@node-core/utils 5.8.0 → 5.9.0

package/lib/prepare_release.js

@@ -363,8 +363,14 @@ export default class ReleasePreparation extends Session {
     try {
       runSync('git', ['rev-parse', tagName]);
     } catch {
-      this.cli.startSpinner(`Error parsing git ref ${tagName}, attempting fetching it as a tag`);
-      runSync('git', ['fetch', this.upstream, 'tag', '-n', tagName]);
+      this.cli.error(`Error parsing git ref ${tagName}`);
+      this.cli.startSpinner('Attempting fetching it as a tag\n');
+      try {
+        runSync('git', ['fetch', this.upstream, 'tag', '-n', tagName]);
+      } catch (e) {
+        this.cli.error(`${e.message}\nRun: git remote update`);
+        process.exit(1);
+      }
       this.cli.stopSpinner(`Tag fetched: ${tagName}`);
     }
     try {
@@ -765,7 +771,7 @@ export default class ReleasePreparation extends Session {
   }
 
   async prepareLocalBranch() {
-    const { cli } = this;
+    const { cli, isSecurityRelease } = this;
     if (this.newVersion) {
       // If the CLI asked for a specific version:
       const newVersion = semver.parse(this.newVersion);
@@ -789,11 +795,19 @@ export default class ReleasePreparation extends Session {
     // Otherwise, we need to figure out what's the next version number for the
     // release line of the branch that's currently checked out.
     const currentBranch = this.getCurrentBranch();
-    const match = /^v(\d+)\.x-staging$/.exec(currentBranch);
 
+    // In security releases vN.x branch is the base
+    let regex = /^v(\d+)\.x-staging$/;
+    let targetBranch = 'vN.x-staging';
+    if (isSecurityRelease) {
+      regex = /^v(\d+)\.x$/;
+      targetBranch = 'vN.x';
+    }
+
+    const match = regex.exec(currentBranch);
     if (!match) {
       cli.warn(`Cannot prepare a release from ${currentBranch
-          }. Switch to a staging branch before proceeding.`);
+        }. Switch to a ${targetBranch} branch before proceeding.`);
       return;
     }
     this.stagingBranch = currentBranch;

package/lib/promote_release.js

@@ -131,6 +131,7 @@ export default class ReleasePromotion extends Session {
       throw new Error('Aborted');
     }
     await this.secureTagRelease();
+    await this.verifyTagSignature();
 
     // Set up for next release.
     cli.startSpinner('Setting up for next release');
@@ -223,6 +224,28 @@ export default class ReleasePromotion extends Session {
         this.isLTS ? '=false' : ''} --title=${JSON.stringify(this.releaseTitle)} --notes-file -`);
   }
 
+  async verifyTagSignature() {
+    const { cli, version } = this;
+    const [needle, haystack] = await Promise.all([forceRunAsync(
+      'git', ['--no-pager',
+        'log', '-1',
+        `refs/tags/v${version}`,
+        '--format=* **%an** <<%ae>>\n  `%GF`'
+      ], { captureStdout: true }), fs.readFile('README.md')]);
+    if (haystack.includes(needle)) {
+      return;
+    }
+    cli.warn('Tag was signed with an undocumented identity/key pair!');
+    cli.info('Expected to find the following entry in the README:');
+    cli.info(needle);
+    cli.info('If you are using a subkey, it might be OK.');
+    cli.info(`Otherwise consider removing the tag (git tag -d v${version
+             }), check your local config, and start the process over.`);
+    if (!await cli.prompt('Do you want to proceed anyway?', { defaultAnswer: false })) {
+      throw new Error('Aborted');
+    }
+  }
+
   async verifyPRAttributes() {
     const { cli, prid, owner, repo, req } = this;
 

package/lib/security_blog.js

@@ -47,7 +47,7 @@ export default class SecurityBlog extends SecurityRelease {
     const fileNameExt = fileName + '.md';
     const preRelease = this.buildPreRelease(template, data);
 
