@node-core/utils 5.3.0 → 5.4.0

package/components/git/security.js

@@ -79,7 +79,7 @@ export function builder(yargs) {
       'Request CVEs for a security release of Node.js based on' +
       ' the next-security-release/vulnerabilities.json'
     ).example(
-      'git node security --post-release' +
+      'git node security --post-release',
       'Create the post-release announcement on the Nodejs.org repo'
     );
 }

package/lib/pr_checker.js

@@ -29,6 +29,7 @@ const GITHUB_SUCCESS_CONCLUSIONS = ['SUCCESS', 'NEUTRAL', 'SKIPPED'];
 const FAST_TRACK_RE = /^Fast-track has been requested by @(.+?)\. Please 👍 to approve\.$/;
 const FAST_TRACK_MIN_APPROVALS = 2;
 const GIT_CONFIG_GUIDE_URL = 'https://github.com/nodejs/node/blob/99b1ada/doc/guides/contributing/pull-requests.md#step-1-fork';
+const IGNORED_CHECK_SLUGS = ['dependabot', 'codecov'];
 
 // eslint-disable-next-line no-extend-native
 Array.prototype.findLastIndex ??= function findLastIndex(fn) {
@@ -373,9 +374,9 @@ export default class PRChecker {
 
     // GitHub new Check API
     for (const { status, conclusion, app } of checkSuites.nodes) {
-      if (app && app.slug === 'dependabot') {
-        // Ignore Dependabot check suites. They are expected to show up
-        // sometimes and never complete.
+      if (app && IGNORED_CHECK_SLUGS.includes(app.slug)) {
+        // Ignore Dependabot and Codecov check suites.
+        // They are expected to show up sometimes and never complete.
         continue;
       }
 

package/lib/prepare_release.js

@@ -2,7 +2,7 @@ import path from 'node:path';
 import { promises as fs } from 'node:fs';
 
 import semver from 'semver';
-import replace from 'replace-in-file';
+import { replaceInFile } from 'replace-in-file';
 
 import { getMergedConfig } from './config.js';
 import { runAsync, runSync } from './run.js';
@@ -427,7 +427,7 @@ export default class ReleasePreparation {
   async updateREPLACEMEs() {
     const { newVersion } = this;
 
-    await replace({
+    await replaceInFile({
       files: 'doc/api/*.md',
       from: /REPLACEME/g,
       to: `v${newVersion}`

package/lib/prepare_security.js

@@ -6,7 +6,6 @@ import {
   NEXT_SECURITY_RELEASE_BRANCH,
   NEXT_SECURITY_RELEASE_FOLDER,
   NEXT_SECURITY_RELEASE_REPOSITORY,
-  PLACEHOLDERS,
   checkoutOnSecurityReleaseBranch,
   commitAndPushVulnerabilitiesJSON,
   validateDate,
@@ -37,22 +36,15 @@ export default class PrepareSecurityRelease {
     const createVulnerabilitiesJSON = await this.promptVulnerabilitiesJSON();
 
     let securityReleasePRUrl;
+    const content = await this.buildDescription(releaseDate, securityReleasePRUrl);
     if (createVulnerabilitiesJSON) {
-      securityReleasePRUrl = await this.startVulnerabilitiesJSONCreation(releaseDate);
+      securityReleasePRUrl = await this.startVulnerabilitiesJSONCreation(releaseDate, content);
     }
 
-    const createIssue = await this.promptCreateRelaseIssue();
-
-    if (createIssue) {
-      const content = await this.buildIssue(releaseDate, securityReleasePRUrl);
-      await createIssue(
-        this.title, content, this.repository, { cli: this.cli, repository: this.repository });
-    };
-
     this.cli.ok('Done!');
   }
 
-  async startVulnerabilitiesJSONCreation(releaseDate) {
+  async startVulnerabilitiesJSONCreation(releaseDate, content) {
     // checkout on the next-security-release branch
     checkoutOnSecurityReleaseBranch(this.cli, this.repository);
 
@@ -87,7 +79,7 @@ export default class PrepareSecurityRelease {
     if (!createPr) return;
 
