@node-core/utils 5.16.2 → 6.1.0

package/README.md

@@ -76,18 +76,29 @@ Optionally, if you want to grant write access so `git-node` can write comments:
 
 You can also edit the permission of existing tokens later.
 
-After the token is generated, create an rc file with the following content:
-(`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`):
-
-```json
-{
-  "username": "your_github_username",
-  "token": "token_that_you_created"
-}
+After the token is generated, you can give it to NCU using:
+
+<details open name="set-token"><summary>With encryption (Recommended)</summary>
+
+```sh
+ncu-config set username your_github_username
+# Do not provide the token in the CLI, `ncu-config` will prompt you for it.
+ncu-config set -x token
+```
+
+Note: Encryption is available only if you have `gpg` setup on your machine.
+
+</details>
+
+<details name="set-token"><summary>Without encryption</summary>
+
+```sh
+ncu-config set username your_github_username
+# Do not provide the token in the CLI, `ncu-config` will prompt you for it.
+ncu-config set token
 ```
 
-Note: you could use `ncu-config` to configure these variables, but it's not
-recommended to leave your tokens in your command line history.
+</details>
 
 ### Setting up Jenkins credentials
 
@@ -108,27 +119,24 @@ To obtain the Jenkins API token
    `~/.ncurc.gpg` or `$XDG_CONFIG_HOME/ncurc.gpg`) with `jenkins_token` as key,
    like this:
 
-   ```json
-   {
-     "username": "your_github_username",
-     "token": "your_github_token",
-     "jenkins_token": "your_jenkins_token"
-   }
+   <details open name="set-jenkins-token"><summary>With encryption (recommended)</summary>
+   
+   ```sh
+   ncu-config set -x jenkins_token
    ```
 
-### Protecting your credentials
+   Note: Encryption is available only if you have `gpg` setup on your machine.
 
-If you have `gpg` installed and setup on your local machine, it is strongly recommended
-to store an encrypted version of this file:
+   </details>
+   <details name="set-jenkins-token"><summary>Without encryption</summary>
+   
+   ```sh
+   ncu-config set jenkins_token
+   ```
 
-```console
-$ gpg --default-recipient-self --encrypt ~/.ncurc
-$ rm ~/.ncurc
-```
+   </details>
 
-The credentials are now encrypted in `~/.ncurc.gpg` and everytime it's needed,
-node-core-utils will invoke `gpg` that may ask you to decrypt it using
-your default key via pinentry.
+### Protecting your credentials
 
 Put the following entries into your
 [global `gitignore` file](https://git-scm.com/docs/git-config#Documentation/git-config.txt-coreexcludesFile)

package/bin/ncu-config.js

@@ -1,10 +1,14 @@
 #!/usr/bin/env node
 
+import * as readline from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+
 import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 
 import {
-  getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG
+  getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG,
+  encryptValue
 } from '../lib/config.js';
 import { setVerbosityFromEnv } from '../lib/verbosity.js';
 
@@ -13,10 +17,15 @@ setVerbosityFromEnv();
 const args = yargs(hideBin(process.argv))
   .completion('completion')
   .command({
-    command: 'set <key> <value>',
+    command: 'set <key> [<value>]',
     desc: 'Set a config variable',
     builder: (yargs) => {
       yargs
+        .option('encrypt', {
+          describe: 'Store the value encrypted using gpg',
+          alias: 'x',
+          type: 'boolean'
+        })
         .positional('key', {
           describe: 'key of the configuration',
           type: 'string'
@@ -61,8 +70,6 @@ const args = yargs(hideBin(process.argv))
   .conflicts('global', 'project')
   .help();
 
-const argv = args.parse();
-
 function getConfigType(argv) {
   if (argv.global) {
     return { configName: 'global', configType: GLOBAL_CONFIG };
@@ -73,9 +80,19 @@ function getConfigType(argv) {
   return { configName: 'local', configType: LOCAL_CONFIG };
 }
 
