feat(DEP0064): handle tls.createSecurePair deprecation

recipes/tls-create-secure-pair-to-tls-socket/README.md

@@ -0,0 +1,104 @@
+# `tls.createSecurePair` deprecation DEP0064
+
+This recipe transforms the usage from the deprecated `createSecurePair()` to `TLSSocket()`.
+
+See [DEP0064](https://nodejs.org/api/deprecations.html#dep0064-tlscreatesecurepair).
+
+## Examples
+
+### 1) Basic `createSecurePair` usage
+```diff
+-const { createSecurePair } = require('node:tls');
+-const pair = createSecurePair(credentials);
++const { TLSSocket } = require('node:tls');
++const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });
+```
+
+---
+
+### 2) Namespace import (CJS)
+```diff
+-const tls = require('node:tls');
+-const pair = tls.createSecurePair(credentials);
++const tls = require('node:tls');
++const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
+```
+
+---
+
+### 3) With server context
+```diff
+-const { createSecurePair } = require('node:tls');
+-const pair = createSecurePair(credentials, true, true, false);
++const { TLSSocket } = require('node:tls');
++const socket = new TLSSocket(underlyingSocket, {
++  secureContext: credentials,
++  isServer: true,
++  requestCert: true,
++  rejectUnauthorized: false
++});
+```
+
+---
+
+### 4) ESM named import
+```diff
+-import { createSecurePair } from 'node:tls';
+-const pair = createSecurePair(credentials);
++import { TLSSocket } from 'node:tls';
++const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });
+```
+
+---
+
+### 5) ESM namespace import
+```diff
+-import * as tls from 'node:tls';
+-const pair = tls.createSecurePair(credentials);
++import * as tls from 'node:tls';
++const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
+```
+
+---
+
+### 6) Mixed usage with other TLS functions
+```diff
+-const { createSecurePair, createServer } = require('node:tls');
+-const pair = createSecurePair(credentials);
+-const server = createServer(options);
++const { TLSSocket, createServer } = require('node:tls');
++const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });
++const server = createServer(options);
+```
+
+---
+
+### 7) ESM default import
+```diff
+-import tls from 'node:tls';
+-const pair = tls.createSecurePair(credentials);
++import tls, { TLSSocket } from 'node:tls';
++const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
+```
+
+---
+
+### 8) ESM dynamic import (assignment)
+```diff
+-const tls = await import('node:tls');
+-const pair = tls.createSecurePair(credentials);
++const tls = await import('node:tls');
++const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
+```
+
+---
+
+### 9) ESM dynamic import (thenable)
+```diff
+-import('node:tls').then(tls => {
+-  const pair = tls.createSecurePair(credentials);
+-});
++import('node:tls').then(tls => {
++  const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
++});
+```

recipes/tls-create-secure-pair-to-tls-socket/codemod.yaml

@@ -0,0 +1,24 @@
+schema_version: "1.0"
+name: "@nodejs/tls-create-secure-pair-to-tls-socket"
+version: 1.0.0
+description: Handle DEP0064 by transforming `createSecurePair` to `TLSSocket`
+author: Leonardo Trevizo
+license: MIT
+workflow: workflow.yaml
+category: migration
+
+targets:
+  languages:
+    - javascript
+    - typescript
+
+keywords:
+  - transformation
+  - migration
+  - tls
+  - createSecurePair
+  - TLSSocket
+
+registry:
+  access: public
+  visibility: public

recipes/tls-create-secure-pair-to-tls-socket/package.json

@@ -0,0 +1,24 @@
+{
+    "name": "@nodejs/tls-create-secure-pair-to-tls-socket",
+    "version": "1.0.0",
+    "description": "Handle DEP0064 replacing `tls.createSecurePair()` with `tls.TLSSocket()`",
+    "type": "module",
+    "scripts": {
+        "test": "npx codemod jssg test -l typescript ./src/workflow.ts ./"
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/nodejs/userland-migrations.git",
+        "directory": "recipes/tls-create-secure-pair-to-tls-socket",
+        "bugs": "https://github.com/nodejs/userland-migrations/issues"
+    },
+    "author": "Leo Trevizo",
+    "license": "MIT",
+    "homepage": "https://github.com/nodejs/userland-migrations/blob/main/recipes/tls-create-secure-pair-to-tls-socket/README.md",
+    "devDependencies": {
+        "@codemod.com/jssg-types": "^1.0.9"
+    },
+    "dependencies": {
+        "@nodejs/codemod-utils": "*"
+    }
+}