     // create pr on the security-release repo
-    return this.createPullRequest();
+    return this.createPullRequest(content);
   }
 
   promptCreatePR() {
@@ -143,11 +135,9 @@ export default class PrepareSecurityRelease {
       { defaultAnswer: true });
   }
 
-  async buildIssue(releaseDate, securityReleasePRUrl = PLACEHOLDERS.vulnerabilitiesPRURL) {
+  async buildDescription() {
     const template = await this.getSecurityIssueTemplate();
-    const content = template.replace(PLACEHOLDERS.releaseDate, releaseDate)
-      .replace(PLACEHOLDERS.vulnerabilitiesPRURL, securityReleasePRUrl);
-    return content;
+    return template;
   }
 
   async chooseReports() {
@@ -185,11 +175,11 @@ export default class PrepareSecurityRelease {
     return fullPath;
   }
 
-  async createPullRequest() {
+  async createPullRequest(content) {
     const { owner, repo } = this.repository;
     const response = await this.req.createPullRequest(
       this.title,
-      'List of vulnerabilities to be included in the next security release',
+      content ?? 'List of vulnerabilities to be included in the next security release',
       {
         owner,
         repo,

package/lib/security-announcement.js

@@ -53,7 +53,7 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
-    await this.createIssue(title, content, repository);
+    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 
   createPreleaseAnnouncementIssue(releaseDate, team) {
@@ -71,6 +71,6 @@ export default class SecurityAnnouncement {
     };
 
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
-    await createIssue(title, content, repository, { cli: this.cli, repository: this.repository });
+    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 }

package/lib/security_blog.js

@@ -8,7 +8,6 @@ import {
   checkoutOnSecurityReleaseBranch,
   NEXT_SECURITY_RELEASE_REPOSITORY,
   validateDate,
-  getSummary,
   commitAndPushVulnerabilitiesJSON,
   NEXT_SECURITY_RELEASE_FOLDER
 } from './security-release/security-release.js';
@@ -84,6 +83,7 @@ export default class SecurityBlog {
     const releaseDate = new Date(content.releaseDate);
     const template = this.getSecurityPostReleaseTemplate();
     const data = {
+      // TODO: read from pre-sec-release
       annoucementDate: await this.getAnnouncementDate(cli),
       releaseDate: this.formatReleaseDate(releaseDate),
       affectedVersions: this.getAffectedVersions(content),
@@ -205,46 +205,25 @@ export default class SecurityBlog {
     const reports = content.reports;
     let template = '';
     for (const report of reports) {
-      let cveId = report.cve_ids?.join(', ');
+      const cveId = report.cveIds?.join(', ');
       if (!cveId) {
-        // ask for the CVE ID
-        // it should have been created with the step `--request-cve`
-        cveId = await this.cli.prompt(`What is the CVE ID for vulnerability https://hackerone.com/reports/${report.id} ${report.title}?`, {
-          questionType: 'input',
-          defaultAnswer: 'TBD'
-        });
-        report.cve_ids = [cveId];
-        content[kChanged] = true;
+        this.cli.error(`CVE ID for vulnerability ${report.link} ${report.title} not found`);
+        process.exit(1);
       }
       template += `## ${report.title} (${cveId}) - (${report.severity.rating})\n\n`;
       if (!report.summary) {
-        const fetchIt = await this.cli.prompt(`Summary missing for vulnerability https://hackerone.com/reports/${report.id} ${report.title}.\
- Do you want to try fetch it from HackerOne??`, {
-          questionType: 'confirm',
-          defaultAnswer: true
-        });
-
-        if (fetchIt) {
-          report.summary = await getSummary(report.id, this.req);
-          content[kChanged] = true;
-        }
-
-        if (!report.summary) {
-          this.cli.error(`Summary missing for vulnerability https://hackerone.com/reports/${report.id} ${report.title}. Please create it before continuing.`);
-          process.exit(1);
-        }
+        this.cli.error(`Summary missing for vulnerability ${report.link} ` +
+        `${report.title}. Please create it before continuing.`);
+        process.exit(1);
       }
+
       template += `${report.summary}\n\n`;
       const releaseLines = report.affectedVersions.join(', ');
       template += `Impact:\n\n- This vulnerability affects all users\
  in active release lines: ${releaseLines}\n\n`;
       if (!report.patchAuthors) {
-        const author = await this.cli.prompt(`Who fixed vulnerability https://hackerone.com/reports/${report.id} ${report.title}? If multiple use & as separator`, {
-          questionType: 'input',
-          defaultAnswer: 'TBD'
-        });
-        report.patchAuthors = author.split('&').map((p) => p.trim());
-        content[kChanged] = true;
+        this.cli.error(`Missing patch author for vulnerability ${report.link} ${report.title}`);
+        process.exit(1);
       }
       template += `Thank you, to ${report.reporter} for reporting this vulnerability\
  and thank you ${report.patchAuthors.join(' and ')} for fixing it.\n\n`;
@@ -253,9 +232,10 @@ export default class SecurityBlog {
   }
 
