feat: security post release blogpost (#785)

* feat: post-release blogpost

* fix: appending on existing pre-release

* fix: reworded to post release

* feat: update vulnerabilities.json

* fix: if no changes dont update

* fix: comments from release

* fix: improved strcture

* fix: download section

---------

Co-authored-by: Rafael Gonzaga <[email protected]>

Author: marco-ippolito

components/git/security.js

@@ -39,6 +39,10 @@ const securityOptions = {
   'request-cve': {
     describe: 'Request CVEs for a security release',
     type: 'boolean'
+  },
+  'post-release': {
+    describe: 'Create the post-release announcement',
+    type: 'boolean'
   }
 };
 
@@ -49,34 +53,34 @@ export function builder(yargs) {
   return yargs.options(securityOptions)
     .example(
       'git node security --start',
-      'Prepare a security release of Node.js')
+      'Prepare a security release of Node.js'
+    )
     .example(
       'git node security --sync',
       'Synchronize an ongoing security release with HackerOne'
     )
     .example(
       'git node security --update-date=YYYY/MM/DD',
       'Updates the target date of the security release'
-    )
-    .example(
+    ).example(
       'git node security --add-report=H1-ID',
       'Fetches HackerOne report based on ID provided and adds it into vulnerabilities.json'
-    )
-    .example(
+    ).example(
       'git node security --remove-report=H1-ID',
       'Removes the Hackerone report based on ID provided from vulnerabilities.json'
-    )
-    .example(
+    ).example(
       'git node security --pre-release',
       'Create the pre-release announcement on the Nodejs.org repo'
     ).example(
       'git node security --notify-pre-release',
       'Notifies the community about the security release'
-    )
-    .example(
+    ).example(
       'git node security --request-cve',
       'Request CVEs for a security release of Node.js based on' +
       ' the next-security-release/vulnerabilities.json'
+    ).example(
+      'git node security --post-release' +
+      'Create the post-release announcement on the Nodejs.org repo'
     );
 }
 
@@ -105,6 +109,9 @@ export function handler(argv) {
   if (argv['request-cve']) {
     return requestCVEs(argv);
   }
+  if (argv['post-release']) {
+    return createPostRelease(argv);
+  }
   yargsInstance.showHelp();
 }
 
@@ -146,7 +153,14 @@ async function requestCVEs() {
   return hackerOneCve.requestCVEs();
 }
 
-async function startSecurityRelease(argv) {
+async function createPostRelease() {
+  const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
+  const cli = new CLI(logStream);
+  const blog = new SecurityBlog(cli);
+  return blog.createPostRelease();
+}
+
+async function startSecurityRelease() {
   const logStream = process.stdout.isTTY ? process.stdout : process.stderr;
   const cli = new CLI(logStream);
   const release = new PrepareSecurityRelease(cli);

lib/github/templates/security-post-release.md

@@ -0,0 +1,18 @@
+---
+date: %ANNOUNCEMENT_DATE%
+category: vulnerability
+title: %RELEASE_DATE% Security Releases
+slug: %SLUG%
+layout: blog-post
+author: %AUTHOR%
+---
+
+## Security releases available
+
+Updates are now available for the %AFFECTED_VERSIONS% Node.js release lines for the
+following issues.
+%DEPENDENCY_UPDATES%
+%REPORTS%
+## Downloads and release details
+
+%DOWNLOADS%

lib/github/templates/security-pre-release.md

@@ -13,7 +13,7 @@ The Node.js project will release new versions of the %AFFECTED_VERSIONS%
 releases lines on or shortly after, %RELEASE_DATE% in order to address:
 
 %VULNERABILITIES%
-%OPENSSL_UPDATES%
+
 ## Impact
 
 %IMPACT%
@@ -28,7 +28,7 @@ Releases will be available on, or shortly after, %RELEASE_DATE%.
 
 ## Contact and future updates
 
-The current Node.js security policy can be found at https://nodejs.org/en/security/.
-Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.
+The current Node.js security policy can be found at <https://nodejs.org/en/security/>.
+Please follow the process outlined in <https://github.com/nodejs/node/blob/master/SECURITY.md> if you wish to report a vulnerability in Node.js.
 
-Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
+Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec> to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

lib/security-release/security-release.js

@@ -20,9 +20,12 @@ export const PLACEHOLDERS = {
   annoucementDate: '%ANNOUNCEMENT_DATE%',
   slug: '%SLUG%',
   affectedVersions: '%AFFECTED_VERSIONS%',
-  openSSLUpdate: '%OPENSSL_UPDATES%',
   impact: '%IMPACT%',
-  vulnerabilities: '%VULNERABILITIES%'
+  vulnerabilities: '%VULNERABILITIES%',
+  reports: '%REPORTS%',
+  author: '%AUTHOR%',
+  dependencyUpdates: '%DEPENDENCY_UPDATES%',
+  downloads: '%DOWNLOADS%'
 };
 
 export function checkRemote(cli, repository) {