feat(crypto-fips): add migration recipe for crypto.fips (#177)

Co-authored-by: Aviv Keller <[email protected]>
Co-authored-by: Augustin Mauroy <[email protected]>
Co-authored-by: Bruno Rodrigues <[email protected]>
Co-authored-by: Jacob Smith <[email protected]>

Author: 5 people

.vscode/settings.json

@@ -8,5 +8,8 @@
     "[markdown]": {
         "editor.wordWrap": "off"
     },
+    "[typescript][javascript]": {
+        "editor.defaultFormatter": "biomejs.biome"
+    },
     "typescript.experimental.useTsgo": true
 }

package-lock.json

@@ -9,15 +9,15 @@ import type JS from "@codemod.com/jssg-types/langs/javascript";
  *
  * Handles:
  * 1. Updates import/require statements that import `createRequireFromPath`:
- *    - `const { createRequireFromPath } = require('module')` -> `const { createRequire } = require('module')`
- *    - `const { createRequireFromPath } = require('node:module')` -> `const { createRequire } = require('node:module')`
- *    - `import { createRequireFromPath } from 'module'` -> `import { createRequire } from 'module'`
- *    - `import { createRequireFromPath } from 'node:module'` -> `import { createRequire } from 'node:module'`
+ *    - `const { createRequireFromPath } = require('module')` → `const { createRequire } = require('module')`
+ *    - `const { createRequireFromPath } = require('node:module')` → `const { createRequire } = require('node:module')`
+ *    - `import { createRequireFromPath } from 'module'` → `import { createRequire } from 'module'`
+ *    - `import { createRequireFromPath } from 'node:module'` → `import { createRequire } from 'node:module'`
  *
  * 2. Updates variable declarations that use `createRequireFromPath`:
- *    - `const myRequire = createRequireFromPath(arg)` -> `const myRequire = createRequire(arg)`
- *    - `let myRequire = createRequireFromPath(arg)` -> `let myRequire = createRequire(arg)`
- *    - `var myRequire = createRequireFromPath(arg)` -> `var myRequire = createRequire(arg)`
+ *    - `const myRequire = createRequireFromPath(arg)` → `const myRequire = createRequire(arg)`
+ *    - `let myRequire = createRequireFromPath(arg)` → `let myRequire = createRequire(arg)`
+ *    - `var myRequire = createRequireFromPath(arg)` → `var myRequire = createRequire(arg)`
  *
  * 3. Preserves original variable names and declaration types.
  */

recipes/create-require-from-path/src/workflow.ts

@@ -0,0 +1,45 @@
+# `crypto.fips` DEP0093
+
+This recipe transforms the usage from the deprecated `crypto.fips` to `crypto.getFips()` and `crypto.setFips()`.
+
+See [DEP0093](https://nodejs.org/api/deprecations.html#DEP0093).
+
+## Examples
+
+**Before:**
+
+```js
+import crypto from "node:crypto";
+import { fips } from "node:crypto";
+
+// Using crypto.fips
+crypto.fips;
+fips;
+
+// Using crypto.fips = true
+crypto.fips = true;
+fips = true;
+
+// Using crypto.fips = false
+crypto.fips = false;
+fips = false;
+```
+
+**After:**
+
+```js
+import crypto from "node:crypto";
+import { getFips, setFips } from "node:crypto";
+
+// Using crypto.getFips()
+crypto.getFips();
+getFips();
+
+// Using crypto.setFips(true)
+crypto.setFips(true);
+setFips(true);
+
+// Using crypto.setFips(false)
+crypto.setFips(false);
+setFips(false);
+```

recipes/crypto-fips-to-getFips/README.md

@@ -0,0 +1,21 @@
+schema_version: "1.0"
+name: "@nodejs/crypto-fips-to-getFips"
+version: 1.0.0
+description: Handle DEP0093 via transforming `crypto.fips` to `crypto.getFips()` and `crypto.setFips()`
+author: Usman S.
+license: MIT
+workflow: workflow.yaml
+category: migration
+
+targets:
+  languages:
+    - javascript
+    - typescript
+
+keywords:
+  - transformation
+  - migration
+
+registry:
+  access: public
+  visibility: public