   getDependencyUpdatesTemplate(dependencyUpdates) {
-    if (!dependencyUpdates) return '';
-    let template = 'This security release includes the following dependency' +
-      ' updates to address public vulnerabilities:\n\n';
+    if (typeof dependencyUpdates !== 'object') return '';
+    if (Object.keys(dependencyUpdates).length === 0) return '';
+    let template = '\nThis security release includes the following dependency' +
+      ' updates to address public vulnerabilities:\n';
     for (const dependencyUpdate of Object.values(dependencyUpdates)) {
       for (const dependency of dependencyUpdate) {
         const title = dependency.title.substring(dependency.title.indexOf(':') + ':'.length).trim();
@@ -351,7 +331,12 @@ export default class SecurityBlog {
         affectedVersions.add(affectedVersion);
       }
     }
-    return Array.from(affectedVersions).join(', ');
+    const parseToNumber = str => +(str.match(/[\d.]+/g)[0]);
+    return Array.from(affectedVersions)
+      .sort((a, b) => {
+        return parseToNumber(a) > parseToNumber(b) ? -1 : 1;
+      })
+      .join(', ');
   }
 
   getSecurityPreReleaseTemplate() {

package/lib/update-v8/applyNodeChanges.js

@@ -1,7 +1,5 @@
 import path from 'node:path';
 
-import { Listr } from 'listr2';
-
 import {
   getNodeV8Version,
   filterForVersion,
@@ -19,10 +17,10 @@ const nodeChanges = [
 export default function applyNodeChanges() {
   return {
     title: 'Apply Node-specific changes',
-    task: async(ctx) => {
+    task: async(ctx, task) => {
       const v8Version = await getNodeV8Version(ctx.nodeDir);
       const list = filterForVersion(nodeChanges, v8Version);
-      return new Listr(list.map((change) => change.task()));
+      return task.newListr(list.map((change) => change.task()));
     }
   };
 }

package/lib/update-v8/backport.js

@@ -4,7 +4,6 @@ import {
 } from 'node:fs';
 
 import inquirer from 'inquirer';
-import { Listr } from 'listr2';
 import { ListrEnquirerPromptAdapter } from '@listr2/prompt-adapter-enquirer';
 
 import { shortSha } from '../utils.js';
@@ -50,8 +49,8 @@ export function doBackport(options) {
 
   return {
     title: 'V8 commit backport',
-    task: () => {
-      return new Listr(todo);
+    task: (ctx, task) => {
+      return task.newListr(todo);
     }
   };
 };
@@ -164,8 +163,8 @@ function applyPatches() {
 function applyAndCommitPatches() {
   return {
     title: 'Apply and commit patches to deps/v8',
-    task: (ctx) => {
-      return new Listr(ctx.patches.map(applyPatchTask));
+    task: (ctx, task) => {
+      return task.newListr(ctx.patches.map(applyPatchTask));
     }
   };
 }
@@ -173,7 +172,7 @@ function applyAndCommitPatches() {
 function applyPatchTask(patch) {
   return {
     title: `Commit ${shortSha(patch.sha)}`,
-    task: (ctx) => {
+    task: (ctx, task) => {
       const todo = [
         {
           title: 'Apply patch',
@@ -188,7 +187,7 @@ function applyPatchTask(patch) {
         }
       }
       todo.push(commitPatch(patch));
-      return new Listr(todo);
+      return task.newListr(todo);
     }
   };
 }

package/lib/update-v8/majorUpdate.js

@@ -1,8 +1,6 @@
 import path from 'node:path';
 import { promises as fs } from 'node:fs';
 
