@node-core/utils 5.13.0 → 5.14.1

package/README.md

@@ -98,7 +98,7 @@ these commands.
 To obtain the Jenkins API token
 
 1. Open
-   `https://ci.nodejs.org/user/<your-github-username>/configure` (replace
+   `https://ci.nodejs.org/user/<your-github-username>/security` (replace
    \<your-github-username\> with your own GitHub username).
 2. Click on the `ADD NEW TOKEN` button in the `API Token` section.
 3. Enter an identifiable name (for example, `node-core-utils`) for this

package/bin/ncu-ci.js

@@ -114,7 +114,7 @@ const args = yargs(hideBin(process.argv))
           describe: 'ID of the PR',
           type: 'number'
         })
-        .positional('certify-safe', {
+        .option('certify-safe', {
           describe: 'SHA of the commit that is expected to be at the tip of the PR head. ' +
                     'If not provided, the command will use the SHA of the last approved commit.',
           type: 'string'

package/components/git/release.js

@@ -6,7 +6,7 @@ import TeamInfo from '../../lib/team_info.js';
 import Request from '../../lib/request.js';
 import { runPromise } from '../../lib/run.js';
 
-export const command = 'release [prid|options]';
+export const command = 'release [prid..]';
 export const describe = 'Manage an in-progress release or start a new one.';
 
 const PREPARE = 'prepare';
@@ -34,8 +34,13 @@ const releaseOptions = {
     describe: 'Promote new release of Node.js',
     type: 'boolean'
   },
+  fetchFrom: {
+    describe: 'Remote to fetch the release proposal(s) from, if different from the one where to' +
+              'push the tags and commits.',
+    type: 'string',
+  },
   releaseDate: {
-    describe: 'Default relase date when --prepare is used. It must be YYYY-MM-DD',
+    describe: 'Default release date when --prepare is used. It must be YYYY-MM-DD',
     type: 'string'
   },
   run: {
@@ -112,11 +117,6 @@ function release(state, argv) {
 }
 
 async function main(state, argv, cli, dir) {
-  const prID = /^(?:https:\/\/github\.com\/nodejs(-private)?\/node\1\/pull\/)?(\d+)$/.exec(argv.prid);
-  if (prID) {
-    if (prID[1]) argv.security = true;
-    argv.prid = Number(prID[2]);
-  }
   if (state === PREPARE) {
     const release = new ReleasePreparation(argv, cli, dir);
 
@@ -160,6 +160,24 @@ async function main(state, argv, cli, dir) {
       cli.stopSpinner(`${release.username} is a Releaser`);
     }
 
-    return release.promote();
+    const releases = [];
+    for (const pr of argv.prid) {
+      const match = /^(?:https:\/\/github\.com\/([^/]+)\/([^/]+)\/pull\/)?(\d+)(?:#.*)?$/.exec(pr);
+      if (!match) throw new Error('Invalid PR ID or URL', { cause: pr });
+      const [,owner, repo, prid] = match;
+
+      if (
+        owner &&
+        (owner !== release.owner || repo !== release.repo) &&
+        !argv.fetchFrom
+      ) {
+        console.warn('The configured owner/repo does not match the PR URL.');
+        console.info('You should either pass `--fetch-from` flag or check your configuration');
+        console.info(`E.g. --fetch-from=git@github.com:${owner}/${repo}.git`);
+        throw new Error('You need to tell what remote use to fetch security release proposal.');
+      }
+      releases.push(await release.preparePromotion({ owner, repo, prid: Number(prid) }));
+    }
+    return release.promote(releases);
   }
 }

package/components/git/wpt.js

@@ -47,7 +47,8 @@ async function main(argv) {
   const statusFolder = path.join(nodedir, 'test', 'wpt', 'status');
   let supported = [
     'dom',
-    'html'
+    'html',
+    'webcrypto'
   ];
   if (fs.existsSync(statusFolder)) {
     const jsons = fs.readdirSync(statusFolder);

package/lib/cherry_pick.js

@@ -11,12 +11,16 @@ export default class CherryPick {
   constructor(prid, dir, cli, {
     owner,
     repo,
+    upstream,
+    gpgSign,
     lint,
     includeCVE
   } = {}) {
     this.prid = prid;
     this.cli = cli;
     this.dir = dir;
+    this.upstream = upstream;
+    this.gpgSign = gpgSign;
     this.options = { owner, repo, lint, includeCVE };
   }
 
