WIP

patch: Tell user that balena leave command does not remove the device…

.resinci.yml

@@ -7,9 +7,14 @@ npm:
       node_versions:
         - "12"
         - "14"
-    - name: linux
-      os: alpine
-      architecture: x86_64
-      node_versions:
-        - "12"
-        - "14"
+    ##
+    ## Temporarily skip Alpine tests until the following issues are resolved:
+    ##   * https://github.com/concourse/concourse/issues/7905
+    ##   * https://github.com/product-os/balena-concourse/issues/631
+    ##
+    # - name: linux
+    #   os: alpine
+    #   architecture: x86_64
+    #   node_versions:
+    #     - "12"
+    #     - "14"

CHANGELOG.md

@@ -4,6 +4,309 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## 13.4.1 - 2022-04-11
+
+* leave: Update log message to advise that device still needs deleting [Taro Murao]
+
+## 13.4.0 - 2022-04-08
+
+* deploy: Support all valid semver versions in balena.yml [Thodoris Greasidis]
+
+## 13.3.3 - 2022-04-08
+
+* Document the 'patches' folder in CONTRIBUTING.md [Paulo Castro]
+
+## 13.3.2 - 2022-04-07
+
+* Skip Alpine tests until Concourse + Alpine v3.14 issues are resolved [Paulo Castro]
+* build: Ensure HTTPS is used with dockerPort 2376 or with ca/cert/key [Paulo Castro]
+
+## 13.3.1 - 2022-03-08
+
+* Include link to Wiki release notes in version update notifications [Paulo Castro]
+
+## 13.3.0 - 2022-02-28
+
+* ssh: Allow ssh to service with IP address and production balenaOS image [Paulo Castro]
+* ssh: Advise use of 'balena login' if root authentication fails [Paulo Castro]
+
+## 13.2.1 - 2022-02-24
+
+* Remove unnecessary fetch of device info in `balena tunnel` [Pagan Gazzard]
+* Correctly use the device uuid when logging the tunnel target [Pagan Gazzard]
+
+## 13.2.0 - 2022-02-12
+
+* ssh: Attempt cloud username if 'root' authentication fails [Paulo Castro]
+* Replace occurrence of through2 dependency with standard stream module [Paulo Castro]
+* Refactor cached username logic from events.ts to bootstrap.ts for reuse [Paulo Castro]
+
+## 13.1.13 - 2022-02-10
+
+* Drop unused awaitDevice utility function [Lucian Buzzo]
+
+## 13.1.12 - 2022-02-09
+
+
+<details>
+<summary> preload: Stop using the deprecated /device-types/v1 API endpoints [Thodoris Greasidis] </summary>
+
+> ### balena-preload-12.0.0 - 2022-01-27
+> 
+> * Improve types [Thodoris Greasidis]
+> * Stop relying on the /device-types/v1 endpoints [Thodoris Greasidis]
+> * Bump TypeScript to v4.5 [Thodoris Greasidis]
+> 
+> <details>
+> <summary> Bump balena-sdk to v16 [Thodoris Greasidis] </summary>
+> 
+>> #### balena-sdk-16.0.0 - 2021-11-28
+>> 
+>> * **BREAKING**: Merge the hostApp model into the OS model [Thodoris Greasidis]
+>> * **BREAKING** Drop os.getSupportedVersions() method in favor of hostapp.getAvailableOsVersions() [Thodoris Greasidis]
+>> * os.getMaxSatisfyingVersion: Add optional param to choose OS line type [Thodoris Greasidis]
+>> * os.getMaxSatisfyingVersion: Include ESR versions [Thodoris Greasidis]
+>> * os.getMaxSatisfyingVersion: Switch to use hostApps [Thodoris Greasidis]
+>> * hostapp.getAvailableOsVersions: Add single device type argument overload [Thodoris Greasidis]
+>> * hostapp.getAllOsVersions: Add single device type argument overload [Thodoris Greasidis]
+>> * models.hostapp: Add a getAvailableOsVersions() convenience method [Thodoris Greasidis]
+>> * Support optional extra PineOptions in hostapp.getAllOsVersions() [Thodoris Greasidis]
+>> * **BREAKING** Include invalidated versions in hostapp.getAllOsVersions() [Thodoris Greasidis]
+>> * models/application: Add getDirectlyAccessible & getAllDirectlyAccessible [Thodoris Greasidis]
+>> * application.get: Add 'directly_accessible' convenience filter param [Thodoris Greasidis]
+>> * application.getAll: Add 'directly_accessible' convenience filter param [Thodoris Greasidis]
+>> * **BREAKING** Change application.getAll to include public apps [Thodoris Greasidis]
+>> * **BREAKING** Drop targeting/retrieving apps by name in favor of slugs [Thodoris Greasidis]
+>> * Bump minimum supported Typescript to v4.5.2 [Thodoris Greasidis]
+>> * **BREAKING**: Stop actively supporting node 10 [Thodoris Greasidis]
+>> * **BREAKING** Drop application.getAllWithDeviceServiceDetails() [Thodoris Greasidis]
+>> * **BREAKING** Change apiKey.getAll() to return all key variants [Thodoris Greasidis]
+>> * types: Drop is_in_local_mode from the Device model [Thodoris Greasidis]
+>> * types: Drop user__is_member_of__application in favor of the term form [Thodoris Greasidis]
+>> * typings: Drop Subscription's discounts__plan_addon property [Thodoris Greasidis]
+>> * typings: Stop extending the JWTUser type in the User model [Thodoris Greasidis]
+>> * models/config: Change the BETA device type state to NEW [Thodoris Greasidis]
+>> * typings: Drop the PineWithSelectOnGet type [Thodoris Greasidis]
+>> * Remove my_application from the supported resources [Thodoris Greasidis]
+>> * typings: Properly type some Device properties [Thodoris Greasidis]
+>> * typings: Drop the DeviceWithImageInstalls type [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.59.2 - 2021-11-28
+>> 
+>> 
+>> <details>
+>> <summary> Update balena-request to 11.5.0 [Thodoris Greasidis] </summary>
+>> 
+>>> ##### balena-request-11.5.0 - 2021-11-28
+>>> 
+>>> * Convert tests to JavaScript and drop coffeescript [Thodoris Greasidis]
+>>> * Fix the jsdoc generation [Thodoris Greasidis]
+>>> * Convert to typescript and publish typings [Thodoris Greasidis]
+>>> 
+>> </details>
+>> 
+>> 
+>> #### balena-sdk-15.59.1 - 2021-11-28
+>> 
+>> * Fix the typings of the Image contract field [Thodoris Greasidis]
+>> * Fix the typings for the Release contract field [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.59.0 - 2021-11-24
+>> 
+>> * Add release setIsInvalidated function [Matthew Yarmolinsky]
+>> 
+>> #### balena-sdk-15.58.1 - 2021-11-17
+>> 
+>> * Update typescript to 4.5.2 [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.58.0 - 2021-11-16
+>> 
+>> * models/release: Add note() method [Thodoris Greasidis]
+>> * typings: Add the release.invalidation_reason property [Thodoris Greasidis]
