ignore'] }
     });

package/lib/ci/run_ci.js

@@ -27,7 +27,7 @@ export class RunPRJob {
     this.certifySafe =
       certifySafe ||
       Promise.all([this.prData.getReviews(), this.prData.getPR()]).then(() =>
-        new PRChecker(cli, this.prData, request, {}).checkCommitsAfterReview()
+        new PRChecker(cli, this.prData, request, {}).checkCommitsAfterReviewOrLabel()
       );
   }
 

package/lib/github/templates/security-pre-release.md

@@ -18,6 +18,10 @@ releases lines on or shortly after, %RELEASE_DATE% in order to address:
 
 %IMPACT%
 
+It's important to note that End-of-Life versions are always affected when a security release occurs.
+To ensure your system's security, please use an up-to-date version as outlined in our
+[Release Schedule](https://github.com/nodejs/release#release-schedule).
+
 ## Release timing
 
 Releases will be available on, or shortly after, %RELEASE_DATE%.

package/lib/pr_checker.js

@@ -523,6 +523,32 @@ export default class PRChecker {
     return true;
   }
 
+  async checkCommitsAfterReviewOrLabel() {
+    if (this.checkCommitsAfterReview()) return true;
+
+    await Promise.all([this.data.getLabeledEvents(), this.data.getCollaborators()]);
+
+    const {
+      cli, data, pr
+    } = this;
+
+    const { updatedAt } = pr.timelineItems;
+    const requestCiLabels = data.labeledEvents.findLast(
+      ({ createdAt, label: { name } }) => name === 'request-ci' && createdAt > updatedAt
+    );
+    if (requestCiLabels == null) return false;
+
+    const { actor: { login } } = requestCiLabels;
+    const collaborators = Array.from(data.collaborators.values(),
+      (c) => c.login.toLowerCase());
+    if (collaborators.includes(login.toLowerCase())) {
+      cli.info('request-ci label was added by a Collaborator after the last push event.');
+      return true;
+    }
+
+    return false;
+  }
+
   checkCommitsAfterReview() {
     const {
       commits, reviews, cli, argv

package/lib/pr_data.js

@@ -5,6 +5,7 @@ import {
 } from './user_status.js';
 
 // lib/queries/*.gql file names
+const LABELED_EVENTS_QUERY = 'PRLabeledEvents';
 const PR_QUERY = 'PR';
 const REVIEWS_QUERY = 'Reviews';
 const COMMENTS_QUERY = 'PRComments';
@@ -33,6 +34,7 @@ export default class PRData {
     this.comments = [];
     this.commits = [];
     this.reviewers = [];
+    this.labeledEvents = [];
   }
 
   getThread() {
@@ -90,6 +92,14 @@ export default class PRData {
     ]);
   }
 
+  async getLabeledEvents() {
+    const { prid, owner, repo, cli, request, prStr } = this;
+    const vars = { prid, owner, repo };
+    cli.updateSpinner(`Getting labels from ${prStr}`);
+    this.labeledEvents = (await request.gql(LABELED_EVENTS_QUERY, vars))
+      .repository.pullRequest.timelineItems.nodes;
+  }
+
   async getComments() {
     const { prid, owner, repo, cli, request, prStr } = this;
     const vars = { prid, owner, repo };

package/lib/prepare_security.js

@@ -248,8 +248,7 @@ export default class PrepareSecurityRelease {
         });
 
       try {
-        const prUrl = dep.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
-        const res = await this.req.getPullRequest(prUrl);
+        const res = await this.req.getPullRequest(dep);
         const { html_url, title } = res;
         deps.push({
           name,

package/lib/queries/PRLabeledEvents.gql

@@ -0,0 +1,19 @@
+query PRLabeledEvents($prid: Int!, $owner: String!, $repo: String!, $after: String) {
+  repository(owner: $owner, name: $repo) {
+    pullRequest(number: $prid) {
+      timelineItems(itemTypes: LABELED_EVENT, after: $after, last: 100) {
+        nodes { 
+          ... on LabeledEvent {
+            actor {
+              login
+            }
+            label {
+              name
+            }
+            createdAt
+          }
+        }
+      }
+    }
+  }
+}

package/lib/request.js

@@ -77,7 +77,8 @@ export default class Request {
     return this.json(url, options);
   }
 
