Skip to content

Commit

Permalink
tools: add version update to external dependencies
Browse files Browse the repository at this point in the history
Refs: nodejs/security-wg#973
Most of the duplicated code in all the dependencies updaters
has been moved in the `utils.sh` file

PR-URL: #48081
Refs: nodejs/security-wg#973
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
  • Loading branch information
fasenderos authored Jun 6, 2023
1 parent 1b4ce69 commit c541153
Show file tree
Hide file tree
Showing 27 changed files with 316 additions and 420 deletions.
150 changes: 79 additions & 71 deletions doc/contributing/maintaining/maintaining-dependencies.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,29 +8,30 @@ directories to create the Node.js binaries.
All dependencies are located within the `deps` directory.
This a list of all the dependencies:

* [acorn][]
* [ada][]
* [base64][]
* [brotli][]
* [c-ares][]
* [cjs-module-lexer][]
* [acorn 8.8.2][]
* [ada 2.5.0][]
* [base64 0.5.0][]
* [brotli 1.0.9][]
* [c-ares 1.19.0][]
* [cjs-module-lexer 1.2.2][]
* [corepack][]
* [googletest][]
* [histogram][]
* [icu-small][]
* [llhttp][]
* [minimatch][]
* [nghttp2][]
* [ngtcp2][]
* [npm][]
* [openssl][]
* [postject][]
* [simdutf][]
* [undici][]
* [uv][]
* [uvwasi][]
* [V8][]
* [zlib][]
* [histogram 0.11.8][]
* [icu-small 73.1][]
* [libuv 1.44.2][]
* [llhttp 8.1.0][]
* [minimatch 9.0.0][]
* [nghttp2 1.53.0][]
* [nghttp3 0.7.0][]
* [ngtcp2 0.8.1][]
* [npm 9.6.7][]
* [openssl 3.0.8][]
* [postject 1.0.0-alpha.6][]
* [simdutf 3.2.9][]
* [undici 5.22.1][]
* [uvwasi 0.0.16][]
* [V8 11.3.244.8][]
* [zlib 1.2.13][]

Any code which meets one or more of these conditions should
be managed as a dependency:
Expand Down Expand Up @@ -136,48 +137,49 @@ Most dependencies are automatically updated by
[dependency-update-action][] that runs weekly.
However, it is possible to manually update a dependency by running
the corresponding script in `tools/update-deps`.
[OpenSSL][] has its own update action: [update-openssl-action][].
[OpenSSL](https://github.com/openssl/openssl) has its own update action:
[update-openssl-action][].
[npm-cli-bot](https://github.com/npm/cli/blob/latest/.github/workflows/create-node-pr.yml)
takes care of [npm][] update, it is maintained by the npm team.
takes care of npm update, it is maintained by the npm team.

## Dependency list

### acorn
### acorn 8.8.2

The [acorn](https://github.com/acornjs/acorn) dependency is a JavaScript parser.
[acorn-walk](https://github.com/acornjs/acorn/tree/master/acorn-walk) is
an abstract syntax tree walker for the ESTree format.

### ada
### ada 2.5.0

The [ada](https://github.com/ada-url/ada) dependency is a
fast and spec-compliant URL parser written in C++.

### base64
### base64 0.5.0

The [base64](https://github.com/aklomp/base64) dependency is a base64
stream encoding/decoding library in C99 with SIMD and OpenMP acceleration.
It also contains wrapper functions to encode/decode simple
length-delimited strings.

### brotli
### brotli 1.0.9

The [brotli](https://github.com/google/brotli) dependency is
used for the homonym generic-purpose lossless compression algorithm.

### c-ares
### c-ares 1.19.0

The [c-ares](https://github.com/c-ares/c-ares) is a C library
for asynchronous DNS requests.

### cjs-module-lexer
### cjs-module-lexer 1.2.2

The [cjs-module-lexer](https://github.com/nodejs/node/tree/HEAD/deps/cjs-module-lexer)
dependency is used within the Node.js ESM implementation to detect the
named exports of a CommonJS module.
See [maintaining-cjs-module-lexer][] for more information.

## corepack
### corepack

The [corepack](https://github.com/nodejs/corepack) dependency is a
zero-runtime-dependency Node.js script that acts as a bridge between
Expand All @@ -192,36 +194,47 @@ by Node.js by default.
The [googletest](https://github.com/google/googletest) dependency is Google’s
C++ testing and mocking framework.

### histogram
### histogram 0.11.8

The [histogram](https://github.com/HdrHistogram/HdrHistogram_c) dependency is
a C port of High Dynamic Range (HDR) Histogram.

### icu-small
### icu-small 73.1

The [icu](http://site.icu-project.org) is widely used set of C/C++
and Java libraries providing Unicode and Globalization
support for software applications.
See [maintaining-icu][] for more informations.

### llhttp
### libuv 1.44.2

The [libuv](https://github.com/libuv/libuv) dependency is a
multi-platform support library with a focus on asynchronous I/O.
It was primarily developed for use by Node.js.