-    const pathToBlogPosts = 'apps/site/pages/en/blog/release';
+    const pathToBlogPosts = 'apps/site/pages/en/blog/vulnerability';
     const pathToBannerJson = 'apps/site/site.json';
 
     const file = path.resolve(process.cwd(), nodejsOrgFolder, pathToBlogPosts, fileNameExt);
@@ -161,7 +161,7 @@ export default class SecurityBlog extends SecurityRelease {
       link: content.link ?? currentValue.link,
       type: content.type ?? currentValue.type
     };
-    fs.writeFileSync(siteJsonPath, JSON.stringify(siteJson, null, 2));
+    fs.writeFileSync(siteJsonPath, JSON.stringify(siteJson, null, 2) + '\n');
   }
 
   formatReleaseDate(releaseDate) {
@@ -299,34 +299,37 @@ export default class SecurityBlog extends SecurityRelease {
   }
 
   getImpact(content) {
-    const impact = content.reports.reduce((acc, report) => {
-      for (const affectedVersion of report.affectedVersions) {
-        if (acc[affectedVersion]) {
-          acc[affectedVersion].push(report);
-        } else {
-          acc[affectedVersion] = [report];
-        }
+    const impact = new Map();
+    for (const report of content.reports) {
+      for (const version of report.affectedVersions) {
+        if (!impact.has(version)) impact.set(version, []);
+        impact.get(version).push(report);
       }
-      return acc;
-    }, {});
-
-    const impactText = [];
-    for (const [key, value] of Object.entries(impact)) {
-      const groupedByRating = Object.values(_.groupBy(value, 'severity.rating'))
-        .map(severity => {
-          if (!severity[0]?.severity?.rating) {
-            this.cli.error(`severity.rating not found for the report ${severity[0].id}. \
-              Please add it manually before continuing.`);
+    }
+
+    const result = Array.from(impact.entries())
+      .sort(([a], [b]) => b.localeCompare(a)) // DESC
+      .map(([version, reports]) => {
+        const severityCount = new Map();
+
+        for (const report of reports) {
+          const rating = report.severity.rating?.toLowerCase();
+          if (!rating) {
+            this.cli.error(`severity.rating not found for report ${report.id}.`);
             process.exit(1);
           }
-          const firstSeverityRating = severity[0].severity.rating.toLocaleLowerCase();
-          return `${severity.length} ${firstSeverityRating} severity issues`;
-        }).join(', ');
+          severityCount.set(rating, (severityCount.get(rating) || 0) + 1);
+        }
 
-      impactText.push(`The ${key} release line of Node.js is vulnerable to ${groupedByRating}.`);
-    }
+        const groupedByRating = Array.from(severityCount.entries())
+          .map(([rating, count]) => `${count} ${rating} severity issues`)
+          .join(', ');
+
+        return `The ${version} release line of Node.js is vulnerable to ${groupedByRating}.`;
+      })
+      .join('\n');
 
-    return impactText.join('\n');
+    return result;
   }
 
   getVulnerabilities(content) {

package/lib/update_security_release.js

@@ -226,8 +226,11 @@ Summary: ${summary}\n`,
                 vectorString: cvss_vector_string
               }
             ],
+            auto_submit_on_publicly_disclosing_report: true,
+            references: ['https://nodejs.org/en/blog/vulnerability'],
+            report_id: report.id,
             weakness_id: Number(weakness_id),
-            description: title,
+            description: report.summary,
             vulnerability_discovered_at: new Date().toISOString()
           }
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.8.0",
+  "version": "5.9.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -40,7 +40,7 @@
     "@pkgjs/nv": "^0.2.2",
     "branch-diff": "^3.1.1",
     "chalk": "^5.3.0",
-    "changelog-maker": "^4.1.1",
+    "changelog-maker": "^4.3.1",
     "cheerio": "^1.0.0",
     "clipboardy": "^4.0.0",
     "core-validate-commit": "^4.1.0",