@node-core/utils 5.12.2 → 5.14.0

package/README.md

@@ -98,7 +98,7 @@ these commands.
 To obtain the Jenkins API token
 
 1. Open
-   `https://ci.nodejs.org/user/<your-github-username>/configure` (replace
+   `https://ci.nodejs.org/user/<your-github-username>/security` (replace
    \<your-github-username\> with your own GitHub username).
 2. Click on the `ADD NEW TOKEN` button in the `API Token` section.
 3. Enter an identifiable name (for example, `node-core-utils`) for this

package/bin/ncu-ci.js

@@ -114,7 +114,7 @@ const args = yargs(hideBin(process.argv))
           describe: 'ID of the PR',
           type: 'number'
         })
-        .positional('certify-safe', {
+        .option('certify-safe', {
           describe: 'SHA of the commit that is expected to be at the tip of the PR head. ' +
                     'If not provided, the command will use the SHA of the last approved commit.',
           type: 'string'

package/components/git/release.js

@@ -6,7 +6,7 @@ import TeamInfo from '../../lib/team_info.js';
 import Request from '../../lib/request.js';
 import { runPromise } from '../../lib/run.js';
 
-export const command = 'release [prid|options]';
+export const command = 'release [prid..]';
 export const describe = 'Manage an in-progress release or start a new one.';
 
 const PREPARE = 'prepare';
@@ -34,8 +34,13 @@ const releaseOptions = {
     describe: 'Promote new release of Node.js',
     type: 'boolean'
   },
+  fetchFrom: {
+    describe: 'Remote to fetch the release proposal(s) from, if different from the one where to' +
+              'push the tags and commits.',
+    type: 'string',
+  },
   releaseDate: {
-    describe: 'Default relase date when --prepare is used. It must be YYYY-MM-DD',
+    describe: 'Default release date when --prepare is used. It must be YYYY-MM-DD',
     type: 'string'
   },
   run: {
@@ -112,11 +117,6 @@ function release(state, argv) {
 }
 
 async function main(state, argv, cli, dir) {
-  const prID = /^(?:https:\/\/github\.com\/nodejs(-private)?\/node\1\/pull\/)?(\d+)$/.exec(argv.prid);
-  if (prID) {
-    if (prID[1]) argv.security = true;
-    argv.prid = Number(prID[2]);
-  }
   if (state === PREPARE) {
     const release = new ReleasePreparation(argv, cli, dir);
 
@@ -160,6 +160,24 @@ async function main(state, argv, cli, dir) {
       cli.stopSpinner(`${release.username} is a Releaser`);
     }
 
-    return release.promote();
+    const releases = [];
+    for (const pr of argv.prid) {
+      const match = /^(?:https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/)?(\d+)(?:#.*)?$/.exec(pr);
+      if (!match) throw new Error('Invalid PR ID or URL', { cause: pr });
+      const [,owner, repo, prid] = match;
+
+      if (
+        owner &&
+        (owner !== release.owner || repo !== release.repo) &&
+        !argv.fetchFrom
+      ) {
+        console.warn('The configured owner/repo does not match the PR URL.');
+        console.info('You should either pass `--fetch-from` flag or check your configuration');
+        console.info(`E.g. --fetch-from=git@github.com:${owner}/${repo}.git`);
+        throw new Error('You need to tell what remote use to fetch security release proposal.');
+      }
+      releases.push(await release.preparePromotion({ owner, repo, prid: Number(prid) }));
+    }
+    return release.promote(releases);
   }
 }

package/components/git/wpt.js

@@ -47,7 +47,8 @@ async function main(argv) {
   const statusFolder = path.join(nodedir, 'test', 'wpt', 'status');
   let supported = [
     'dom',
-    'html'
+    'html',
+    'webcrypto'
   ];
   if (fs.existsSync(statusFolder)) {
     const jsons = fs.readdirSync(statusFolder);

package/lib/cherry_pick.js

@@ -1,23 +1,13 @@
-import os from 'node:os';
 import path from 'node:path';
 import { getMetadata } from '../components/metadata.js';
 
 import {
-  runAsync, runSync, forceRunAsync
+  runAsync, runSync
 } from './run.js';
-import { writeFile } from './file.js';
-import {
-  shortSha, getEditor
-} from './utils.js';
 import { getNcuDir } from './config.js';
+import LandingSession, { LINT_RESULTS } from './landing_session.js';
 
-const LINT_RESULTS = {
-  SKIPPED: 'skipped',
-  FAILED: 'failed',
-  SUCCESS: 'success'
-};
-
-export default class CheckPick {
+export default class CherryPick {
   constructor(prid, dir, cli, {
     owner,
     repo,
@@ -46,11 +36,6 @@ export default class CheckPick {
     return this.options.lint;
   }
 
-  getUpstreamHead() {
-    const { upstream, branch } = this;
-    return runSync('git', ['rev-parse', `${upstream}/${branch}`]).trim();
-  }
-
   getCurrentRev() {
     return runSync('git', ['rev-parse', 'HEAD']).trim();
   }
@@ -73,16 +58,6 @@ export default class CheckPick {
     return path.resolve(this.ncuDir, `${this.prid}`);
   }
 
-  getMessagePath(rev) {
-    return path.resolve(this.pullDir, `${shortSha(rev)}.COMMIT_EDITMSG`);
-  }
-
-  saveMessage(rev, message) {
-    const file = this.getMessagePath(rev);
-    writeFile(file, message);
-    return file;
-  }
-
   async start() {
     const { cli } = this;
 