@@ -88,14 +92,15 @@ export default class CherryPick {
       } else if (cleanLint === LINT_RESULTS.SUCCESS) {
         cli.ok('Lint passed cleanly');
       }
-      return this.amend(metadata.metadata, commitInfo);
+      this.metadata = metadata.metadata;
+      return this.amend(commitInfo);
     } catch (e) {
       cli.error(e.message);
       return false;
     }
   }
 
-  async amend(metadata, commitInfo) {
+  async amend(commitInfo) {
     const { cli } = this;
     const subjects = await runAsync('git',
       ['log', '--pretty=format:%s', `${commitInfo.base}..${commitInfo.head}`],
@@ -116,7 +121,7 @@ export default class CherryPick {
       await runAsync('git', ['commit', '--amend', '--no-edit']);
     }
 
-    return LandingSession.prototype.amend.call(this, metadata);
+    return LandingSession.prototype.amend.call(this);
   }
 
   readyToAmend() {

package/lib/ci/run_ci.js

@@ -62,7 +62,8 @@ export class RunPRJob {
       parameter: [
         { name: 'GITHUB_ORG', value: this.owner },
         { name: 'REPO_NAME', value: this.repo },
-        { name: 'GIT_REMOTE_REF', value: `refs/pull/${this.prid}/head` }
+        { name: 'GIT_REMOTE_REF', value: `refs/pull/${this.prid}/head` },
+        { name: 'COMMIT_SHA_CHECK', value: this.certifySafe }
       ]
     }));
     return payload;

package/lib/landing_session.js

@@ -7,6 +7,7 @@ import Session from './session.js';
 import {
   shortSha, isGhAvailable, getEditor
 } from './utils.js';
+import { debuglog, isDebugVerbosity } from './verbosity.js';
 
 const isWindows = process.platform === 'win32';
 
@@ -27,9 +28,6 @@ export default class LandingSession extends Session {
     this.lint = lint;
     this.autorebase = autorebase;
     this.fixupAll = fixupAll;
-    this.gpgSign = argv?.['gpg-sign']
-      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
-      : [];
     this.oneCommitMax = oneCommitMax;
     this.expectedCommitShas = [];
     this.checkCI = !!checkCI;
@@ -120,6 +118,9 @@ export default class LandingSession extends Session {
         ['cherry-pick', '--allow-empty', ...this.gpgSign, `${base}..${head}`],
         { ignoreFailure: false });
     } catch (ex) {
+      if (isDebugVerbosity()) {
+        debuglog('[LandingSession] Got error', ex);
+      }
       cli.error('Failed to apply patches');
       process.exit(1);
     }

package/lib/prepare_release.js

@@ -70,6 +70,8 @@ export default class ReleasePreparation extends Session {
       const cp = new CherryPick(pr.number, this.dir, cli, {
         owner: this.owner,
         repo: this.repo,
+        gpgSign: this.gpgSign,
+        upstream: this.isSecurityRelease ? `https://${this.username}:${this.config.token}@github.com/${this.owner}/${this.repo}.git` : this.upstream,
         lint: false,
         includeCVE: true
       });

package/lib/prepare_security.js

@@ -70,7 +70,7 @@ export default class PrepareSecurityRelease extends SecurityRelease {
         { cli: this.cli, repository: this.repository }
       );
     }
-    this.cli.info(`Merge pull request with:
+    this.cli.info(`If the PR is ready (CI is passing): merge pull request with:
         - git checkout main
         - git merge ${NEXT_SECURITY_RELEASE_BRANCH} --no-ff -m "chore: add latest security release"
         - git push origin main`);