+>> * typings: Add the release.note property [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.57.2 - 2021-11-15
+>> 
+>> * tests/logs: Increase the wait time for retrieving the subscribed logs [Thodoris Greasidis]
+>> * tests/logs: Refactor to async-await [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.57.1 - 2021-11-11
+>> 
+>> * typings: Fix $filters for resources with non numeric ids [Thodoris Greasidis]
+>> * typings: Add application.can_use__application_as_host ReverseNavigation [Thodoris Greasidis]
+>> * Add missing apiKey.getDeviceApiKeysByDevice docs [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.57.0 - 2021-11-05
+>> 
+>> * models/api-key: Change update() & revoke() to work with all key variants [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.56.0 - 2021-11-04
+>> 
+>> * models/apiKey: Add getDeviceApiKeysByDevice() method [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.55.0 - 2021-11-01
+>> 
+>> * typings: Add the release.raw_version property [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.54.2 - 2021-10-25
+>> 
+>> * application/create: Rely on the hostApps for detecting discontinued DTs [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.54.1 - 2021-10-22
+>> 
+>> * tests/device: Async-await conversions & abstraction on multi-field tests [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.54.0 - 2021-10-20
+>> 
+>> * tests: Register devices in chunks of 10 to avoid uuid conflicts in node [Thodoris Greasidis]
+>> * Add known issue check on release isReccomanded logic [JSReds]
+>> * Add known_issue_list to hostApp.getOsVersions() [JSReds]
+>> 
+>> #### balena-sdk-15.53.0 - 2021-10-07
+>> 
+>> * Add support for batch device supervisor updates [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.52.0 - 2021-10-06
+>> 
+>> * Add support for batch device pinning to release [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.51.4 - 2021-09-28
+>> 
+>> * auth.isLoggedIn: Treat BalenaExpiredToken errors as logged out indicator [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.51.3 - 2021-09-28
+>> 
+>> * Convert application spec to TypeScript [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.51.2 - 2021-09-28
+>> 
+>> * application.trackLatestRelease: Fix using draft/invalidated releases [Thodoris Greasidis]
+>> * application.isTrackingLatestRelease: Exclude draft&invalidated releases [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.51.1 - 2021-09-20
+>> 
+>> 
+>> <details>
+>> <summary> Update balena-request to v11.4.2 [Kyle Harding] </summary>
+>> 
+>>> ##### balena-request-11.4.2 - 2021-09-20
+>>> 
+>>> * Allow overriding the default zlib flush setting [Kyle Harding]
+>>> 
+>> </details>
+>> 
+>> 
+>> #### balena-sdk-15.51.0 - 2021-09-16
+>> 
+>> * os.getConfig: Add typings for the provisioningKeyName option [Nitish Agarwal]
+>> 
+>> #### balena-sdk-15.50.1 - 2021-09-13
+>> 
+>> * models/os: Always first normalize the device type slug [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.50.0 - 2021-09-10
+>> 
+>> * Add release.finalize to promote draft releases to final [toochevere]
+>> 
+>> #### balena-sdk-15.49.1 - 2021-09-10
+>> 
+>> * typings: Drop the v5-model-only application_type.is_host_os [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.49.0 - 2021-09-06
+>> 
+>> * os.getSupportedOsUpdateVersions: Use the hostApp releases [Thodoris Greasidis]
+>> * os.download: Use the hostApp for finding the latest release [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.48.3 - 2021-08-27
+>> 
+>> 
+>> <details>
+>> <summary> Update balena-request to 11.4.1 [Kyle Harding] </summary>
+>> 
+>>> ##### balena-request-11.4.1 - 2021-08-27
+>>> 
+>>> * Allow more lenient gzip decompression [Kyle Harding]
+>>> 
+>> </details>
+>> 
+>> 
+>> #### balena-sdk-15.48.2 - 2021-08-27
+>> 
+>> * Improve hostapp.getAllOsVersions performance & reduce fetched data [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.48.1 - 2021-08-27
+>> 
+>> * Update typescript to 4.4.2 [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.48.0 - 2021-08-15
+>> 
+>> * Deprecate the release.release_version property [Thodoris Greasidis]
+>> * typings: Add the release versioning properties [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.47.1 - 2021-08-10
+>> 
+>> * Run browser tests using the minified browser bundle [Thodoris Greasidis]
+>> * Move to uglify-js to fix const assignment bug in minified build [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.47.0 - 2021-08-09
+>> 
+>> * typings: Add the release.is_final & is_finalized_at__date properties [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.46.1 - 2021-07-28
+>> 
+>> * apiKey.getAll: Return only NamedUserApiKeys for backwards compatibility [Thodoris Greasidis]
+>> 
+>> #### balena-sdk-15.46.0 - 2021-07-27
+>> 
+>> * Add email verification & email request methods [Nitish Agarwal]
+>> 
+>> #### balena-sdk-15.45.0 - 2021-07-26
+>> 
+>> * Update generateProvisioningKey to include keyName [Nitish Agarwal]
+>> 
+> </details>
+> 
+> 
+</details>
+
+## 13.1.11 - 2022-01-19
+
+* chore: lib/auth/utils.ts: Replace deprecated url.resolve, use async/await [Paulo Castro]
+* chore: Update @types/node to v12.20.42 [Paulo Castro]
+
+## 13.1.10 - 2022-01-16
+
+* Update docs and package.json re min Node.js supported version (12.8.0) [Paulo Castro]
+
+## 13.1.9 - 2022-01-14
+
+* Update packages in response to `colors` package issues [Scott Lowe]
+
+## 13.1.8 - 2022-01-11
+
+* local push: Fix "invalid character '/' looking for beginning of value" [Paulo Castro]
+* v14 preparations: Fix TypeError produced by 'npx oclif manifest' [Paulo Castro]
+
+## 13.1.7 - 2022-01-06
+
+* Update to pkg 5 [Pagan Gazzard]
+
+## 13.1.6 - 2022-01-04
+
+* Automation: enforce noImplicitAny for the type-checked javascript [Pagan Gazzard]
+
+## 13.1.5 - 2022-01-04
+
+* Build: switch from using inline-source via gulp to using it directly [Pagan Gazzard]
+
+## 13.1.4 - 2022-01-03
+
+* Update pkg [Pagan Gazzard]
+
+## 13.1.3 - 2022-01-03
+
+* Convert lib/utils/deploy-legacy to typescript [Pagan Gazzard]
+
 ## 13.1.2 - 2022-01-03
 
