build,src: add tag/property for security releases

doc/releases.md

@@ -217,6 +217,13 @@ be produced with a version string that does not have a trailing pre-release tag:
 #define NODE_VERSION_IS_RELEASE 1
 ```
 
+If this is a security release, set the `NODE_VERSION_IS_SECURITY_RELEASE` macro
+value to `1`.
+
+```c
+#define NODE_VERSION_IS_SECURITY_RELEASE 1
+```
+
 **Also consider whether to bump `NODE_MODULE_VERSION`**:
 
 This macro is used to signal an ABI version for native addons. It currently has
@@ -488,6 +495,7 @@ On release proposal branch, edit `src/node_version.h` again and:
 
 - Increment `NODE_PATCH_VERSION` by one
 - Change `NODE_VERSION_IS_RELEASE` back to `0`
+- Change `NODE_VERSION_IS_SECURITY_RELEASE` back to `0`
 
 Commit this change with the following commit message format:
 
@@ -514,8 +522,9 @@ $ git push upstream v1.x-staging
 
 Cherry-pick the release commit to `master`. After cherry-picking, edit
 `src/node_version.h` to ensure the version macros contain whatever values were
-previously on `master`. `NODE_VERSION_IS_RELEASE` should be `0`. **Do not**
-cherry-pick the "Working on vx.y.z" commit to `master`.
+previously on `master`. `NODE_VERSION_IS_RELEASE` and
+`NODE_VERSION_IS_SECURITY_RELEASE` should be `0`. **Do not** cherry-pick the
+"Working on vx.y.z" commit to `master`.
 
 Run `make lint` before pushing to `master`, to make sure the Changelog
 formatting passes the lint rules on `master`.

src/node_metadata.cc

@@ -95,6 +95,8 @@ Metadata::Release::Release() : name(NODE_RELEASE) {
   lts = NODE_VERSION_LTS_CODENAME;
 #endif  // NODE_VERSION_IS_LTS
 
+  security = NODE_VERSION_IS_SECURITY_RELEASE != 0;
+
 #ifdef NODE_HAS_RELEASE_URLS
 #define NODE_RELEASE_URLPFX NODE_RELEASE_URLBASE "v" NODE_VERSION_STRING "/"
 #define NODE_RELEASE_URLFPFX NODE_RELEASE_URLPFX "node-v" NODE_VERSION_STRING

src/node_metadata.h

@@ -80,6 +80,7 @@ class Metadata {
     Release();
 
     std::string name;
+    bool security;
 #if NODE_VERSION_IS_LTS
     std::string lts;
 #endif  // NODE_VERSION_IS_LTS

src/node_process_object.cc

@@ -112,6 +112,11 @@ MaybeLocal<Object> CreateProcessObject(
   Local<Object> release = Object::New(env->isolate());
   READONLY_PROPERTY(process, "release", release);
   READONLY_STRING_PROPERTY(release, "name", per_process::metadata.release.name);
+  if (per_process::metadata.release.security) {
+    READONLY_TRUE_PROPERTY(release, "security");
+  } else {
+    READONLY_FALSE_PROPERTY(release, "security");
+  }
 #if NODE_VERSION_IS_LTS
   READONLY_STRING_PROPERTY(release, "lts", per_process::metadata.release.lts);
 #endif  // NODE_VERSION_IS_LTS

src/node_report.cc

@@ -596,6 +596,8 @@ static void PrintComponentVersions(JSONWriter* writer) {
 static void PrintRelease(JSONWriter* writer) {
   writer->json_objectstart("release");
   writer->json_keyvalue("name", node::per_process::metadata.release.name);
+  writer->json_keyvalue("security",
+                        node::per_process::metadata.release.security);
 #if NODE_VERSION_IS_LTS
   writer->json_keyvalue("lts", node::per_process::metadata.release.lts);
 #endif

src/node_v8_platform-inl.h

@@ -53,6 +53,8 @@ class NodeTraceStateObserver
     trace_process->BeginDictionary("release");
     trace_process->SetString("name",
                              per_process::metadata.release.name.c_str());
+    trace_process->SetBoolean("security",
+                             per_process::metadata.release.security);
 #if NODE_VERSION_IS_LTS
     trace_process->SetString("lts", per_process::metadata.release.lts.c_str());
 #endif

src/node_version.h

@@ -30,6 +30,7 @@
 #define NODE_VERSION_LTS_CODENAME ""
 
 #define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_SECURITY_RELEASE 0
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

test/parallel/test-process-release.js

@@ -7,6 +7,8 @@ const versionParts = process.versions.node.split('.');
 
 assert.strictEqual(process.release.name, 'node');
 
+assert.strictEqual(typeof process.release.security, 'boolean');
+
 // It's expected that future LTS release lines will have additional
 // branches in here
 if (versionParts[0] === '4' && versionParts[1] >= 2) {

test/parallel/test-trace-events-metadata.js

@@ -61,6 +61,7 @@ proc.once('exit', common.mustCall(() => {
         trace.args.process.arch === process.arch &&
         trace.args.process.platform === process.platform &&
         trace.args.process.release.name === process.release.name &&
+        trace.args.process.release.security === process.release.security &&
         (!process.release.lts ||
           trace.args.process.release.lts === process.release.lts)));