package/lib/promote_release.js

@@ -17,19 +17,10 @@ const dryRunMessage = 'You are running in dry-run mode, meaning NCU will not run
 
 export default class ReleasePromotion extends Session {
   constructor(argv, req, cli, dir) {
-    super(cli, dir, argv.prid);
+    super(cli, dir, null, argv);
     this.req = req;
-    if (argv.security) {
-      this.config.owner = 'nodejs-private';
-      this.config.repo = 'node-private';
-    }
     this.dryRun = !argv.run;
-    this.isLTS = false;
-    this.ltsCodename = '';
-    this.date = '';
-    this.gpgSign = argv?.['gpg-sign']
-      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
-      : [];
+    this.proposalUpstreamRemote = argv.fetchFrom ?? this.upstream;
   }
 
   get branch() {
@@ -43,8 +34,8 @@ export default class ReleasePromotion extends Session {
     return defaultBranchRef.name;
   }
 
-  async promote() {
-    const { prid, cli } = this;
+  async preparePromotion({ prid, owner, repo }) {
+    const { cli, proposalUpstreamRemote } = this;
 
     // In the promotion stage, we can pull most relevant data
     // from the release commit created in the preparation stage.
@@ -54,9 +45,7 @@ export default class ReleasePromotion extends Session {
       isApproved,
       jenkinsReady,
       releaseCommitSha
-    } = await this.verifyPRAttributes();
-
-    this.releaseCommitSha = releaseCommitSha;
+    } = await this.verifyPRAttributes({ prid, owner, repo });
 
     let localCloneIsClean = true;
     const currentHEAD = await forceRunAsync('git', ['rev-parse', 'HEAD'],
@@ -74,7 +63,7 @@ export default class ReleasePromotion extends Session {
     if (!localCloneIsClean) {
       if (await cli.prompt('Should we reset the local HEAD to be the release proposal?')) {
         cli.startSpinner('Fetching the proposal upstream...');
-        await forceRunAsync('git', ['fetch', this.upstream, releaseCommitSha],
+        await forceRunAsync('git', ['fetch', proposalUpstreamRemote, releaseCommitSha],
           { ignoreFailure: false });
         await forceRunAsync('git', ['reset', releaseCommitSha, '--hard'], { ignoreFailure: false });
         cli.stopSpinner('Local HEAD is now in sync with the proposal');
@@ -84,9 +73,9 @@ export default class ReleasePromotion extends Session {
       }
     }
 
-    await this.parseDataFromReleaseCommit();
+    const releaseData = await this.parseDataFromReleaseCommit(releaseCommitSha);
 
-    const { version } = this;
+    const { version, isLTS, ltsCodename, date, versionComponents } = releaseData;
     cli.startSpinner('Verifying Jenkins CI status');
     if (!jenkinsReady) {
       cli.stopSpinner(
@@ -134,102 +123,79 @@ export default class ReleasePromotion extends Session {
       cli.warn(`Aborting release promotion for version ${version}`);
       throw new Error('Aborted');
     }
-    await this.secureTagRelease();
-    await this.verifyTagSignature();
+    await this.secureTagRelease({ version, isLTS, ltsCodename, releaseCommitSha, date });
+    await this.verifyTagSignature(version);
 
     // Set up for next release.
     cli.startSpinner('Setting up for next release');
-    const workingOnNewReleaseCommit = await this.setupForNextRelease();
+    const workingOnNewReleaseCommit =
+      await this.setupForNextRelease({ prid, owner, repo, versionComponents });
     cli.stopSpinner('Successfully set up for next release');
 
