@node-core/utils 5.16.2 → 6.1.0

package/lib/prepare_release.js

@@ -1,5 +1,5 @@
 import path from 'node:path';
-import { promises as fs } from 'node:fs';
+import { promises as fs, existsSync, readFileSync } from 'node:fs';
 
 import semver from 'semver';
 import { replaceInFile } from 'replace-in-file';
@@ -21,7 +21,11 @@ const isWindows = process.platform === 'win32';
 export default class ReleasePreparation extends Session {
   constructor(argv, cli, dir) {
     super(cli, dir);
-    this.isSecurityRelease = argv.security;
+    // argv.security can be either:
+    //   - true (boolean) if --security was used without parameter
+    //   - string if --security=path was used
+    this.isSecurityRelease = !!argv.security;
+    this.securityReleaseRepo = typeof argv.security === 'string' ? argv.security : null;
     this.isLTS = false;
     this.isLTSTransition = argv.startLTS;
     this.runBranchDiff = !argv.skipBranchDiff;
@@ -63,17 +67,62 @@ export default class ReleasePreparation extends Session {
       return false;
     }
 
+    const vulnCveMap = new Map();
+    if (this.isSecurityRelease && this.securityReleaseRepo) {
+      const vulnPath = path.join(
+        this.securityReleaseRepo,
+        'security-release',
+        'next-security-release',
+        'vulnerabilities.json'
+      );
+
+      if (!existsSync(vulnPath)) {
+        cli.error(`vulnerabilities.json not found at ${vulnPath}. ` +
+          'Skipping CVE auto-population.');
+        cli.warn('PRs will require manual CVE-ID entry.');
+      } else {
+        try {
+          cli.startSpinner(`Reading vulnerabilities.json from ${vulnPath}..`);
+          const vulnData = JSON.parse(readFileSync(vulnPath, 'utf-8'));
+          cli.stopSpinner(`Done reading vulnerabilities.json from ${vulnPath}`);
+
+          if (vulnData.reports && Array.isArray(vulnData.reports)) {
+            vulnData.reports.forEach(report => {
+              if (report.prURL && report.cveIds && report.cveIds.length > 0) {
+                vulnCveMap.set(report.prURL, report.cveIds);
+              }
+            });
+          }
+          cli.ok(`Loaded ${vulnCveMap.size} CVE mappings from vulnerabilities.json`);
+        } catch (err) {
+          cli.error(`Failed to read vulnerabilities.json: ${err.message}`);
+          cli.warn('Continuing without CVE auto-population.');
+        }
+      }
+    }
+
     for (const pr of prs) {
       if (pr.mergeable !== 'MERGEABLE') {
         this.warnForNonMergeablePR(pr);
       }
+
+      // Look up CVE-IDs from vulnerabilities.json
+      const prUrl = `https://github.com/${this.owner}/${this.repo}/pull/${pr.number}`;
+      const cveIds = vulnCveMap.get(prUrl);
+
+      if (!cveIds || cveIds.length === 0) {
+        cli.warn(`No CVE-IDs found in vulnerabilities.json for ${prUrl}`);
+      }
+
       const cp = new CherryPick(pr.number, this.dir, cli, {
         owner: this.owner,
         repo: this.repo,
         gpgSign: this.gpgSign,
         upstream: this.isSecurityRelease ? `https://${this.username}:${this.config.token}@github.com/${this.owner}/${this.repo}.git` : this.upstream,
         lint: false,
-        includeCVE: true
+        includeCVE: true,
+        cveIds: cveIds || null,
+        vulnCveMap
       });
       const success = await cp.start();
       if (!success) {

package/lib/promote_release.js

@@ -1,5 +1,7 @@
 import path from 'node:path';
 import fs from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { pipeline } from 'node:stream/promises';
 import semver from 'semver';
 import * as gst from 'git-secure-tag';
 