-function setHandler(argv) {
+async function setHandler(argv) {
   const { configName, configType } = getConfigType(argv);
   const config = getConfig(configType);
+  if (!argv.value) {
+    const rl = readline.createInterface({ input, output });
+    argv.value = await rl.question('What value do you want to set? ');
+    rl.close();
+  } else if (argv.encrypt) {
+    console.warn('Passing sensitive config value via the shell is discouraged');
+  }
+  if (argv.encrypt) {
+    argv.value = await encryptValue(argv.value);
+  }
   console.log(
     `Updating ${configName} configuration ` +
     `[${argv.key}]: ${config[argv.key]} -> ${argv.value}`);
@@ -96,6 +113,8 @@ function listHandler(argv) {
   }
 }
 
+const argv = await args.parse();
+
 if (!['get', 'set', 'list'].includes(argv._[0])) {
   args.showHelp();
 }

package/components/git/release.js

@@ -50,8 +50,14 @@ const releaseOptions = {
     type: 'boolean'
   },
   security: {
-    describe: 'Demarcate the new security release as a security release',
-    type: 'boolean'
+    describe: 'Demarcate the new security release as a security release. ' +
+              'Optionally provide path to security-release repository for CVE auto-population',
+    type: 'string',
+    coerce: (arg) => {
+      // If --security=path is used, return the path
+      if (arg === '' || arg === true) return true;
+      return arg;
+    }
   },
   skipBranchDiff: {
     describe: 'Skips the initial branch-diff check when preparing releases',

package/components/git/v8.js

@@ -2,12 +2,12 @@ import path from 'node:path';
 
 import logSymbols from 'log-symbols';
 
-import { minor, major, backport } from '../../lib/update-v8/index.js';
+import { minor, major, backport, deps } from '../../lib/update-v8/index.js';
 import { defaultBaseDir } from '../../lib/update-v8/constants.js';
 import { checkCwd } from '../../lib/update-v8/common.js';
 import { forceRunAsync } from '../../lib/run.js';
 
-export const command = 'v8 [major|minor|backport]';
+export const command = 'v8 [major|minor|backport|deps]';
 export const describe = 'Update or patch the V8 engine';
 
 export function builder(yargs) {
@@ -26,6 +26,11 @@ export function builder(yargs) {
           describe: 'Bump the NODE_MODULE_VERSION constant',
           default: true
         });
+        yargs.option('concurrent', {
+          type: 'boolean',
+          describe: 'Update dependencies concurrently',
+          default: true,
+        });
       }
     })
     .command({
@@ -64,6 +69,19 @@ export function builder(yargs) {
           });
       }
     })
+    .command({
+      command: 'deps',
+      desc: 'Update V8 dependencies from the DEPS file',
+      handler,
+      builder: (yargs) => {
+        yargs
+          .option('concurrent', {
+            type: 'boolean',
+            describe: 'Update dependencies concurrently',
+            default: true,
+          });
+      }
+    })
     .demandCommand(1, 'Please provide a valid command')
     .option('node-dir', {
       describe: 'Directory of a Node.js clone',
@@ -126,6 +144,8 @@ export function handler(argv) {
           return major(options);
         case 'backport':
           return backport(options);
+        case 'deps':
+          return deps(options);
       }
     })
     .catch((err) => {

package/lib/auth.js

@@ -3,7 +3,7 @@ import { ClientRequest } from 'node:http';
 
 import ghauth from 'ghauth';
 
-import { getMergedConfig, getNcurcPath } from './config.js';
+import { clearCachedConfig, encryptValue, getMergedConfig, getNcurcPath } from './config.js';
 
 export default lazy(auth);
 
@@ -60,67 +60,90 @@ function encode(name, token) {
   return Buffer.from(`${name}:${token}`).toString('base64');
 }
 
+function setOwnProperty(target, key, value) {
+  return Object.defineProperty(target, key, {
+    __proto__: null,
+    configurable: true,
+    enumerable: true,
+    value
+  });
+}
+
 // TODO: support jenkins only...or not necessary?
