chore(db-migrations): vendor mysql-patcher to eliminate supply chain risk

Remove the mysql-patcher npm dependency and vendor the library as a
modernized async/await ESM module into lib/mysql-patcher.js. Replaces
async, bluebird, clone, glob, and xtend with native equivalents. Adds
project.json with nx test-unit, test-integration, and lint targets.
Adds eslint config extending root, prettier formatting, and jest config.
Includes 15 unit tests and 7 integration tests.

Rewrites check-db-patcher.sh to poll PM2 logs directly instead of
using pgrep, fixing the race condition where the patcher finishes
before the script can find the process. Strips ANSI escape codes
from log output for clean patch summary display.

Author: vbudhram

_scripts/check-db-patcher.sh

@@ -1,42 +1,24 @@
 #!/bin/bash
-NAME="patcher.mjs" # nodejs script's name here
 RETRY=60
 
 echo -e "\nChecking for DB patches..."
 
-# Wait for patcher process to appear
-echo "⏳ Waiting for patcher process to start..."
-for i in $(seq 1 $RETRY); do
-  PATCHER_PID=$(pgrep -f "$NAME")
-  if [[ -n "$PATCHER_PID" ]]; then
-    echo "🔄 Patcher process found (PID: $PATCHER_PID)"
-    break
-  fi
-  if [[ $i -eq $RETRY ]]; then
-    echo "❌ Timeout: Patcher process did not start in time"
-    exit 1
-  fi
-  sleep 1
-done
-
-# Confirm the process is running
-if ! ps -p "$PATCHER_PID" > /dev/null; then
-  echo "⚠️ DB patcher process ($NAME, PID $PATCHER_PID) is not running. Skipping wait."
-  exit 0
-fi
+# Strategy: poll PM2 logs for the patcher outcome. This avoids the race
+# condition where the patcher starts and finishes before we can pgrep it
+# (common when all DBs are already at target level).
 
+echo "⏳ Waiting for DB patches to complete..."
 for i in $(seq 1 $RETRY); do
-  if ps -p "$PATCHER_PID" > /dev/null; then
-    sleep 0.5
-  else
-    # Show patch summary from PM2 logs (deduplicated)
-    echo "📋 Patch Summary:"
-    if command -v pm2 >/dev/null 2>&1; then
-      pm2 logs mysql --lines 50 --nostream 2>/dev/null | \
+  if command -v pm2 >/dev/null 2>&1; then
+    LOG_OUTPUT=$(pm2 logs mysql --lines 100 --nostream 2>/dev/null)
+
+    # Check for failure first
+    if echo "$LOG_OUTPUT" | grep -qE "Failed to patch|Error:.*patch"; then
+      echo "📋 Patch Summary:"
+      echo "$LOG_OUTPUT" | \
         grep -E "(Successfully patched|Error:|Failed to patch)" | \
-        sed 's/.*|mysql[[:space:]]*|//' | \
-        sort -u | \
-        tail -20 | \
+        sed 's/.*|mysql[[:space:]]*|[[:space:]]*//' | sed 's/\x1b\[[0-9;]*m//g' | \
+        sort -u | tail -20 | \
         while read line; do
           if [[ $line =~ ^Successfully ]]; then
             echo "  ✅ $line"
@@ -46,24 +28,28 @@ for i in $(seq 1 $RETRY); do
             echo "  💥 $line"
           fi
         done
+      echo "❌ DB patches failed"
+      exit 1
     fi
 
-    # Check if there were any errors in the logs
-    has_errors=$(pm2 logs mysql --lines 50 --nostream 2>/dev/null | grep -c "Error:\|Failed to patch" 2>/dev/null || echo "0")
-
-    if [[ ! "$has_errors" =~ ^[0-9]+$ ]]; then
-      has_errors=0
-    fi
-
-    if [[ $has_errors -eq 0 ]]; then
+    # Check for success — need all 4 databases
+    SUCCESS_COUNT=$(echo "$LOG_OUTPUT" | grep -c "Successfully patched" 2>/dev/null || echo "0")
+    if [[ "$SUCCESS_COUNT" -ge 4 ]]; then
+      echo "📋 Patch Summary:"
+      echo "$LOG_OUTPUT" | \
+        grep -E "Successfully patched" | \
+        sed 's/.*|mysql[[:space:]]*|[[:space:]]*//' | sed 's/\x1b\[[0-9;]*m//g' | \
+        sort -u | tail -20 | \
+        while read line; do
+          echo "  ✅ $line"
+        done
       echo "✅ DB patches applied successfully"
       exit 0
-    else
-      echo "❌ DB patches failed"
-      exit 1
     fi
   fi
+
+  sleep 1
 done
 
-echo "❌ Timeout: DB patches did not finish in time."
+echo "❌ Timeout: DB patches did not complete in 60 seconds."
 exit 1

packages/db-migrations/.eslintrc.json

@@ -0,0 +1,13 @@
+{
+  "extends": ["../../.eslintrc.json"],
+  "root": true,
+  "ignorePatterns": ["dist", "databases", "contentful"],
+  "overrides": [
+    {
+      "files": ["**/*.spec.js"],
+      "env": {
+        "jest": true
+      }
+    }
+  ]
+}

packages/db-migrations/bin/patcher.mjs

@@ -2,14 +2,12 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-import { promisify } from 'util';
 import fs from 'fs/promises';
 import path from 'path';
 import mysql from 'mysql';
-import patcher from 'mysql-patcher';
+import Patcher from '../lib/mysql-patcher.js';
 import convict from 'convict';
 import { makeMySQLConfig } from 'fxa-shared/db/config';
-const patch = promisify(patcher.patch);
 
 const conf = convict({
   fxa: makeMySQLConfig('AUTH', 'fxa'),
@@ -43,7 +41,7 @@ for (const db of databases) {
   try {
     const cfg = conf.get(db);
     console.log(`Patching ${db} to ${level}`);
-    let results = await patch({
+    await Patcher.patch({
       user: cfg.user,
       password: cfg.password,
       host: cfg.host,
@@ -57,7 +55,6 @@ for (const db of databases) {
       reversePatchAllowed: false,
       database: cfg.database,
     });
-    console.log(`Results: ${results}`);
     console.log(`Successfully patched ${db} to ${level}`);
   } catch (error) {
     // fyi these logs show up in `pm2 logs mysql`

packages/db-migrations/jest.config.js

@@ -0,0 +1,21 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/** @type {import('jest').Config} */
+export default {
+  displayName: 'db-migrations',
+  testEnvironment: 'node',
+  moduleFileExtensions: ['js', 'json'],
+  coverageDirectory: '../../coverage/packages/db-migrations',
+  reporters: [
+    'default',
+    [
+      'jest-junit',
+      {
+        outputDirectory: 'artifacts/tests/db-migrations',
+        outputName: 'db-migrations-jest-results.xml',
+      },
+    ],
+  ],
+}