@@ -91,7 +66,7 @@ export default class CheckPick {
       owner: this.owner,
       repo: this.repo
     }, false, cli);
-    const expectedCommitShas =
+    this.expectedCommitShas =
       metadata.data.commits.map(({ commit }) => commit.oid);
 
     const amend = await cli.prompt(
@@ -104,7 +79,7 @@ export default class CheckPick {
     }
 
     try {
-      const commitInfo = await this.downloadAndPatch(expectedCommitShas);
+      const commitInfo = await this.downloadAndPatch();
       const cleanLint = await this.validateLint();
       if (cleanLint === LINT_RESULTS.FAILED) {
         cli.error('Patch still contains lint errors. ' +
@@ -120,68 +95,6 @@ export default class CheckPick {
     }
   }
 
-  async downloadAndPatch(expectedCommitShas) {
-    const { cli, repo, owner, prid } = this;
-
-    cli.startSpinner(`Downloading patch for ${prid}`);
-    // fetch via ssh to handle private repo
-    await runAsync('git', [
-      'fetch', `git@github.com:${owner}/${repo}.git`,
-      `refs/pull/${prid}/merge`]);
-    // We fetched the commit that would result if we used `git merge`.
-    // ^1 and ^2 refer to the PR base and the PR head, respectively.
-    const [base, head] = await runAsync('git',
-      ['rev-parse', 'FETCH_HEAD^1', 'FETCH_HEAD^2'],
-      { captureStdout: 'lines' });
-    const commitShas = await runAsync('git',
-      ['rev-list', `${base}..${head}`],
-      { captureStdout: 'lines' });
-    cli.stopSpinner(`Fetched commits as ${shortSha(base)}..${shortSha(head)}`);
-    cli.separator();
-
-    const mismatchedCommits = [
-      ...commitShas.filter((sha) => !expectedCommitShas.includes(sha))
-        .map((sha) => `Unexpected commit ${sha}`),
-      ...expectedCommitShas.filter((sha) => !commitShas.includes(sha))
-        .map((sha) => `Missing commit ${sha}`)
-    ].join('\n');
-    if (mismatchedCommits.length > 0) {
-      throw new Error(`Mismatched commits:\n${mismatchedCommits}`);
-    }
-
-    const commitInfo = { base, head, shas: commitShas };
-
-    try {
-      await forceRunAsync('git', ['cherry-pick', `${base}..${head}`], {
-        ignoreFailure: false
-      });
-    } catch (ex) {
-      await forceRunAsync('git', ['cherry-pick', '--abort']);
-      throw new Error('Failed to apply patches');
-    }
-
-    cli.ok('Patches applied');
-    return commitInfo;
-  }
-
-  async validateLint() {
-    // The linter is currently only run on non-Windows platforms.
-    if (os.platform() === 'win32') {
-      return LINT_RESULTS.SKIPPED;
-    }
-
-    if (!this.lint) {
-      return LINT_RESULTS.SKIPPED;
-    }
-
-    try {
-      await runAsync('make', ['lint']);
-      return LINT_RESULTS.SUCCESS;
-    } catch {
-      return LINT_RESULTS.FAILED;
-    }
-  }
-
   async amend(metadata, commitInfo) {
     const { cli } = this;
     const subjects = await runAsync('git',
@@ -203,102 +116,23 @@ export default class CheckPick {
       await runAsync('git', ['commit', '--amend', '--no-edit']);
     }
 
-    return this._amend(metadata);
+    return LandingSession.prototype.amend.call(this, metadata);
   }
 
-  async _amend(metadataStr) {
-    const { cli } = this;
-
-    const rev = this.getCurrentRev();
-    const original = runSync('git', [
-      'show', 'HEAD', '-s', '--format=%B'
-    ]).trim();
-    // git has very specific rules about what is a trailer and what is not.
-    // Instead of trying to implement those ourselves, let git parse the
-    // original commit message and see if it outputs any trailers.
-    const originalHasTrailers = runSync('git', [
-      'interpret-trailers', '--parse', '--no-divider'
-    ], {
-      input: `${original}\n`
-    }).trim().length !== 0;
-    const metadata = metadataStr.trim().split('\n');
-    const amended = original.split('\n');
-
-    // If the original commit message already contains trailers (such as
-    // "Co-authored-by"), we simply add our own metadata after those. Otherwise,
-    // we have to add an empty line so that git recognizes our own metadata as
-    // trailers in the amended commit message.
-    if (!originalHasTrailers) {
-      amended.push('');
-    }
-
-    const BACKPORT_RE = /BACKPORT-PR-URL\s*:\s*(\S+)/i;
-    const PR_RE = /PR-URL\s*:\s*(\S+)/i;
-    const REVIEW_RE = /Reviewed-By\s*:\s*(\S+)/i;
-    const CVE_RE = /CVE-ID\s*:\s*(\S+)/i;
-
-    let containCVETrailer = false;
-    for (const line of metadata) {
-      if (line.length !== 0 && original.includes(line)) {
-        if (line.match(CVE_RE)) {
-          containCVETrailer = true;
-        }
-        if (originalHasTrailers) {
-          cli.warn(`Found ${line}, skipping..`);
-        } else {
-          throw new Error(
-            'Git found no trailers in the original commit message, ' +
-            `but '${line}' is present and should be a trailer.`);
-        }
-      } else {
-        if (line.match(BACKPORT_RE)) {
-          let prIndex = amended.findIndex(datum => datum.match(PR_RE));
-          if (prIndex === -1) {
-            prIndex = amended.findIndex(datum => datum.match(REVIEW_RE)) - 1;
-          }
-          amended.splice(prIndex + 1, 0, line);
-        } else {
-          amended.push(line);
-        }
-      }
-    }
-
-    if (!containCVETrailer && this.includeCVE) {
-      const cveID = await cli.prompt(
-        'Git found no CVE-ID trailer in the original commit message. ' +
-        'Please, provide the CVE-ID',
-        { questionType: 'input', defaultAnswer: 'CVE-2023-XXXXX' }
-      );
-      amended.push('CVE-ID: ' + cveID);
-    }
+  readyToAmend() {
+    return true;
+  }
 
