@node-core/utils 5.14.0 → 5.15.0

package/README.md

@@ -89,6 +89,14 @@ After the token is generated, create an rc file with the following content:
 Note: you could use `ncu-config` to configure these variables, but it's not
 recommended to leave your tokens in your command line history.
 
+If you have `gpg` installed and setup on your local machine, it is recommended
+to store an encrypted version of this file:
+
+```console
+$ gpg --default-recipient-self --encrypt ~/.ncurc
+$ rm ~/.ncurc
+```
+
 ### Setting up Jenkins credentials
 
 The `git-node` and `ncu-ci` commands need to query the Node.js Jenkins API for
@@ -104,8 +112,9 @@ To obtain the Jenkins API token
 3. Enter an identifiable name (for example, `node-core-utils`) for this
    token in the inbox that appears, and click `GENERATE`.
 4. Copy the generated token.
-5. Add it into your `ncurc` file (`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`)
-   with `jenkins_token` as key, like this:
+5. Add it into your `ncurc` file (`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`, or
+   `~/.ncurc.gpg` or `$XDG_CONFIG_HOME/ncurc.gpg`) with `jenkins_token` as key,
+   like this:
 
    ```json
    {
@@ -125,6 +134,7 @@ Put the following entries into your
 ```
 # node-core-utils configuration file
 .ncurc
+.ncurc.gpg
 # node-core-utils working directory
 .ncu
 ```

package/bin/ncu-ci.js

@@ -111,8 +111,8 @@ const args = yargs(hideBin(process.argv))
     builder: (yargs) => {
       yargs
         .positional('prid', {
-          describe: 'ID of the PR',
-          type: 'number'
+          describe: 'ID of the PR or URL to the PR or its head commit',
+          type: 'string'
         })
         .option('certify-safe', {
           describe: 'SHA of the commit that is expected to be at the tip of the PR head. ' +
@@ -574,6 +574,15 @@ async function main(command, argv) {
   // Prepare queue.
   switch (command) {
     case 'run': {
+      const maybeURL = URL.parse(argv.prid);
+      if (maybeURL?.host === 'github.com') {
+        const [, owner, repo, , prid, , commit_sha] = maybeURL.pathname.split('/');
+        argv.owner ||= owner;
+        argv.repo ||= repo;
+        argv.certifySafe ||= commit_sha;
+        argv.prid = prid;
+      }
+      argv.prid = Number(argv.prid);
       const jobRunner = new RunPRJobCommand(cli, request, argv);
       return jobRunner.start();
     }

package/lib/cherry_pick.js

@@ -11,12 +11,16 @@ export default class CherryPick {
   constructor(prid, dir, cli, {
     owner,
     repo,
+    upstream,
+    gpgSign,
     lint,
     includeCVE
   } = {}) {
     this.prid = prid;
     this.cli = cli;
     this.dir = dir;
+    this.upstream = upstream;
+    this.gpgSign = gpgSign;
     this.options = { owner, repo, lint, includeCVE };
   }
 
@@ -88,14 +92,15 @@ export default class CherryPick {
       } else if (cleanLint === LINT_RESULTS.SUCCESS) {
         cli.ok('Lint passed cleanly');
       }
-      return this.amend(metadata.metadata, commitInfo);
+      this.metadata = metadata.metadata;
+      return this.amend(commitInfo);
     } catch (e) {
       cli.error(e.message);
       return false;
     }
   }
 
-  async amend(metadata, commitInfo) {
+  async amend(commitInfo) {
     const { cli } = this;
     const subjects = await runAsync('git',
       ['log', '--pretty=format:%s', `${commitInfo.base}..${commitInfo.head}`],
@@ -116,7 +121,7 @@ export default class CherryPick {
       await runAsync('git', ['commit', '--amend', '--no-edit']);
     }
 
-    return LandingSession.prototype.amend.call(this, metadata);
+    return LandingSession.prototype.amend.call(this);
   }
 
   readyToAmend() {

package/lib/config.js

@@ -2,6 +2,8 @@ import path from 'node:path';
 import os from 'node:os';
 
 import { readJson, writeJson } from './file.js';
+import { existsSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
 
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -25,6 +27,14 @@ export function getMergedConfig(dir, home) {
 
 export function getConfig(configType, dir) {
   const configPath = getConfigPath(configType, dir);
+  const encryptedConfigPath = configPath + '.gpg';
+  if (existsSync(encryptedConfigPath)) {
+    const { status, stdout } =
+      spawnSync('gpg', ['--decrypt', encryptedConfigPath]);
+    if (status === 0) {
+      return JSON.parse(stdout.toString('utf-8'));
+    }
+  }
   try {
     return readJson(configPath);
   } catch (cause) {

package/lib/landing_session.js

@@ -7,6 +7,7 @@ import Session from './session.js';
 import {
   shortSha, isGhAvailable, getEditor
 } from './utils.js';
+import { debuglog, isDebugVerbosity } from './verbosity.js';
 
 const isWindows = process.platform === 'win32';
 