 * Convert lib/utils/compose to typescript [Pagan Gazzard]

CONTRIBUTING.md

@@ -125,6 +125,39 @@ The README file is manually edited, but subsections are automatically extracted
 
 The `INSTALL*.md` and `TROUBLESHOOTING.md` files are also manually edited.
 
+## Patches folder
+
+The `patches` folder contains patch files created with the
+[patch-package](https://www.npmjs.com/package/patch-package) tool. Small code changes to
+third-party modules can be made by directly editing Javascript files under the `node_modules`
+folder and then running `patch-package` to create the patch files. The patch files are then
+applied immediately after `npm install`, through the `postinstall` script defined in
+`package.json`.
+
+The subfolders of the `patches` folder are documented in the
+[apply-patches.js](https://github.com/balena-io/balena-cli/blob/master/patches/apply-patches.js)
+script.
+
+To make changes to the patch files under the `patches` folder, **do not edit them directly,**
+not even for a "single character change" because the hash values in the patch files also need
+to be recomputed by `patch-packages`. Instead, edit the relevant files under `node_modules`
+directly, and then run `patch-packages` with the `--patch-dir` option to specify the subfolder
+where the patch should be saved. For example, edit `node_modules/exit-hook/index.js` and then
+run:
+
+```sh
+$ npx patch-package --patch-dir patches/all exit-hook
+```
+
+That said, these kinds of patches should be avoided in favour of creating pull requests
+upstream. Patch files create additional maintenance work over time as the patches need to be
+updated when the dependencies are updated, and they prevent the compounding community benefit
+that sharing fixes upstream have on open source projects like the balena CLI. The typical
+scenario where these patches are used is when the upstream maintainers are unresponsive or
+unwilling to merge the required fixes, the fixes are very small and specific to the balena CLI,
+and creating a fork of the upstream repo is likely to be more long-term effort than maintaining
+the patches.
+
 ## Windows
 
 Besides the regular npm installation dependencies, the `npm run build:installer` script

INSTALL-ADVANCED.md

@@ -78,7 +78,7 @@ If you are a Node.js developer, you may wish to install the balena CLI via [npm]
 The npm installation involves building native (platform-specific) binary modules, which require
 some development tools to be installed first, as follows.
 
-> **The balena CLI currently requires Node.js version 10 (min 10.20.0) or 12.**  
+> **The balena CLI currently requires Node.js version 12 (min 12.8.0).**  
 > **Versions 13 and later are not yet fully supported.**
 
 ### Install development tools

automation/build-bin.ts

@@ -96,6 +96,7 @@ async function diffPkgOutput(pkgOut: string) {
 		'> pkg@',
 		'> Fetching base Node.js binaries',
 		'  fetched-',
+		'prebuild-install WARN install No prebuilt binaries found',
 	];
 	const modulesRE =
 		process.platform === 'win32'
@@ -322,6 +323,10 @@ async function signFilesForNotarization() {
 				if (!item.stats.isFile()) {
 					return;
 				}
+				if (path.basename(item.path).endsWith('.node.bak')) {
+					console.log('Removing pkg .node.bak file', item.path);
+					fs.unlinkSync(item.path);
+				}
 				if (
 					path.basename(item.path).endsWith('.zip') &&
 					path.dirname(item.path).includes('test')

automation/check-npm-version.js

@@ -6,6 +6,8 @@
  *
  * We don't `require('semver')` to allow this script to be run as a npm
  * 'preinstall' hook, at which point no dependencies have been installed.
+ *
+ * @param {string} version
  */
 function parseSemver(version) {
 	const match = /v?(\d+)\.(\d+).(\d+)/.exec(version);
@@ -16,6 +18,10 @@ function parseSemver(version) {
 	return [parseInt(major, 10), parseInt(minor, 10), parseInt(patch, 10)];
 }
 