@@ -196,31 +198,44 @@ export default class ReleasePromotion extends Session {
 
   async verifyTagSignature(version) {
     const { cli } = this;
-    const verifyTagPattern = /gpg:[^\n]+\ngpg:\s+using \w+ key ([^\n]+)\ngpg:\s+issuer "([^"]+)"\ngpg:\s+Good signature from (?:"[^"]+"(?: \[ultimate\])?\ngpg:\s+aka )*"([^<]+) <\2>"/;
-    const [verifyTagOutput, haystack] = await Promise.all([forceRunAsync(
-      'git', ['--no-pager',
-        'verify-tag',
-        `v${version}`
-      ], { ignoreFailure: false, captureStderr: true }), fs.readFile('README.md')]);
-    const match = verifyTagPattern.exec(verifyTagOutput);
-    if (match == null) {
-      cli.warn('git was not able to verify the tag:');
-      cli.info(verifyTagOutput);
-    } else {
-      const [, keyID, email, name] = match;
-      const needle = `* **${name}** <<${email}>>\n  ${'`'}${keyID}${'`'}`;
-      if (haystack.includes(needle)) {
-        return;
+
+    cli.startSpinner('Downloading active releasers keyring from nodejs/release-keys...');
+    const [keyRingStream, [GNUPGHOME, keyRingFd]] = await Promise.all([
+      fetch('https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx'),
+      fs.mkdtemp(path.join(tmpdir(), 'ncu-'))
+        .then(async d => [d, await fs.open(path.join(d, 'pubring.kbx'), 'w')]),
+    ]);
+    if (!keyRingStream.ok) throw new Error('Failed to download keyring', { cause: keyRingStream });
+    await pipeline(keyRingStream.body, keyRingFd.createWriteStream());
+    cli.stopSpinner('Active releasers keyring stored in temp directory');
+
+    try {
+      await forceRunAsync(
+        'git', ['--no-pager',
+          'verify-tag',
+          `v${version}`
+        ], {
+          ignoreFailure: false,
+          spawnArgs: { env: { ...process.env, GNUPGHOME } },
+        });
+      cli.ok('git tag signature verified');
+    } catch (cause) {
+      cli.error('git was not able to verify the tag');
+      cli.warn('This means that either the tag was signed with the wrong key,');
+      cli.warn('or that nodejs/release-keys contains outdated information.');
+      cli.warn('The release should not proceed.');
+      if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+        if (await cli.prompt('Do you want to delete the local tag?')) {
+          await forceRunAsync('git', ['tag', '-d', `v${version}`]);
+        } else {
+          cli.info(`Run 'git tag -d v${version}' to remove the local tag.`);
+        }
+        throw new Error('Aborted', { cause });
       }
-      cli.warn('Tag was signed with an undocumented identity/key pair!');
-      cli.info('Expected to find the following entry in the README:');
-      cli.info(needle);
-      cli.info('If you are using a subkey, it might be OK.');
-    }
-    cli.info(`If that doesn't sound right, consider removing the tag (git tag -d v${version
-             }), check your local config, and start the process over.`);
-    if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
-      throw new Error('Aborted');
+    } finally {
+      cli.startSpinner('Cleaning up temp files');
+      await fs.rm(GNUPGHOME, { force: true, recursive: true });
+      cli.stopSpinner('Temp files removed');
     }
   }
 

package/lib/session.js

@@ -19,7 +19,7 @@ export default class Session {
     this.cli = cli;
     this.dir = dir;
     this.prid = prid;
-    this.config = { ...getMergedConfig(this.dir), ...argv };
+    this.config = getMergedConfig(this.dir, undefined, argv);
     this.gpgSign = argv?.['gpg-sign']
       ? (argv['gpg-sign'] === true ? ['-S'] : ['-S', argv['gpg-sign']])
       : [];
@@ -126,7 +126,12 @@ export default class Session {
     writeJson(this.sessionPath, {
       state: STARTED,
       prid: this.prid,
-      config: this.config
+      // Filter out getters, those are likely encrypted data we don't need on the session.
+      config: Object.entries(Object.getOwnPropertyDescriptors(this.config))
+        .reduce((pv, [key, desc]) => {
+          if (Object.hasOwn(desc, 'value')) pv[key] = desc.value;
+          return pv;
+        }, { __proto__: null }),
     });
   }
 
