@node-core/utils 5.16.2 → 6.0.0

package/README.md

@@ -76,18 +76,29 @@ Optionally, if you want to grant write access so `git-node` can write comments:
 
 You can also edit the permission of existing tokens later.
 
-After the token is generated, create an rc file with the following content:
-(`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`):
-
-```json
-{
-  "username": "your_github_username",
-  "token": "token_that_you_created"
-}
+After the token is generated, you can give it to NCU using:
+
+<details open name="set-token"><summary>With encryption (Recommended)</summary>
+
+```sh
+ncu-config set username your_github_username
+# Do not provide the token in the CLI, `ncu-config` will prompt you for it.
+ncu-config set -x token
+```
+
+Note: Encryption is available only if you have `gpg` setup on your machine.
+
+</details>
+
+<details name="set-token"><summary>Without encryption</summary>
+
+```sh
+ncu-config set username your_github_username
+# Do not provide the token in the CLI, `ncu-config` will prompt you for it.
+ncu-config set token
 ```
 
-Note: you could use `ncu-config` to configure these variables, but it's not
-recommended to leave your tokens in your command line history.
+</details>
 
 ### Setting up Jenkins credentials
 
@@ -108,27 +119,24 @@ To obtain the Jenkins API token
    `~/.ncurc.gpg` or `$XDG_CONFIG_HOME/ncurc.gpg`) with `jenkins_token` as key,
    like this:
 
-   ```json
-   {
-     "username": "your_github_username",
-     "token": "your_github_token",
-     "jenkins_token": "your_jenkins_token"
-   }
+   <details open name="set-jenkins-token"><summary>With encryption (recommended)</summary>
+   
+   ```sh
+   ncu-config set -x jenkins_token
    ```
 
-### Protecting your credentials
+   Note: Encryption is available only if you have `gpg` setup on your machine.
 
-If you have `gpg` installed and setup on your local machine, it is strongly recommended
-to store an encrypted version of this file:
+   </details>
+   <details name="set-jenkins-token"><summary>Without encryption</summary>
+   
+   ```sh
+   ncu-config set jenkins_token
+   ```
 
-```console
-$ gpg --default-recipient-self --encrypt ~/.ncurc
-$ rm ~/.ncurc
-```
+   </details>
 
-The credentials are now encrypted in `~/.ncurc.gpg` and everytime it's needed,
-node-core-utils will invoke `gpg` that may ask you to decrypt it using
-your default key via pinentry.
+### Protecting your credentials
 
 Put the following entries into your
 [global `gitignore` file](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coreexcludesFile)

package/bin/ncu-config.js

@@ -1,10 +1,14 @@
 #!/usr/bin/env node
 
+import * as readline from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 
 import {
-  getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG
+  getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG,
+  encryptValue
 } from '../lib/config.js';
 import { setVerbosityFromEnv } from '../lib/verbosity.js';
 
@@ -13,10 +17,15 @@ setVerbosityFromEnv();
 const args = yargs(hideBin(process.argv))
   .completion('completion')
   .command({
-    command: 'set <key> <value>',
+    command: 'set <key> [<value>]',
     desc: 'Set a config variable',
     builder: (yargs) => {
       yargs
+        .option('encrypt', {
+          describe: 'Store the value encrypted using gpg',
+          alias: 'x',
+          type: 'boolean'
+        })
         .positional('key', {
           describe: 'key of the configuration',
           type: 'string'
@@ -61,8 +70,6 @@ const args = yargs(hideBin(process.argv))
   .conflicts('global', 'project')
   .help();
 
-const argv = args.parse();
-
 function getConfigType(argv) {
   if (argv.global) {
     return { configName: 'global', configType: GLOBAL_CONFIG };
@@ -73,9 +80,19 @@ function getConfigType(argv) {
   return { configName: 'local', configType: LOCAL_CONFIG };
 }
 
-function setHandler(argv) {
+async function setHandler(argv) {
   const { configName, configType } = getConfigType(argv);
   const config = getConfig(configType);
+  if (!argv.value) {
+    const rl = readline.createInterface({ input, output });
+    argv.value = await rl.question('What value do you want to set? ');
+    rl.close();
+  } else if (argv.encrypt) {
+    console.warn('Passing sensitive config value via the shell is discouraged');
+  }
+  if (argv.encrypt) {
+    argv.value = await encryptValue(argv.value);
+  }
   console.log(
     `Updating ${configName} configuration ` +
     `[${argv.key}]: ${config[argv.key]} -> ${argv.value}`);
@@ -96,6 +113,8 @@ function listHandler(argv) {
   }
 }
 
+const argv = await args.parse();
+
 if (!['get', 'set', 'list'].includes(argv._[0])) {
   args.showHelp();
 }

package/components/git/v8.js

@@ -2,12 +2,12 @@ import path from 'node:path';
 
 import logSymbols from 'log-symbols';
 
-import { minor, major, backport } from '../../lib/update-v8/index.js';
+import { minor, major, backport, deps } from '../../lib/update-v8/index.js';
 import { defaultBaseDir } from '../../lib/update-v8/constants.js';
 import { checkCwd } from '../../lib/update-v8/common.js';
 import { forceRunAsync } from '../../lib/run.js';
 
-export const command = 'v8 [major|minor|backport]';
+export const command = 'v8 [major|minor|backport|deps]';
 export const describe = 'Update or patch the V8 engine';
 
 export function builder(yargs) {
@@ -26,6 +26,11 @@ export function builder(yargs) {
           describe: 'Bump the NODE_MODULE_VERSION constant',
           default: true
         });
+        yargs.option('concurrent', {
+          type: 'boolean',
+          describe: 'Update dependencies concurrently',
+          default: true,
+        });
       }
     })
     .command({
@@ -64,6 +69,19 @@ export function builder(yargs) {
           });
       }
     })
+    .command({
+      command: 'deps',
+      desc: 'Update V8 dependencies from the DEPS file',
+      handler,
+      builder: (yargs) => {
+        yargs
+          .option('concurrent', {
+            type: 'boolean',
+            describe: 'Update dependencies concurrently',
+            default: true,
+          });
+      }
+    })
     .demandCommand(1, 'Please provide a valid command')
     .option('node-dir', {
       describe: 'Directory of a Node.js clone',
@@ -126,6 +144,8 @@ export function handler(argv) {
           return major(options);
         case 'backport':
           return backport(options);
+        case 'deps':
+          return deps(options);
       }
     })
     .catch((err) => {

package/lib/auth.js

@@ -3,7 +3,7 @@ import { ClientRequest } from 'node:http';
 
 import ghauth from 'ghauth';
 
-import { getMergedConfig, getNcurcPath } from './config.js';
+import { clearCachedConfig, encryptValue, getMergedConfig, getNcurcPath } from './config.js';
 
 export default lazy(auth);
 
@@ -60,67 +60,90 @@ function encode(name, token) {
   return Buffer.from(`${name}:${token}`).toString('base64');
 }
 
+function setOwnProperty(target, key, value) {
+  return Object.defineProperty(target, key, {
+    __proto__: null,
+    configurable: true,
+    enumerable: true,
+    value
+  });
+}
+
 // TODO: support jenkins only...or not necessary?
 // TODO: make this a class with dependency (CLI) injectable for testing
 async function auth(
   options = { github: true },
   githubAuth = ghauth) {
-  const result = {};
+  const result = {
+    get github() {
+      let username;
+      let token;
+      try {
+        ({ username, token } = getMergedConfig());
+      } catch (e) {
+        // Ignore error and prompt
+      }
+
+      check(username, token);
+      const github = encode(username, token);
+      setOwnProperty(result, 'github', github);
+      return github;
+    },
+
+    get jenkins() {
+      const { username, jenkins_token } = getMergedConfig();
+      if (!username || !jenkins_token) {
+        errorExit(
+          'Get your Jenkins API token in https://ci.nodejs.org/me/security ' +
+          'and run the following command to add it to your ncu config: ' +
+          'ncu-config --global set -x jenkins_token'
+        );
+      };
+      check(username, jenkins_token);
+      const jenkins = encode(username, jenkins_token);
+      setOwnProperty(result, 'jenkins', jenkins);
+      return jenkins;
+    },
+
+    get h1() {
+      const { h1_username, h1_token } = getMergedConfig();
+      check(h1_username, h1_token);
+      const h1 = encode(h1_username, h1_token);
+      setOwnProperty(result, 'h1', h1);
+      return h1;
+    }
+  };
   if (options.github) {
-    let username;
-    let token;
+    let config;
     try {
-      ({ username, token } = getMergedConfig());
-    } catch (e) {
-      // Ignore error and prompt
+      config = getMergedConfig();
+    } catch {
+      config = {};
     }
-
-    if (!username || !token) {
+    if (!Object.hasOwn(config, 'token') || !Object.hasOwn(config, 'username')) {
       process.stdout.write(
         'If this is your first time running this command, ' +
         'follow the instructions to create an access token' +
         '. If you prefer to create it yourself on Github, ' +
         'see https://github.com/nodejs/node-core-utils/blob/main/README.md.\n');
       const credentials = await tryCreateGitHubToken(githubAuth);
-      username = credentials.user;
-      token = credentials.token;
+      const username = credentials.user;
+      let token;
+      try {
+        token = await encryptValue(credentials.token);
+      } catch (err) {
+        console.warn('Failed encrypt token, storing unencrypted instead');
+        token = credentials.token;
+      }
       const json = JSON.stringify({ username, token }, null, 2);
       fs.writeFileSync(getNcurcPath(), json, {
         mode: 0o600 /* owner read/write */
       });
       // Try again reading the file
-      ({ username, token } = getMergedConfig());
+      clearCachedConfig();
     }
-    check(username, token);
-    result.github = encode(username, token);
   }
 
-  if (options.jenkins) {
-    const { username, jenkins_token } = getMergedConfig();
-    if (!username || !jenkins_token) {
-      errorExit(
-        'Get your Jenkins API token in https://ci.nodejs.org/me/configure ' +
-        'and run the following command to add it to your ncu config: ' +
-        'ncu-config --global set jenkins_token TOKEN'
-      );
-    };
-    check(username, jenkins_token);
-    result.jenkins = encode(username, jenkins_token);
-  }
-
-  if (options.h1) {
-    const { h1_username, h1_token } = getMergedConfig();
-    if (!h1_username || !h1_token) {
-      errorExit(
-        'Get your HackerOne API token in ' +
-        'https://docs.hackerone.com/organizations/api-tokens.html ' +
-        'and run the following command to add it to your ncu config: ' +
-        'ncu-config --global set h1_token TOKEN or ' +
-        'ncu-config --global set h1_username USERNAME'
-      );
-    };
-    result.h1 = encode(h1_username, h1_token);
-  }
   return result;
 }
 

package/lib/config.js

@@ -4,6 +4,7 @@ import os from 'node:os';
 import { readJson, writeJson } from './file.js';
 import { existsSync, mkdtempSync, rmSync } from 'node:fs';
 import { spawnSync } from 'node:child_process';
+import { forceRunAsync, runSync } from './run.js';
 
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -18,32 +19,95 @@ export function getNcurcPath() {
   }
 }
 
-export function getMergedConfig(dir, home) {
-  const globalConfig = getConfig(GLOBAL_CONFIG, home);
-  const projectConfig = getConfig(PROJECT_CONFIG, dir);
-  const localConfig = getConfig(LOCAL_CONFIG, dir);
-  return Object.assign(globalConfig, projectConfig, localConfig);
+let mergedConfig;
+export function getMergedConfig(dir, home, additional) {
+  if (mergedConfig == null) {
+    const globalConfig = getConfig(GLOBAL_CONFIG, home);
+    const projectConfig = getConfig(PROJECT_CONFIG, dir);
+    const localConfig = getConfig(LOCAL_CONFIG, dir);
+    mergedConfig = Object.assign(globalConfig, projectConfig, localConfig, additional);
+  }
+  return mergedConfig;
 };
+export function clearCachedConfig() {
+  mergedConfig = null;
+}
+
+export async function encryptValue(input) {
+  console.warn('Spawning gpg to encrypt the config value');
+  return forceRunAsync(
+    process.env.GPG_BIN || 'gpg',
+    ['--default-recipient-self', '--encrypt', '--armor'],
+    {
+      captureStdout: true,
+      ignoreFailure: false,
+      input
+    }
+  );
+}
+
+function setOwnProperty(target, key, value) {
+  return Object.defineProperty(target, key, {
+    __proto__: null,
+    configurable: true,
+    enumerable: true,
+    value
+  });
+}
+function addEncryptedPropertyGetter(target, key, input) {
+  if (input?.startsWith?.('-----BEGIN PGP MESSAGE-----\n')) {
+    return Object.defineProperty(target, key, {
+      __proto__: null,
+      configurable: true,
+      get() {
+        // Using an error object to get a stack trace in debug mode.
+        const warn = new Error(
+          `The config value for ${key} is encrypted, spawning gpg to decrypt it...`
+        );
+        console.warn(setOwnProperty(warn, 'name', 'Warning'));
+        const value = runSync(process.env.GPG_BIN || 'gpg', ['--decrypt'], { input });
+        setOwnProperty(target, key, value);
+        return value;
+      },
+      set(newValue) {
+        if (!addEncryptedPropertyGetter(target, key, newValue)) {
+          throw new Error(
+            'Refusing to override an encrypted value with a non-encrypted one. ' +
+            'Please use an encrypted one, or delete the config key first.'
+          );
+        }
+      }
+    });
+  }
+}
 
-export function getConfig(configType, dir) {
+export function getConfig(configType, dir, raw = false) {
   const configPath = getConfigPath(configType, dir);
   const encryptedConfigPath = configPath + '.gpg';
   if (existsSync(encryptedConfigPath)) {
     console.warn('Encrypted config detected, spawning gpg to decrypt it...');
     const { status, stdout } =
-      spawnSync('gpg', ['--decrypt', encryptedConfigPath]);
+      spawnSync(process.env.GPG_BIN || 'gpg', ['--decrypt', encryptedConfigPath]);
     if (status === 0) {
       return JSON.parse(stdout.toString('utf-8'));
     }
   }
   try {
-    return readJson(configPath);
+    const json = readJson(configPath);
+    if (!raw) {
+      // Raw config means encrypted values are returned as is.
+      // Otherwise we install getters to decrypt them when accessed.
+      for (const [key, val] of Object.entries(json)) {
+        addEncryptedPropertyGetter(json, key, val);
+      }
+    }
+    return json;
   } catch (cause) {
     throw new Error('Unable to parse config file ' + configPath, { cause });
   }
 };
 
-export function getConfigPath(configType, dir) {
+function getConfigPath(configType, dir) {
   switch (configType) {
     case GLOBAL_CONFIG:
       return getNcurcPath();
@@ -61,7 +125,7 @@ export function getConfigPath(configType, dir) {
   }
 };
 
-export function writeConfig(configType, obj, dir) {
+function writeConfig(configType, obj, dir) {
   const configPath = getConfigPath(configType, dir);
   const encryptedConfigPath = configPath + '.gpg';
   if (existsSync(encryptedConfigPath)) {
@@ -69,7 +133,7 @@ export function writeConfig(configType, obj, dir) {
     const tmpFile = path.join(tmpDir, 'config.json');
     try {
       writeJson(tmpFile, obj);
-      const { status } = spawnSync('gpg',
+      const { status } = spawnSync(process.env.GPG_BIN || 'gpg',
         ['--default-recipient-self', '--yes', '--encrypt', '--output', encryptedConfigPath, tmpFile]
       );
       if (status !== 0) {
@@ -85,7 +149,7 @@ export function writeConfig(configType, obj, dir) {
 };
 
 export function updateConfig(configType, obj, dir) {
-  const config = getConfig(configType, dir);
+  const config = getConfig(configType, dir, true);
   writeConfig(configType, Object.assign(config, obj), dir);
 };
 

package/lib/landing_session.js

@@ -464,8 +464,8 @@ export default class LandingSession extends Session {
     const url = `https://github.com/${owner}/${repo}/pull/${prid}`;
     cli.log(`2. Post "Landed in ${willBeLanded}" in ${url}`);
     if (isGhAvailable()) {
-      cli.log(`   gh pr comment ${prid} --body "Landed in ${willBeLanded}"`);
-      cli.log(`   gh pr close ${prid}`);
+      cli.log(`   gh pr comment ${url} --body "Landed in ${willBeLanded}"`);
+      cli.log(`   gh pr close ${url}`);
     }
   }
 

package/lib/pr_checker.js

@@ -19,7 +19,6 @@ const { FROM_COMMENT, FROM_REVIEW_COMMENT } = REVIEW_SOURCES;
 
 const SECOND = 1000;
 const MINUTE = SECOND * 60;
-const HOUR = MINUTE * 60;
 
 const WAIT_TIME_MULTI_APPROVAL = 24 * 2;
 const WAIT_TIME_SINGLE_APPROVAL = 24 * 7;
@@ -196,10 +195,18 @@ export default class PRChecker {
 
     const createTime = new Date(this.pr.createdAt);
     const msFromCreateTime = now.getTime() - createTime.getTime();
-    const minutesFromCreateTime = Math.ceil(msFromCreateTime / MINUTE);
-    const hoursFromCreateTime = Math.ceil(msFromCreateTime / HOUR);
-    let timeLeftMulti = this.waitTimeMultiApproval - hoursFromCreateTime;
-    const timeLeftSingle = this.waitTimeSingleApproval - hoursFromCreateTime;
+    const minutesFromCreateTime = msFromCreateTime / MINUTE;
+    const timeLeftMulti = this.waitTimeMultiApproval * 60 - minutesFromCreateTime;
+    const timeLeftSingle = this.waitTimeSingleApproval * 60 - minutesFromCreateTime;
+    const timeToText = (time, liaison_word = undefined) => {
+      let unity = 'minute';
+      if (time > 59) {
+        unity = 'hour';
+        time /= 60;
+      }
+      time = Math.ceil(time);
+      return `${time} ${liaison_word ? liaison_word + ' ' : ''}${unity}${time === 1 ? '' : 's'}`;
+    };
 
     if (approved.length >= 2) {
       if (isFastTracked || isCodeAndLearn) {
@@ -208,15 +215,9 @@ export default class PRChecker {
       if (timeLeftMulti < 0) {
         return true;
       }
-      if (timeLeftMulti === 0) {
-        const timeLeftMins =
-          this.waitTimeMultiApproval * 60 - minutesFromCreateTime;
-        cli.error(`This PR needs to wait ${timeLeftMins} ` +
-                  `more minutes to land${fastTrackAppendix}`);
-        return false;
-      }
-      cli.error(`This PR needs to wait ${timeLeftMulti} more ` +
-                `hours to land${fastTrackAppendix}`);
+      cli.error(
+        `This PR needs to wait ${timeToText(timeLeftMulti, 'more')} to land${fastTrackAppendix}`
+      );
       return false;
     }
 
@@ -224,10 +225,9 @@ export default class PRChecker {
       if (timeLeftSingle < 0) {
         return true;
       }
-      timeLeftMulti = timeLeftMulti < 0 || isFastTracked ? 0 : timeLeftMulti;
-      cli.error(`This PR needs to wait ${timeLeftSingle} more hours to land ` +
-                `(or ${timeLeftMulti} hours if there is one more approval)` +
-                fastTrackAppendix);
+      cli.error(`This PR needs to wait ${timeToText(timeLeftSingle, 'more')} to land (or ${
+          timeToText(timeLeftMulti < 0 || isFastTracked ? 0 : timeLeftMulti)
+        } if there is one more approval)${fastTrackAppendix}`);
       return false;
     }
   }

package/lib/promote_release.js

@@ -1,5 +1,7 @@
 import path from 'node:path';
 import fs from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { pipeline } from 'node:stream/promises';
 import semver from 'semver';
 import * as gst from 'git-secure-tag';
 
@@ -196,31 +198,44 @@ export default class ReleasePromotion extends Session {
 
   async verifyTagSignature(version) {
     const { cli } = this;
-    const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using \w+ key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from (?:"[^"]+"(?: \[ultimate\])?\ngpg:\s+aka )*"([^<]+) <\2>"/;
-    const [verifyTagOutput, haystack] = await Promise.all([forceRunAsync(
-      'git', ['--no-pager',
-        'verify-tag',
-        `v${version}`
-      ], { ignoreFailure: false, captureStderr: true }), fs.readFile('README.md')]);
-    const match = verifyTagPattern.exec(verifyTagOutput);
-    if (match == null) {
-      cli.warn('git was not able to verify the tag:');
-      cli.info(verifyTagOutput);
-    } else {
-      const [, keyID, email, name] = match;
-      const needle = `* **${name}** <<${email}>>\n  ${'`'}${keyID}${'`'}`;
-      if (haystack.includes(needle)) {
-        return;
+
+    cli.startSpinner('Downloading active releasers keyring from nodejs/release-keys...');
+    const [keyRingStream, [GNUPGHOME, keyRingFd]] = await Promise.all([
+      fetch('https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx'),
+      fs.mkdtemp(path.join(tmpdir(), 'ncu-'))
+        .then(async d => [d, await fs.open(path.join(d, 'pubring.kbx'), 'w')]),
+    ]);
+    if (!keyRingStream.ok) throw new Error('Failed to download keyring', { cause: keyRingStream });
+    await pipeline(keyRingStream.body, keyRingFd.createWriteStream());
+    cli.stopSpinner('Active releasers keyring stored in temp directory');
+
+    try {
+      await forceRunAsync(
+        'git', ['--no-pager',
+          'verify-tag',
+          `v${version}`
+        ], {
+          ignoreFailure: false,
+          spawnArgs: { env: { ...process.env, GNUPGHOME } },
+        });
+      cli.ok('git tag signature verified');
+    } catch (cause) {
+      cli.error('git was not able to verify the tag');
+      cli.warn('This means that either the tag was signed with the wrong key,');
+      cli.warn('or that nodejs/release-keys contains outdated information.');
+      cli.warn('The release should not proceed.');
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        if (await cli.prompt('Do you want to delete the local tag?')) {
+          await forceRunAsync('git', ['tag', '-d', `v${version}`]);
+        } else {
+          cli.info(`Run 'git tag -d v${version}' to remove the local tag.`);
+        }
+        throw new Error('Aborted', { cause });
       }
-      cli.warn('Tag was signed with an undocumented identity/key pair!');
-      cli.info('Expected to find the following entry in the README:');
-      cli.info(needle);
-      cli.info('If you are using a subkey, it might be OK.');
-    }
-    cli.info(`If that doesn't sound right, consider removing the tag (git tag -d v${version
-             }), check your local config, and start the process over.`);
-    if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
-      throw new Error('Aborted');
+    } finally {
+      cli.startSpinner('Cleaning up temp files');
+      await fs.rm(GNUPGHOME, { force: true, recursive: true });
+      cli.stopSpinner('Temp files removed');
     }
   }