+/**
+ * @param {string} v1
+ * @param {string} v2
+ */
 function semverGte(v1, v2) {
 	let v1Array = parseSemver(v1);
 	let v2Array = parseSemver(v2);

automation/update-module.ts

@@ -36,8 +36,8 @@ const run = async (cmd: string) => {
 			}
 			resolve({ stdout, stderr });
 		});
-		p.stdout.pipe(process.stdout);
-		p.stderr.pipe(process.stderr);
+		p.stdout?.pipe(process.stdout);
+		p.stderr?.pipe(process.stderr);
 	});
 };
 

automation/utils.ts

@@ -117,7 +117,7 @@ export async function which(program: string): Promise<string> {
  */
 export async function whichSpawn(
 	programName: string,
-	args?: string[],
+	args: string[] = [],
 ): Promise<void> {
 	const program = await which(programName);
 	let error: Error | undefined;

docs/balena-cli.md

@@ -3020,6 +3020,10 @@ Use QEMU for ARM architecture emulation during the image build
 
 Alternative Dockerfile name/path, relative to the source folder
 
+#### --dockercompose DOCKERCOMPOSE
+
+Alternative docker-compose.yml name in the source root folder
+
 #### --logs
 
 No-op and deprecated since balena CLI v12.0.0. Build logs are now shown by default.
@@ -3244,6 +3248,10 @@ Use QEMU for ARM architecture emulation during the image build
 
 Alternative Dockerfile name/path, relative to the source folder
 
+#### --dockercompose DOCKERCOMPOSE
+
+Alternative docker-compose.yml name in the source root folder
+
 #### --logs
 
 No-op and deprecated since balena CLI v12.0.0. Build logs are now shown by default.

gulpfile.js

@@ -1,15 +0,0 @@
-const gulp = require('gulp');
-const inlinesource = require('gulp-inline-source');
-
-const OPTIONS = {
-	files: {
-		pages: 'lib/auth/pages/*.ejs',
-	},
-};
-
-gulp.task('pages', () =>
-	gulp
-		.src(OPTIONS.files.pages)
-		.pipe(inlinesource())
-		.pipe(gulp.dest('build/auth/pages')),
-);

lib/auth/utils.ts

@@ -14,57 +14,44 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-import * as _ from 'lodash';
-import * as url from 'url';
 import { getBalenaSdk } from '../utils/lazy';
 
 /**
- * @summary Get dashboard CLI login URL
- * @function
- * @protected
+ * Get dashboard CLI login URL
  *
- * @param {String} callbackUrl - callback url
- * @fulfil {String} - dashboard login url
- * @returns {Promise}
- *
- * @example
- * utils.getDashboardLoginURL('http://127.0.0.1:3000').then (url) ->
- * 	console.log(url)
+ * @param callbackUrl - Callback url, e.g. 'http://127.0.0.1:3000'
+ * @returns Dashboard login URL, e.g.:
+ * 'https://dashboard.balena-cloud.com/login/cli/http%253A%252F%252F127.0.0.1%253A59581%252Fauth'
  */
-export const getDashboardLoginURL = (callbackUrl: string) => {
+export async function getDashboardLoginURL(
+	callbackUrl: string,
+): Promise<string> {
 	// Encode percentages signs from the escaped url
 	// characters to avoid angular getting confused.
 	callbackUrl = encodeURIComponent(callbackUrl).replace(/%/g, '%25');
 
-	return getBalenaSdk()
-		.settings.get('dashboardUrl')
-		.then((dashboardUrl) =>
-			url.resolve(dashboardUrl, `/login/cli/${callbackUrl}`),
-		);
-};
+	const [{ URL }, dashboardUrl] = await Promise.all([
+		import('url'),
+		getBalenaSdk().settings.get('dashboardUrl'),
+	]);
+	return new URL(`/login/cli/${callbackUrl}`, dashboardUrl).href;
+}
 
 /**
- * @summary Log in using a token, but only if the token is valid
- * @function
- * @protected
+ * Log in using a token, but only if the token is valid.
  *
- * @description
  * This function checks that the token is not only well-structured
  * but that it also authenticates with the server successfully.
  *
  * If authenticated, the token is persisted, if not then the previous
  * login state is restored.
  *
- * @param {String} token - session token or api key
- * @fulfil {Boolean} - whether the login was successful or not
- * @returns {Promise}
- *
- * utils.loginIfTokenValid('...').then (loggedIn) ->
- *   if loggedIn
- *     console.log('Token is valid!')
+ * @param token - session token or api key
+ * @returns whether the login was successful or not
  */
-export const loginIfTokenValid = async (token: string): Promise<boolean> => {
-	if (_.isEmpty(token?.trim())) {
+export async function loginIfTokenValid(token?: string): Promise<boolean> {
+	token = (token || '').trim();
+	if (!token) {
 		return false;
 	}
 	const balena = getBalenaSdk();
@@ -86,4 +73,4 @@ export const loginIfTokenValid = async (token: string): Promise<boolean> => {
 		}
 	}
 	return isLoggedIn;
-};
+}

