@node-core/utils 5.1.0 → 5.2.0

package/components/git/security.js

@@ -12,6 +12,10 @@ const securityOptions = {
     describe: 'Start security release process',
     type: 'boolean'
   },
+  sync: {
+    describe: 'Synchronize an ongoing security release with HackerOne',
+    type: 'boolean'
+  },
   'update-date': {
     describe: 'Updates the target date of the security release',
     type: 'string'
@@ -46,6 +50,10 @@ export function builder(yargs) {
     .example(
       'git node security --start',
       'Prepare a security release of Node.js')
+    .example(
+      'git node security --sync',
+      'Synchronize an ongoing security release with HackerOne'
+    )
     .example(
       'git node security --update-date=YYYY/MM/DD',
       'Updates the target date of the security release'
@@ -76,6 +84,9 @@ export function handler(argv) {
   if (argv.start) {
     return startSecurityRelease(argv);
   }
+  if (argv.sync) {
+    return syncSecurityRelease(argv);
+  }
   if (argv['update-date']) {
     return updateReleaseDate(argv);
   }
@@ -142,6 +153,13 @@ async function startSecurityRelease(argv) {
   return release.start();
 }
 
+async function syncSecurityRelease(argv) {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const release = new UpdateSecurityRelease(cli);
+  return release.sync();
+}
+
 async function notifyPreRelease() {
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);

package/lib/github/templates/security-pre-release.md

@@ -18,6 +18,10 @@ releases lines on or shortly after, %RELEASE_DATE% in order to address:
 
 %IMPACT%
 
+It's important to note that End-of-Life versions are always affected when a security release occurs.
+To ensure your system's security, please use an up-to-date version as outlined in our
+[Release Schedule](https://github.com/nodejs/release#release-schedule).
+
 ## Release timing
 
 Releases will be available on, or shortly after, %RELEASE_DATE%.

package/lib/prepare_security.js

@@ -248,8 +248,7 @@ export default class PrepareSecurityRelease {
         });
 
       try {
-        const prUrl = dep.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
-        const res = await this.req.getPullRequest(prUrl);
+        const res = await this.req.getPullRequest(dep);
         const { html_url, title } = res;
         deps.push({
           name,

package/lib/request.js

@@ -77,7 +77,8 @@ export default class Request {
     return this.json(url, options);
   }
 
-  async getPullRequest(url) {
+  async getPullRequest(fullUrl) {
+    const prUrl = fullUrl.replace('https://github.com/', 'https://api.github.com/repos/').replace('pull', 'pulls');
     const options = {
       method: 'GET',
       headers: {
@@ -86,7 +87,7 @@ export default class Request {
         Accept: 'application/vnd.github+json'
       }
     };
-    return this.json(url, options);
+    return this.json(prUrl, options);
   }
 
   async createPullRequest(title, body, { owner, repo, head, base }) {

package/lib/security-release/security-release.js

@@ -87,8 +87,8 @@ export async function getSupportedVersions() {
   return supportedVersions;
 }
 
-export async function getSummary(reportId, req) {
-  const { data } = await req.getReport(reportId);
+export function getSummary(report) {
+  const { data } = report;
   const summaryList = data?.relationships?.summaries?.data;
   if (!summaryList?.length) return;
   const summaries = summaryList.filter((summary) => summary?.attributes?.category === 'team');
@@ -139,17 +139,25 @@ export async function createIssue(title, content, repository, { cli, req }) {
   }
 }
 
-export async function pickReport(report, { cli, req }) {
+export function getReportSeverity(report) {
   const {
-    id, attributes: { title, cve_ids },
-    relationships: { severity, weakness, reporter }
+    relationships: { severity, weakness }
   } = report;
-  const link = `https://hackerone.com/reports/${id}`;
   const reportSeverity = {
     rating: severity?.data?.attributes?.rating || '',
     cvss_vector_string: severity?.data?.attributes?.cvss_vector_string || '',
     weakness_id: weakness?.data?.id || ''
   };
+  return reportSeverity;
+}
+
+export async function pickReport(report, { cli, req }) {
+  const {
+    id, attributes: { title, cve_ids },
+    relationships: { reporter, custom_field_values }
+  } = report;
+  const link = `https://hackerone.com/reports/${id}`;
+  const reportSeverity = getReportSeverity(report);
 
   cli.separator();
   cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating})`);
@@ -165,19 +173,27 @@ export async function pickReport(report, { cli, req }) {
     defaultAnswer: await getSupportedVersions()
   });
 