+    const shouldRebaseStagingBranch = await cli.prompt(
+      'Rebase staging branch on top of the release commit?', { defaultAnswer: true });
+    const tipOfStagingBranch = shouldRebaseStagingBranch
+      ? await this.rebaseRemoteBranch(
+          `v${versionComponents.major}.x-staging`,
+          workingOnNewReleaseCommit)
+      : workingOnNewReleaseCommit;
+
+    return { releaseCommitSha, workingOnNewReleaseCommit, tipOfStagingBranch, ...releaseData };
+  }
+
+  async promote(releases) {
+    const { cli } = this;
+
     // Cherry pick release commit to master.
     const shouldCherryPick = await cli.prompt(
-      'Cherry-pick release commit to the default branch?', { defaultAnswer: true });
+      'Cherry-pick release commit(s) to the default branch?', { defaultAnswer: true });
     if (!shouldCherryPick) {
-      cli.warn(`Aborting release promotion for version ${version}`);
       throw new Error('Aborted');
     }
-    const appliedCleanly = await this.cherryPickToDefaultBranch();
-
-    // Ensure `node_version.h`'s `NODE_VERSION_IS_RELEASE` bit is not updated
-    await forceRunAsync('git', ['checkout',
-      appliedCleanly
-        ? 'HEAD^' // In the absence of conflict, the top of the remote branch is the commit before.
-        : 'HEAD', // In case of conflict, HEAD is still the top of the remove branch.
-      '--', 'src/node_version.h'],
-    { ignoreFailure: false });
-
-    if (appliedCleanly) {
-      // There were no conflicts, we have to amend the commit to revert the
-      // `node_version.h` changes.
-      await forceRunAsync('git', ['commit', ...this.gpgSign, '--amend', '--no-edit', '-n'],
-        { ignoreFailure: false });
-    } else {
-      // There will be remaining cherry-pick conflicts the Releaser will
-      // need to resolve, so confirm they've been resolved before
-      // proceeding with next steps.
-      cli.separator();
-      cli.info('Resolve the conflicts and commit the result');
-      cli.separator();
-      const didResolveConflicts = await cli.prompt(
-        'Finished resolving cherry-pick conflicts?', { defaultAnswer: true });
-      if (!didResolveConflicts) {
-        cli.warn(`Aborting release promotion for version ${version}`);
-        throw new Error('Aborted');
-      }
-    }
+    const defaultBranch = await this.checkoutDefaultBranch();
 
-    if (existsSync('.git/CHERRY_PICK_HEAD')) {
-      cli.info('Cherry-pick is still in progress, attempting to continue it.');
-      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, '--continue'],
-        { ignoreFailure: false });
-    }
-
-    // Validate release commit on the default branch
-    const releaseCommitOnDefaultBranch =
-      await forceRunAsync('git', ['show', 'HEAD', '--name-only', '--pretty=format:%s'],
-        { captureStdout: true, ignoreFailure: false });
-    const [commitTitle, ...modifiedFiles] = releaseCommitOnDefaultBranch.trim().split('\n');
-    await this.validateReleaseCommit(commitTitle);
-    if (modifiedFiles.some(file => !file.endsWith('.md'))) {
-      cli.warn('Some modified files are not markdown, that\'s unusual.');
-      cli.info(`The list of modified files: ${modifiedFiles.map(f => `- ${f}`).join('\n')}`);
-      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
-        throw new Error('Aborted');
-      }
+    for (const { releaseCommitSha } of releases) {
+      await this.cherryPickReleaseCommit(releaseCommitSha);
     }
 
-    // Push to the remote the release tag, and default, release, and staging branch.
-    await this.pushToRemote(workingOnNewReleaseCommit);
+    // Push to the remote the release tag(s), and default, release, and staging branches.
+    await this.pushToRemote(this.upstream, defaultBranch, ...releases.flatMap(
+      ({ version, versionComponents, workingOnNewReleaseCommit, tipOfStagingBranch }) => [
+        `v${version}`,
+        `${workingOnNewReleaseCommit}:refs/heads/v${versionComponents.major}.x`,
+        `+${tipOfStagingBranch}:refs/heads/v${versionComponents.major}.x-staging`,
+      ]));
 