 // TODO: make this a class with dependency (CLI) injectable for testing
 async function auth(
   options = { github: true },
   githubAuth = ghauth) {
-  const result = {};
+  const result = {
+    get github() {
+      let username;
+      let token;
+      try {
+        ({ username, token } = getMergedConfig());
+      } catch (e) {
+        // Ignore error and prompt
+      }
+
+      check(username, token);
+      const github = encode(username, token);
+      setOwnProperty(result, 'github', github);
+      return github;
+    },
+
+    get jenkins() {
+      const { username, jenkins_token } = getMergedConfig();
+      if (!username || !jenkins_token) {
+        errorExit(
+          'Get your Jenkins API token in https://ci.nodejs.org/me/security ' +
+          'and run the following command to add it to your ncu config: ' +
+          'ncu-config --global set -x jenkins_token'
+        );
+      };
+      check(username, jenkins_token);
+      const jenkins = encode(username, jenkins_token);
+      setOwnProperty(result, 'jenkins', jenkins);
+      return jenkins;
+    },
+
+    get h1() {
+      const { h1_username, h1_token } = getMergedConfig();
+      check(h1_username, h1_token);
+      const h1 = encode(h1_username, h1_token);
+      setOwnProperty(result, 'h1', h1);
+      return h1;
+    }
+  };
   if (options.github) {
-    let username;
-    let token;
+    let config;
     try {
-      ({ username, token } = getMergedConfig());
-    } catch (e) {
-      // Ignore error and prompt
+      config = getMergedConfig();
+    } catch {
+      config = {};
     }
-
-    if (!username || !token) {
+    if (!Object.hasOwn(config, 'token') || !Object.hasOwn(config, 'username')) {
       process.stdout.write(
         'If this is your first time running this command, ' +
         'follow the instructions to create an access token' +
         '. If you prefer to create it yourself on Github, ' +
         'see https://github.com/nodejs/node-core-utils/blob/main/README.md.\n');
       const credentials = await tryCreateGitHubToken(githubAuth);
-      username = credentials.user;
-      token = credentials.token;
+      const username = credentials.user;
+      let token;
+      try {
+        token = await encryptValue(credentials.token);
+      } catch (err) {
+        console.warn('Failed encrypt token, storing unencrypted instead');
+        token = credentials.token;
+      }
       const json = JSON.stringify({ username, token }, null, 2);
       fs.writeFileSync(getNcurcPath(), json, {
         mode: 0o600 /* owner read/write */
       });
       // Try again reading the file
-      ({ username, token } = getMergedConfig());
+      clearCachedConfig();
     }
-    check(username, token);
-    result.github = encode(username, token);
   }
 
-  if (options.jenkins) {
-    const { username, jenkins_token } = getMergedConfig();
-    if (!username || !jenkins_token) {
-      errorExit(
-        'Get your Jenkins API token in https://ci.nodejs.org/me/configure ' +
-        'and run the following command to add it to your ncu config: ' +
-        'ncu-config --global set jenkins_token TOKEN'
-      );
-    };
-    check(username, jenkins_token);
-    result.jenkins = encode(username, jenkins_token);
-  }
-
-  if (options.h1) {
-    const { h1_username, h1_token } = getMergedConfig();
-    if (!h1_username || !h1_token) {
-      errorExit(
-        'Get your HackerOne API token in ' +
-        'https://docs.hackerone.com/organizations/api-tokens.html ' +
-        'and run the following command to add it to your ncu config: ' +