-    const message = amended.join('\n');
-    const messageFile = this.saveMessage(rev, message);
-    cli.separator('New Message');
-    cli.log(message.trim());
-    const takeMessage = await cli.prompt('Use this message?');
-    if (takeMessage) {
-      await runAsync('git', ['commit', '--amend', '-F', messageFile]);
-      return true;
-    }
+  startAmending() {
+    // No-op
+  }
 
-    const editor = await getEditor({ git: true });
-    if (editor) {
-      try {
-        await forceRunAsync(
-          editor,
-          [`"${messageFile}"`],
-          { ignoreFailure: false, spawnArgs: { shell: true } }
-        );
-        await runAsync('git', ['commit', '--amend', '-F', messageFile]);
-        return true;
-      } catch {
-        cli.warn(`Please manually edit ${messageFile}, then run\n` +
-          `\`git commit --amend -F ${messageFile}\` ` +
-          'to finish amending the message');
-        throw new Error(
-          'Failed to edit the message using the configured editor');
-      }
-    }
+  saveCommitInfo() {
+    // No-op
   }
 }
+
+CherryPick.prototype.downloadAndPatch = LandingSession.prototype.downloadAndPatch;
+CherryPick.prototype.validateLint = LandingSession.prototype.validateLint;
+CherryPick.prototype.getMessagePath = LandingSession.prototype.getMessagePath;
+CherryPick.prototype.saveMessage = LandingSession.prototype.saveMessage;

package/lib/ci/run_ci.js

@@ -62,7 +62,8 @@ export class RunPRJob {
       parameter: [
         { name: 'GITHUB_ORG', value: this.owner },
         { name: 'REPO_NAME', value: this.repo },
-        { name: 'GIT_REMOTE_REF', value: `refs/pull/${this.prid}/head` }
+        { name: 'GIT_REMOTE_REF', value: `refs/pull/${this.prid}/head` },
+        { name: 'COMMIT_SHA_CHECK', value: this.certifySafe }
       ]
     }));
     return payload;

package/lib/landing_session.js

@@ -10,7 +10,7 @@ import {
 
 const isWindows = process.platform === 'win32';
 
-const LINT_RESULTS = {
+export const LINT_RESULTS = {
   SKIPPED: 'skipped',
   FAILED: 'failed',
   SUCCESS: 'success'
@@ -84,11 +84,11 @@ export default class LandingSession extends Session {
   }
 
   async downloadAndPatch() {
-    const { cli, repo, owner, prid, expectedCommitShas } = this;
+    const { cli, upstream, prid, expectedCommitShas } = this;
 
     cli.startSpinner(`Downloading patch for ${prid}`);
     await runAsync('git', [
-      'fetch', `https://github.com/${owner}/${repo}.git`,
+      'fetch', upstream,
       `refs/pull/${prid}/merge`]);
     // We fetched the commit that would result if we used `git merge`.
     // ^1 and ^2 refer to the PR base and the PR head, respectively.
@@ -315,9 +315,14 @@ export default class LandingSession extends Session {
     const BACKPORT_RE = /BACKPORT-PR-URL\s*:\s*(\S+)/i;
     const PR_RE = /PR-URL\s*:\s*(\S+)/i;
     const REVIEW_RE = /Reviewed-By\s*:\s*(\S+)/i;
+    const CVE_RE = /CVE-ID\s*:\s*(\S+)/i;
 
+    let containCVETrailer = false;
     for (const line of metadata) {
       if (line.length !== 0 && original.includes(line)) {
+        if (line.match(CVE_RE)) {
+          containCVETrailer = true;
+        }
         if (originalHasTrailers) {
           cli.warn(`Found ${line}, skipping..`);
         } else {
@@ -338,6 +343,15 @@ export default class LandingSession extends Session {
       }
     }
 
+    if (!containCVETrailer && this.includeCVE) {
+      const cveID = await cli.prompt(
+        'Git found no CVE-ID trailer in the original commit message. ' +
+        'Please, provide the CVE-ID',
+        { questionType: 'input', defaultAnswer: 'CVE-2023-XXXXX' }
+      );
+      amended.push('CVE-ID: ' + cveID);
+    }
+
     const message = amended.join('\n');
     const messageFile = this.saveMessage(rev, message);
     cli.separator('New Message');

package/lib/pr_checker.js

@@ -30,15 +30,6 @@ const FAST_TRACK_RE = /^Fast-track has been requested by @(.+?)\. Please 👍 to
 const FAST_TRACK_MIN_APPROVALS = 2;
 const GIT_CONFIG_GUIDE_URL = 'https://github.com/nodejs/node/blob/99b1ada/doc/guides/contributing/pull-requests.md#step-1-fork';
 