     // Promote and sign the release builds.
     await this.promoteAndSignRelease();
 
     cli.separator();
-    cli.ok(`Release promotion for ${version} complete.\n`);
+    cli.ok('Release promotion(s) complete.\n');
     cli.info(
       'To finish this release, you\'ll need to: \n' +
-      ` 1. Check the release at: https://nodejs.org/dist/v${version}\n` +
-      ' 2. Create the blog post for nodejs.org.\n' +
-      ' 3. Create the release on GitHub.\n' +
-      ' 4. Optionally, announce the release on your social networks.\n' +
+      ' 1. Check the release(s) at: https://nodejs.org/dist/v{version}\n' +
+      ' 2. Create the blog post(s) for nodejs.org.\n' +
+      ' 3. Create the release(s) on GitHub.\n' +
+      ' 4. Optionally, announce the release(s) on your social networks.\n' +
       ' 5. Tag @nodejs-social-team on #nodejs-release Slack channel.\n');
 
     cli.separator();
-    cli.info('Use the following command to create the GitHub release:');
+    cli.info('Use the following command(s) to create the GitHub release(s):');
     cli.separator();
-    cli.info(
-      'awk \'' +
-      `/^## ${this.date}, Version ${this.version.replaceAll('.', '\\.')} /,` +
-      '/^<a id="[0-9]+\\.[0-9]+\\.[0-9]+"><\\x2fa>$/{' +
-      'print buf; if(firstLine == "") firstLine = $0; else buf = $0' +
-    `}' doc/changelogs/CHANGELOG_V${
-      this.versionComponents.major}.md | gh release create v${this.version} --verify-tag --latest${
-        this.isLTS ? '=false' : ''} --title=${JSON.stringify(this.releaseTitle)} --notes-file -`);
+    for (const { date, version, versionComponents, isLTS, releaseTitle } of releases) {
+      cli.info(
+        'awk \'' +
+        `/^## ${date}, Version ${version.replaceAll('.', '\\.')} /,` +
+        '/^<a id="[0-9]+\\.[0-9]+\\.[0-9]+"><\\x2fa>$/{' +
+        'print buf; if(firstLine == "") firstLine = $0; else buf = $0' +
+        `}' doc/changelogs/CHANGELOG_V${
+          versionComponents.major}.md | gh release create v${version} --verify-tag --latest${
+            isLTS ? '=false' : ''} --title=${JSON.stringify(releaseTitle)} --notes-file -`);
+    }
   }
 
-  async verifyTagSignature() {
-    const { cli, version } = this;
+  async verifyTagSignature(version) {
+    const { cli } = this;
     const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using RSA key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from "([^<]+) <\2>"/;
     const [verifyTagOutput, haystack] = await Promise.all([forceRunAsync(
       'git', ['--no-pager',
@@ -258,8 +224,8 @@ export default class ReleasePromotion extends Session {
     }
   }
 
-  async verifyPRAttributes() {
-    const { cli, prid, owner, repo, req } = this;
+  async verifyPRAttributes({ prid, owner, repo }) {
+    const { cli, req } = this;
 
     const data = new PRData({ prid, owner, repo }, cli, req);
     await data.getAll();
@@ -325,8 +291,8 @@ export default class ReleasePromotion extends Session {
     return data;
   }
 
-  async parseDataFromReleaseCommit() {
-    const { cli, releaseCommitSha } = this;
+  async parseDataFromReleaseCommit(releaseCommitSha) {
+    const { cli } = this;
 
     const releaseCommitMessage = await forceRunAsync('git', [
       '--no-pager', 'log', '-1',
@@ -338,26 +304,19 @@ export default class ReleasePromotion extends Session {
 
     const releaseCommitData = await this.validateReleaseCommit(releaseCommitMessage);
 