### llhttp 8.1.0

The [llhttp](https://github.com/nodejs/llhttp) dependency is
the http parser used by Node.js.
See [maintaining-http][] for more informations.

### minimatch
### minimatch 9.0.0

The [minimatch](https://github.com/isaacs/minimatch) dependency is a
minimal matching utility.

### nghttp2
### nghttp2 1.53.0

The [nghttp2](https://github.com/nghttp2/nghttp2) dependency is a C library
implementing HTTP/2 protocol.
See [maintaining-http][] for more informations.

### ngtcp2
### nghttp3 0.7.0

The [nghttp3](https://github.com/ngtcp2/nghttp3) dependency is HTTP/3 library
written in C. See ngtcp2 for more informations.

### ngtcp2 0.8.1

The ngtcp2 and nghttp3 dependencies provide the core functionality for
QUIC and HTTP/3.
Expand All @@ -241,7 +254,7 @@ The `nghttp3` library depends on `ngtcp2`. Both should always be updated
together. From `ngtcp2` we only want the contents of the `lib` and `crypto`
directories; from `nghttp3` we only want the contents of the `lib` directory.

### npm
### npm 9.6.7

The [npm](https://github.com/npm/cli) dependency is
the package manager for JavaScript.
Expand All @@ -256,7 +269,7 @@ are at the discretion of the release and LTS teams.
This process only covers full updates to new versions of npm. Cherry-picked
changes can be reviewed and landed via the normal consensus seeking process.

### openssl
### openssl 3.0.8

The [openssl](https://github.com/quictls/openssl) dependency is a
fork of OpenSSL to enable QUIC.
Expand All @@ -268,77 +281,72 @@ the main openssl/openssl releases with the addition of APIs to support
the QUIC protocol.
See [maintaining-openssl][] for more informations.

### postject
### postject 1.0.0-alpha.6

The [postject](https://github.com/nodejs/postject) dependency is used for the
[Single Executable strategic initiative](https://github.com/nodejs/single-executable).

### simdutf
### simdutf 3.2.9

The [simdutf](https://github.com/simdutf/simdutf) dependency is
a C++ library for fast UTF-8 decoding and encoding.

### undici
### undici 5.22.1

The [undici](https://github.com/nodejs/undici) dependency is an HTTP/1.1 client,
written from scratch for Node.js..
See [maintaining-http][] for more informations.

### uv

The [libuv](https://github.com/libuv/libuv) dependency is a
multi-platform support library with a focus on asynchronous I/O.
It was primarily developed for use by Node.js.

### uvwasi
### uvwasi 0.0.16

The [uvwasi](https://github.com/nodejs/uvwasi) dependency implements
the WASI system call API, so that WebAssembly runtimes can easily
implement WASI calls.
Under the hood, uvwasi leverages libuv where possible for maximum portability.
See [maintaining-web-assembly][] for more informations.

### V8
### V8 11.3.244.8

[V8](https://chromium.googlesource.com/v8/v8.git/) is Google's open source
high-performance JavaScript and WebAssembly engine, written in C++.
See [maintaining-V8][] for more informations.

### zlib
### zlib 1.2.13

The [zlib](https://chromium.googlesource.com/chromium/src/+/refs/heads/main/third_party/zlib)
dependency lossless data-compression library,
it comes from the Chromium team's zlib fork which incorporated
performance improvements not currently available in standard zlib.

[acorn]: #acorn
[ada]: #ada
[base64]: #base64
[brotli]: #brotli
[c-ares]: #c-ares
[cjs-module-lexer]: #cjs-module-lexer
[acorn 8.8.2]: #acorn-882
[ada 2.5.0]: #ada-250
[base64 0.5.0]: #base64-050
[brotli 1.0.9]: #brotli-109
[c-ares 1.19.0]: #c-ares-1190
[cjs-module-lexer 1.2.2]: #cjs-module-lexer-122
[corepack]: #corepack
[dependency-update-action]: ../../../.github/workflows/tools.yml
[googletest]: #googletest
[histogram]: #histogram
[icu-small]: #icu-small
[llhttp]: #llhttp
[histogram 0.11.8]: #histogram-0118
[icu-small 73.1]: #icu-small-731
[libuv 1.44.2]: #libuv-1442
[llhttp 8.1.0]: #llhttp-810
[maintaining-V8]: ./maintaining-V8.md
[maintaining-cjs-module-lexer]: ./maintaining-cjs-module-lexer.md
[maintaining-http]: ./maintaining-http.md
[maintaining-icu]: ./maintaining-icu.md
[maintaining-openssl]: ./maintaining-openssl.md
[maintaining-web-assembly]: ./maintaining-web-assembly.md
[minimatch]: #minimatch
[nghttp2]: #nghttp2
[ngtcp2]: #ngtcp2
[npm]: #npm
[openssl]: #openssl
[postject]: #postject
[simdutf]: #simdutf
[undici]: #undici
[minimatch 9.0.0]: #minimatch-900
[nghttp2 1.53.0]: #nghttp2-1530
[nghttp3 0.7.0]: #nghttp3-070
[ngtcp2 0.8.1]: #ngtcp2-081
[npm 9.6.7]: #npm-967
[openssl 3.0.8]: #openssl-308
[postject 1.0.0-alpha.6]: #postject-100-alpha6
[simdutf 3.2.9]: #simdutf-329
[undici 5.22.1]: #undici-5221
[update-openssl-action]: ../../../.github/workflows/update-openssl.yml
[uv]: #uv
[uvwasi]: #uvwasi
[v8]: #v8
[zlib]: #zlib
[uvwasi 0.0.16]: #uvwasi-0016
[v8 11.3.244.8]: #v8-1132448
[zlib 1.2.13]: #zlib-1213
11 changes: 5 additions & 6 deletions tools/dep_updaters/update-acorn-walk.sh
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,14 @@ ROOT=$(cd "$(dirname "$0")/../.." && pwd)
[ -x "$NODE" ] || NODE=$(command -v node)
NPM="$ROOT/deps/npm/bin/npm-cli.js"