-  let patchAuthors = await cli.prompt(
-    'Add github username of the authors of the patch (split by comma if multiple)', {
-      questionType: 'input',
-      defaultAnswer: ''
-    });
-
-  if (!patchAuthors) {
-    patchAuthors = [];
+  let prURL = '';
+  let patchAuthors = [];
+  if (custom_field_values.data.length) {
+    prURL = custom_field_values.data[0].attributes.value;
+    const { user } = await req.getPullRequest(prURL);
+    patchAuthors = [user.login];
   } else {
-    patchAuthors = patchAuthors.split(',').map((p) => p.trim());
+    patchAuthors = await cli.prompt(
+      'Add github username of the authors of the patch (split by comma if multiple)', {
+        questionType: 'input',
+        defaultAnswer: ''
+      });
+
+    if (!patchAuthors) {
+      patchAuthors = [];
+    } else {
+      patchAuthors = patchAuthors.split(',').map((p) => p.trim());
+    }
   }
 
-  const summaryContent = await getSummary(id, req);
+  const summaryContent = getSummary(report);
 
   return {
     id,
@@ -186,6 +202,7 @@ export async function pickReport(report, { cli, req }) {
     severity: reportSeverity,
     summary: summaryContent ?? '',
     patchAuthors,
+    prURL,
     affectedVersions: versions.split(',').map((v) => v.replace('v', '').trim()),
     link,
     reporter: reporter.data.attributes.username

package/lib/update_security_release.js

@@ -2,9 +2,12 @@ import {
   NEXT_SECURITY_RELEASE_FOLDER,
   NEXT_SECURITY_RELEASE_REPOSITORY,
   checkoutOnSecurityReleaseBranch,
+  checkRemote,
   commitAndPushVulnerabilitiesJSON,
   validateDate,
-  pickReport
+  pickReport,
+  getReportSeverity,
+  getSummary
 } from './security-release/security-release.js';
 import fs from 'node:fs';
 import path from 'node:path';
@@ -18,6 +21,41 @@ export default class UpdateSecurityRelease {
     this.cli = cli;
   }
 
+  async sync() {
+    checkRemote(this.cli, this.repository);
+
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    const credentials = await auth({
+      github: true,
+      h1: true
+    });
+    const req = new Request(credentials);
+    for (let i = 0; i < content.reports.length; ++i) {
+      let report = content.reports[i];
+      const { data } = await req.getReport(report.id);
+      const reportSeverity = getReportSeverity(data);
+      const summaryContent = getSummary(data);
+      const link = `https://hackerone.com/reports/${report.id}`;
+      let prURL = report.prURL;
+      if (data.relationships.custom_field_values.data.length) {
+        prURL = data.relationships.custom_field_values.data[0].attributes.value;
+      }
+
+      report = {
+        ...report,
+        title: data.attributes.title,
+        cveIds: data.attributes.cve_ids,
+        severity: reportSeverity,
+        summary: summaryContent ?? report.summary,
+        link,
+        prURL
+      };
+    }
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    this.cli.ok('Synced vulnerabilities.json with HackerOne');
+  }
+
   async updateReleaseDate(releaseDate) {
     const { cli } = this;
 

package/lib/voting_session.js

@@ -114,7 +114,7 @@ export default class VotingSession extends Session {
     const body = 'I would like to close this vote, and for this effect, I\'m revealing my ' +
                  `key part:\n\n${'```'}\n${keyPart}\n${'```'}\n`;
     if (this.postComment) {
-      const { html_url } = await this.req.json(`https://api.github.com/repos/${this.owner}/${this.repo}/issues/${this.prid}/comments`, {
+      const { message, html_url } = await this.req.json(`https://api.github.com/repos/${this.owner}/${this.repo}/issues/${this.prid}/comments`, {
         agent: this.req.proxyAgent,
         method: 'POST',
         headers: {
@@ -124,13 +124,23 @@ export default class VotingSession extends Session {
         },
         body: JSON.stringify({ body })
       });
-      this.cli.log('Comment posted at:', html_url);
-    } else if (isGhAvailable()) {
+      if (html_url) {
+        this.cli.log(`Comment posted at: ${html_url}`);
+        return;
+      } else {
+        this.cli.warn(message);
+        this.cli.error('Failed to post comment');
+      }
+    }
+    if (isGhAvailable()) {
       this.cli.log('\nRun the following command to post the comment:\n');
       this.cli.log(
         `gh pr comment ${this.prid} --repo ${this.owner}/${this.repo} ` +
         `--body-file - <<'EOF'\n${body}\nEOF`
       );
+    } else {
+      this.cli.log('\nPost the following comment on the PR thread:\n');
+      this.cli.log(body);
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {