fixup! feat: add resolve report and close PR

lib/prepare_security.js

@@ -56,11 +56,16 @@ export default class PrepareSecurityRelease extends SecurityRelease {
 
     this.req = new Request(credentials);
     const vulnerabilityJSON = this.readVulnerabilitiesJSON();
+    this.cli.info('Closing and request disclosure to HackerOne reports');
     await this.closeAndRequestDisclosure(vulnerabilityJSON.reports);
+
+    this.cli.info('Closing pull requests');
     // For now, close the ones with vN.x label
     await this.closePRWithLabel(this.getAffectedVersions(vulnerabilityJSON));
-    // TODO: Update next-security-release folder to current releaseDate
-    // TODO: Merge the PR
+    this.cli.info(`Merge pull request with:
+        - git checkout main
+        - git merge --squash ${NEXT_SECURITY_RELEASE_BRANCH}
+        - git push origin main`);
     this.cli.ok('Done!');
   }
 
@@ -278,30 +283,36 @@ export default class PrepareSecurityRelease extends SecurityRelease {
   }
 
   async closeAndRequestDisclosure(jsonReports) {
+    this.cli.startSpinner('Closing HackerOne reports');
     for (const report of jsonReports) {
+      this.cli.updateSpinner(`Closing report ${report.id}...`);
       await this.req.updateReportState(
         report.id,
         'resolved',
         'Closing as resolved'
       );
-      // TODO: Request Disclosure
+
+      this.cli.updateSpinner(`Requesting disclosure to report ${report.id}...`);
+      await this.req.requestDisclosure(report.id);
     }
+    this.cli.stopSpinner('Done closing H1 Reports and requesting disclosure');
   }
 
   async closePRWithLabel(labels) {
     if (typeof labels === 'string') {
       labels = [labels];
     }
 
-    const url = 'https://github.com/nodejs-private/node-private/pulls'
+    const url = 'https://github.com/nodejs-private/node-private/pulls';
+    this.cli.startSpinner('Closing GitHub Pull Requests...');
     // At this point, GitHub does not provide filters through their REST API
     const prs = this.req.getPullRequest(url);
     for (const pr of prs) {
       if (pr.labels.some((l) => labels.includes(l))) {
-        this.cli.info(`Closing Pull Request: ${pr.id}`);
-        // TODO assert
+        this.cli.updateSpinner(`Closing Pull Request: ${pr.id}`);
         await this.req.closePullRequest(pr.id);
       }
     }
+    this.cli.startSpinner('Closed GitHub Pull Requests.');
   }
 }

lib/request.js

@@ -239,6 +239,27 @@ export default class Request {
     return this.json(url, options);
   }
 
+  async requestDisclosure(reportId) {
+    const url = `https://api.hackerone.com/v1/reports/${reportId}/disclosure_requests`;
+    const options = {
+      method: 'POST',
+      headers: {
+        Authorization: `Basic ${this.credentials.h1}`,
+        'User-Agent': 'node-core-utils',
+        Accept: 'application/json'
+      },
+      body: JSON.stringify({
+        data: {
+          attributes: {
+            // default to limited version
+            substate: 'no-content'
+          }
+        }
+      })
+    };
+    return this.json(url, options);
+  }
+
   // This is for github v4 API queries, for other types of queries
   // use .text or .json
   async query(query, variables) {

lib/security-release/security-release.js

@@ -262,5 +262,4 @@ export class SecurityRelease {
       })
       .join(', ');
   }
-
 }

lib/update_security_release.js

@@ -6,7 +6,7 @@ import {
   pickReport,
   getReportSeverity,
   getSummary,
-  SecurityRelease,
+  SecurityRelease
 } from './security-release/security-release.js';
 import fs from 'node:fs';
 import auth from './auth.js';
@@ -44,6 +44,7 @@ export default class UpdateSecurityRelease extends SecurityRelease {
         prURL
       };
     }
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
     fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
     this.cli.ok('Synced vulnerabilities.json with HackerOne');
   }