Automate updates of all dependencies

[mhdawson]

PR's like this are really hard to validate and should probably be done through automation.

nodejs/node#44283

@RafaelGSS,@facutuesca is that something you could add to your do list?

https://github.com/nodejs/node/blob/main/doc/contributing/maintaining-root-certs.md)

• acorn
• ada
• base64
• brotli
• cares
• cjs-module-lexer
• corepack
• googletest
• histogram
• icu-small
• llhttp
• nghttp2
• ngtcp2
• npm
• openssl
• undici
• uv
• uvwasi
• v8
• zlib
• root certificate updates
• simdutf
• minimatch

[richardlau]

FYI if you are not aware there is a PR to add a workflow for updating the timezone information: nodejs/node#43988.

Updating ICU itself is sometimes done together with V8 updates if V8 has bumped ICU versions.

[mhdawson]

@richardlau thanks for pointing that out.

@RafaelGSS, @facutuesca maybe what we should focus on is looking at all of the dependencies, if upates are automated and if not identify which ones should be, and prioritize which ones we'd want to automate. (For example I think we had some discusssions around openSSL, but I think we should track/work on them as an overall program to ensure progress).

If that makes sense to you two I might update the title of this issue to be more about doing it in general for all of the dependencies.

[RafaelGSS]

That makes sense to me.

[facutuesca]

@mhdawson I'll start working on this (looking at all dependencies and see which ones we could update with a script). Should we change the title of the issue to match that?

[mhdawson]

@facutuesca thanks, I've updated the title.

[mhdawson]

I updated the first part of the issue to have the list of deps along with checkboxes. We can track progress there in terms of which ones we have automated versus not so far.

[mhdawson]

@BethGriggs if you have any insight/suggestions of what we might need/want to include in the automation based on what you have leared about SALSA, that info would be good to factor into how we do the automation.

[facutuesca]

@mhdawson

The following dependencies are already updated automatically via a Github action:

• corepack (action and Makefile target)
• eslint (action and script)
• undici (action and script)

The following have a script + docs on how to update them (but no GH Action):

• cares (script and docs)
• llhttp (script and docs)
• nghttp2 (script and docs)
• npm (script and docs)

The following have only docs on how to update them:

• base64 (docs)
• cjs-module-lexer (docs)
• icu-small (docs)
• ngtcp2 (docs)
• OpenSSL (docs)
• V8 (docs)
• zlib (docs)

Finally, the following don't have any docs/scripts/etc:

• acorn
• brotli
• googletest
• histogram
• uv

[RafaelGSS]

I'd go with the ones that are often updated, such as OpenSSL / ICU / zlib

[richardlau]

ICU doesn't update very often (about once a year), although we do now have an automated workflow for updating the timezone information (which updates more often) in the ICU data file.

I believe the npm team have their own automation to push npm releases into Node.js core.

[mhdawson]

I'd agree that starting with the ones we update most often would be good, and in particular OpenSSL. I think we have a few starting points. I'd written up nodejs/node#42395 and I think that @RafaelGSS had also done some work on that front as well.

I also think that working on the list for which we have no instructions is also a priority as I see not having that documented as a risk we might get it wrong if we do have to do an update.

[mhdawson]

@facutuesca and thanks for the good categorization, it's good to be able to look at the overall list like that.

[richardlau]

Root certificates is another thing we could add to the list: nodejs/node#45477
Update process: https://github.com/nodejs/node/blob/main/doc/contributing/maintaining-root-certs.md

FWIW Adoptium have some automation for something similar for Termurin Java builds (thanks @sxa for the pointer 🙇): https://github.com/adoptium/temurin-build/blob/master/.github/workflows/ca-cert-updater.yml
I believe their version of mk-ca-bundle.pl differs from ours and they also have less information in their commit messages regarding the certificates removed/added or NSS version the update is based on.

[mhdawson]

@richardlau thanks for pointing that out. I think starting with automating the root cert updates would be a good thing to start with.