-        'ncu-config --global set h1_token TOKEN or ' +
-        'ncu-config --global set h1_username USERNAME'
-      );
-    };
-    result.h1 = encode(h1_username, h1_token);
-  }
   return result;
 }
 

package/lib/cherry_pick.js

@@ -14,20 +14,30 @@ export default class CherryPick {
     upstream,
     gpgSign,
     lint,
-    includeCVE
+    includeCVE,
+    cveIds,
+    vulnCveMap
   } = {}) {
     this.prid = prid;
     this.cli = cli;
     this.dir = dir;
     this.upstream = upstream;
     this.gpgSign = gpgSign;
-    this.options = { owner, repo, lint, includeCVE };
+    this.options = { owner, repo, lint, includeCVE, cveIds, vulnCveMap };
   }
 
   get includeCVE() {
     return this.options.includeCVE ?? false;
   }
 
+  get cveIds() {
+    return this.options.cveIds ?? null;
+  }
+
+  get vulnCveMap() {
+    return this.options.vulnCveMap ?? null;
+  }
+
   get owner() {
     return this.options.owner || 'nodejs';
   }

package/lib/config.js

@@ -4,6 +4,7 @@ import os from 'node:os';
 import { readJson, writeJson } from './file.js';
 import { existsSync, mkdtempSync, rmSync } from 'node:fs';
 import { spawnSync } from 'node:child_process';
+import { forceRunAsync, runSync } from './run.js';
 
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -18,32 +19,95 @@ export function getNcurcPath() {
   }
 }
 
-export function getMergedConfig(dir, home) {
-  const globalConfig = getConfig(GLOBAL_CONFIG, home);
-  const projectConfig = getConfig(PROJECT_CONFIG, dir);
-  const localConfig = getConfig(LOCAL_CONFIG, dir);
-  return Object.assign(globalConfig, projectConfig, localConfig);
+let mergedConfig;
+export function getMergedConfig(dir, home, additional) {
+  if (mergedConfig == null) {
+    const globalConfig = getConfig(GLOBAL_CONFIG, home);
+    const projectConfig = getConfig(PROJECT_CONFIG, dir);
+    const localConfig = getConfig(LOCAL_CONFIG, dir);
+    mergedConfig = Object.assign(globalConfig, projectConfig, localConfig, additional);
+  }
+  return mergedConfig;
 };
+export function clearCachedConfig() {
+  mergedConfig = null;
+}
+
+export async function encryptValue(input) {
+  console.warn('Spawning gpg to encrypt the config value');
+  return forceRunAsync(
+    process.env.GPG_BIN || 'gpg',
+    ['--default-recipient-self', '--encrypt', '--armor'],
+    {
+      captureStdout: true,
+      ignoreFailure: false,
+      input
+    }
+  );
+}
+
+function setOwnProperty(target, key, value) {
+  return Object.defineProperty(target, key, {
+    __proto__: null,
+    configurable: true,
+    enumerable: true,
+    value
+  });
+}
+function addEncryptedPropertyGetter(target, key, input) {
+  if (input?.startsWith?.('-----BEGIN PGP MESSAGE-----\n')) {
+    return Object.defineProperty(target, key, {
+      __proto__: null,
+      configurable: true,
+      get() {
+        // Using an error object to get a stack trace in debug mode.
+        const warn = new Error(
+          `The config value for ${key} is encrypted, spawning gpg to decrypt it...`
+        );
+        console.warn(setOwnProperty(warn, 'name', 'Warning'));
+        const value = runSync(process.env.GPG_BIN || 'gpg', ['--decrypt'], { input });
+        setOwnProperty(target, key, value);
+        return value;
+      },
+      set(newValue) {
+        if (!addEncryptedPropertyGetter(target, key, newValue)) {
+          throw new Error(
+            'Refusing to override an encrypted value with a non-encrypted one. ' +
+            'Please use an encrypted one, or delete the config key first.'
+          );
+        }
+      }
+    });
+  }
+}
 
-export function getConfig(configType, dir) {
+export function getConfig(configType, dir, raw = false) {
   const configPath = getConfigPath(configType, dir);
   const encryptedConfigPath = configPath + '.gpg';
   if (existsSync(encryptedConfigPath)) {
     console.warn('Encrypted config detected, spawning gpg to decrypt it...');
     const { status, stdout } =
-      spawnSync('gpg', ['--decrypt', encryptedConfigPath]);
+      spawnSync(process.env.GPG_BIN || 'gpg', ['--decrypt', encryptedConfigPath]);
     if (status === 0) {
       return JSON.parse(stdout.toString('utf-8'));
     }
   }
   try {
-    return readJson(configPath);
+    const json = readJson(configPath);
+    if (!raw) {
+      // Raw config means encrypted values are returned as is.
+      // Otherwise we install getters to decrypt them when accessed.
+      for (const [key, val] of Object.entries(json)) {
+        addEncryptedPropertyGetter(json, key, val);
+      }
+    }
+    return json;
   } catch (cause) {
     throw new Error('Unable to parse config file ' + configPath, { cause });
   }
 };
 
-export function getConfigPath(configType, dir) {
+function getConfigPath(configType, dir) {
   switch (configType) {
     case GLOBAL_CONFIG:
       return getNcurcPath();
@@ -61,7 +125,7 @@ export function getConfigPath(configType, dir) {
   }
 };
 
-export function writeConfig(configType, obj, dir) {
+function writeConfig(configType, obj, dir) {
   const configPath = getConfigPath(configType, dir);
   const encryptedConfigPath = configPath + '.gpg';
   if (existsSync(encryptedConfigPath)) {
@@ -69,7 +133,7 @@ export function writeConfig(configType, obj, dir) {
     const tmpFile = path.join(tmpDir, 'config.json');
     try {
       writeJson(tmpFile, obj);
-      const { status } = spawnSync('gpg',
+      const { status } = spawnSync(process.env.GPG_BIN || 'gpg',
         ['--default-recipient-self', '--yes', '--encrypt', '--output', encryptedConfigPath, tmpFile]
       );
       if (status !== 0) {
@@ -85,7 +149,7 @@ export function writeConfig(configType, obj, dir) {
 };
 
 export function updateConfig(configType, obj, dir) {
-  const config = getConfig(configType, dir);
+  const config = getConfig(configType, dir, true);
   writeConfig(configType, Object.assign(config, obj), dir);
 };
 

package/lib/landing_session.js

@@ -345,12 +345,39 @@ export default class LandingSession extends Session {
     }
 
     if (!containCVETrailer && this.includeCVE) {
-      const cveID = await cli.prompt(
-        'Git found no CVE-ID trailer in the original commit message. ' +
-        'Please, provide the CVE-ID',
-        { questionType: 'input', defaultAnswer: 'CVE-2023-XXXXX' }
-      );
-      amended.push('CVE-ID: ' + cveID);
+      let cveID;
+      if (this.cveIds && this.cveIds.length > 0) {
+        cveID = this.cveIds.join(', ');
+        cli.ok(`Using CVE-ID from vulnerabilities.json: ${cveID}`);
+      } else {
+        // Fallback: check if the original commit has a PR-URL trailer
+        // and use it to look up CVE-IDs from the vulnerabilities map
+        if (this.vulnCveMap) {
+          const prUrlMatch = original.match(PR_RE);
+          if (prUrlMatch) {
+            const prUrl = prUrlMatch[1];
+            const cveIds = this.vulnCveMap.get(prUrl);
+            if (cveIds && cveIds.length > 0) {
+              cveID = cveIds.join(', ');
+              cli.ok(`Using CVE-ID from backport PR-URL (${prUrl}): ${cveID}`);
+            }
+          }
+        }
+
+        // Fall back to prompt if still not found
+        if (!cveID) {
+          cveID = await cli.prompt(
+            'Git found no CVE-ID trailer in the original commit message. ' +
+            'Please, provide the CVE-ID or leave it empty',
+            { questionType: 'input', defaultAnswer: 'CVE-2026-XXXXX' }
+          );
+        }
+      }
+      // Some commits might not address a vulnerability, but it is necessary
+      // for the security release to happen.
+      if (cveID !== '') {
+        amended.push('CVE-ID: ' + cveID);
+      }
     }
 
     const message = amended.join('\n');
@@ -464,8 +491,8 @@ export default class LandingSession extends Session {
     const url = `https://github.com/${owner}/${repo}/pull/${prid}`;
     cli.log(`2. Post "Landed in ${willBeLanded}" in ${url}`);
     if (isGhAvailable()) {
-      cli.log(`   gh pr comment ${prid} --body "Landed in ${willBeLanded}"`);
-      cli.log(`   gh pr close ${prid}`);
+      cli.log(`   gh pr comment ${url} --body "Landed in ${willBeLanded}"`);
+      cli.log(`   gh pr close ${url}`);
     }
   }
 

package/lib/pr_checker.js

@@ -19,7 +19,6 @@ const { FROM_COMMENT, FROM_REVIEW_COMMENT } = REVIEW_SOURCES;
 
 const SECOND = 1000;
 const MINUTE = SECOND * 60;
-const HOUR = MINUTE * 60;
 
 const WAIT_TIME_MULTI_APPROVAL = 24 * 2;
 const WAIT_TIME_SINGLE_APPROVAL = 24 * 7;
@@ -196,10 +195,18 @@ export default class PRChecker {
 
     const createTime = new Date(this.pr.createdAt);
     const msFromCreateTime = now.getTime() - createTime.getTime();
-    const minutesFromCreateTime = Math.ceil(msFromCreateTime / MINUTE);
-    const hoursFromCreateTime = Math.ceil(msFromCreateTime / HOUR);
-    let timeLeftMulti = this.waitTimeMultiApproval - hoursFromCreateTime;
-    const timeLeftSingle = this.waitTimeSingleApproval - hoursFromCreateTime;
+    const minutesFromCreateTime = msFromCreateTime / MINUTE;
+    const timeLeftMulti = this.waitTimeMultiApproval * 60 - minutesFromCreateTime;
+    const timeLeftSingle = this.waitTimeSingleApproval * 60 - minutesFromCreateTime;
+    const timeToText = (time, liaison_word = undefined) => {
+      let unity = 'minute';
+      if (time > 59) {
+        unity = 'hour';
+        time /= 60;
+      }
+      time = Math.ceil(time);
+      return `${time} ${liaison_word ? liaison_word + ' ' : ''}${unity}${time === 1 ? '' : 's'}`;
+    };
 
     if (approved.length >= 2) {
       if (isFastTracked || isCodeAndLearn) {
@@ -208,15 +215,9 @@ export default class PRChecker {
       if (timeLeftMulti < 0) {
         return true;
       }
-      if (timeLeftMulti === 0) {
-        const timeLeftMins =
-          this.waitTimeMultiApproval * 60 - minutesFromCreateTime;
-        cli.error(`This PR needs to wait ${timeLeftMins} ` +
-                  `more minutes to land${fastTrackAppendix}`);
-        return false;
-      }
-      cli.error(`This PR needs to wait ${timeLeftMulti} more ` +
-                `hours to land${fastTrackAppendix}`);
+      cli.error(
+        `This PR needs to wait ${timeToText(timeLeftMulti, 'more')} to land${fastTrackAppendix}`
+      );
       return false;
     }
 
@@ -224,10 +225,9 @@ export default class PRChecker {
       if (timeLeftSingle < 0) {
         return true;
       }
-      timeLeftMulti = timeLeftMulti < 0 || isFastTracked ? 0 : timeLeftMulti;
-      cli.error(`This PR needs to wait ${timeLeftSingle} more hours to land ` +
-                `(or ${timeLeftMulti} hours if there is one more approval)` +
-                fastTrackAppendix);
+      cli.error(`This PR needs to wait ${timeToText(timeLeftSingle, 'more')} to land (or ${
+          timeToText(timeLeftMulti < 0 || isFastTracked ? 0 : timeLeftMulti)
+        } if there is one more approval)${fastTrackAppendix}`);
       return false;
     }
   }