@@ -27,9 +28,6 @@ export default class LandingSession extends Session {
     this.lint = lint;
     this.autorebase = autorebase;
     this.fixupAll = fixupAll;
-    this.gpgSign = argv?.['gpg-sign']
-      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
-      : [];
     this.oneCommitMax = oneCommitMax;
     this.expectedCommitShas = [];
     this.checkCI = !!checkCI;
@@ -120,6 +118,9 @@ export default class LandingSession extends Session {
         ['cherry-pick', '--allow-empty', ...this.gpgSign, `${base}..${head}`],
         { ignoreFailure: false });
     } catch (ex) {
+      if (isDebugVerbosity()) {
+        debuglog('[LandingSession] Got error', ex);
+      }
       cli.error('Failed to apply patches');
       process.exit(1);
     }

package/lib/prepare_release.js

@@ -70,6 +70,8 @@ export default class ReleasePreparation extends Session {
       const cp = new CherryPick(pr.number, this.dir, cli, {
         owner: this.owner,
         repo: this.repo,
+        gpgSign: this.gpgSign,
+        upstream: this.isSecurityRelease ? `https://${this.username}:${this.config.token}@github.com/${this.owner}/${this.repo}.git` : this.upstream,
         lint: false,
         includeCVE: true
       });

package/lib/promote_release.js

@@ -17,13 +17,10 @@ const dryRunMessage = 'You are running in dry-run mode, meaning NCU will not run
 
 export default class ReleasePromotion extends Session {
   constructor(argv, req, cli, dir) {
-    super(cli, dir);
+    super(cli, dir, null, argv);
     this.req = req;
     this.dryRun = !argv.run;
     this.proposalUpstreamRemote = argv.fetchFrom ?? this.upstream;
-    this.gpgSign = argv?.['gpg-sign']
-      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
-      : [];
   }
 
   get branch() {

package/lib/request.js

@@ -43,7 +43,11 @@ export default class Request {
   }
 
   async text(url, options = {}) {
-    return this.fetch(url, options).then(res => res.text());
+    const res = await this.fetch(url, options);
+    if (isDebugVerbosity()) {
+      debuglog('[Request] Got response from', url, ':\n', res.status, ' ', res.statusText);
+    }
+    return res.text();
   }
 
   async json(url, options = {}) {

package/lib/security-announcement.js

@@ -1,9 +1,12 @@
+import fs from 'node:fs';
 import {
   NEXT_SECURITY_RELEASE_REPOSITORY,
   checkoutOnSecurityReleaseBranch,
   getVulnerabilitiesJSON,
+  getVulnerabilitiesJSONPath,
   validateDate,
   formatDateToYYYYMMDD,
+  commitAndPushVulnerabilitiesJSON,
   createIssue
 } from './security-release/security-release.js';
 import auth from './auth.js';
@@ -40,10 +43,21 @@ export default class SecurityAnnouncement {
     validateDate(content.releaseDate);
     const releaseDate = new Date(content.releaseDate);
 
-    await Promise.all([
+    const [dockerIssue, buildIssue] = await Promise.all([
       this.createDockerNodeIssue(releaseDate),
       this.createBuildWGIssue(releaseDate)
     ]);
+
+    content.buildIssue = buildIssue;
+    content.dockerIssue = dockerIssue;
+
+    const vulnerabilitiesJSONPath = getVulnerabilitiesJSONPath();
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    const commitMessage = 'chore: add build and docker issue link';
+    commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+      commitMessage, { cli: this.cli, repository: this.repository });
+
+    this.cli.ok('Added docker and build issue in vulnerabilities.json');
   }
 
   async createBuildWGIssue(releaseDate) {
@@ -53,7 +67,7 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
-    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
+    return createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 
   createPreleaseAnnouncementIssue(releaseDate, team) {
@@ -71,6 +85,6 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
-    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
+    return createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 }

package/lib/security-release/security-release.js

@@ -107,6 +107,12 @@ export function getVulnerabilitiesJSON(cli) {
   return file;
 }
 
+export function getVulnerabilitiesJSONPath() {
+  const vulnerabilitiesJSONPath = path.join(process.cwd(),
+    NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  return vulnerabilitiesJSONPath;
+}
+
 export function validateDate(releaseDate) {
   const value = new Date(releaseDate).valueOf();
   if (Number.isNaN(value) || value < 0) {
@@ -135,6 +141,7 @@ export async function createIssue(title, content, repository, { cli, req }) {
   const data = await req.createIssue(title, content, repository);
   if (data.html_url) {
     cli.ok(`Created: ${data.html_url}`);
+    return data.html_url;
   } else {
     cli.error(data);
     process.exit(1);

package/lib/security_blog.js

@@ -6,7 +6,8 @@ import {
   PLACEHOLDERS,
   checkoutOnSecurityReleaseBranch,
   validateDate,
-  SecurityRelease
+  SecurityRelease,
+  commitAndPushVulnerabilitiesJSON,
 } from './security-release/security-release.js';
 import auth from './auth.js';
 import Request from './request.js';
@@ -56,16 +57,41 @@ export default class SecurityBlog extends SecurityRelease {
     const endDate = new Date(data.annoucementDate);
     endDate.setDate(endDate.getDate() + 7);
 