-    this.date = releaseCommitData.date;
-    this.version = releaseCommitData.version;
-    this.stagingBranch = releaseCommitData.stagingBranch;
-    this.versionComponents = releaseCommitData.versionComponents;
-    this.isLTS = releaseCommitData.isLTS;
-    this.ltsCodename = releaseCommitData.ltsCodename;
-
     // Check if CHANGELOG show the correct releaser for the current release
     const changeLogDiff = await forceRunAsync('git', [
       '--no-pager', 'diff',
-      `${this.releaseCommitSha}^..${this.releaseCommitSha}`,
+      `${releaseCommitSha}^..${releaseCommitSha}`,
       '--',
-      `doc/changelogs/CHANGELOG_V${this.versionComponents.major}.md`
+      `doc/changelogs/CHANGELOG_V${releaseCommitData.versionComponents.major}.md`
     ], { captureStdout: true, ignoreFailure: false });
     const headingLine = /^\+## \d{4}-\d{2}-\d{2}, Version \d.+$/m.exec(changeLogDiff);
     if (headingLine == null) {
       cli.error('Cannot find section for the new release in CHANGELOG');
       throw new Error('Aborted');
     }
-    this.releaseTitle = headingLine[0].slice(4);
+    releaseCommitData.releaseTitle = headingLine[0].slice(4);
     const expectedLine = `+## ${releaseCommitMessage}, @${this.username}`;
     if (headingLine[0] !== expectedLine &&
         !headingLine[0].startsWith(`${expectedLine} prepared by @`)) {
@@ -370,11 +329,11 @@ export default class ReleasePromotion extends Session {
         throw new Error('Aborted');
       }
     }
-  }
 
-  async secureTagRelease() {
-    const { version, isLTS, ltsCodename, releaseCommitSha } = this;
+    return releaseCommitData;
+  }
 
+  async secureTagRelease({ version, isLTS, ltsCodename, releaseCommitSha, date }) {
     const releaseInfo = isLTS ? `${ltsCodename} (LTS)` : '(Current)';
 
     try {
@@ -382,7 +341,7 @@ export default class ReleasePromotion extends Session {
         const api = new gst.API(process.cwd());
         api.sign(`v${version}`, releaseCommitSha, {
           insecure: false,
-          m: `${this.date} Node.js v${version} ${releaseInfo} Release`
+          m: `${date} Node.js v${version} ${releaseInfo} Release`
         }, (err) => err ? reject(err) : resolve());
       });
     } catch (err) {
@@ -401,9 +360,7 @@ export default class ReleasePromotion extends Session {
 
   // Set up the branch so that nightly builds are produced with the next
   // version number and a pre-release tag.
-  async setupForNextRelease() {
-    const { versionComponents, prid, owner, repo } = this;
-
+  async setupForNextRelease({ prid, owner, repo, versionComponents }) {
     // Update node_version.h for next patch release.
     const filePath = path.resolve('src', 'node_version.h');
     const nodeVersionFile = await fs.open(filePath, 'r+');
@@ -440,22 +397,16 @@ export default class ReleasePromotion extends Session {
     return workingOnNewReleaseCommit.trim();
   }
 
-  async pushToRemote(workingOnNewReleaseCommit) {
-    const { cli, dryRun, version, versionComponents, stagingBranch } = this;
-    const releaseBranch = `v${versionComponents.major}.x`;
-    const tagVersion = `v${version}`;
+  async pushToRemote(upstream, ...refs) {
+    const { cli, dryRun } = this;
 
     this.defaultBranch ??= await this.getDefaultBranch();
 
-    let prompt = `Push release tag and commits to ${this.upstream}?`;
+    let prompt = `Push release tag and commits to ${upstream}?`;
     if (dryRun) {
       cli.info(dryRunMessage);
       cli.info('Run the following command to push to remote:');
-      cli.info(`git push ${this.upstream} ${
-        this.defaultBranch} ${
-        tagVersion} ${
-        workingOnNewReleaseCommit}:refs/heads/${releaseBranch} ${
-        workingOnNewReleaseCommit}:refs/heads/${stagingBranch}`);
+      cli.info(`git push ${upstream} ${refs.join(' ')}`);
       cli.warn('Once pushed, you must not delete the local tag');
       prompt = 'Ready to continue?';
     }
@@ -469,12 +420,8 @@ export default class ReleasePromotion extends Session {
     }
 