lib/commands/config/inject.ts

@@ -57,7 +57,7 @@ export default class ConfigInjectCmd extends Command {
 	public static usage = 'config inject <file>';
 
 	public static flags: flags.Input<FlagsDef> = {
-		type: cf.deviceTypeIgnored,
+		...cf.deviceTypeIgnored,
 		drive: cf.driveOrImg,
 		help: cf.help,
 	};

lib/commands/config/read.ts

@@ -47,7 +47,7 @@ export default class ConfigReadCmd extends Command {
 	public static usage = 'config read';
 
 	public static flags: flags.Input<FlagsDef> = {
-		type: cf.deviceTypeIgnored,
+		...cf.deviceTypeIgnored,
 		drive: cf.driveOrImg,
 		help: cf.help,
 		json: cf.json,

lib/commands/config/reconfigure.ts

@@ -50,7 +50,7 @@ export default class ConfigReconfigureCmd extends Command {
 	public static usage = 'config reconfigure';
 
 	public static flags: flags.Input<FlagsDef> = {
-		type: cf.deviceTypeIgnored,
+		...cf.deviceTypeIgnored,
 		drive: cf.driveOrImg,
 		advanced: flags.boolean({
 			description: 'show advanced commands',

lib/commands/config/write.ts

@@ -64,7 +64,7 @@ export default class ConfigWriteCmd extends Command {
 	public static usage = 'config write <key> <value>';
 
 	public static flags: flags.Input<FlagsDef> = {
-		type: cf.deviceTypeIgnored,
+		...cf.deviceTypeIgnored,
 		drive: cf.driveOrImg,
 		help: cf.help,
 	};

lib/commands/deploy.ts

@@ -114,7 +114,7 @@ ${dockerignoreHelp}
 	];
 
 	public static usage = 'deploy <fleet> [image]';
-
+	// TODO:  docker-compose naming
 	public static flags: flags.Input<FlagsDef> = {
 		source: flags.string({
 			description:

lib/commands/push.ts

@@ -138,6 +138,7 @@ export default class PushCmd extends Command {
 			char: 'e',
 			default: false,
 		}),
+		// TODO:  docker-compose naming
 		dockerfile: flags.string({
 			description:
 				'Alternative Dockerfile name/path, relative to the source folder',

lib/commands/ssh.ts

@@ -20,7 +20,6 @@ import Command from '../command';
 import * as cf from '../utils/common-flags';
 import { getBalenaSdk, stripIndent } from '../utils/lazy';
 import { parseAsInteger, validateLocalHostnameOrIp } from '../utils/validation';
-import * as BalenaSdk from 'balena-sdk';
 
 interface FlagsDef {
 	port?: number;
@@ -128,8 +127,8 @@ export default class SshCmd extends Command {
 		if (validateLocalHostnameOrIp(params.fleetOrDevice)) {
 			const { performLocalDeviceSSH } = await import('../utils/device/ssh');
 			return await performLocalDeviceSSH({
-				address: params.fleetOrDevice,
-				port: options.port,
+				hostname: params.fleetOrDevice,
+				port: options.port || 'local',
 				forceTTY: options.tty,
 				verbose: options.verbose,
 				service: params.service,
@@ -152,12 +151,6 @@ export default class SshCmd extends Command {
 			params.fleetOrDevice,
 		);
 
-		const device = await sdk.models.device.get(deviceUuid, {
-			$select: ['id', 'supervisor_version', 'is_online'],
-		});
-
-		const deviceId = device.id;
-		const supervisorVersion = device.supervisor_version;
 		const { which } = await import('../utils/which');
 
 		const [whichProxytunnel, username, proxyUrl] = await Promise.all([
@@ -209,19 +202,15 @@ export default class SshCmd extends Command {
 		// that we know exists and is accessible
 		let containerId: string | undefined;
 		if (params.service != null) {
-			containerId = await this.getContainerId(
-				sdk,
+			const { getContainerIdForService } = await import('../utils/device/ssh');
+			containerId = await getContainerIdForService({
 				deviceUuid,
-				params.service,
-				{
-					port: options.port,
-					proxyCommand,
-					proxyUrl: proxyUrl || '',
-					username: username!,
-				},
-				supervisorVersion,
-				deviceId,
-			);
+				hostname: `ssh.${proxyUrl}`,
+				port: options.port || 'cloud',
+				proxyCommand,
+				service: params.service,
+				username: username!,
+			});
 		}
 