-  async getPullRequest(url) {
+  async getPullRequest(fullUrl) {
+    const prUrl = fullUrl.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
     const options = {
       method: 'GET',
       headers: {
@@ -86,7 +87,7 @@ export default class Request {
         Accept: 'application/vnd.github+json'
       }
     };
-    return this.json(url, options);
+    return this.json(prUrl, options);
   }
 
   async createPullRequest(title, body, { owner, repo, head, base }) {

package/lib/security-release/security-release.js

@@ -87,8 +87,8 @@ export async function getSupportedVersions() {
   return supportedVersions;
 }
 
-export async function getSummary(reportId, req) {
-  const { data } = await req.getReport(reportId);
+export function getSummary(report) {
+  const { data } = report;
   const summaryList = data?.relationships?.summaries?.data;
   if (!summaryList?.length) return;
   const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
@@ -139,17 +139,25 @@ export async function createIssue(title, content, repository, { cli, req }) {
   }
 }
 
-export async function pickReport(report, { cli, req }) {
+export function getReportSeverity(report) {
   const {
-    id, attributes: { title, cve_ids },
-    relationships: { severity, weakness, reporter }
+    relationships: { severity, weakness }
   } = report;
-  const link = `https://hackerone.com/reports/${id}`;
   const reportSeverity = {
     rating: severity?.data?.attributes?.rating || '',
     cvss_vector_string: severity?.data?.attributes?.cvss_vector_string || '',
     weakness_id: weakness?.data?.id || ''
   };
+  return reportSeverity;
+}
+
+export async function pickReport(report, { cli, req }) {
+  const {
+    id, attributes: { title, cve_ids },
+    relationships: { reporter, custom_field_values }
+  } = report;
+  const link = `https://hackerone.com/reports/${id}`;
+  const reportSeverity = getReportSeverity(report);
 
   cli.separator();
   cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
@@ -165,19 +173,27 @@ export async function pickReport(report, { cli, req }) {
     defaultAnswer: await getSupportedVersions()
   });
 
-  let patchAuthors = await cli.prompt(
-    'Add github username of the authors of the patch (split by comma if multiple)', {
-      questionType: 'input',
-      defaultAnswer: ''
-    });
-
-  if (!patchAuthors) {
-    patchAuthors = [];
+  let prURL = '';
+  let patchAuthors = [];
+  if (custom_field_values.data.length) {
+    prURL = custom_field_values.data[0].attributes.value;
+    const { user } = await req.getPullRequest(prURL);
+    patchAuthors = [user.login];
   } else {
-    patchAuthors = patchAuthors.split(',').map((p) => p.trim());
+    patchAuthors = await cli.prompt(
+      'Add github username of the authors of the patch (split by comma if multiple)', {
+        questionType: 'input',
+        defaultAnswer: ''
+      });
+
+    if (!patchAuthors) {
+      patchAuthors = [];
+    } else {
+      patchAuthors = patchAuthors.split(',').map((p) => p.trim());
+    }
   }
 
-  const summaryContent = await getSummary(id, req);
+  const summaryContent = getSummary(report);
 
   return {
     id,
@@ -186,6 +202,7 @@ export async function pickReport(report, { cli, req }) {
     severity: reportSeverity,
     summary: summaryContent ?? '',
     patchAuthors,
+    prURL,
     affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
     link,
     reporter: reporter.data.attributes.username

package/lib/update-v8/majorUpdate.js

@@ -14,7 +14,7 @@ import {
 } from './util.js';
 import applyNodeChanges from './applyNodeChanges.js';
 import { chromiumGit, v8Deps } from './constants.js';
-import { runAsync } from '../run.js';
+import { forceRunAsync } from '../run.js';
 