recipes/crypto-fips-to-getFips/codemod.yaml

@@ -0,0 +1,24 @@
+{
+  "name": "@nodejs/crypto-fips-to-getFips",
+  "version": "1.0.0",
+  "description": "Handle DEP0093 via transforming `crypto.fips` to `crypto.getFips()` and `crypto.setFips()`",
+  "type": "module",
+  "scripts": {
+    "test": "npx codemod jssg test -l typescript ./src/workflow.ts ./"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nodejs/userland-migrations.git",
+    "directory": "recipes/crypto-fips-to-getFips",
+    "bugs": "https://github.com/nodejs/userland-migrations/issues"
+  },
+  "author": "Usman S.",
+  "license": "MIT",
+  "homepage": "https://github.com/nodejs/userland-migrations/blob/main/recipes/crypto-fips-to-getFips/README.md",
+  "devDependencies": {
+    "@codemod.com/jssg-types": "^1.0.9"
+  },
+  "dependencies": {
+    "@nodejs/codemod-utils": "*"
+  }
+}

recipes/crypto-fips-to-getFips/package.json

@@ -0,0 +1,190 @@
+import {
+	getNodeImportCalls,
+	getNodeImportStatements,
+} from "@nodejs/codemod-utils/ast-grep/import-statement";
+import { getNodeRequireCalls } from "@nodejs/codemod-utils/ast-grep/require-call";
+import { resolveBindingPath } from "@nodejs/codemod-utils/ast-grep/resolve-binding-path";
+import { updateBinding } from "@nodejs/codemod-utils/ast-grep/update-binding";
+import { removeLines } from "@nodejs/codemod-utils/ast-grep/remove-lines";
+import type { SgRoot, SgNode, Edit, Range } from "@codemod.com/jssg-types/main";
+import type Js from "@codemod.com/jssg-types/langs/javascript";
+
+type Binding = {
+	type: "namespace" | "destructured";
+	binding: string;
+	node: SgNode<Js>;
+};
+
+/**
+ * Transform function that converts deprecated crypto.fips calls
+ * to the new crypto.getFips() and crypto.setFips() syntax.
+ *
+ * Handles:
+ * 1. crypto.fips → crypto.getFips()
+ * 2. crypto.fips = value → crypto.setFips(value)
+ * 3. const { fips } = require("crypto") → const { getFips, setFips } = require("crypto")
+ * 4. import { fips } from "crypto" → import { getFips, setFips } from "crypto")
+ * 5. const { fips } = await import("crypto") → const { getFips, setFips } = await import("crypto")
+ * 6. Aliased imports: { fips: alias } → { getFips, setFips }
+ */
+export default function transform(root: SgRoot<Js>): string | null {
+	const rootNode = root.root();
+	const edits: Edit[] = [];
+	const linesToRemove: Range[] = [];
+
+	const bindings = collectCryptoFipsBindings(root);
+
+	if (bindings.length === 0) return null;
+
+	for (const binding of bindings) {
+		if (binding.type === "namespace") {
+			edits.push(...transformNamespaceUsage(rootNode, binding.binding));
+		} else {
+			edits.push(...transformDestructuredUsage(rootNode, binding.binding));
+
+			const result = updateBinding(binding.node, {
+				old: binding.binding,
+				new: ["getFips", "setFips"],
+			});
+			if (result?.edit) {
+				edits.push(result.edit);
+			}
+			if (result?.lineToRemove) {
+				linesToRemove.push(result.lineToRemove);
+			}
+		}
+	}
+
+	if (edits.length === 0 && linesToRemove.length === 0) return null;
+
+	const sourceCode = rootNode.commitEdits(edits);
+	return linesToRemove.length > 0 ? removeLines(sourceCode, linesToRemove) : sourceCode;
+}
+
+/**
+ * Collect all crypto.fips bindings from the file
+ */
+function collectCryptoFipsBindings(root: SgRoot<Js>): Binding[] {
+	const bindings: Binding[] = [];