recipes/tls-create-secure-pair-to-tls-socket/src/workflow.ts

@@ -0,0 +1,136 @@
+import type { SgRoot, SgNode, Edit } from '@codemod.com/jssg-types/main';
+import type JS from '@codemod.com/jssg-types/langs/javascript';
+import { resolveBindingPath } from '@nodejs/codemod-utils/ast-grep/resolve-binding-path';
+import { getModuleDependencies } from '@nodejs/codemod-utils/ast-grep/module-dependencies';
+import { updateBinding } from '@nodejs/codemod-utils/ast-grep/update-binding';
+
+export default function transform(root: SgRoot<JS>): string | null {
+	const rootNode = root.root();
+	const tlsStmts = getModuleDependencies(root, 'tls');
+
+	if (!tlsStmts.length) return null;
+
+	const cspBindings = [];
+
+	for (const stmt of tlsStmts) {
+		const binding = resolveBindingPath(stmt, '$.createSecurePair');
+		if (binding) cspBindings.push(binding);
+	}
+
+	if (!cspBindings.length) return null;
+
+	const edits: Edit[] = [];
+
+	// Transform all createSecurePair calls
+	const calls = rootNode.findAll({ rule: { kind: 'call_expression' } });
+
+	for (const call of calls) {
+		const callee = call.field('function');
+		if (!callee) continue;
+
+		const binding = getCallBinding(callee);
+		if (!binding || !cspBindings.includes(binding)) continue;
+
+		// Extract arguments
+		const args = call.field('arguments');
+		if (!args) continue;
+
+		const argNodes = args.children().filter((n) => n.isNamed());
+
+		const options = buildOptions(
+			argNodes[0]?.text() || null,
+			argNodes[1]?.text() || null,
+			argNodes[2]?.text() || null,
+			argNodes[3]?.text() || null,
+		);
+
+		const replacement = binding.includes('.')
+			? `new ${binding.replace(/\.createSecurePair$/, '.TLSSocket')}(underlyingSocket, ${options})`
+			: `new TLSSocket(underlyingSocket, ${options})`;
+
+		edits.push(call.replace(replacement));
+	}
+
+	// Rename variables named 'pair' to 'socket'
+	edits.push(...renamePairVariables(rootNode, cspBindings));
+
+	// Update imports
+	const importStmts = tlsStmts.filter(
+		(s) => s.is('import_statement') || s.is('variable_declarator'),
+	);
+
+	for (const importStmt of importStmts) {
+		const result = updateBinding(importStmt, {
+			old: 'createSecurePair',
+			new: 'TLSSocket',
+			removeAlias: true,
+		});
+
+		if (result?.edit) {
+			edits.push(result.edit);
+		}
+	}
+
+	if (!edits.length) return null;
+
+	return rootNode.commitEdits(edits);
+}
+
+function getCallBinding(callee: SgNode<JS>): string | null {
+	if (callee.is('member_expression')) {
+		const obj = callee.field('object');
+		const prop = callee.field('property');
+		if (!obj || !prop) return null;
+		return `${obj.text()}.${prop.text()}`;
+	}
+	if (callee.is('identifier')) {
+		return callee.text();
+	}
+	return null;
+}
+
+function buildOptions(
+	secureContext?: string | null,
+	isServer?: string | null,
+	requestCert?: string | null,
+	rejectUnauthorized?: string | null,
+) {
+	const kv: string[] = [];
+	if (secureContext) kv.push(`secureContext: ${secureContext}`);
+	if (isServer) kv.push(`isServer: ${isServer}`);
+	if (requestCert) kv.push(`requestCert: ${requestCert}`);
+	if (rejectUnauthorized) kv.push(`rejectUnauthorized: ${rejectUnauthorized}`);
+	return kv.length > 0 ? `{ ${kv.join(', ')} }` : '{}';
+}
+
+function renamePairVariables(rootNode: SgNode<JS>, bindings: string[]): Edit[] {
+	const edits: Edit[] = [];
+
+	const decls = rootNode.findAll({
+		rule: {
+			kind: 'variable_declarator',
+			all: [
+				{ has: { field: 'name', pattern: 'pair' } },
+				{ has: { field: 'value', kind: 'call_expression' } },
+			],
+		},
+	});
+
+	for (const decl of decls) {
+		const callExpr = decl.field('value');
+		if (!callExpr) continue;
+
+		const callee = callExpr.field('function');
+		if (!callee) continue;
+
+		const binding = getCallBinding(callee);
+		if (!binding || !bindings.includes(binding)) continue;
+
+		const name = decl.field('name');
+		if (name.is('identifier')) {
+			edits.push(name.replace('socket'));
+		}
+	}
+
+	return edits;
+}

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/cjs-destructured-alias.js

@@ -0,0 +1,4 @@
+const { TLSSocket } = require('node:tls');
+
+// Using an alias in CJS
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials, isServer: true });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/cjs-destructured-basic.js

@@ -0,0 +1,2 @@
+const { TLSSocket } = require('node:tls');
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/cjs-destructured-flags.js

@@ -0,0 +1,2 @@
+const { TLSSocket } = require('node:tls');
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials, isServer: true, requestCert: true, rejectUnauthorized: false });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/cjs-named.js

@@ -0,0 +1,2 @@
+const { TLSSocket } = require('node:tls');
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/cjs-namespace-basic.js

@@ -0,0 +1,2 @@
+const tls = require('node:tls');
+const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/dynamic-import-assign.js

@@ -0,0 +1,2 @@
+const tls = await import('node:tls');
+const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/dynamic-import-function.js

@@ -0,0 +1,3 @@
+import('node:tls').then(function (tls) {
+    const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
+});

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/dynamic-import-then.js

@@ -0,0 +1,3 @@
+import('node:tls').then(tls => {
+	const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });
+});

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/esm-already-has-tlssocket.js

@@ -0,0 +1,5 @@
+import { TLSSocket } from 'node:tls';
+
+// Already has TLSSocket in imports
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });
+const existingSocket = new TLSSocket(socket, {});

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/esm-default-import.js

@@ -0,0 +1,2 @@
+import tls from 'node:tls';
+const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/esm-mixed-imports.js

@@ -0,0 +1,4 @@
+import tls, { createServer } from 'node:tls';
+
+const server = createServer(options);
+const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/esm-named-alias.js

@@ -0,0 +1,4 @@
+import { TLSSocket } from 'node:tls';
+
+// Using an alias
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/esm-named-basic.js

@@ -0,0 +1,2 @@
+import { TLSSocket } from 'node:tls';
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/esm-namespace-basic.js

@@ -0,0 +1,2 @@
+import * as tls from 'node:tls';
+const socket = new tls.TLSSocket(underlyingSocket, { secureContext: credentials });

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/mixed-with-other-symbols.js

@@ -0,0 +1,3 @@
+const { createServer, TLSSocket } = require('node:tls');
+const socket = new TLSSocket(underlyingSocket, { secureContext: credentials });
+const server = createServer(options);

recipes/tls-create-secure-pair-to-tls-socket/tests/expected/multiple-calls.js

@@ -0,0 +1,8 @@
+const { TLSSocket } = require('node:tls');
+
+// Multiple calls with different arguments
+const pair1 = new TLSSocket(underlyingSocket, {});
+const pair2 = new TLSSocket(underlyingSocket, { secureContext: credentials });
+const pair3 = new TLSSocket(underlyingSocket, { secureContext: credentials, isServer: true });
+const pair4 = new TLSSocket(underlyingSocket, { secureContext: credentials, isServer: true, requestCert: false });
+const pair5 = new TLSSocket(underlyingSocket, { secureContext: credentials, isServer: true, requestCert: false, rejectUnauthorized: true });