-// eslint-disable-next-line no-extend-native
-Array.prototype.findLastIndex ??= function findLastIndex(fn) {
-  const reversedIndex = Reflect.apply(
-    Array.prototype.findIndex,
-    this.slice().reverse(),
-    arguments);
-  return reversedIndex === -1 ? -1 : this.length - reversedIndex - 1;
-};
-
 export default class PRChecker {
   /**
    * @param {{}} cli
@@ -49,7 +40,7 @@ export default class PRChecker {
     this.request = request;
     this.data = data;
     const {
-      pr, reviewers, comments, reviews, commits, collaborators
+      pr, reviewers, comments, reviews, commits
     } = data;
     this.reviewers = reviewers;
     this.pr = pr;
@@ -61,9 +52,6 @@ export default class PRChecker {
     this.reviews = reviews;
     this.commits = commits;
     this.argv = argv;
-    this.collaboratorEmails = new Set(
-      Array.from(collaborators).map((c) => c[1].email)
-    );
   }
 
   get waitTimeSingleApproval() {

package/lib/prepare_security.js

@@ -70,7 +70,7 @@ export default class PrepareSecurityRelease extends SecurityRelease {
         { cli: this.cli, repository: this.repository }
       );
     }
-    this.cli.info(`Merge pull request with:
+    this.cli.info(`If the PR is ready (CI is passing): merge pull request with:
         - git checkout main
         - git merge ${NEXT_SECURITY_RELEASE_BRANCH} --no-ff -m "chore: add latest security release"
         - git push origin main`);

package/lib/promote_release.js

@@ -17,16 +17,10 @@ const dryRunMessage = 'You are running in dry-run mode, meaning NCU will not run
 
 export default class ReleasePromotion extends Session {
   constructor(argv, req, cli, dir) {
-    super(cli, dir, argv.prid);
+    super(cli, dir);
     this.req = req;
-    if (argv.security) {
-      this.config.owner = 'nodejs-private';
-      this.config.repo = 'node-private';
-    }
     this.dryRun = !argv.run;
-    this.isLTS = false;
-    this.ltsCodename = '';
-    this.date = '';
+    this.proposalUpstreamRemote = argv.fetchFrom ?? this.upstream;
     this.gpgSign = argv?.['gpg-sign']
       ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
       : [];
@@ -43,8 +37,8 @@ export default class ReleasePromotion extends Session {
     return defaultBranchRef.name;
   }
 
-  async promote() {
-    const { prid, cli } = this;
+  async preparePromotion({ prid, owner, repo }) {
+    const { cli, proposalUpstreamRemote } = this;
 
     // In the promotion stage, we can pull most relevant data
     // from the release commit created in the preparation stage.
@@ -54,9 +48,7 @@ export default class ReleasePromotion extends Session {
       isApproved,
       jenkinsReady,
       releaseCommitSha
-    } = await this.verifyPRAttributes();
-
-    this.releaseCommitSha = releaseCommitSha;
+    } = await this.verifyPRAttributes({ prid, owner, repo });
 
     let localCloneIsClean = true;
     const currentHEAD = await forceRunAsync('git', ['rev-parse', 'HEAD'],
@@ -74,7 +66,7 @@ export default class ReleasePromotion extends Session {
     if (!localCloneIsClean) {
       if (await cli.prompt('Should we reset the local HEAD to be the release proposal?')) {
         cli.startSpinner('Fetching the proposal upstream...');
-        await forceRunAsync('git', ['fetch', this.upstream, releaseCommitSha],
+        await forceRunAsync('git', ['fetch', proposalUpstreamRemote, releaseCommitSha],
           { ignoreFailure: false });
         await forceRunAsync('git', ['reset', releaseCommitSha, '--hard'], { ignoreFailure: false });
         cli.stopSpinner('Local HEAD is now in sync with the proposal');
@@ -84,9 +76,9 @@ export default class ReleasePromotion extends Session {
       }
     }
 
-    await this.parseDataFromReleaseCommit();
+    const releaseData = await this.parseDataFromReleaseCommit(releaseCommitSha);
 
-    const { version } = this;
+    const { version, isLTS, ltsCodename, date, versionComponents } = releaseData;
     cli.startSpinner('Verifying Jenkins CI status');
     if (!jenkinsReady) {
       cli.stopSpinner(
@@ -134,102 +126,79 @@ export default class ReleasePromotion extends Session {
       cli.warn(`Aborting release promotion for version ${version}`);
       throw new Error('Aborted');
     }
-    await this.secureTagRelease();
-    await this.verifyTagSignature();
+    await this.secureTagRelease({ version, isLTS, ltsCodename, releaseCommitSha, date });
+    await this.verifyTagSignature(version);
 
     // Set up for next release.
     cli.startSpinner('Setting up for next release');
-    const workingOnNewReleaseCommit = await this.setupForNextRelease();
+    const workingOnNewReleaseCommit =
+      await this.setupForNextRelease({ prid, owner, repo, versionComponents });
     cli.stopSpinner('Successfully set up for next release');
 