-import { Listr } from 'listr2';
-
 import { getCurrentV8Version } from './common.js';
 import {
   getNodeV8Version,
@@ -19,8 +17,8 @@ import { forceRunAsync } from '../run.js';
 export default function majorUpdate() {
   return {
     title: 'Major V8 update',
-    task: () => {
-      return new Listr([
+    task: (ctx, task) => {
+      return task.newListr([
         getCurrentV8Version(),
         checkoutBranch(),
         removeDepsV8(),

package/lib/update-v8/minorUpdate.js

@@ -2,8 +2,6 @@ import { spawn } from 'node:child_process';
 import path from 'node:path';
 import { promises as fs } from 'node:fs';
 
-import { Listr } from 'listr2';
-
 import { getCurrentV8Version } from './common.js';
 import { isVersionString } from './util.js';
 import { forceRunAsync } from '../run.js';
@@ -11,8 +9,8 @@ import { forceRunAsync } from '../run.js';
 export default function minorUpdate() {
   return {
     title: 'Minor V8 update',
-    task: () => {
-      return new Listr([
+    task: (ctx, task) => {
+      return task.newListr([
         getCurrentV8Version(),
         getLatestV8Version(),
         doMinorUpdate()

package/lib/update-v8/updateV8Clone.js

@@ -1,15 +1,13 @@
 import { promises as fs } from 'node:fs';
 
-import { Listr } from 'listr2';
-
 import { v8Git } from './constants.js';
 import { forceRunAsync } from '../run.js';
 
 export default function updateV8Clone() {
   return {
     title: 'Update local V8 clone',
-    task: () => {
-      return new Listr([fetchOrigin(), createClone()]);
+    task: (ctx, task) => {
+      return task.newListr([fetchOrigin(), createClone()]);
     }
   };
 };

package/lib/update-v8/updateVersionNumbers.js

@@ -1,15 +1,13 @@
 import path from 'node:path';
 import { promises as fs } from 'node:fs';
 
-import { Listr } from 'listr2';
-
 import { getNodeV8Version } from './util.js';
 
 export default function updateVersionNumbers() {
   return {
     title: 'Update version numbers',
-    task: () => {
-      return new Listr([resetEmbedderString(), bumpNodeModule()]);
+    task: (ctx, task) => {
+      return task.newListr([resetEmbedderString(), bumpNodeModule()]);
     }
   };
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.3.0",
+  "version": "5.4.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -34,8 +34,8 @@
   ],
   "license": "MIT",
   "dependencies": {
-    "@listr2/prompt-adapter-enquirer": "^2.0.8",
-    "@node-core/caritat": "^1.3.1",
+    "@listr2/prompt-adapter-enquirer": "^2.0.10",
+    "@node-core/caritat": "^1.6.0",
     "@pkgjs/nv": "^0.2.2",
     "branch-diff": "^3.0.4",
     "chalk": "^5.3.0",
@@ -44,26 +44,26 @@
     "clipboardy": "^4.0.0",
     "core-validate-commit": "^4.0.0",
     "figures": "^6.1.0",
-    "ghauth": "^6.0.4",
-    "inquirer": "^9.2.22",
+    "ghauth": "^6.0.5",
+    "inquirer": "^9.3.2",
     "js-yaml": "^4.1.0",
-    "listr2": "^8.2.1",
+    "listr2": "^8.2.3",
     "lodash": "^4.17.21",
     "log-symbols": "^6.0.0",
     "ora": "^8.0.1",
-    "replace-in-file": "^7.1.0",
-    "undici": "^6.18.0",
+    "replace-in-file": "^8.0.2",
+    "undici": "^6.19.2",
     "which": "^4.0.0",
     "yargs": "^17.7.2"
   },
   "devDependencies": {
     "@reporters/github": "^1.7.0",
-    "c8": "^9.1.0",
+    "c8": "^10.1.2",
     "eslint": "^8.57.0",
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-n": "^16.6.2",
-    "eslint-plugin-promise": "^6.1.1",
+    "eslint-plugin-promise": "^6.4.0",
     "sinon": "^18.0.0"
   }
 }