+    const link = `https://nodejs.org/en/blog/vulnerability/${fileName}`;
     this.updateWebsiteBanner(site, {
       startDate: data.annoucementDate,
       endDate: endDate.toISOString(),
       text: `New security releases to be made available ${data.releaseDate}`,
-      link: `https://nodejs.org/en/blog/vulnerability/${fileName}`,
+      link,
       type: 'warning'
     });
-
     fs.writeFileSync(file, preRelease);
+
     cli.ok(`Announcement file created and banner has been updated. Folder: ${nodejsOrgFolder}`);
+    await this.updateAnnouncementLink(link);
+  }
+
+  async updateAnnouncementLink(link) {
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    let shouldCommit = false;
+    for (let i = 0; i < content.reports.length; ++i) {
+      if (content.reports[i].announcement !== link) {
+        content.reports[i].announcement = link;
+        shouldCommit = true;
+      }
+    };
+
+    if (shouldCommit) {
+      fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+      const commitMessage = 'chore: add announcement link';
+      commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+        commitMessage, { cli: this.cli, repository: this.repository });
+
+      this.cli.ok('Updated the announcement link in vulnerabilities.json');
+    }
+
+    return [vulnerabilitiesJSONPath];
   }
 
   async createPostRelease(nodejsOrgFolder) {

package/lib/session.js

@@ -20,6 +20,9 @@ export default class Session {
     this.dir = dir;
     this.prid = prid;
     this.config = { ...getMergedConfig(this.dir), ...argv };
+    this.gpgSign = argv?.['gpg-sign']
+      ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
+      : [];
 
     if (warnForMissing) {
       const { upstream, owner, repo } = this;

package/lib/update_security_release.js

@@ -152,6 +152,7 @@ export default class UpdateSecurityRelease extends SecurityRelease {
     for (const cve of cves) {
       const report = reports.find(report => report.id === cve.reportId);
       report.cveIds = [cve.cve_identifier];
+      report.patchedVersions = cve.patchedVersions;
     }
   }
 
@@ -219,12 +220,14 @@ Summary: ${summary}\n`,
 
       if (!create) continue;
 
+      const { h1AffectedVersions, patchedVersions } =
+        await this.calculateVersions(affectedVersions, supportedVersions);
       const body = {
         data: {
           type: 'cve-request',
           attributes: {
             team_handle: 'nodejs-team',
-            versions: await this.formatAffected(affectedVersions, supportedVersions),
+            versions: h1AffectedVersions,
             metrics: [
               {
                 vectorString: cvss_vector_string
@@ -246,7 +249,7 @@ Summary: ${summary}\n`,
         continue;
       }
       const { cve_identifier } = data.attributes;
-      cves.push({ cve_identifier, reportId: id });
+      cves.push({ cve_identifier, reportId: id, patchedVersions });
     }
     return cves;
   }
@@ -262,15 +265,23 @@ Summary: ${summary}\n`,
     }
   }
 
-  async formatAffected(affectedVersions, supportedVersions) {
-    const result = [];
+  async calculateVersions(affectedVersions, supportedVersions) {
+    const h1AffectedVersions = [];
+    const patchedVersions = [];
     for (const affectedVersion of affectedVersions) {
       const major = affectedVersion.split('.')[0];
       const latest = supportedVersions.find((v) => v.major === Number(major)).version;
       const version = await this.cli.prompt(
         `What is the affected version (<=) for release line ${affectedVersion}?`,
         { questionType: 'input', defaultAnswer: latest });
-      result.push({
+
+      const nextPatchVersion = parseInt(version.split('.')[2]) + 1;
+      const patchedVersion = await this.cli.prompt(
+        `What is the patched version (>=) for release line ${affectedVersion}?`,
+        { questionType: 'input', defaultAnswer: nextPatchVersion });
+
+      patchedVersions.push(patchedVersion);
+      h1AffectedVersions.push({
         vendor: 'nodejs',
         product: 'node',
         func: '<=',
@@ -279,6 +290,6 @@ Summary: ${summary}\n`,
         affected: true
       });
     }
-    return result;
+    return { h1AffectedVersions, patchedVersions };
   }
 }

package/lib/voting_session.js

@@ -111,7 +111,7 @@ export default class VotingSession extends Session {
                     out.toString('base64') +
                     '\n-----END SHAMIR KEY PART-----';
     this.cli.log('Your key part is:');
-    this.cli.log(keyPart);
+    console.log(keyPart); // Using `console.log` so this gets output to stdout, not stderr.
     const body = 'I would like to close this vote, and for this effect, I\'m revealing my ' +
                  `key part:\n\n${'```'}\n${keyPart}\n${'```'}\n`;
     if (this.postComment) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.14.0",
+  "version": "5.15.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -68,6 +68,6 @@
     "eslint-plugin-promise": "^7.2.1",
     "globals": "^16.0.0",
     "neostandard": "^0.12.1",
-    "sinon": "^20.0.0"
+    "sinon": "^21.0.0"
   }
 }