feat: prompt dependency updates url in vulnerabilities.json creation

nodejs · Mar 26, 2024 · 0290516 · 0290516
1 parent fbdd466
commit 0290516
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 8 deletions.
diff --git a/lib/prepare_security.js b/lib/prepare_security.js
@@ -11,7 +11,8 @@ import {
   checkoutOnSecurityReleaseBranch,
   commitAndPushVulnerabilitiesJSON,
   getSummary,
-  validateDate
+  validateDate,
+  promptDependencies
 } from './security-release/security-release.js';
 
 export default class SecurityReleaseSteward {
@@ -35,7 +36,9 @@ export default class SecurityReleaseSteward {
 
     let securityReleasePRUrl;
     if (createVulnerabilitiesJSON) {
-      securityReleasePRUrl = await this.createVulnerabilitiesJSON(req, release, { cli });
+      securityReleasePRUrl = await this.createVulnerabilitiesJSON(
+        req, release, releaseDate, { cli }
+      );
     }
 
     const createIssue = await release.promptCreateRelaseIssue(cli);
@@ -48,15 +51,16 @@ export default class SecurityReleaseSteward {
     cli.ok('Done!');
   }
 
-  async createVulnerabilitiesJSON(req, release, { cli }) {
+  async createVulnerabilitiesJSON(req, release, releaseDate, { cli }) {
     // checkout on the next-security-release branch
     checkoutOnSecurityReleaseBranch(cli, this.repository);
 
     // choose the reports to include in the security release
     const reports = await release.chooseReports(cli);
+    const deps = await release.getDependencyUpdates({ cli });
 
     // create the vulnerabilities.json file in the security-release repo
-    const filePath = await release.createVulnerabilitiesJSON(reports, { cli });
+    const filePath = await release.createVulnerabilitiesJSON(reports, deps, releaseDate, { cli });
 
     // review the vulnerabilities.json file
     const review = await release.promptReviewVulnerabilitiesJSON(cli);
@@ -184,8 +188,7 @@ class PrepareSecurityRelease {
       }
 
       cli.separator();
-      cli.info(`Report: ${link} - ${title} (${
-        reportSeverity?.rating?.toUpperCase() || reportSeverity})`);
+      cli.info(`Report: ${link} - ${title} (${reportSeverity?.rating || reportSeverity})`);
       const include = await cli.prompt(
         'Would you like to include this report to the next security release?',
         { defaultAnswer: true });
@@ -214,10 +217,12 @@ class PrepareSecurityRelease {
     return selectedReports;
   }
 
-  async createVulnerabilitiesJSON(reports, { cli }) {
+  async createVulnerabilitiesJSON(reports, dependencies, releaseDate, { cli }) {
     cli.separator('Creating vulnerabilities.json...');
     const file = JSON.stringify({
-      reports
+      releaseDate,
+      reports,
+      dependencies
     }, null, 2);
 
     const folderPath = path.join(process.cwd(), NEXT_SECURITY_RELEASE_FOLDER);
@@ -261,4 +266,26 @@ class PrepareSecurityRelease {
     }
     process.exit(1);
   }
+
+  async getDependencyUpdates({ cli }) {
+    const deps = [];
+
+    const updates = await cli.prompt('Are there dependency updates in this security release?', {
+      defaultAnswer: true,
+      questionType: 'confirm'
+    });
+
+    if (!updates) return deps;
+
+    let asking = true;
+    while (asking) {
+      const dep = await promptDependencies(cli);
+      if (!dep) {
+        asking = false;
+        break;
+      }
+      deps.push(dep);
+    }
+    return deps;
+  }
 }
diff --git a/lib/security-release/security-release.js b/lib/security-release/security-release.js
@@ -97,3 +97,10 @@ export function validateDate(releaseDate) {
     throw new Error('Invalid date format');
   }
 }
+
+export function promptDependencies(cli) {
+  return cli.prompt('Enter the link to the dependency update PR (leave empty to exit): ', {
+    defaultAnswer: '',
+    questionType: 'input'
+  });
+}