     cli.startSpinner('Pushing to remote');
-    await forceRunAsync('git', ['push', this.upstream, this.defaultBranch, tagVersion,
-      `${workingOnNewReleaseCommit}:refs/heads/${releaseBranch}`,
-      `${workingOnNewReleaseCommit}:refs/heads/${stagingBranch}`],
-    { ignoreFailure: false });
-    cli.stopSpinner(`Pushed ${tagVersion}, ${this.defaultBranch}, ${
-      releaseBranch}, and ${stagingBranch} to remote`);
+    await forceRunAsync('git', ['push', upstream, ...refs], { ignoreFailure: false });
+    cli.stopSpinner(`Pushed ${JSON.stringify(refs)} to remote`);
     cli.warn('Now that it has been pushed, you must not delete the local tag');
   }
 
@@ -507,21 +454,91 @@ export default class ReleasePromotion extends Session {
     cli.stopSpinner('Release has been signed and promoted');
   }
 
-  async cherryPickToDefaultBranch() {
+  async rebaseRemoteBranch(branchName, workingOnNewReleaseCommit) {
+    const { cli, upstream } = this;
+    cli.startSpinner('Fetch staging branch');
+    await forceRunAsync('git', ['fetch', upstream, branchName], { ignoreFailure: false });
+    cli.updateSpinner('Reset and rebase');
+    await forceRunAsync('git', ['reset', 'FETCH_HEAD', '--hard'], { ignoreFailure: false });
+    await forceRunAsync('git',
+      ['rebase', workingOnNewReleaseCommit, ...this.gpgSign], { ignoreFailure: false });
+    const tipOfStagingBranch = await forceRunAsync('git', ['rev-parse', 'HEAD'],
+      { ignoreFailure: false, captureStdout: true });
+    cli.stopSpinner('Rebased successfully');
+
+    return tipOfStagingBranch.trim();
+  }
+
+  async checkoutDefaultBranch() {
     this.defaultBranch ??= await this.getDefaultBranch();
-    const releaseCommitSha = this.releaseCommitSha;
     await forceRunAsync('git', ['checkout', this.defaultBranch], { ignoreFailure: false });
 
     await this.tryResetBranch();
 
+    return this.defaultBranch;
+  }
+
+  async cherryPick(commit) {
     // There might be conflicts, we do not want to treat this as a hard failure,
     // but we want to retain that information.
     try {
-      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, releaseCommitSha],
+      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, commit],
         { ignoreFailure: false });
       return true;
     } catch {
       return false;
     }
   }
+
+  async cherryPickReleaseCommit(releaseCommitSha) {
+    const { cli } = this;
+
+    const appliedCleanly = await this.cherryPick(releaseCommitSha);
+    // Ensure `node_version.h`'s `NODE_VERSION_IS_RELEASE` bit is not updated
+    await forceRunAsync('git', ['checkout',
+      appliedCleanly
+        ? 'HEAD^' // In the absence of conflict, the top of the remote branch is the commit before.
+        : 'HEAD', // In case of conflict, HEAD is still the top of the remove branch.
+      '--', 'src/node_version.h'],
+    { ignoreFailure: false });
+
+    if (appliedCleanly) {
+      // There were no conflicts, we have to amend the commit to revert the
+      // `node_version.h` changes.
+      await forceRunAsync('git', ['commit', ...this.gpgSign, '--amend', '--no-edit', '-n'],
+        { ignoreFailure: false });
+    } else {
+      // There will be remaining cherry-pick conflicts the Releaser will
+      // need to resolve, so confirm they've been resolved before
+      // proceeding with next steps.
+      cli.separator();
+      cli.info('Resolve the conflicts and commit the result');
+      cli.separator();
+      const didResolveConflicts = await cli.prompt(
+        'Finished resolving cherry-pick conflicts?', { defaultAnswer: true });
+      if (!didResolveConflicts) {
+        throw new Error('Aborted');
+      }
+    }
+
+    if (existsSync('.git/CHERRY_PICK_HEAD')) {
+      cli.info('Cherry-pick is still in progress, attempting to continue it.');
+      await forceRunAsync('git', ['cherry-pick', ...this.gpgSign, '--continue'],
+        { ignoreFailure: false });
+    }
+
+    // Validate release commit on the default branch
+    const releaseCommitOnDefaultBranch =
+      await forceRunAsync('git', ['show', 'HEAD', '--name-only', '--pretty=format:%s'],
+        { captureStdout: true, ignoreFailure: false });
+    const [commitTitle, ...modifiedFiles] = releaseCommitOnDefaultBranch.trim().split('\n');
+    await this.validateReleaseCommit(commitTitle);
+    if (modifiedFiles.some(file => !file.endsWith('.md'))) {
+      cli.warn('Some modified files are not markdown, that\'s unusual.');
+      cli.info(`The list of modified files: ${modifiedFiles.map(f => `- ${f}`).join('\n')}`);
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        throw new Error('Aborted');
+      }
+    }
+  }
 }