@@ -382,12 +387,19 @@ export default class Session {
       cli.setExitCode(1);
     }
     if (!upstream) {
-      cli.warn('You have not told git-node the remote you want to sync with.');
+      cli.warn('You have not told git-node what remote name you are trying to land commits on.');
       cli.separator();
-      cli.info(
-        'For example, if your remote pointing to nodejs/node is' +
-        ' `remote-upstream`, you can run:\n\n' +
-        '  $ ncu-config set upstream remote-upstream');
+      const remoteName = runSync('git', ['remote', '-v'])
+        .match(/^(\S+)\s+(?:https:\/\/github\.com\/|git@github\.com:)nodejs\/node\.git \(\S+\)\r?$/m)?.[1];
+      cli.info(remoteName
+        ? `You likely want to run the following:\n\n  $ ncu-config set upstream ${remoteName}`
+        : 'The expected repository does not seem to appear in your local config.\n' +
+        '1. First, add the Node.js core repository as a remote:\n' +
+        '   $ git remote add upstream https://github.com/nodejs/node.git\n\n' +
+        '2. Then, tell git-node to use this remote for syncing:\n' +
+        '   $ ncu-config set upstream upstream\n\n' +
+        'Note: Using "upstream" is recommended, but you can use any remote name.\n' +
+        'For security reasons, you need to add the remote manually.');
       cli.separator();
       cli.setExitCode(1);
     }

package/lib/update-v8/deps.js

@@ -0,0 +1,88 @@
+import path from 'node:path';
+import { promises as fs } from 'node:fs';
+
+import { chromiumGit, v8Deps } from './constants.js';
+import { forceRunAsync } from '../run.js';
+import {
+  addToGitignore,
+  filterForVersion,
+  getNodeV8Version,
+  removeDirectory,
+  replaceGitignore,
+} from './util.js';
+
+async function fetchFromGit(cwd, repo, commit) {
+  await removeDirectory(cwd);
+  await fs.mkdir(cwd, { recursive: true });
+  await exec('init');
+  await exec('remote', 'add', 'origin', repo);
+  await exec('fetch', 'origin', commit);
+  await exec('reset', '--hard', 'FETCH_HEAD');
+  await removeDirectory(path.join(cwd, '.git'));
+
+  function exec(...options) {
+    return forceRunAsync('git', options, {
+      ignoreFailure: false,
+      spawnArgs: { cwd, stdio: 'ignore' }
+    });
+  }
+}
+
+async function readDeps(nodeDir) {
+  const depsStr = await fs.readFile(path.join(nodeDir, 'deps/v8/DEPS'), 'utf8');
+  const start = depsStr.indexOf('deps = {');
+  const end = depsStr.indexOf('\n}', start) + 2;
+  const depsDeclaration = depsStr.substring(start, end).replace(/^ *#.*/gm, '');
+  const Var = () => chromiumGit; // eslint-disable-line no-unused-vars
+  let deps;
+  eval(depsDeclaration); // eslint-disable-line no-eval
+  return deps;
+}
+
+async function lookupDep(depsTable, depName) {
+  const dep = depsTable[depName];
+  if (!dep) {
+    throw new Error(`V8 dep "${depName}" not found in DEPS file`);
+  }
+  if (typeof dep === 'object') {
+    return dep.url.split('@');
+  }
+  return dep.split('@');
+}
+
+export default function updateV8Deps() {
+  return {
+    title: 'Update V8 DEPS',
+    task: async(ctx, task) => {
+      const newV8Version = await getNodeV8Version(ctx.nodeDir);
+      const repoPrefix = newV8Version.majorMinor >= 86 ? '' : 'v8/';
+      const deps = filterForVersion(v8Deps.map((v8Dep) => ({
+        ...v8Dep,
+        repo: `${repoPrefix}${v8Dep.repo}`,
+        path: v8Dep.repo
+      })), newV8Version);
+      if (deps.length === 0) return;
+      const depsTable = await readDeps(ctx.nodeDir);
+      const subtasks = [];
+      for (const dep of deps) {
+        // Update .gitignore sequentially to avoid races
+        if (dep.gitignore) {
+          if (typeof dep.gitignore === 'string') {
+            await addToGitignore(ctx.nodeDir, dep.gitignore);
+          } else {
+            await replaceGitignore(ctx.nodeDir, dep.gitignore);
+          }
+        }
+        subtasks.push({
+          title: `Update ${dep.path}`,
+          task: async(ctx) => {
+            const [repo, commit] = await lookupDep(depsTable, dep.repo);
+            const thePath = path.join(ctx.nodeDir, 'deps/v8', dep.path);
+            await fetchFromGit(thePath, repo, commit);
+          }
+        });
+      }
+      return task.newListr(subtasks, { concurrent: ctx.concurrent });
+    }
+  };
+};

