@node-core/utils 5.3.0 → 5.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/components/git/security.js +1 -1
- package/lib/prepare_release.js +2 -2
- package/lib/security-announcement.js +2 -2
- package/lib/security_blog.js +10 -31
- package/package.json +10 -10
|
@@ -79,7 +79,7 @@ export function builder(yargs) {
|
|
|
79
79
|
'Request CVEs for a security release of Node.js based on' +
|
|
80
80
|
' the next-security-release/vulnerabilities.json'
|
|
81
81
|
).example(
|
|
82
|
-
'git node security --post-release'
|
|
82
|
+
'git node security --post-release',
|
|
83
83
|
'Create the post-release announcement on the Nodejs.org repo'
|
|
84
84
|
);
|
|
85
85
|
}
|
package/lib/prepare_release.js
CHANGED
|
@@ -2,7 +2,7 @@ import path from 'node:path';
|
|
|
2
2
|
import { promises as fs } from 'node:fs';
|
|
3
3
|
|
|
4
4
|
import semver from 'semver';
|
|
5
|
-
import
|
|
5
|
+
import { replaceInFile } from 'replace-in-file';
|
|
6
6
|
|
|
7
7
|
import { getMergedConfig } from './config.js';
|
|
8
8
|
import { runAsync, runSync } from './run.js';
|
|
@@ -427,7 +427,7 @@ export default class ReleasePreparation {
|
|
|
427
427
|
async updateREPLACEMEs() {
|
|
428
428
|
const { newVersion } = this;
|
|
429
429
|
|
|
430
|
-
await
|
|
430
|
+
await replaceInFile({
|
|
431
431
|
files: 'doc/api/*.md',
|
|
432
432
|
from: /REPLACEME/g,
|
|
433
433
|
to: `v${newVersion}`
|
|
@@ -53,7 +53,7 @@ export default class SecurityAnnouncement {
|
|
|
53
53
|
};
|
|
54
54
|
|
|
55
55
|
const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
|
|
56
|
-
await
|
|
56
|
+
await createIssue(title, content, repository, { cli: this.cli, req: this.req });
|
|
57
57
|
}
|
|
58
58
|
|
|
59
59
|
createPreleaseAnnouncementIssue(releaseDate, team) {
|
|
@@ -71,6 +71,6 @@ export default class SecurityAnnouncement {
|
|
|
71
71
|
};
|
|
72
72
|
|
|
73
73
|
const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
|
|
74
|
-
await createIssue(title, content, repository, { cli: this.cli,
|
|
74
|
+
await createIssue(title, content, repository, { cli: this.cli, req: this.req });
|
|
75
75
|
}
|
|
76
76
|
}
|
package/lib/security_blog.js
CHANGED
|
@@ -8,7 +8,6 @@ import {
|
|
|
8
8
|
checkoutOnSecurityReleaseBranch,
|
|
9
9
|
NEXT_SECURITY_RELEASE_REPOSITORY,
|
|
10
10
|
validateDate,
|
|
11
|
-
getSummary,
|
|
12
11
|
commitAndPushVulnerabilitiesJSON,
|
|
13
12
|
NEXT_SECURITY_RELEASE_FOLDER
|
|
14
13
|
} from './security-release/security-release.js';
|
|
@@ -84,6 +83,7 @@ export default class SecurityBlog {
|
|
|
84
83
|
const releaseDate = new Date(content.releaseDate);
|
|
85
84
|
const template = this.getSecurityPostReleaseTemplate();
|
|
86
85
|
const data = {
|
|
86
|
+
// TODO: read from pre-sec-release
|
|
87
87
|
annoucementDate: await this.getAnnouncementDate(cli),
|
|
88
88
|
releaseDate: this.formatReleaseDate(releaseDate),
|
|
89
89
|
affectedVersions: this.getAffectedVersions(content),
|
|
@@ -205,46 +205,25 @@ export default class SecurityBlog {
|
|
|
205
205
|
const reports = content.reports;
|
|
206
206
|
let template = '';
|
|
207
207
|
for (const report of reports) {
|
|
208
|
-
|
|
208
|
+
const cveId = report.cveIds?.join(', ');
|
|
209
209
|
if (!cveId) {
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
cveId = await this.cli.prompt(`What is the CVE ID for vulnerability https://hackerone.com/reports/${report.id} ${report.title}?`, {
|
|
213
|
-
questionType: 'input',
|
|
214
|
-
defaultAnswer: 'TBD'
|
|
215
|
-
});
|
|
216
|
-
report.cve_ids = [cveId];
|
|
217
|
-
content[kChanged] = true;
|
|
210