 export default function majorUpdate() {
   return {
@@ -83,7 +83,8 @@ function cloneLocalV8() {
   return {
     title: 'Clone branch to deps/v8',
     task: (ctx) =>
-      runAsync('git', ['clone', '-b', ctx.branch, ctx.v8Dir, 'deps/v8'], {
+      forceRunAsync('git', ['clone', '-b', ctx.branch, ctx.v8Dir, 'deps/v8'], {
+        ignoreFailure: false,
         spawnArgs: { cwd: ctx.nodeDir, stdio: 'ignore' }
       })
   };
@@ -101,7 +102,8 @@ function addDepsV8() {
     title: 'Track all files in deps/v8',
     // Add all V8 files with --force before updating DEPS. We have to do this
     // because some files are checked in by V8 despite .gitignore rules.
-    task: (ctx) => runAsync('git', ['add', '--force', 'deps/v8'], {
+    task: (ctx) => forceRunAsync('git', ['add', '--force', 'deps/v8'], {
+      ignoreFailure: false,
       spawnArgs: { cwd: ctx.nodeDir, stdio: 'ignore' }
     })
   };
@@ -164,6 +166,9 @@ async function fetchFromGit(cwd, repo, commit) {
   await removeDirectory(path.join(cwd, '.git'));
 
   function exec(...options) {
-    return runAsync('git', options, { spawnArgs: { cwd, stdio: 'ignore' } });
+    return forceRunAsync('git', options, {
+      ignoreFailure: false,
+      spawnArgs: { cwd, stdio: 'ignore' }
+    });
   }
 }

package/lib/update-v8/minorUpdate.js

@@ -6,7 +6,7 @@ import { Listr } from 'listr2';
 
 import { getCurrentV8Version } from './common.js';
 import { isVersionString } from './util.js';
-import { runAsync } from '../run.js';
+import { forceRunAsync } from '../run.js';
 
 export default function minorUpdate() {
   return {
@@ -27,7 +27,8 @@ function getLatestV8Version() {
     task: async(ctx) => {
       const version = ctx.currentVersion;
       const currentV8Tag = `${version.major}.${version.minor}.${version.build}`;
-      const result = await runAsync('git', ['tag', '-l', `${currentV8Tag}.*`], {
+      const result = await forceRunAsync('git', ['tag', '-l', `${currentV8Tag}.*`], {
+        ignoreFailure: false,
         captureStdout: true,
         spawnArgs: {
           cwd: ctx.v8Dir,
@@ -68,7 +69,8 @@ async function applyPatch(ctx, latestStr) {
     { cwd: ctx.v8Dir, stdio: ['ignore', 'pipe', 'ignore'] }
   );
   try {
-    await runAsync('git', ['apply', '--directory', 'deps/v8'], {
+    await forceRunAsync('git', ['apply', '--directory', 'deps/v8'], {
+      ignoreFailure: false,
       spawnArgs: {
         cwd: ctx.nodeDir,
         stdio: [diff.stdout, 'ignore', 'ignore']

package/lib/update-v8/updateV8Clone.js

@@ -20,6 +20,7 @@ function fetchOrigin() {
     task: async(ctx, task) => {
       try {
         await forceRunAsync('git', ['fetch', 'origin'], {
+          ignoreFailure: false,
           spawnArgs: { cwd: ctx.v8Dir, stdio: 'ignore' }
         });
       } catch (e) {
@@ -40,6 +41,7 @@ function createClone() {
     task: async(ctx) => {
       await fs.mkdir(ctx.baseDir, { recursive: true });
       await forceRunAsync('git', ['clone', v8Git, ctx.v8Dir], {
+        ignoreFailure: false,
         spawnArgs: { stdio: 'ignore' }
       });
     },

package/lib/update_security_release.js

@@ -2,9 +2,12 @@ import {
   NEXT_SECURITY_RELEASE_FOLDER,
   NEXT_SECURITY_RELEASE_REPOSITORY,
   checkoutOnSecurityReleaseBranch,
+  checkRemote,
   commitAndPushVulnerabilitiesJSON,
   validateDate,
-  pickReport
+  pickReport,
+  getReportSeverity,
+  getSummary
 } from './security-release/security-release.js';
 import fs from 'node:fs';
 import path from 'node:path';
@@ -18,6 +21,41 @@ export default class UpdateSecurityRelease {
     this.cli = cli;
   }
 