 		let accessCommand: string;
@@ -230,158 +219,14 @@ export default class SshCmd extends Command {
 		} else {
 			accessCommand = `host ${deviceUuid}`;
 		}
-
-		const command = this.generateVpnSshCommand({
-			uuid: deviceUuid,
-			command: accessCommand,
-			verbose: options.verbose,
-			port: options.port,
+		const { runRemoteCommand } = await import('../utils/ssh');
+		await runRemoteCommand({
+			cmd: accessCommand,
+			hostname: `ssh.${proxyUrl}`,
+			port: options.port || 'cloud',
 			proxyCommand,
-			proxyUrl: proxyUrl || '',
-			username: username!,
+			username,
+			verbose: options.verbose,
 		});
-
-		const { spawnSshAndThrowOnError } = await import('../utils/ssh');
-		return spawnSshAndThrowOnError(command);
-	}
-
-	async getContainerId(
-		sdk: BalenaSdk.BalenaSDK,
-		uuid: string,
-		serviceName: string,
-		sshOpts: {
-			port?: number;
-			proxyCommand?: string[];
-			proxyUrl: string;
-			username: string;
-		},
-		version?: string,
-		id?: number,
-	): Promise<string> {
-		const semver = await import('balena-semver');
-
-		if (version == null || id == null) {
-			const device = await sdk.models.device.get(uuid, {
-				$select: ['id', 'supervisor_version'],
-			});
-			version = device.supervisor_version;
-			id = device.id;
-		}
-
-		let containerId: string | undefined;
-		if (semver.gte(version, '8.6.0')) {
-			const apiUrl = await sdk.settings.get('apiUrl');
-			// TODO: Move this into the SDKs device model
-			const request = await sdk.request.send({
-				method: 'POST',
-				url: '/supervisor/v2/containerId',
-				baseUrl: apiUrl,
-				body: {
-					method: 'GET',
-					deviceId: id,
-				},
-			});
-			if (request.status !== 200) {
-				throw new Error(
-					`There was an error connecting to device ${uuid}, HTTP response code: ${request.status}.`,
-				);
-			}
-			const body = request.body;
-			if (body.status !== 'success') {
-				throw new Error(
-					`There was an error communicating with device ${uuid}.\n\tError: ${body.message}`,
-				);
-			}
-			containerId = body.services[serviceName];
-		} else {
-			console.error(stripIndent`
-			Using legacy method to detect container ID. This will be slow.
-			To speed up this process, please update your device to an OS
-			which has a supervisor version of at least v8.6.0.
-		`);
-			// We need to execute a balena ps command on the device,
-			// and parse the output, looking for a specific
-			// container
-			const childProcess = await import('child_process');
-			const { escapeRegExp } = await import('lodash');
-			const { which } = await import('../utils/which');
-			const { deviceContainerEngineBinary } = await import(
-				'../utils/device/ssh'
-			);
-
-			const sshBinary = await which('ssh');
-			const sshArgs = this.generateVpnSshCommand({
-				uuid,
-				verbose: false,
-				port: sshOpts.port,
-				command: `host ${uuid} "${deviceContainerEngineBinary}" ps --format "{{.ID}} {{.Names}}"`,
-				proxyCommand: sshOpts.proxyCommand,
-				proxyUrl: sshOpts.proxyUrl,
-				username: sshOpts.username,
-			});
-
-			if (process.env.DEBUG) {
-				console.error(`[debug] [${sshBinary}, ${sshArgs.join(', ')}]`);
-			}
-			const subProcess = childProcess.spawn(sshBinary, sshArgs, {
-				stdio: [null, 'pipe', null],
-			});
-			const containers = await new Promise<string>((resolve, reject) => {
-				const output: string[] = [];
-				subProcess.stdout.on('data', (chunk) => output.push(chunk.toString()));
-				subProcess.on('close', (code: number) => {
-					if (code !== 0) {
-						reject(
-							new Error(
-								`Non-zero error code when looking for service container: ${code}`,
-							),
-						);
-					} else {
-						resolve(output.join(''));
-					}
-				});
-			});
-
-			const lines = containers.split('\n');
-			const regex = new RegExp(`\\/?${escapeRegExp(serviceName)}_\\d+_\\d+`);
-			for (const container of lines) {
-				const [cId, name] = container.split(' ');
-				if (regex.test(name)) {
-					containerId = cId;
-					break;
-				}
-			}
-		}
-
-		if (containerId == null) {
-			throw new Error(
-				`Could not find a service ${serviceName} on device ${uuid}.`,
-			);
-		}
-		return containerId;
-	}
-
-	generateVpnSshCommand(opts: {
-		uuid: string;
-		command: string;
-		verbose: boolean;
-		port?: number;
-		username: string;
-		proxyUrl: string;
-		proxyCommand?: string[];
-	}) {
-		return [
-			...(opts.verbose ? ['-vvv'] : []),
-			'-t',
-			...['-o', 'LogLevel=ERROR'],
-			...['-o', 'StrictHostKeyChecking=no'],
-			...['-o', 'UserKnownHostsFile=/dev/null'],
-			...(opts.proxyCommand && opts.proxyCommand.length
-				? ['-o', `ProxyCommand=${opts.proxyCommand.join(' ')}`]
-				: []),
-			...(opts.port ? ['-p', opts.port.toString()] : []),
-			`${opts.username}@ssh.${opts.proxyUrl}`,
-			opts.command,
-		];
 	}
 }

lib/commands/tunnel.ts

@@ -136,8 +136,7 @@ export default class TunnelCmd extends Command {
 		// Ascertain device uuid
 		const { getOnlineTargetDeviceUuid } = await import('../utils/patterns');
 		const uuid = await getOnlineTargetDeviceUuid(sdk, params.deviceOrFleet);
-		const device = await sdk.models.device.get(uuid);
-		logger.logInfo(`Opening a tunnel to ${device.uuid}...`);
+		logger.logInfo(`Opening a tunnel to ${uuid}...`);
 
 		const _ = await import('lodash');
 		const localListeners = _.chain(options.port)
@@ -147,11 +146,7 @@ export default class TunnelCmd extends Command {
 			.map(async ({ localPort, localAddress, remotePort }) => {
 				try {
 					const { tunnelConnectionToDevice } = await import('../utils/tunnel');
-					const handler = await tunnelConnectionToDevice(
-						device.uuid,
-						remotePort,
-						sdk,
-					);
+					const handler = await tunnelConnectionToDevice(uuid, remotePort, sdk);
 
