feat(crypto-fips): add migration recipe for crypto.fips

.vscode/settings.json

@@ -1,11 +1,17 @@
 {
-    "editor.formatOnSave": true,
-    "javascript.updateImportsOnFileMove.enabled": "always",
-    "typescript.updateImportsOnFileMove.enabled": "always",
-    "editor.formatOnPaste": true,
-    "editor.wordWrap": "wordWrapColumn",
-    "editor.wordWrapColumn": 100,
-    "[markdown]": {
-        "editor.wordWrap": "off"
-    }
+  "editor.formatOnSave": true,
+  "javascript.updateImportsOnFileMove.enabled": "always",
+  "typescript.updateImportsOnFileMove.enabled": "always",
+  "editor.formatOnPaste": true,
+  "editor.wordWrap": "wordWrapColumn",
+  "editor.wordWrapColumn": 100,
+  "[javascript][typescript][json]": {
+    "editor.defaultFormatter": "biomejs.biome"
+  },
+  "[markdown]": {
+    "editor.wordWrap": "off"
+  },
+  "[typescript]": {
+    "editor.defaultFormatter": "biomejs.biome"
+  }
 }

recipes/crypto-fips/README.md

@@ -0,0 +1,33 @@
+# `crypto.fips` DEP0093
+
+This recipe provides a guide for migrating from the deprecated `crypto.fips` to `crypto.getFips()` and `crypto.setFips()`.
+
+See [DEP0093](https://nodejs.org/api/deprecations.html#DEP0093).
+
+## Examples
+
+**Before:**
+
+```js
+// Using crypto.fips
+crypto.fips;
+
+// Using crypto.fips = true
+crypto.fips = true;
+
+// Using crypto.fips = false
+crypto.fips = false;
+```
+
+**After:**
+
+```js
+// Using crypto.getFips()
+crypto.getFips();
+
+// Using crypto.setFips(true)
+crypto.setFips(true);
+
+// Using crypto.setFips(false)
+crypto.setFips(false);
+```

recipes/crypto-fips/codemod.yaml

@@ -0,0 +1,21 @@
+schema_version: "1.0"
+name: "@nodejs/crypto-fips"
+version: 1.0.0
+description: Handle DEP0093 via transforming `crypto.fips` to `crypto.getFips()` and `crypto.setFips()`
+author: Usman S.
+license: MIT
+workflow: workflow.yaml
+category: migration
+
+targets:
+  languages:
+    - javascript
+    - typescript
+
+keywords:
+  - transformation
+  - migration
+
+registry:
+  access: public
+  visibility: public

recipes/crypto-fips/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@nodejs/crypto-fips",
+  "version": "1.0.0",
+  "description": "Handle DEP0093 via transforming `crypto.fips` to `crypto.getFips()` and `crypto.setFips()`",
+  "type": "module",
+  "scripts": {
+    "test": "npx codemod jssg test -l typescript ./src/workflow.ts ./"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/nodejs/userland-migrations.git",
+    "directory": "recipes/crypto-fips",
+    "bugs": "https://github.com/nodejs/userland-migrations/issues"
+  },
+  "author": "Usman S.",
+  "license": "MIT",
+  "homepage": "https://github.com/nodejs/userland-migrations/blob/main/recipes/crypto-fips/README.md",
+  "devDependencies": {
+    "@codemod.com/jssg-types": "^1.0.3"
+  },
+  "dependencies": {
+    "@nodejs/codemod-utils": "*"
+  }
+}

recipes/crypto-fips/src/workflow.ts

@@ -0,0 +1,95 @@
+import { getNodeImportStatements } from '@nodejs/codemod-utils/ast-grep/import-statement';
+import { getNodeRequireCalls } from '@nodejs/codemod-utils/ast-grep/require-call';
+import { resolveBindingPath } from '@nodejs/codemod-utils/ast-grep/resolve-binding-path';
+import type { SgRoot, Edit, SgNode } from '@codemod.com/jssg-types/main';
+
+function escapeRegExp(input: string): string {
+	return input.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+/**
+ * Transform function that converts deprecated crypto.fips calls
+ * to the new crypto.getFips() and crypto.setFips() syntax.
+ *
+ * Handles:
+ * 1. crypto.fips -> crypto.getFips()
+ * 2. crypto.fips = true -> crypto.setFips(true)
+ * 3. crypto.fips = false -> crypto.setFips(false)
+ */
+export default function transform(root: SgRoot): string | null {
+	const rootNode = root.root();
+	let hasChanges = false;
+	const edits: Edit[] = [];
+
+	const cryptoBases = new Set<string>();
+	setCryptoBases(getNodeRequireCalls(root, 'crypto'), cryptoBases);
+	setCryptoBases(getNodeImportStatements(root, 'crypto'), cryptoBases);
+
+	const assignmentResult = replaceAssignments(rootNode, cryptoBases);
+	edits.push(...assignmentResult.edits);
+	hasChanges = assignmentResult.hasChanges;
+
+	const readResult = replaceReads(rootNode, cryptoBases);
+	edits.push(...readResult.edits);
+	hasChanges = readResult.hasChanges;
+
+	if (!hasChanges) return null;
+	return rootNode.commitEdits(edits);
+}
+
+function setCryptoBases(statements: SgNode[], cryptoBases: Set<string>) {
+	for (const stmt of statements) {
+		const resolvedPath = resolveBindingPath(stmt, '$.fips');
+		if (!resolvedPath || !resolvedPath.includes('.')) continue;
+		cryptoBases.add(resolvedPath.slice(0, resolvedPath.lastIndexOf('.')));
+	}
+}
+
+function replaceAssignments(rootNode: SgNode, cryptoBases: Set<string>) {
+	const edits: Edit[] = [];
+	let hasChanges = false;
+
+	for (const base of cryptoBases) {
+		const assignments = rootNode.findAll({
+			rule: {
+				pattern: `${base}.fips = $VALUE`,
+			},
+		});
+
+		for (const assign of assignments) {
+			const valueText = assign.getMatch('VALUE')?.text() ?? '';
+			const basePropRegex = new RegExp(
+				`\\b${escapeRegExp(base)}\\.fips\\b`,
+				'g',
+			);
+			const transformedValue = valueText.replace(
+				basePropRegex,
+				`${base}.getFips()`,
+			);
+			edits.push(assign.replace(`${base}.setFips(${transformedValue})`));
+			hasChanges = true;
+		}
+	}
+
+	return { edits, hasChanges };
+}
+
+function replaceReads(rootNode: SgNode, cryptoBases: Set<string>) {
+	const edits: Edit[] = [];
+	let hasChanges = false;
+
+	for (const base of cryptoBases) {
+		const reads = rootNode.findAll({
+			rule: {
+				pattern: `${base}.fips`,
+			},
+		});
+
+		for (const read of reads) {
+			edits.push(read.replace(`${base}.getFips()`));
+			hasChanges = true;
+		}
+	}
+
+	return { edits, hasChanges };
+}