+  async sync() {
+    checkRemote(this.cli, this.repository);
+
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+    const req = new Request(credentials);
+    for (let i = 0; i < content.reports.length; ++i) {
+      let report = content.reports[i];
+      const { data } = await req.getReport(report.id);
+      const reportSeverity = getReportSeverity(data);
+      const summaryContent = getSummary(data);
+      const link = `https://hackerone.com/reports/${report.id}`;
+      let prURL = report.prURL;
+      if (data.relationships.custom_field_values.data.length) {
+        prURL = data.relationships.custom_field_values.data[0].attributes.value;
+      }
+
+      report = {
+        ...report,
+        title: data.attributes.title,
+        cveIds: data.attributes.cve_ids,
+        severity: reportSeverity,
+        summary: summaryContent ?? report.summary,
+        link,
+        prURL
+      };
+    }
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok('Synced vulnerabilities.json with HackerOne');
+  }
+
   async updateReleaseDate(releaseDate) {
     const { cli } = this;
 

package/lib/voting_session.js

@@ -114,7 +114,7 @@ export default class VotingSession extends Session {
     const body = 'I would like to close this vote, and for this effect, I\'m revealing my ' +
                  `key part:\n\n${'```'}\n${keyPart}\n${'```'}\n`;
     if (this.postComment) {
-      const { html_url } = await this.req.json(`https://api.github.com/repos/${this.owner}/${this.repo}/issues/${this.prid}/comments`, {
+      const { message, html_url } = await this.req.json(`https://api.github.com/repos/${this.owner}/${this.repo}/issues/${this.prid}/comments`, {
         agent: this.req.proxyAgent,
         method: 'POST',
         headers: {
@@ -124,13 +124,23 @@ export default class VotingSession extends Session {
         },
         body: JSON.stringify({ body })
       });
-      this.cli.log('Comment posted at:', html_url);
-    } else if (isGhAvailable()) {
+      if (html_url) {
+        this.cli.log(`Comment posted at: ${html_url}`);
+        return;
+      } else {
+        this.cli.warn(message);
+        this.cli.error('Failed to post comment');
+      }
+    }
+    if (isGhAvailable()) {
       this.cli.log('\nRun the following command to post the comment:\n');
       this.cli.log(
         `gh pr comment ${this.prid} --repo ${this.owner}/${this.repo} ` +
         `--body-file - <<'EOF'\n${body}\nEOF`
       );
+    } else {
+      this.cli.log('\nPost the following comment on the PR thread:\n');
+      this.cli.log(body);
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.0.2",
+  "version": "5.2.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -34,36 +34,36 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@listr2/prompt-adapter-enquirer": "^2.0.1",
-    "@node-core/caritat": "^1.3.0",
+    "@listr2/prompt-adapter-enquirer": "^2.0.8",
+    "@node-core/caritat": "^1.3.1",
     "@pkgjs/nv": "^0.2.2",
-    "branch-diff": "^3.0.2",
+    "branch-diff": "^3.0.4",
     "chalk": "^5.3.0",
-    "changelog-maker": "^4.0.1",
+    "changelog-maker": "^4.1.1",
     "cheerio": "^1.0.0-rc.12",
     "clipboardy": "^4.0.0",
     "core-validate-commit": "^4.0.0",
-    "figures": "^6.0.1",
-    "ghauth": "^6.0.1",
-    "inquirer": "^9.2.12",
+    "figures": "^6.1.0",
+    "ghauth": "^6.0.4",
+    "inquirer": "^9.2.22",
     "js-yaml": "^4.1.0",
-    "listr2": "^8.0.1",
+    "listr2": "^8.2.1",
     "lodash": "^4.17.21",
     "log-symbols": "^6.0.0",
     "ora": "^8.0.1",
     "replace-in-file": "^7.1.0",
-    "undici": "^6.3.0",
+    "undici": "^6.18.0",
     "which": "^4.0.0",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
-    "@reporters/github": "^1.5.4",
-    "c8": "^9.0.0",
-    "eslint": "^8.56.0",
+    "@reporters/github": "^1.7.0",
+    "c8": "^9.1.0",
+    "eslint": "^8.57.0",
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.29.1",
-    "eslint-plugin-n": "^16.6.1",
+    "eslint-plugin-n": "^16.6.2",
     "eslint-plugin-promise": "^6.1.1",
-    "sinon": "^17.0.1"
+    "sinon": "^18.0.0"
   }
 }