package/lib/request.js

@@ -43,7 +43,11 @@ export default class Request {
   }
 
   async text(url, options = {}) {
-    return this.fetch(url, options).then(res => res.text());
+    const res = await this.fetch(url, options);
+    if (isDebugVerbosity()) {
+      debuglog('[Request] Got response from', url, ':\n', res.status, ' ', res.statusText);
+    }
+    return res.text();
   }
 
   async json(url, options = {}) {

package/lib/session.js

@@ -20,6 +20,9 @@ export default class Session {
     this.dir = dir;
     this.prid = prid;
     this.config = { ...getMergedConfig(this.dir), ...argv };
+    this.gpgSign = argv?.['gpg-sign']
+      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
+      : [];
 
     if (warnForMissing) {
       const { upstream, owner, repo } = this;

package/lib/update_security_release.js

@@ -46,6 +46,10 @@ export default class UpdateSecurityRelease extends SecurityRelease {
     }
     const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
     fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+
+    const commitMessage = 'chore: git node security --sync';
+    commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+      commitMessage, { cli: this.cli, repository: this.repository });
     this.cli.ok('Synced vulnerabilities.json with HackerOne');
   }
 

package/lib/voting_session.js

@@ -29,7 +29,6 @@ export default class VotingSession extends Session {
     this.abstain = abstain;
     this.closeVote = argv['decrypt-key-part'];
     this.postComment = argv['post-comment'];
-    this.gpgSign = argv['gpg-sign'];
   }
 
   get argv() {
@@ -111,7 +110,7 @@ export default class VotingSession extends Session {
                     out.toString('base64') +
                     '\n-----END SHAMIR KEY PART-----';
     this.cli.log('Your key part is:');
-    this.cli.log(keyPart);
+    console.log(keyPart); // Using `console.log` so this gets output to stdout, not stderr.
     const body = 'I would like to close this vote, and for this effect, I\'m revealing my ' +
                  `key part:\n\n${'```'}\n${keyPart}\n${'```'}\n`;
     if (this.postComment) {

package/lib/wpt/index.js

@@ -79,9 +79,13 @@ export class WPTUpdater {
     await removeDirectory(this.fixtures(this.path));
 
     this.cli.startSpinner('Pulling assets...');
-    await Promise.all(assets.map(
-      (asset) => this.pullTextFile(fixtures, asset.name)
-    ));
+    // See https://github.com/nodejs/node-core-utils/issues/810
+    for (let i = 0; i < assets.length; i += 10) {
+      const chunk = assets.slice(i, i + 10);
+      await Promise.all(chunk.map(
+        (asset) => this.pullTextFile(fixtures, asset.name)
+      ));
+    }
     this.cli.stopSpinner(`Downloaded ${assets.length} assets.`);
 
     return assets;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.13.0",
+  "version": "5.14.1",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {