From 20f60af8d8bba56ebaf0bc173957e31633c55cc3 Mon Sep 17 00:00:00 2001 From: Rafael Gonzaga Date: Mon, 11 May 2026 17:00:59 -0300 Subject: [PATCH 1/3] feat: check for reports without PR_URL on H1 (#1074) --- lib/cli.js | 8 +++++ lib/prepare_security.js | 68 ++++++++++++++++++++++++++++++++++++++--- 2 files changed, 72 insertions(+), 4 deletions(-) diff --git a/lib/cli.js b/lib/cli.js index 1c119b75..dfb6cc75 100644 --- a/lib/cli.js +++ b/lib/cli.js @@ -94,6 +94,14 @@ export default class CLI { return answer; } + async promptCheckbox(message, choices) { + if (this.assumeYes) { + return choices.filter((c) => c.checked).map((c) => c.value); + } + + return inquirer.checkbox({ message, choices }); + } + setAssumeYes() { this.assumeYes = true; } diff --git a/lib/prepare_security.js b/lib/prepare_security.js index 943bc60b..cf7d2890 100644 --- a/lib/prepare_security.js +++ b/lib/prepare_security.js @@ -10,11 +10,19 @@ import { validateDate, promptDependencies, getSupportedVersions, + getReportSeverity, pickReport, SecurityRelease } from './security-release/security-release.js'; import _ from 'lodash'; +function relativeDate(date) { + const days = Math.floor((Date.now() - date) / (1000 * 60 * 60 * 24)); + if (days < 30) return days === 1 ? '1 day ago' : `${days} days ago`; + const months = Math.floor(days / 30); + return months === 1 ? '1 month ago' : `${months} months ago`; +} + export default class PrepareSecurityRelease extends SecurityRelease { title = 'Next Security Release'; @@ -25,6 +33,13 @@ export default class PrepareSecurityRelease extends SecurityRelease { }); this.req = new Request(credentials); + + let excludedReports = []; + const showTriaged = await this.promptShowTriagedWithoutPR(); + if (showTriaged) { + excludedReports = await this.showTriagedReportsWithoutPR(); + } + const releaseDate = await this.promptReleaseDate(); if (releaseDate !== 'TBD') { validateDate(releaseDate); 
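Review bot: `promptCheckbox` returns the pre-checked values under `assumeYes` without printing anything, and the only caller in this patch (`showTriagedReportsWithoutPR` in lib/prepare_security.js) marks every choice `checked: true` for an exclusion list. A non-interactive run therefore drops every triaged report lacking a PR URL from the release, with no record of which ones were dropped. Logging the auto-selected values before returning would leave a trail, e.g. `this.info('Auto-selected: ' + selected.join(', '));`, assuming the class exposes `info` as the `this.cli.info(...)` calls elsewhere in the patch suggest. A short JSDoc stating that each entry of `choices` needs `value` and `checked` would also help.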
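Review bot: `relativeDate` has no guard for an unparseable date: if `created_at` is missing or malformed, `Date.now() - date` is `NaN`, the `days < 30` test is false, and the label reads `NaN months ago`. A report opened within the last 24 hours is labelled `0 days ago`, and a timestamp slightly in the future produces a negative count. A guard such as `if (!Number.isFinite(days) || days < 0) return 'unknown date';` plus a `days === 0` case would cover these. A one-line comment that a month is approximated as 30 days would document the rounding.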
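Review bot: The exclusion list gathered here is consumed only inside the `if (createVulnerabilitiesJSON)` branch shown in the next hunk, so when that branch is skipped the maintainer's selection is discarded without a message. `chooseReports` also calls `this.req.getTriagedReports()` a second time, so the set the maintainer reviewed and the set later filtered can differ if a report changes state in between. Consider moving the prompt next to its use, or warning when `excludedReports.length` is non-zero and the JSON step is declined. The enclosing method starts and ends outside this hunk.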
@@ -34,7 +49,8 @@ export default class PrepareSecurityRelease extends SecurityRelease { let securityReleasePRUrl; const content = await this.buildDescription(releaseDate, securityReleasePRUrl); if (createVulnerabilitiesJSON) { - securityReleasePRUrl = await this.startVulnerabilitiesJSONCreation(releaseDate, content); + securityReleasePRUrl = await this.startVulnerabilitiesJSONCreation( + releaseDate, content, excludedReports); } this.cli.ok('Done!'); @@ -93,12 +109,12 @@ export default class PrepareSecurityRelease extends SecurityRelease { this.cli.ok('Done!'); } - async startVulnerabilitiesJSONCreation(releaseDate, content) { + async startVulnerabilitiesJSONCreation(releaseDate, content, excludedReports = []) { // checkout on the next-security-release branch checkoutOnSecurityReleaseBranch(this.cli, this.repository); // choose the reports to include in the security release - const reports = await this.chooseReports(); + const reports = await this.chooseReports(excludedReports); const depUpdates = await this.getDependencyUpdates(); const deps = _.groupBy(depUpdates, 'name'); 
@@ -184,17 +200,61 @@ export default class PrepareSecurityRelease extends SecurityRelease { { defaultAnswer: true }); } + async promptShowTriagedWithoutPR() { + return this.cli.prompt( + 'Do you want to see which reports are triaged but have no PR URL?', + { defaultAnswer: true }); + } + + async showTriagedReportsWithoutPR() { + this.cli.info('Fetching triaged reports without PR URL...'); + const reports = await this.req.getTriagedReports(); + const reportsWithoutPR = reports.data.filter( + (report) => !report.relationships.custom_field_values.data.length + ); + if (!reportsWithoutPR.length) { + this.cli.ok('All triaged reports have a PR URL.'); + return []; + } + const severityRank = { critical: 0, high: 1, medium: 2, low: 3 }; + const choices = reportsWithoutPR + .sort((a, b) => { + const dateA = new Date(a.attributes.created_at); + const dateB = new Date(b.attributes.created_at); + if (dateB - dateA !== 0) return dateB - dateA; + const rankA = severityRank[getReportSeverity(a).rating] ?? 4; + const rankB = severityRank[getReportSeverity(b).rating] ?? 
4; + return rankA - rankB; + }) + .map((report) => { + const { id, attributes: { title, created_at } } = report; + const { rating } = getReportSeverity(report); + const openedDate = relativeDate(new Date(created_at)); + const link = `https://hackerone.com/reports/${id}`; + return { + name: `[${openedDate}] (${rating}) ${title} - ${link}`, + value: id, + checked: true + }; + }); + return this.cli.promptCheckbox( + 'Select reports to exclude from the upcoming security release:', + choices + ); + } + async buildDescription() { const template = await this.getSecurityIssueTemplate(); return template; } - async chooseReports() { + async chooseReports(excludedReports = []) { this.cli.info('Getting triaged H1 reports...'); const reports = await this.req.getTriagedReports(); const selectedReports = []; for (const report of reports.data) { + if (excludedReports.includes(report.id)) continue; const rep = await pickReport(report, { cli: this.cli, req: this.req }); if (!rep) continue; selectedReports.push(rep); From 54be933b1a86a123c62e19e907e157cb19c58d10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Wed, 13 May 2026 08:41:41 +0200 Subject: [PATCH 2/3] feat(v8): add llvm-libc to V8 deps (#1073) Keep only the folders that are needed at the moment Refs: https://chromium-review.googlesource.com/c/v8/v8/+/7828379 --- lib/update-v8/constants.js | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/lib/update-v8/constants.js b/lib/update-v8/constants.js index 86d601d6..fd702516 100644 --- a/lib/update-v8/constants.js +++ b/lib/update-v8/constants.js 
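Review bot: In `showTriagedReportsWithoutPR`, `title` comes from the HackerOne report and is interpolated into the checkbox `name` unmodified, so any control characters in a reporter-supplied title would reach the maintainer's terminal; whether HackerOne already strips them is not visible here. Removing them before display is cheap, e.g. `const safeTitle = title.replace(/[\u0000-\u001f\u007f-\u009f]/g, '');`. Separately, the filter treats an empty `custom_field_values.data` as "no PR URL", which holds only while the PR URL is the sole custom field on the program, so a comment stating that assumption would help. The severity tie-break in the sort applies only when two `created_at` values are equal to the millisecond, so it is effectively unused; comparing by calendar day would make it take effect.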
@@ -47,6 +47,14 @@ const highwayIgnore = `/third_party/highway/src/* const dragonboxIgnore = `/third_party/dragonbox/src/* !/third_party/dragonbox/src/include`; +const llvmLibcIgnore = `/third_party/llvm-libc/src/* +!/third_party/llvm-libc/src/hdr +!/third_party/llvm-libc/src/include +!/third_party/llvm-libc/src/shared +!/third_party/llvm-libc/src/src +/third_party/llvm-libc/src/src/* +!/third_party/llvm-libc/src/src/__support`; + export const v8Deps = [ { name: 'trace_event', @@ -146,4 +154,13 @@ export const v8Deps = [ }, since: 138 }, + { + name: 'llvm-libc', + repo: 'third_party/llvm-libc/src', + gitignore: { + match: '/third_party/llvm-libc/src', + replace: llvmLibcIgnore + }, + since: 150 + }, ]; From 37cc6f0b01162d8a01899975436b4a5c4576d68c Mon Sep 17 00:00:00 2001 From: "Node.js GitHub Bot" Date: Wed, 13 May 2026 02:44:11 -0400 Subject: [PATCH 3/3] chore(main): release 6.4.0 (#1075) --- CHANGELOG.md | 8 ++++++++ npm-shrinkwrap.json | 4 ++-- package.json | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae65cf5a..637d81fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,13 @@ # Changelog +## [6.4.0](https://github.com/nodejs/node-core-utils/compare/v6.3.3...v6.4.0) (2026-05-13) + + +### Features + +* check for reports without PR_URL on H1 ([#1074](https://github.com/nodejs/node-core-utils/issues/1074)) ([20f60af](https://github.com/nodejs/node-core-utils/commit/20f60af8d8bba56ebaf0bc173957e31633c55cc3)) +* **v8:** add llvm-libc to V8 deps ([#1073](https://github.com/nodejs/node-core-utils/issues/1073)) ([54be933](https://github.com/nodejs/node-core-utils/commit/54be933b1a86a123c62e19e907e157cb19c58d10)) + ## [6.3.3](https://github.com/nodejs/node-core-utils/compare/v6.3.2...v6.3.3) (2026-04-27) diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index c53059fb..6de6b36a 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json 
@@ -1,12 +1,12 @@ { "name": "@node-core/utils", - "version": "6.3.3", + "version": "6.4.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@node-core/utils", - "version": "6.3.3", + "version": "6.4.0", "license": "MIT", "dependencies": { "@inquirer/prompts": "^7.4.1", diff --git a/package.json b/package.json index 6c8746b1..a6a38545 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@node-core/utils", - "version": "6.3.3", + "version": "6.4.0", "description": "Utilities for Node.js core collaborators", "type": "module", "engines": {