# Security Release Process The security release process covers the steps required to plan/implement a security release. This document is copied into the description of the Next Security Release, and used to track progress on the release. It contains ***TEXT LIKE THIS*** which will be replaced during the release process with the information described. ## Planning * [ ] Open an [issue](https://github.com/nodejs-private/node-private) titled `Next Security Release`, and put this checklist in the description. * [ ] Get agreement on the list of vulnerabilities to be addressed: * ***H1 REPORT LINK***: ***DESCRIPTION*** (***CVE or H1 CVE request link***) * v10.x, v12.x: ***LINK to PR URL*** * ... * [ ] PR release announcements in [private](https://github.com/nodejs-private/nodejs.org-private): * (Use previous PRs as templates, don't forget to update the site banner, and the date in the slug so that it will move to the top of the blog list.) * [ ] pre-release: ***LINK TO PR*** * [ ] post-release: ***LINK TO PR*** * [ ] Get agreement on the planned date for the release: ***RELEASE DATE*** * [ ] Get release team volunteers for all affected lines: * v12.x: ***NAME of RELEASER(S)*** * ... other lines, if multiple releasers ## Announcement (one week in advance of the planned release) * [ ] Check that all vulnerabilities are ready for release integration: * PRs against all affected release lines or cherry-pick clean * Approved * Pass `make test` * Have CVEs * Described in the pre/post announcements * [ ] Pre-release announcement [email][]: ***LINK TO EMAIL*** (Get access from existing manager: Ben Noordhuis, Rod Vagg, Michael Dawson) * [ ] Pre-release announcement to nodejs.org blog: ***LINK TO BLOG*** (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to nodejs/nodejs.org) * [ ] Request releaser(s) to start integrating the PRs to be released. * [ ] Notify [docker-node][] of upcoming security release date: ***LINK*** * [ ] Notify build-wg of upcoming security release date by opening an issue in [nodejs/build][] to request WG members are available to fix any CI issues. ## Release day * [ ] [Lock CI](https://github.com/nodejs/build/blob/master/doc/jenkins-guide.md#before-the-release) * [ ] The releaser(s) run the release process to completion. * [ ] [Unlock CI](https://github.com/nodejs/build/blob/master/doc/jenkins-guide.md#after-the-release) * [ ] Post-release announcement in reply [email][]: ***LINK TO EMAIL*** * [ ] Post-release announcement to Nodejs.org blog: ***LINK TO BLOG POST*** * (Re-PR the pre-approved branch from nodejs-private/nodejs.org-private to nodejs/nodejs.org) * [ ] Email `"Rachel Romoff" ` to tweet an announcement, or if you are on twitter you can just direct message the `@nodejs` handle. * [ ] Comment in [docker-node][] issue that release is ready for integration. The docker-node team will build and release docker image updates. * [ ] For every H1 report resolved: * Close as Resolved * Request Disclosure * Request publication of [H1 CVE requests][] * (Check that the "Version Fixed" field in the CVE is correct, and provide links to the release blogs in the "Public Reference" section) * [ ] PR machine-readable JSON descriptions of the vulnerabilities to the [core](https://github.com/nodejs/security-wg/tree/master/vuln/core) vulnerability DB. ***LINK TO PR*** * [ ] Close this issue * [ ] Make sure the PRs for the vulnerabilities are closed. [H1 CVE requests]: https://hackerone.com/nodejs/cve_requests [docker-node]: https://github.com/nodejs/docker-node/issues [nodejs/build]: https://github.com/nodejs/build/issues [email]: https://groups.google.com/forum/#!forum/nodejs-sec