+	const allStatements = [
+		...getNodeImportStatements(root, "crypto"),
+		...getNodeImportCalls(root, "crypto"),
+		...getNodeRequireCalls(root, "crypto"),
+	];
+
+	for (const node of allStatements) {
+		const resolvedPath = resolveBindingPath(node, "$.fips");
+
+		if (!resolvedPath) continue;
+
+		if (resolvedPath.includes(".")) {
+			bindings.push({
+				type: "namespace",
+				binding: resolvedPath.slice(0, resolvedPath.lastIndexOf(".")),
+				node,
+			});
+		} else {
+			bindings.push({
+				type: "destructured",
+				binding: resolvedPath,
+				node,
+			});
+		}
+	}
+
+	return bindings;
+}
+
+/**
+ * Transform namespace usage: crypto.fips → crypto.getFips(), crypto.fips = val → crypto.setFips(val)
+ */
+function transformNamespaceUsage(rootNode: SgNode<Js>, base: string): Edit[] {
+	const edits: Edit[] = [];
+
+	const assignments = rootNode.findAll({
+		rule: { pattern: `${base}.fips = $VALUE` },
+	});
+
+	for (const assignment of assignments) {
+		const valueNode = assignment.getMatch("VALUE");
+		if (valueNode) {
+			let value = valueNode.text();
+			value = value.replace(new RegExp(`\\b${base}\\.fips\\b`, "g"), `${base}.getFips()`);
+			edits.push(assignment.replace(`${base}.setFips(${value})`));
+		}
+	}
+
+	const reads = rootNode.findAll({
+		rule: {
+			pattern: `${base}.fips`,
+			not: {
+				inside: {
+					kind: "assignment_expression",
+					has: {
+						kind: "member_expression",
+						pattern: `${base}.fips`,
+					},
+				},
+			},
+		},
+	});
+
+	for (const read of reads) {
+		edits.push(read.replace(`${base}.getFips()`));
+	}
+
+	return edits;
+}
+
+/**
+ * Transform destructured usage: fips → getFips(), fips = val → setFips(val)
+ */
+function transformDestructuredUsage(rootNode: SgNode<Js>, binding: string): Edit[] {
+	const edits: Edit[] = [];
+
+	const assignments = rootNode.findAll({
+		rule: {
+			pattern: `${binding} = $VALUE`,
+		},
+	});
+
+	for (const assignment of assignments) {
+		const valueNode = assignment.getMatch("VALUE");
+		if (valueNode) {
+			let value = valueNode.text();
+			value = value.replace(new RegExp(`\\b${binding}\\b`, "g"), "getFips()");
+			edits.push(assignment.replace(`setFips(${value})`));
+		}
+	}
+
+	const reads = rootNode.findAll({
+		rule: {
+			kind: "identifier",
+			pattern: binding,
+			not: {
+				inside: {
+					any: [
+						{
+							kind: "assignment_expression",
+							has: {
+								kind: "identifier",
+								pattern: binding,
+							},
+						},
+						{ kind: "import_statement" },
+						{ kind: "import_specifier" },
+						{ kind: "named_imports" },
+						{ kind: "object_pattern" },
+						{ kind: "pair_pattern" },
+					],
+				},
+			},
+		},
+	});
+
+	for (const read of reads) {
+		edits.push(read.replace("getFips()"));
+	}
+
+	return edits;
+}

recipes/crypto-fips-to-getFips/src/workflow.ts

@@ -0,0 +1,5 @@
+const crypto = require("node:crypto");
+
+if (crypto.getFips()) {
+	console.log("FIPS mode is enabled");
+}

recipes/crypto-fips-to-getFips/tests/expected/file-1.js

@@ -0,0 +1,6 @@
+import { getFips, setFips } from "node:crypto";
+
+if (getFips()) {
+	console.log("FIPS mode is enabled");
+}
+setFips(true);

recipes/crypto-fips-to-getFips/tests/expected/file-10.js

@@ -0,0 +1,4 @@
+const { getFips, setFips } = await import("node:crypto");
+
+setFips(true);
+console.log(getFips());