 					const { createServer } = await import('net');
 					const server = createServer(async (client: Socket) => {
@@ -162,7 +157,7 @@ export default class TunnelCmd extends Command {
 								client.remotePort || 0,
 								client.localAddress,
 								client.localPort,
-								device.vpn_address || '',
+								uuid,
 								remotePort,
 							);
 						} catch (err) {
@@ -171,7 +166,7 @@ export default class TunnelCmd extends Command {
 								client.remotePort || 0,
 								client.localAddress,
 								client.localPort,
-								device.vpn_address || '',
+								uuid,
 								remotePort,
 								err,
 							);
@@ -186,15 +181,15 @@ export default class TunnelCmd extends Command {
 					});
 
 					logger.logInfo(
-						` - tunnelling ${localAddress}:${localPort} to ${device.uuid}:${remotePort}`,
+						` - tunnelling ${localAddress}:${localPort} to ${uuid}:${remotePort}`,
 					);
 
 					return true;
 				} catch (err) {
 					logger.logWarn(
-						` - not tunnelling ${localAddress}:${localPort} to ${
-							device.uuid
-						}:${remotePort}, failed ${JSON.stringify(err.message)}`,
+						` - not tunnelling ${localAddress}:${localPort} to ${uuid}:${remotePort}, failed ${JSON.stringify(
+							err.message,
+						)}`,
 					);
 
 					return false;

lib/events.ts

@@ -16,12 +16,7 @@
  */
 
 import * as packageJSON from '../package.json';
-import { getBalenaSdk, stripIndent } from './utils/lazy';
-
-interface CachedUsername {
-	token: string;
-	username: string;
-}
+import { stripIndent } from './utils/lazy';
 
 /**
  * Track balena CLI usage events (product improvement analytics).
@@ -49,40 +44,13 @@ export async function trackCommand(commandSignature: string) {
 				scope.setExtra('command', commandSignature);
 			});
 		}
-		const settings = await import('balena-settings-client');
-
-		const username = await (async () => {
-			const getStorage = await import('balena-settings-storage');
-			const dataDirectory = settings.get<string>('dataDirectory');
-			const storage = getStorage({ dataDirectory });
-			let token;
-			try {
-				token = await storage.get('token');
-			} catch {
-				// If we can't get a token then we can't get a username
-				return;
-			}
-			try {
-				const result = (await storage.get('cachedUsername')) as CachedUsername;
-				if (result.token === token) {
-					return result.username;
-				}
-			} catch {
-				// ignore
-			}
-			try {
-				const balena = getBalenaSdk();
-				const $username = await balena.auth.whoami();
-				await storage.set('cachedUsername', {
-					token,
-					username: $username,
-				} as CachedUsername);
-				return $username;
-			} catch {
-				return;
-			}
-		})();
-
+		const { getCachedUsername } = await import('./utils/bootstrap');
+		let username: string | undefined;
+		try {
+			username = (await getCachedUsername())?.username;
+		} catch {
+			// ignore
+		}
 		if (!process.env.BALENARC_NO_SENTRY) {
 			Sentry!.configureScope((scope) => {
 				scope.setUser({
@@ -96,6 +64,7 @@ export async function trackCommand(commandSignature: string) {
 			!process.env.BALENA_CLI_TEST_TYPE &&
 			!process.env.BALENARC_NO_ANALYTICS
 		) {
+			const settings = await import('balena-settings-client');
 			const balenaUrl = settings.get<string>('balenaUrl');
 			await sendEvent(balenaUrl, `[CLI] ${commandSignature}`, username);
 		}

lib/fast-boot.ts

@@ -27,14 +27,7 @@ import * as fs from 'fs';
 import * as os from 'os';
 import * as path from 'path';
 
-// `@types/node` does not know about `options: { bigint?: boolean }`
-type statT = (
-	fPath: string,
-	options: { bigint?: boolean },
-) => fs.Stats | Promise<fs.Stats>;
-
-// async stat does not work with pkg's internal `/snapshot` filesystem
-const stat: statT = process.pkg ? fs.statSync : fs.promises.stat;
+const stat = process.pkg ? fs.statSync : fs.promises.stat;
 
 let fastBootStarted = false;
 

lib/utils/bootstrap.ts

@@ -119,3 +119,61 @@ export async function pkgExec(modFunc: string, args: string[]) {
 		console.error(err);
 	}
 }
+
+export interface CachedUsername {
+	token: string;
+	username: string;
+}
+
+let cachedUsername: CachedUsername | undefined;
+
+/**
+ * Return the parsed contents of the `~/.balena/cachedUsername` file. If the file
+ * does not exist, create it with the details from the cloud. If not connected
+ * to the internet, return undefined. This function is used by `lib/events.ts`
+ * (event tracking) and `lib/utils/device/ssh.ts` and needs to gracefully handle
+ * the scenario of not being connected to the internet.
+ */
+export async function getCachedUsername(): Promise<CachedUsername | undefined> {
+	if (cachedUsername) {
+		return cachedUsername;
+	}
+	const [{ getBalenaSdk }, getStorage, settings] = await Promise.all([
+		import('./lazy'),
+		import('balena-settings-storage'),
+		import('balena-settings-client'),
+	]);
+	const dataDirectory = settings.get<string>('dataDirectory');
+	const storage = getStorage({ dataDirectory });
+	let token: string | undefined;
+	try {
+		token = (await storage.get('token')) as string | undefined;
+	} catch {
+		// ignore
+	}
+	if (!token) {
+		// If we can't get a token then we can't get a username
+		return;
+	}
+	try {
+		const result = (await storage.get('cachedUsername')) as
+			| CachedUsername
+			| undefined;
+		if (result && result.token === token && result.username) {
+			cachedUsername = result;
+			return cachedUsername;
+		}
+	} catch {
+		// ignore
+	}
+	try {
+		const username = await getBalenaSdk().auth.whoami();
+		if (username) {
+			cachedUsername = { token, username };
+			await storage.set('cachedUsername', cachedUsername);
+		}
+	} catch {
+		// ignore (not connected to the internet?)
+	}
+	return cachedUsername;
+}

lib/utils/common-flags.ts

@@ -97,14 +97,18 @@ export const deviceType = flags.string({
 	required: true,
 });
 