|
+
this.cli.error(`CVE ID for vulnerability ${report.link} ${report.title} not found`);
|
|
211
|
+
process.exit(1);
|
|
218
212
|
}
|
|
219
213
|
template += `## ${report.title} (${cveId}) - (${report.severity.rating})\n\n`;
|
|
220
214
|
if (!report.summary) {
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
defaultAnswer: true
|
|
225
|
-
});
|
|
226
|
-
|
|
227
|
-
if (fetchIt) {
|
|
228
|
-
report.summary = await getSummary(report.id, this.req);
|
|
229
|
-
content[kChanged] = true;
|
|
230
|
-
}
|
|
231
|
-
|
|
232
|
-
if (!report.summary) {
|
|
233
|
-
this.cli.error(`Summary missing for vulnerability https://hackerone.com/reports/${report.id} ${report.title}. Please create it before continuing.`);
|
|
234
|
-
process.exit(1);
|
|
235
|
-
}
|
|
215
|
+
this.cli.error(`Summary missing for vulnerability ${report.link} ` +
|
|
216
|
+
`${report.title}. Please create it before continuing.`);
|
|
217
|
+
process.exit(1);
|
|
236
218
|
}
|
|
219
|
+
|
|
237
220
|
template += `${report.summary}\n\n`;
|
|
238
221
|
const releaseLines = report.affectedVersions.join(', ');
|
|
239
222
|
template += `Impact:\n\n- This vulnerability affects all users\
|
|
240
223
|
in active release lines: ${releaseLines}\n\n`;
|
|
241
224
|
if (!report.patchAuthors) {
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
defaultAnswer: 'TBD'
|
|
245
|
-
});
|
|
246
|
-
report.patchAuthors = author.split('&').map((p) => p.trim());
|
|
247
|
-
content[kChanged] = true;
|
|
225
|
+
this.cli.error(`Missing patch author for vulnerability ${report.link} ${report.title}`);
|
|
226
|
+
process.exit(1);
|
|
248
227
|
}
|
|
249
228
|
template += `Thank you, to ${report.reporter} for reporting this vulnerability\
|
|
250
229
|
and thank you ${report.patchAuthors.join(' and ')} for fixing it.\n\n`;
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@node-core/utils",
|
|
3
|
-
"version": "5.3.
|
|
3
|
+
"version": "5.3.1",
|
|
4
4
|
"description": "Utilities for Node.js core collaborators",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"engines": {
|
|
@@ -34,8 +34,8 @@
|
|
|
34
34
|
],
|
|
35
35
|
"license": "MIT",
|
|
36
36
|
"dependencies": {
|
|
37
|
-
"@listr2/prompt-adapter-enquirer": "^2.0.
|
|
38
|
-
"@node-core/caritat": "^1.
|
|
37
|
+
"@listr2/prompt-adapter-enquirer": "^2.0.10",
|
|
38
|
+
"@node-core/caritat": "^1.6.0",
|
|
39
39
|
"@pkgjs/nv": "^0.2.2",
|
|
40
40
|
"branch-diff": "^3.0.4",
|
|
41
41
|
"chalk": "^5.3.0",
|
|
@@ -44,26 +44,26 @@
|
|
|
44
44
|
"clipboardy": "^4.0.0",
|
|
45
45
|
"core-validate-commit": "^4.0.0",
|
|
46
46
|
"figures": "^6.1.0",
|
|
47
|
-
"ghauth": "^6.0.
|
|
48
|
-
"inquirer": "^9.2
|
|
47
|
+
"ghauth": "^6.0.5",
|
|
48
|
+
"inquirer": "^9.3.2",
|
|
49
49
|
"js-yaml": "^4.1.0",
|
|
50
|
-
"listr2": "^8.2.
|
|
50
|
+
"listr2": "^8.2.3",
|
|
51
51
|
"lodash": "^4.17.21",
|
|
52
52
|
"log-symbols": "^6.0.0",
|
|
53
53
|
"ora": "^8.0.1",
|
|
54
|
-
"replace-in-file": "^
|
|
55
|
-
"undici": "^6.
|
|
54
|
+
"replace-in-file": "^8.0.2",
|
|
55
|
+
"undici": "^6.19.2",
|
|
56
56
|
"which": "^4.0.0",
|
|
57
57
|
"yargs": "^17.7.2"
|
|
58
58
|
},
|
|
59
59
|
"devDependencies": {
|
|
60
60
|
"@reporters/github": "^1.7.0",
|
|
61
|
-
"c8": "^
|
|
61
|
+
"c8": "^10.1.2",
|
|
62
62
|
"eslint": "^8.57.0",
|
|
63
63
|
"eslint-config-standard": "^17.1.0",
|
|
64
64
|
"eslint-plugin-import": "^2.29.1",
|
|
65
65
|
"eslint-plugin-n": "^16.6.2",
|
|
66
|
-
"eslint-plugin-promise": "^6.
|
|
66
|
+
"eslint-plugin-promise": "^6.4.0",
|
|
67
67
|
"sinon": "^18.0.0"
|
|
68
68
|
}
|
|
69
69
|
}
|