recipes/crypto-fips/tests/expected/file-1.js

@@ -0,0 +1,5 @@
+const crypto = require("node:crypto");
+
+if (crypto.getFips()) {
+	console.log("FIPS mode is enabled");
+}

recipes/crypto-fips/tests/expected/file-2.js

@@ -0,0 +1,3 @@
+const crypto = require("node:crypto");
+
+crypto.setFips(true);

recipes/crypto-fips/tests/expected/file-3.js

@@ -0,0 +1,6 @@
+const crypto = require("node:crypto");
+
+if (process.env.ENABLE_FIPS === "true") {
+	crypto.setFips(true);
+}
+console.log("FIPS enabled:", crypto.getFips());

recipes/crypto-fips/tests/expected/file-4.js

@@ -0,0 +1,4 @@
+import crypto from "node:crypto";
+
+const fipsStatus = crypto.getFips();
+crypto.setFips(!fipsStatus);

recipes/crypto-fips/tests/expected/file-5.js

@@ -0,0 +1,4 @@
+const nodeCrypto = require("node:crypto");
+
+const currentFips = nodeCrypto.getFips();
+nodeCrypto.setFips(!currentFips);

recipes/crypto-fips/tests/expected/file-6.js

@@ -0,0 +1,4 @@
+const crypto = require("node:crypto");
+
+console.log("FIPS enabled:", crypto.getFips());
+crypto.setFips(crypto.getFips() || process.env.FORCE_FIPS);

recipes/crypto-fips/tests/input/file-1.js

@@ -0,0 +1,5 @@
+const crypto = require("node:crypto");
+
+if (crypto.fips) {
+	console.log("FIPS mode is enabled");
+}

recipes/crypto-fips/tests/input/file-2.js

@@ -0,0 +1,3 @@
+const crypto = require("node:crypto");
+
+crypto.fips = true;

recipes/crypto-fips/tests/input/file-3.js

@@ -0,0 +1,6 @@
+const crypto = require("node:crypto");
+
+if (process.env.ENABLE_FIPS === "true") {
+	crypto.fips = true;
+}
+console.log("FIPS enabled:", crypto.fips);

recipes/crypto-fips/tests/input/file-4.js

@@ -0,0 +1,4 @@
+import crypto from "node:crypto";
+
+const fipsStatus = crypto.fips;
+crypto.fips = !fipsStatus;

recipes/crypto-fips/tests/input/file-5.js

@@ -0,0 +1,4 @@
+const nodeCrypto = require("node:crypto");
+
+const currentFips = nodeCrypto.fips;
+nodeCrypto.fips = !currentFips;

recipes/crypto-fips/tests/input/file-6.js

@@ -0,0 +1,4 @@
+const crypto = require("node:crypto");
+
+console.log("FIPS enabled:", crypto.fips);
+crypto.fips = crypto.fips || process.env.FORCE_FIPS;

recipes/crypto-fips/tsconfig.json

@@ -0,0 +1,23 @@
+{
+  "compilerOptions": {
+    "allowImportingTsExtensions": true,
+    "allowJs": true,
+    "alwaysStrict": true,
+    "baseUrl": "./",
+    "declaration": true,
+    "declarationMap": true,
+    "emitDeclarationOnly": true,
+    "lib": ["ESNext", "DOM"],
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "noImplicitThis": true,
+    "removeComments": true,
+    "strict": true,
+    "stripInternal": true,
+    "target": "esnext"
+  },
+  "include": ["./"],
+  "exclude": [
+    "tests/**"
+  ]
+}

recipes/crypto-fips/workflow.yaml

@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/codemod-com/codemod/refs/heads/main/schemas/workflow.json
+
+version: "1"
+
+nodes:
+  - id: apply-transforms
+    name: Apply AST Transformations
+    type: automatic
+    steps:
+      - name: Handle DEP0093 via transforming `crypto.fips` to `crypto.getFips()`, `crypto.setFips()` to `crypto.setFips(true)` and `crypto.setFips(false)`.
+        js-ast-grep:
+          js_file: src/workflow.ts
+          base_path: .
+          include:
+            - "**/*.js"
+            - "**/*.jsx"
+            - "**/*.mjs"
+            - "**/*.cjs"
+            - "**/*.cts"
+            - "**/*.mts"
+            - "**/*.ts"
+            - "**/*.tsx"
+          exclude:
+            - "**/node_modules/**"
+          language: typescript