# Security release process

The security release process covers the steps required to plan/implement a
security release. This document is copied into the description of the Next
Security Release and used to track progress on the release. It contains ***TEXT
LIKE THIS*** which will be replaced during the release process with the
information described.

## Planning

* [ ] Open an [issue](https://github.com/nodejs-private/node-private) titled
  `Next Security Release`, and put this checklist in the description.

* [ ] Get agreement on the list of vulnerabilities to be addressed:
  * ***H1 REPORT LINK***: ***DESCRIPTION*** (***CVE or H1 CVE request link***)
    * v10.x, v12.x: ***LINK to PR URL***
  * ...

* [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private):
  * (Use previous PRs as templates. Don't forget to update the site banner and
    the date in the slug so that it will move to the top of the blog list.)
  * [ ] pre-release: ***LINK TO PR***
  * [ ] post-release: ***LINK TO PR***
  * Ask the HackerOne reporter if they would like to be credited on the
    security release blog page:
    ```text
    Thank you to <name> for reporting this vulnerability.
    ```

* [ ] Get agreement on the planned date for the release: ***RELEASE DATE***

* [ ] Get release team volunteers for all affected lines:
  * v12.x: ***NAME of RELEASER(S)***
  * ... other lines, if multiple releasers

## Announcement (one week in advance of the planned release)

* [ ] Check that all vulnerabilities are ready for release integration:
  * PRs against all affected release lines or cherry-pick clean
  * Approved
  * Pass `make test`
  * Have CVEs
    * Make sure that dependent libraries have CVEs for their issues. We should
      only create CVEs for vulnerabilities in Node.js itself. This is to avoid
      having duplicate CVEs for the same vulnerability.
  * Described in the pre/post announcements

* [ ] Pre-release announcement [email][]: ***LINK TO EMAIL***
  * Subject: `Node.js security updates for all active release lines, Month Year`
  * Body:
    ```text
    The Node.js project will release new versions of all supported release lines on or shortly after Day of week, Month Day of Month, Year
    For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
    ```
    (Get access from existing manager: Ben Noordhuis, Rod Vagg, Michael Dawson)

* [ ] CC `oss-security@lists.openwall.com` on pre-release

The Google Groups UI does not support adding a CC. Until we figure out a better
way, forward the email you receive to `oss-security@lists.openwall.com` as a CC.

* [ ] Pre-release announcement to nodejs.org blog: ***LINK TO BLOG***
  (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
  nodejs/nodejs.org)

* [ ] Post in the #nodejs-social channel in the OpenJS Foundation Slack
  asking that the social team tweet/retweet the pre-announcement.
  If you are on Twitter, you can just direct message the `@nodejs` handle.

* [ ] Request releaser(s) to start integrating the PRs to be released.

* [ ] Notify [docker-node][] of upcoming security release date: ***LINK***
  ```text
  Heads up of Node.js security releases Day Month Year

  As per the Node.js security release process this is the FYI that there is going to be a security release Day Month Year
  ```

* [ ] Notify build-wg of upcoming security release date by opening an issue
  in [nodejs/build][] to request that WG members be available to fix any CI issues.
  ```text
  Heads up of Node.js security releases Day Month Year

  As per security release process this is a heads up that there will be security releases Day Month Year and we'll need people from build to lock/unlock ci and to support and build issues we see.
  ```

## Release day

* [ ] [Lock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#before-the-release)

* [ ] The releaser(s) run the release process to completion.

* [ ] [Unlock CI](https://github.com/nodejs/build/blob/HEAD/doc/jenkins-guide.md#after-the-release)

* [ ] Post-release announcement in reply [email][]: ***LINK TO EMAIL***
  * CC: `oss-security@lists.openwall.com`
  * Subject: `Node.js security updates for all active release lines, Month Year`
  * Body:
    ```text
    The Node.js project has now released new versions of all supported release lines.
    For more information see: https://nodejs.org/en/blog/vulnerability/month-year-security-releases/
    ```

* [ ] Post-release announcement to nodejs.org blog: ***LINK TO BLOG POST***
  * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to
    nodejs/nodejs.org)

* [ ] Post in the #nodejs-social channel in the OpenJS Foundation Slack
  asking that the social team tweet/retweet the announcement.
  If you are on Twitter, you can just direct message the `@nodejs` handle.

* [ ] Comment in [docker-node][] issue that the release is ready for integration.
  The docker-node team will build and release docker image updates.

* [ ] For every H1 report resolved:
  * Close as Resolved
  * Request Disclosure
  * Request publication of [H1 CVE requests][]
    * (Check that the "Version Fixed" field in the CVE is correct, and provide
      links to the release blogs in the "Public Reference" section)

* [ ] PR machine-readable JSON descriptions of the vulnerabilities to the
  [core](https://github.com/nodejs/security-wg/tree/HEAD/vuln/core)
  vulnerability DB. ***LINK TO PR***
  * For each vulnerability add a `#.json` file. One can copy an existing
    [json](https://github.com/nodejs/security-wg/blob/0d82062d917cb9ddab88f910559469b2b13812bf/vuln/core/78.json)
    file, increment the number of the most recently created file, and use that
    as the name of the new file to be added. For example, `79.json`.

* [ ] Close this issue

* [ ] Make sure the PRs for the vulnerabilities are closed.

[H1 CVE requests]: https://hackerone.com/nodejs/cve_requests
[docker-node]: https://github.com/nodejs/docker-node/issues
[email]: https://groups.google.com/forum/#!forum/nodejs-sec
[nodejs/build]: https://github.com/nodejs/build/issues