package/lib/update-v8/index.js

@@ -5,6 +5,7 @@ import updateVersionNumbers from './updateVersionNumbers.js';
 import commitUpdate from './commitUpdate.js';
 import majorUpdate from './majorUpdate.js';
 import minorUpdate from './minorUpdate.js';
+import updateDeps from './deps.js';
 import updateV8Clone from './updateV8Clone.js';
 
 export function major(options) {
@@ -34,6 +35,14 @@ export async function backport(options) {
   return tasks.run(options);
 };
 
+export async function deps(options) {
+  const tasks = new Listr(
+    [updateDeps()],
+    getOptions(options)
+  );
+  return tasks.run(options);
+};
+
 /**
  * Get the listr2 options.
  * @param {{ verbose?: boolean }} options The original options.

package/lib/update-v8/majorUpdate.js

@@ -1,17 +1,12 @@
 import path from 'node:path';
-import { promises as fs } from 'node:fs';
 
 import { getCurrentV8Version } from './common.js';
+import updateV8Deps from './deps.js';
 import {
-  getNodeV8Version,
-  filterForVersion,
-  addToGitignore,
-  replaceGitignore,
   removeDirectory,
   isVersionString
 } from './util.js';
 import applyNodeChanges from './applyNodeChanges.js';
-import { chromiumGit, v8Deps } from './constants.js';
 import { forceRunAsync } from '../run.js';
 
 export default function majorUpdate() {
@@ -106,65 +101,3 @@ function addDepsV8() {
     })
   };
 }
-
-function updateV8Deps() {
-  return {
-    title: 'Update V8 DEPS',
-    task: async(ctx) => {
-      const newV8Version = await getNodeV8Version(ctx.nodeDir);
-      const repoPrefix = newV8Version.majorMinor >= 86 ? '' : 'v8/';
-      const deps = filterForVersion(v8Deps.map((v8Dep) => ({
-        ...v8Dep,
-        repo: `${repoPrefix}${v8Dep.repo}`,
-        path: v8Dep.repo
-      })), newV8Version);
-      if (deps.length === 0) return;
-      for (const dep of deps) {
-        if (dep.gitignore) {
-          if (typeof dep.gitignore === 'string') {
-            await addToGitignore(ctx.nodeDir, dep.gitignore);
-          } else {
-            await replaceGitignore(ctx.nodeDir, dep.gitignore);
-          }
-        }
-        const [repo, commit] = await readDeps(ctx.nodeDir, dep.repo);
-        const thePath = path.join(ctx.nodeDir, 'deps/v8', dep.path);
-        await fetchFromGit(thePath, repo, commit);
-      }
-    }
-  };
-}
-
-async function readDeps(nodeDir, depName) {
-  const depsStr = await fs.readFile(path.join(nodeDir, 'deps/v8/DEPS'), 'utf8');
-  const start = depsStr.indexOf('deps = {');
-  const end = depsStr.indexOf('\n}', start) + 2;
-  const depsDeclaration = depsStr.substring(start, end).replace(/^ *#.*/gm, '');
-  const Var = () => chromiumGit; // eslint-disable-line no-unused-vars
-  let deps;
-  eval(depsDeclaration); // eslint-disable-line no-eval
-  const dep = deps[depName];
-  if (!dep) {
-    throw new Error(`V8 dep "${depName}" not found in DEPS file`);
-  }
-  if (typeof dep === 'object') {
-    return dep.url.split('@');
-  }
-  return dep.split('@');
-}
-
-async function fetchFromGit(cwd, repo, commit) {
-  await fs.mkdir(cwd, { recursive: true });
-  await exec('init');
-  await exec('remote', 'add', 'origin', repo);
-  await exec('fetch', 'origin', commit);
-  await exec('reset', '--hard', 'FETCH_HEAD');
-  await removeDirectory(path.join(cwd, '.git'));
-
-  function exec(...options) {
-    return forceRunAsync('git', options, {
-      ignoreFailure: false,
-      spawnArgs: { cwd, stdio: 'ignore' }
-    });
-  }
-}

package/lib/update-v8/util.js

@@ -37,13 +37,18 @@ export function filterForVersion(list, version) {
 
 export async function addToGitignore(nodeDir, value) {
   const gitignorePath = path.join(nodeDir, 'deps/v8/.gitignore');
-  await fs.appendFile(gitignorePath, `${value}\n`);
+  const gitignore = await fs.readFile(gitignorePath, 'utf8');
+  if (!gitignore.includes(value)) {
+    await fs.appendFile(gitignorePath, `${value}\n`);
+  }
 }
 
 export async function replaceGitignore(nodeDir, options) {
   const gitignorePath = path.join(nodeDir, 'deps/v8/.gitignore');
   let gitignore = await fs.readFile(gitignorePath, 'utf8');
-  gitignore = gitignore.replace(options.match, options.replace);
+  if (!gitignore.includes(options.replace)) {
+    gitignore = gitignore.replace(options.match, options.replace);
+  }
   await fs.writeFile(gitignorePath, gitignore);
 }
 

package/lib/update_security_release.js

@@ -12,6 +12,7 @@ import fs from 'node:fs';
 import auth from './auth.js';
 import Request from './request.js';
 import nv from '@pkgjs/nv';
+import semver from 'semver';
 
 export default class UpdateSecurityRelease extends SecurityRelease {
   async sync() {
@@ -268,17 +269,26 @@ Summary: ${summary}\n`,
   async calculateVersions(affectedVersions, supportedVersions) {
     const h1AffectedVersions = [];
     const patchedVersions = [];
+    let isPatchRelease = true;
     for (const affectedVersion of affectedVersions) {
-      const major = affectedVersion.split('.')[0];
-      const latest = supportedVersions.find((v) => v.major === Number(major)).version;
+      const affectedMajor = affectedVersion.split('.')[0];
+      const latest = supportedVersions.find((v) => v.major === Number(affectedMajor)).version;
       const version = await this.cli.prompt(
         `What is the affected version (<=) for release line ${affectedVersion}?`,
         { questionType: 'input', defaultAnswer: latest });
 
-      const nextPatchVersion = parseInt(version.split('.')[2]) + 1;
+      const nextPatchVersion = semver.inc(version, 'patch');
+      const nextMinorVersion = semver.inc(version, 'minor');
       const patchedVersion = await this.cli.prompt(
         `What is the patched version (>=) for release line ${affectedVersion}?`,
-        { questionType: 'input', defaultAnswer: nextPatchVersion });
+        {
+          questionType: 'input',
+          defaultAnswer: isPatchRelease ? nextPatchVersion : nextMinorVersion
+        });
+
+      if (patchedVersion !== nextPatchVersion) {
+        isPatchRelease = false; // is a minor release
+      }
 
       patchedVersions.push(patchedVersion);
       h1AffectedVersions.push({

package/lib/verbosity.js

@@ -18,6 +18,9 @@ export function setVerbosityFromEnv() {
   if (Object.keys(VERBOSITY).includes(env)) {
     verbosity = VERBOSITY[env];
   }
+  if (!isDebugVerbosity()) {
+    Error.stackTraceLimit = 0;
+  }
 };
 
 export function debuglog(...args) {

package/lib/voting_session.js

@@ -10,7 +10,6 @@ import {
   getEditor, isGhAvailable
 } from './utils.js';
 
-// eslint-disable-next-line import/no-unresolved
 import voteUsingGit from '@node-core/caritat/voteUsingGit';
 import * as yaml from 'js-yaml';