+    const shouldRebaseStagingBranch = await cli.prompt(
+      'Rebase staging branch on top of the release commit?', { defaultAnswer: true });
+    const tipOfStagingBranch = shouldRebaseStagingBranch
+      ? await this.rebaseRemoteBranch(
+          `v${versionComponents.major}.x-staging`,
+          workingOnNewReleaseCommit)
+      : workingOnNewReleaseCommit;
+
+    return { releaseCommitSha, workingOnNewReleaseCommit, tipOfStagingBranch, ...releaseData };
+  }
+
+  async promote(releases) {
+    const { cli } = this;
+
     // Cherry pick release commit to master.
     const shouldCherryPick = await cli.prompt(
-      'Cherry-pick release commit to the default branch?', { defaultAnswer: true });
+      'Cherry-pick release commit(s) to the default branch?', { defaultAnswer: true });
     if (!shouldCherryPick) {
-      cli.warn(`Aborting release promotion for version ${version}`);
       throw new Error('Aborted');
     }
-    const appliedCleanly = await this.cherryPickToDefaultBranch();
-
-    // Ensure `node_version.h`'s `NODE_VERSION_IS_RELEASE` bit is not updated
-    await forceRunAsync('git', ['checkout',
-      appliedCleanly
-        ? 'HEAD^' // In the absence of conflict, the top of the remote branch is the commit before.
-        : 'HEAD', // In case of conflict, HEAD is still the top of the remove branch.
-      '--', 'src/node_version.h'],
-    { ignoreFailure: false });
-
-    if (appliedCleanly) {
-      // There were no conflicts, we have to amend the commit to revert the
-      // `node_version.h` changes.
-      await forceRunAsync('git', ['commit', ...this.gpgSign, '--amend', '--no-edit', '-n'],
-        { ignoreFailure: false });
-    } else {
-      // There will be remaining cherry-pick conflicts the Releaser will
-      // need to resolve, so confirm they've been resolved before
-      // proceeding with next steps.
-      cli.separator();
-      cli.info('Resolve the conflicts and commit the result');
-      cli.separator();
-      const didResolveConflicts = await cli.prompt(
-        'Finished resolving cherry-pick conflicts?', { defaultAnswer: true });
-      if (!didResolveConflicts) {
-        cli.warn(`Aborting release promotion for version ${version}`);
-        throw new Error('Aborted');
-      }
-    }
+    const defaultBranch = await this.checkoutDefaultBranch();
 
-    if (existsSync('.git/CHERRY_PICK_HEAD')) {
-      cli.info('Cherry-pick is still in progress, attempting to continue it.');
-      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, '--continue'],
-        { ignoreFailure: false });
-    }
-
-    // Validate release commit on the default branch
-    const releaseCommitOnDefaultBranch =
-      await forceRunAsync('git', ['show', 'HEAD', '--name-only', '--pretty=format:%s'],
-        { captureStdout: true, ignoreFailure: false });
-    const [commitTitle, ...modifiedFiles] = releaseCommitOnDefaultBranch.trim().split('\n');
-    await this.validateReleaseCommit(commitTitle);
-    if (modifiedFiles.some(file => !file.endsWith('.md'))) {
-      cli.warn('Some modified files are not markdown, that\'s unusual.');
-      cli.info(`The list of modified files: ${modifiedFiles.map(f => `- ${f}`).join('\n')}`);
-      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
-        throw new Error('Aborted');
-      }
+    for (const { releaseCommitSha } of releases) {
+      await this.cherryPickReleaseCommit(releaseCommitSha);
     }
 
-    // Push to the remote the release tag, and default, release, and staging branch.
-    await this.pushToRemote(workingOnNewReleaseCommit);
+    // Push to the remote the release tag(s), and default, release, and staging branches.
+    await this.pushToRemote(this.upstream, defaultBranch, ...releases.flatMap(
+      ({ version, versionComponents, workingOnNewReleaseCommit, tipOfStagingBranch }) => [
+        `v${version}`,
+        `${workingOnNewReleaseCommit}:refs/heads/v${versionComponents.major}.x`,
+        `+${tipOfStagingBranch}:refs/heads/v${versionComponents.major}.x-staging`,
+      ]));
 
     // Promote and sign the release builds.
     await this.promoteAndSignRelease();
 
     cli.separator();
-    cli.ok(`Release promotion for ${version} complete.\n`);
+    cli.ok('Release promotion(s) complete.\n');
     cli.info(
       'To finish this release, you\'ll need to: \n' +
-      ` 1. Check the release at: https://nodejs.org/dist/v${version}\n` +
-      ' 2. Create the blog post for nodejs.org.\n' +
-      ' 3. Create the release on GitHub.\n' +
-      ' 4. Optionally, announce the release on your social networks.\n' +
+      ' 1. Check the release(s) at: https://nodejs.org/dist/v{version}\n' +
+      ' 2. Create the blog post(s) for nodejs.org.\n' +
+      ' 3. Create the release(s) on GitHub.\n' +
+      ' 4. Optionally, announce the release(s) on your social networks.\n' +
       ' 5. Tag @nodejs-social-team on #nodejs-release Slack channel.\n');
 
     cli.separator();
-    cli.info('Use the following command to create the GitHub release:');
+    cli.info('Use the following command(s) to create the GitHub release(s):');
     cli.separator();
-    cli.info(
-      'awk \'' +
-      `/^## ${this.date}, Version ${this.version.replaceAll('.', '\\.')} /,` +
-      '/^<a id="[0-9]+\\.[0-9]+\\.[0-9]+"><\\x2fa>$/{' +
-      'print buf; if(firstLine == "") firstLine = $0; else buf = $0' +
-    `}' doc/changelogs/CHANGELOG_V${
-      this.versionComponents.major}.md | gh release create v${this.version} --verify-tag --latest${
-        this.isLTS ? '=false' : ''} --title=${JSON.stringify(this.releaseTitle)} --notes-file -`);
+    for (const { date, version, versionComponents, isLTS, releaseTitle } of releases) {
+      cli.info(
+        'awk \'' +
+        `/^## ${date}, Version ${version.replaceAll('.', '\\.')} /,` +
+        '/^<a id="[0-9]+\\.[0-9]+\\.[0-9]+"><\\x2fa>$/{' +
+        'print buf; if(firstLine == "") firstLine = $0; else buf = $0' +
+        `}' doc/changelogs/CHANGELOG_V${
+          versionComponents.major}.md | gh release create v${version} --verify-tag --latest${
+            isLTS ? '=false' : ''} --title=${JSON.stringify(releaseTitle)} --notes-file -`);
+    }
   }
 
-  async verifyTagSignature() {
-    const { cli, version } = this;
+  async verifyTagSignature(version) {
+    const { cli } = this;
     const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using RSA key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from "([^<]+) <\2>"/;
     const [verifyTagOutput, haystack] = await Promise.all([forceRunAsync(
       'git', ['--no-pager',
@@ -258,8 +227,8 @@ export default class ReleasePromotion extends Session {
     }
   }
 
-  async verifyPRAttributes() {
-    const { cli, prid, owner, repo, req } = this;
+  async verifyPRAttributes({ prid, owner, repo }) {
+    const { cli, req } = this;
 
     const data = new PRData({ prid, owner, repo }, cli, req);
     await data.getAll();
@@ -325,8 +294,8 @@ export default class ReleasePromotion extends Session {
     return data;
   }
 
-  async parseDataFromReleaseCommit() {
-    const { cli, releaseCommitSha } = this;
+  async parseDataFromReleaseCommit(releaseCommitSha) {
+    const { cli } = this;
 
     const releaseCommitMessage = await forceRunAsync('git', [
       '--no-pager', 'log', '-1',
@@ -338,26 +307,19 @@ export default class ReleasePromotion extends Session {
 
     const releaseCommitData = await this.validateReleaseCommit(releaseCommitMessage);
 
-    this.date = releaseCommitData.date;
-    this.version = releaseCommitData.version;
-    this.stagingBranch = releaseCommitData.stagingBranch;
-    this.versionComponents = releaseCommitData.versionComponents;
-    this.isLTS = releaseCommitData.isLTS;
-    this.ltsCodename = releaseCommitData.ltsCodename;
-
     // Check if CHANGELOG show the correct releaser for the current release
     const changeLogDiff = await forceRunAsync('git', [
       '--no-pager', 'diff',
-      `${this.releaseCommitSha}^..${this.releaseCommitSha}`,
+      `${releaseCommitSha}^..${releaseCommitSha}`,
       '--',
-      `doc/changelogs/CHANGELOG_V${this.versionComponents.major}.md`
+      `doc/changelogs/CHANGELOG_V${releaseCommitData.versionComponents.major}.md`
     ], { captureStdout: true, ignoreFailure: false });
     const headingLine = /^\+## \d{4}-\d{2}-\d{2}, Version \d.+$/m.exec(changeLogDiff);
     if (headingLine == null) {
       cli.error('Cannot find section for the new release in CHANGELOG');
       throw new Error('Aborted');
     }
-    this.releaseTitle = headingLine[0].slice(4);
+    releaseCommitData.releaseTitle = headingLine[0].slice(4);
     const expectedLine = `+## ${releaseCommitMessage}, @${this.username}`;
     if (headingLine[0] !== expectedLine &&
         !headingLine[0].startsWith(`${expectedLine} prepared by @`)) {
@@ -370,11 +332,11 @@ export default class ReleasePromotion extends Session {
         throw new Error('Aborted');
       }
     }
-  }
 
-  async secureTagRelease() {
-    const { version, isLTS, ltsCodename, releaseCommitSha } = this;
+    return releaseCommitData;
+  }
 
+  async secureTagRelease({ version, isLTS, ltsCodename, releaseCommitSha, date }) {
     const releaseInfo = isLTS ? `${ltsCodename} (LTS)` : '(Current)';
 
     try {
@@ -382,7 +344,7 @@ export default class ReleasePromotion extends Session {
         const api = new gst.API(process.cwd());
         api.sign(`v${version}`, releaseCommitSha, {
           insecure: false,
-          m: `${this.date} Node.js v${version} ${releaseInfo} Release`
+          m: `${date} Node.js v${version} ${releaseInfo} Release`
         }, (err) => err ? reject(err) : resolve());
       });
     } catch (err) {
@@ -401,9 +363,7 @@ export default class ReleasePromotion extends Session {
 
   // Set up the branch so that nightly builds are produced with the next
   // version number and a pre-release tag.
-  async setupForNextRelease() {
-    const { versionComponents, prid, owner, repo } = this;
-
+  async setupForNextRelease({ prid, owner, repo, versionComponents }) {
     // Update node_version.h for next patch release.
     const filePath = path.resolve('src', 'node_version.h');
     const nodeVersionFile = await fs.open(filePath, 'r+');
@@ -440,22 +400,16 @@ export default class ReleasePromotion extends Session {
     return workingOnNewReleaseCommit.trim();
   }
 