# shellcheck disable=SC1091
. "$ROOT/tools/dep_updaters/utils.sh"

NEW_VERSION=$("$NODE" "$NPM" view acorn-walk dist-tags.latest)
CURRENT_VERSION=$("$NODE" -p "require('./deps/acorn/acorn-walk/package.json').version")

echo "Comparing $NEW_VERSION with $CURRENT_VERSION"

if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then
echo "Skipped because Acorn-walk is on the latest version."
exit 0
fi
# This function exit with 0 if new version and current version are the same
compare_dependency_version "acorn-walk" "$NEW_VERSION" "$CURRENT_VERSION"

cd "$( dirname "$0" )/../.." || exit

Expand Down
26 changes: 9 additions & 17 deletions tools/dep_updaters/update-acorn.sh
Original file line number Diff line number Diff line change
Expand Up @@ -12,15 +12,14 @@ ROOT=$(cd "$(dirname "$0")/../.." && pwd)
[ -x "$NODE" ] || NODE=$(command -v node)
NPM="$ROOT/deps/npm/bin/npm-cli.js"

# shellcheck disable=SC1091
. "$ROOT/tools/dep_updaters/utils.sh"

NEW_VERSION=$("$NODE" "$NPM" view acorn dist-tags.latest)
CURRENT_VERSION=$("$NODE" -p "require('./deps/acorn/acorn/package.json').version")

echo "Comparing $NEW_VERSION with $CURRENT_VERSION"

if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then
echo "Skipped because Acorn is on the latest version."
exit 0
fi
# This function exit with 0 if new version and current version are the same
compare_dependency_version "acorn" "$NEW_VERSION" "$CURRENT_VERSION"

cd "$( dirname "$0" )/../.." || exit

Expand Down Expand Up @@ -50,14 +49,7 @@ mv acorn-tmp/node_modules/acorn deps/acorn

rm -rf acorn-tmp/

echo "All done!"
echo ""
echo "Please git add acorn, commit the new version:"
echo ""
echo "$ git add -A deps/acorn src/acorn_version.h"
echo "$ git commit -m \"deps: update acorn to $NEW_VERSION\""
echo ""

# The last line of the script should always print the new version,
# as we need to add it to $GITHUB_ENV variable.
echo "NEW_VERSION=$NEW_VERSION"
# Update the version number on maintaining-dependencies.md
# and print the new version as the last line of the script as we need
# to add it to $GITHUB_ENV variable
finalize_version_update "acorn" "$NEW_VERSION" "src/acorn_version.h"
23 changes: 6 additions & 17 deletions tools/dep_updaters/update-ada.sh
Original file line number Diff line number Diff line change
Expand Up @@ -25,12 +25,8 @@ EOF

CURRENT_VERSION=$(grep "#define ADA_VERSION" "$DEPS_DIR/ada/ada.h" | sed -n "s/^.*VERSION \"\(.*\)\"/\1/p")

echo "Comparing $NEW_VERSION with $CURRENT_VERSION"

if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then
echo "Skipped because ada is on the latest version."
exit 0
fi
# This function exit with 0 if new version and current version are the same
compare_dependency_version "ada" "$NEW_VERSION" "$CURRENT_VERSION"

echo "Making temporary workspace..."

Expand Down Expand Up @@ -63,14 +59,7 @@ mv "$DEPS_DIR/ada/"*.gyp "$DEPS_DIR/ada/README.md" "$WORKSPACE/"
rm -rf "$DEPS_DIR/ada"
mv "$WORKSPACE" "$DEPS_DIR/ada"

echo "All done!"
echo ""
echo "Please git add ada, commit the new version:"
echo ""
echo "$ git add -A deps/ada"
echo "$ git commit -m \"deps: update ada to $NEW_VERSION\""
echo ""

# The last line of the script should always print the new version,
# as we need to add it to $GITHUB_ENV variable.
echo "NEW_VERSION=$NEW_VERSION"
# Update the version number on maintaining-dependencies.md
# and print the new version as the last line of the script as we need
# to add it to $GITHUB_ENV variable
finalize_version_update "ada" "$NEW_VERSION"
Loading

0 comments on commit c541153

Please sign in to comment.