fix: split security release vulnerability wording

RafaelGSS · RafaelGSS · commit da25653c27e1 · 2026-05-28T15:29:27.000-03:00
Signed-off-by: RafaelGSS &lt;rafael.nunu@hotmail.com&gt;
diff --git a/lib/security-release/security-release.js b/lib/security-release/security-release.js
@@ -12,10 +12,10 @@ export const NEXT_SECURITY_RELEASE_REPOSITORY = {
 };
 
 const SEVERITY_RANK = {
-  critical: 0,
-  high: 1,
-  medium: 2,
-  low: 3
+  low: 0,
+  medium: 1,
+  high: 2,
+  critical: 3
 };
 
 const SEVERITY_LABEL = {
@@ -146,18 +146,19 @@ export function formatDateToYYYYMMDD(date) {
 
 export function getHighestSeverity(reports) {
   let highestSeverity = '';
+  let highestRank = -1;
 
   for (const report of reports) {
-    const rating = report.severity.rating.toLowerCase();
-    const currentRank = SEVERITY_RANK[rating] ?? Number.MAX_SAFE_INTEGER;
-    const highestRank = SEVERITY_RANK[highestSeverity] ?? Number.MAX_SAFE_INTEGER;
+    const rating = report.severity.rating;
+    const currentRank = SEVERITY_RANK[rating] ?? -1;
 
-    if (!highestSeverity || currentRank < highestRank) {
+    if (currentRank > highestRank) {
       highestSeverity = rating;
+      highestRank = currentRank;
     }
   }
 
-  return SEVERITY_LABEL[highestSeverity] ?? highestSeverity.toUpperCase();
+  return SEVERITY_LABEL[highestSeverity] ?? 'NONE';
 }
 
 export function getHighestSeverityAnnouncement(reports) {
diff --git a/lib/security_blog.js b/lib/security_blog.js
@@ -39,7 +39,7 @@ export default class SecurityBlog extends SecurityRelease {
       annoucementDate: await this.getAnnouncementDate(cli),
       releaseDate: this.formatReleaseDate(releaseDate),
       affectedVersions: this.getAffectedVersions(content),
-      vulnerabilities: this.getVulnerabilities(content),
+      vulnerabilities: this.getPreReleaseVulnerabilities(content),
       slug: this.getSlug(releaseDate),
       impact: this.getImpact(content)
     };
@@ -347,12 +347,34 @@ export default class SecurityBlog extends SecurityRelease {
   }
 
   getVulnerabilities(content) {
+    const severityCount = new Map();
+
     for (const report of content.reports) {
       if (!report.severity?.rating) {
         this.cli.error(`severity.rating not found for report ${report.id}.`);
         process.exit(1);
       }
+
+      const rating = report.severity.rating;
+      severityCount.set(rating, (severityCount.get(rating) || 0) + 1);
+    }
+
+    const text = [];
+    for (const [rating, count] of severityCount) {
+      text.push(`- ${count} ${rating} severity issues.`);
     }
+
+    return text.join('\n');
+  }
+
+  getPreReleaseVulnerabilities(content) {
+    for (const report of content.reports) {
+      if (!report.severity?.rating) {
+        this.cli.error(`severity.rating not found for report ${report.id}.`);
+        process.exit(1);
+      }
+    }
+
     return getHighestSeverityAnnouncement(content.reports);
   }
 
diff --git a/test/unit/security_release.test.js b/test/unit/security_release.test.js
@@ -11,6 +11,19 @@ const cli = {
   error() {}
 };
 
+function assertExits(fn) {
+  const originalExit = process.exit;
+  process.exit = () => {
+    throw new Error('process.exit');
+  };
+
+  try {
+    assert.throws(fn, /process\.exit/);
+  } finally {
+    process.exit = originalExit;
+  }
+}
+
 function report(id, rating, affectedVersions = ['24.x']) {
   return {
     id,
@@ -46,6 +59,16 @@ describe('security_release: severity announcement', () => {
       'The highest severity issue fixed in this release is MEDIUM.'
     );
   });
+
+  it('ignores invalid severity ratings', () => {
+    const reports = [
+      report(1, 'low'),
+      report(2, 'hypercritical'),
+      report(3, 'medium')
+    ];
+
+    assert.strictEqual(getHighestSeverity(reports), 'MEDIUM');
+  });
 });
 
 describe('security_blog: pre-release severity wording', () => {
@@ -59,7 +82,7 @@ describe('security_blog: pre-release severity wording', () => {
     };
 
     assert.strictEqual(
-      blog.getVulnerabilities(content),
+      blog.getPreReleaseVulnerabilities(content),
       'The highest severity issue fixed in this release is MEDIUM.'
     );
   });
@@ -80,4 +103,94 @@ describe('security_blog: pre-release severity wording', () => {
         'The highest severity issue fixed in the 20.x release line is HIGH.'
     );
   });
+
+  it('replaces the pre-release template placeholder with the highest severity sentence', () => {
+    const blog = new SecurityBlog(cli);
+    const template = blog.getSecurityPreReleaseTemplate();
+    const preRelease = blog.buildPreRelease(template, {
+      annoucementDate: '2026-06-01T00:00:00.000Z',
+      releaseDate: 'Tuesday, June 2, 2026',
+      affectedVersions: '24.x, 22.x',
+      vulnerabilities: blog.getPreReleaseVulnerabilities({
+        reports: [
+          report(1, 'low'),
+          report(2, 'high')
+        ]
+      }),
+      slug: 'june-2026-security-releases',
+      impact: 'The highest severity issue fixed in the 24.x release line is HIGH.'
+    });
+
+    assert.match(
+      preRelease,
+      /The highest severity issue fixed in this release is HIGH\./
+    );
+    assert.doesNotMatch(preRelease, /%VULNERABILITIES%/);
+  });
+
+  it('exits when a report is missing a severity rating', () => {
+    const errors = [];
+    const blog = new SecurityBlog({
+      error(message) {
+        errors.push(message);
+      }
+    });
+    const content = {
+      reports: [
+        {
+          id: 1,
+          severity: {},
+          affectedVersions: ['24.x']
+        }
+      ]
+    };
+
+    assertExits(() => blog.getPreReleaseVulnerabilities(content));
+    assertExits(() => blog.getImpact(content));
+    assert.deepStrictEqual(errors, [
+      'severity.rating not found for report 1.',
+      'severity.rating not found for report 1.'
+    ]);
+  });
+});
+
+describe('security_blog: post-release severity wording', () => {
+  it('keeps the vulnerability count list', () => {
+    const blog = new SecurityBlog(cli);
+    const content = {
+      reports: [
+        report(1, 'low'),
+        report(2, 'medium'),
+        report(3, 'medium')
+      ]
+    };
+
+    assert.strictEqual(
+      blog.getVulnerabilities(content),
+      '- 1 low severity issues.\n- 2 medium severity issues.'
+    );
+  });
+
+  it('exits when a report is missing a severity rating', () => {
+    const errors = [];
+    const blog = new SecurityBlog({
+      error(message) {
+        errors.push(message);
+      }
+    });
+    const content = {
+      reports: [
+        {
+          id: 1,
+          severity: {},
+          affectedVersions: ['24.x']
+        }
+      ]
+    };
+
+    assertExits(() => blog.getVulnerabilities(content));
+    assert.deepStrictEqual(errors, [
+      'severity.rating not found for report 1.'
+    ]);
+  });
 });