-  async pushToRemote(workingOnNewReleaseCommit) {
-    const { cli, dryRun, version, versionComponents, stagingBranch } = this;
-    const releaseBranch = `v${versionComponents.major}.x`;
-    const tagVersion = `v${version}`;
+  async pushToRemote(upstream, ...refs) {
+    const { cli, dryRun } = this;
 
     this.defaultBranch ??= await this.getDefaultBranch();
 
-    let prompt = `Push release tag and commits to ${this.upstream}?`;
+    let prompt = `Push release tag and commits to ${upstream}?`;
     if (dryRun) {
       cli.info(dryRunMessage);
       cli.info('Run the following command to push to remote:');
-      cli.info(`git push ${this.upstream} ${
-        this.defaultBranch} ${
-        tagVersion} ${
-        workingOnNewReleaseCommit}:refs/heads/${releaseBranch} ${
-        workingOnNewReleaseCommit}:refs/heads/${stagingBranch}`);
+      cli.info(`git push ${upstream} ${refs.join(' ')}`);
       cli.warn('Once pushed, you must not delete the local tag');
       prompt = 'Ready to continue?';
     }
@@ -469,12 +423,8 @@ export default class ReleasePromotion extends Session {
     }
 
     cli.startSpinner('Pushing to remote');
-    await forceRunAsync('git', ['push', this.upstream, this.defaultBranch, tagVersion,
-      `${workingOnNewReleaseCommit}:refs/heads/${releaseBranch}`,
-      `${workingOnNewReleaseCommit}:refs/heads/${stagingBranch}`],
-    { ignoreFailure: false });
-    cli.stopSpinner(`Pushed ${tagVersion}, ${this.defaultBranch}, ${
-      releaseBranch}, and ${stagingBranch} to remote`);
+    await forceRunAsync('git', ['push', upstream, ...refs], { ignoreFailure: false });
+    cli.stopSpinner(`Pushed ${JSON.stringify(refs)} to remote`);
     cli.warn('Now that it has been pushed, you must not delete the local tag');
   }
 
@@ -507,21 +457,91 @@ export default class ReleasePromotion extends Session {
     cli.stopSpinner('Release has been signed and promoted');
   }
 
-  async cherryPickToDefaultBranch() {
+  async rebaseRemoteBranch(branchName, workingOnNewReleaseCommit) {
+    const { cli, upstream } = this;
+    cli.startSpinner('Fetch staging branch');
+    await forceRunAsync('git', ['fetch', upstream, branchName], { ignoreFailure: false });
+    cli.updateSpinner('Reset and rebase');
+    await forceRunAsync('git', ['reset', 'FETCH_HEAD', '--hard'], { ignoreFailure: false });
+    await forceRunAsync('git',
+      ['rebase', workingOnNewReleaseCommit, ...this.gpgSign], { ignoreFailure: false });
+    const tipOfStagingBranch = await forceRunAsync('git', ['rev-parse', 'HEAD'],
+      { ignoreFailure: false, captureStdout: true });
+    cli.stopSpinner('Rebased successfully');
+
+    return tipOfStagingBranch.trim();
+  }
+
+  async checkoutDefaultBranch() {
     this.defaultBranch ??= await this.getDefaultBranch();
-    const releaseCommitSha = this.releaseCommitSha;
     await forceRunAsync('git', ['checkout', this.defaultBranch], { ignoreFailure: false });
 
     await this.tryResetBranch();
 
+    return this.defaultBranch;
+  }
+
+  async cherryPick(commit) {
     // There might be conflicts, we do not want to treat this as a hard failure,
     // but we want to retain that information.
     try {
-      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, releaseCommitSha],
+      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, commit],
         { ignoreFailure: false });
       return true;
     } catch {
       return false;
     }
   }
+
+  async cherryPickReleaseCommit(releaseCommitSha) {
+    const { cli } = this;
+
+    const appliedCleanly = await this.cherryPick(releaseCommitSha);
+    // Ensure `node_version.h`'s `NODE_VERSION_IS_RELEASE` bit is not updated
+    await forceRunAsync('git', ['checkout',
+      appliedCleanly
+        ? 'HEAD^' // In the absence of conflict, the top of the remote branch is the commit before.
+        : 'HEAD', // In case of conflict, HEAD is still the top of the remove branch.
+      '--', 'src/node_version.h'],
+    { ignoreFailure: false });
+
+    if (appliedCleanly) {
+      // There were no conflicts, we have to amend the commit to revert the
+      // `node_version.h` changes.
+      await forceRunAsync('git', ['commit', ...this.gpgSign, '--amend', '--no-edit', '-n'],
+        { ignoreFailure: false });
+    } else {
+      // There will be remaining cherry-pick conflicts the Releaser will
+      // need to resolve, so confirm they've been resolved before
+      // proceeding with next steps.
+      cli.separator();
+      cli.info('Resolve the conflicts and commit the result');
+      cli.separator();
+      const didResolveConflicts = await cli.prompt(
+        'Finished resolving cherry-pick conflicts?', { defaultAnswer: true });
+      if (!didResolveConflicts) {
+        throw new Error('Aborted');
+      }
+    }
+
+    if (existsSync('.git/CHERRY_PICK_HEAD')) {
+      cli.info('Cherry-pick is still in progress, attempting to continue it.');
+      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, '--continue'],
+        { ignoreFailure: false });
+    }
+
+    // Validate release commit on the default branch
+    const releaseCommitOnDefaultBranch =
+      await forceRunAsync('git', ['show', 'HEAD', '--name-only', '--pretty=format:%s'],
+        { captureStdout: true, ignoreFailure: false });
+    const [commitTitle, ...modifiedFiles] = releaseCommitOnDefaultBranch.trim().split('\n');
+    await this.validateReleaseCommit(commitTitle);
+    if (modifiedFiles.some(file => !file.endsWith('.md'))) {
+      cli.warn('Some modified files are not markdown, that\'s unusual.');
+      cli.info(`The list of modified files: ${modifiedFiles.map(f => `- ${f}`).join('\n')}`);
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        throw new Error('Aborted');
+      }
+    }
+  }
 }

package/lib/session.js

@@ -347,7 +347,8 @@ export default class Session {
     const { cli, upstream, branch } = this;
     const branchName = `${upstream}/${branch}`;
     cli.startSpinner(`Bringing ${branchName} up to date...`);
-    await runAsync('git', ['fetch', upstream, branch]);
+    const maybeUnshallow = fs.existsSync('.git/shallow') ? ['--unshallow'] : [];
+    await runAsync('git', ['fetch', ...maybeUnshallow, upstream, branch]);
     cli.stopSpinner(`${branchName} is now up-to-date`);
     const stray = this.getStrayCommits(true);
     if (!stray.length) {

package/lib/update-v8/constants.js

@@ -44,6 +44,9 @@ const fastFloatReplace = `/third_party/fast_float/src/*
 const highwayIgnore = `/third_party/highway/src/*
 !/third_party/highway/src/hwy`;
 
+const dragonboxIgnore = `/third_party/dragonbox/src/*
+!/third_party/dragonbox/src/include`;
+
 export const v8Deps = [
   {
     name: 'trace_event',
@@ -133,5 +136,14 @@ export const v8Deps = [
     repo: 'third_party/simdutf',
     gitignore: '!/third_party/simdutf',
     since: 134
-  }
+  },
+  {
+    name: 'dragonbox',
+    repo: 'third_party/dragonbox/src',
+    gitignore: {
+      match: '/third_party/dragonbox/src',
+      replace: dragonboxIgnore
+    },
+    since: 138
+  },
 ];

package/lib/update_security_release.js

@@ -46,6 +46,10 @@ export default class UpdateSecurityRelease extends SecurityRelease {
     }
     const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
     fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+
+    const commitMessage = 'chore: git node security --sync';
+    commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+      commitMessage, { cli: this.cli, repository: this.repository });
     this.cli.ok('Synced vulnerabilities.json with HackerOne');
   }
 

package/lib/wpt/index.js

@@ -79,9 +79,13 @@ export class WPTUpdater {
     await removeDirectory(this.fixtures(this.path));
 
     this.cli.startSpinner('Pulling assets...');
-    await Promise.all(assets.map(
-      (asset) => this.pullTextFile(fixtures, asset.name)
-    ));
+    // See https://github.com/nodejs/node-core-utils/issues/810
+    for (let i = 0; i < assets.length; i += 10) {
+      const chunk = assets.slice(i, i + 10);
+      await Promise.all(chunk.map(
+        (asset) => this.pullTextFile(fixtures, asset.name)
+      ));
+    }
     this.cli.stopSpinner(`Downloaded ${assets.length} assets.`);
 
     return assets;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.12.2",
+  "version": "5.14.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -34,40 +34,40 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@inquirer/prompts": "^7.2.3",
+    "@inquirer/prompts": "^7.4.1",
     "@listr2/prompt-adapter-enquirer": "^2.0.12",
     "@node-core/caritat": "^1.6.0",
     "@pkgjs/nv": "^0.2.2",
     "branch-diff": "^3.1.1",
     "chalk": "^5.4.1",
-    "changelog-maker": "^4.3.2",
+    "changelog-maker": "^4.4.1",
     "cheerio": "^1.0.0",
     "clipboardy": "^4.0.0",
     "core-validate-commit": "^4.1.0",
     "figures": "^6.1.0",
-    "ghauth": "^6.0.10",
+    "ghauth": "^6.0.12",
     "git-secure-tag": "^2.3.1",
     "js-yaml": "^4.1.0",
     "listr2": "^8.2.5",
     "lodash": "^4.17.21",
     "log-symbols": "^7.0.0",
-    "ora": "^8.1.1",
+    "ora": "^8.2.0",
     "replace-in-file": "^8.3.0",
-    "semver": "^7.6.3",
-    "undici": "^7.3.0",
+    "semver": "^7.7.1",
+    "undici": "^7.7.0",
     "which": "^5.0.0",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
-    "@eslint/js": "^9.19.0",
+    "@eslint/js": "^9.24.0",
     "@reporters/github": "^1.7.2",
     "c8": "^10.1.3",
-    "eslint": "^9.19.0",
+    "eslint": "^9.24.0",
     "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-n": "^17.15.1",
+    "eslint-plugin-n": "^17.17.0",
     "eslint-plugin-promise": "^7.2.1",
-    "globals": "^15.14.0",
-    "neostandard": "^0.12.0",
-    "sinon": "^19.0.2"
+    "globals": "^16.0.0",
+    "neostandard": "^0.12.1",
+    "sinon": "^20.0.0"
   }
 }