-export const deviceTypeIgnored = isV14()
-	? undefined
-	: flags.string({
-			description: 'ignored - no longer required',
-			char: 't',
-			required: false,
-			hidden: true,
-	  });
+export const deviceTypeIgnored = {
+	...(isV14()
+		? {}
+		: {
+				type: flags.string({
+					description: 'ignored - no longer required',
+					char: 't',
+					required: false,
+					hidden: true,
+				}),
+		  }),
+};
 
 export const json: IBooleanFlag<boolean> = flags.boolean({
 	char: 'j',

lib/utils/compose-types.d.ts

@@ -61,6 +61,7 @@ export interface ComposeOpts {
 export interface ComposeCliFlags {
 	emulated: boolean;
 	dockerfile?: string;
+	dockercompose?: string;
 	logs: boolean;
 	nologs: boolean;
 	'multi-dockerignore': boolean;

lib/utils/compose_ts.ts

@@ -28,6 +28,7 @@ import type {
 	ImageDescriptor,
 } from 'resin-compose-parse';
 import type * as MultiBuild from 'resin-multibuild';
+import * as semver from 'semver';
 import type { Duplex, Readable } from 'stream';
 import type { Pack } from 'tar-stream';
 
@@ -1348,9 +1349,6 @@ async function pushServiceImages(
 	);
 }
 
-// TODO: This should be shared between the CLI & the Builder
-const PLAIN_SEMVER_REGEX = /^([0-9]+)\.([0-9]+)\.([0-9]+)$/;
-
 export async function deployProject(
 	docker: Dockerode,
 	logger: Logger,
@@ -1373,10 +1371,10 @@ export async function deployProject(
 
 	const contractPath = path.join(projectPath, 'balena.yml');
 	const contract = await getContractContent(contractPath);
-	if (contract?.version && !PLAIN_SEMVER_REGEX.test(contract?.version)) {
+	if (contract?.version && !semver.valid(contract.version)) {
 		throw new ExpectedError(stripIndent`\
-			Error: expected the version field in "${contractPath}"
-			to be a basic semver in the format '1.2.3'. Got '${contract.version}' instead`);
+			Error: the version field in "${contractPath}"
+			is not a valid semver`);
 	}
 
 	const $release = await runSpinner(
@@ -1641,6 +1639,7 @@ function truncateString(str: string, len: number): string {
 	return str.slice(0, str.lastIndexOf('\n'));
 }
 
+// TODO:  docker-compose naming
 export const composeCliFlags: flags.Input<ComposeCliFlags> = {
 	emulated: flags.boolean({
 		description:
@@ -1651,6 +1650,10 @@ export const composeCliFlags: flags.Input<ComposeCliFlags> = {
 		description:
 			'Alternative Dockerfile name/path, relative to the source folder',
 	}),
+	dockercompose: flags.string({
+		description:
+			'Alternative docker-compose.yml name in the source root folder',
+	}),
 	logs: flags.boolean({
 		description:
 			'No-op and deprecated since balena CLI v12.0.0. Build logs are now shown by default.',

lib/utils/deploy-legacy.ts

@@ -17,15 +17,27 @@
 
 import { getVisuals } from './lazy';
 import { promisify } from 'util';
+import type * as Dockerode from 'dockerode';
+import type Logger = require('./logger');
+import type { Request } from 'request';
 
-const getBuilderPushEndpoint = function (baseUrl, owner, app) {
-	const querystring = require('querystring');
+const getBuilderPushEndpoint = function (
+	baseUrl: string,
+	owner: string,
+	app: string,
+) {
+	const querystring = require('querystring') as typeof import('querystring');
 	const args = querystring.stringify({ owner, app });
 	return `https://builder.${baseUrl}/v1/push?${args}`;
 };
 
-const getBuilderLogPushEndpoint = function (baseUrl, buildId, owner, app) {
-	const querystring = require('querystring');
+const getBuilderLogPushEndpoint = function (
+	baseUrl: string,
+	buildId: number,
+	owner: string,
+	app: string,
+) {
+	const querystring = require('querystring') as typeof import('querystring');
 	const args = querystring.stringify({ owner, app, buildId });
 	return `https://builder.${baseUrl}/v1/pushLogs?${args}`;
 };
@@ -35,32 +47,37 @@ const getBuilderLogPushEndpoint = function (baseUrl, buildId, owner, app) {
  * @param {string} imageId
  * @param {string} bufferFile
  */
-const bufferImage = function (docker, imageId, bufferFile) {
-	const streamUtils = require('./streams');
+const bufferImage = function (
+	docker: Dockerode,
+	imageId: string,
+	bufferFile: string,
+): Promise<NodeJS.ReadableStream & { length: number }> {
+	const streamUtils = require('./streams') as typeof import('./streams');
 
 	const image = docker.getImage(imageId);
 	const sizePromise = image.inspect().then((img) => img.Size);
 
 	return Promise.all([image.get(), sizePromise]).then(
 		([imageStream, imageSize]) =>
-			streamUtils.buffer(imageStream, bufferFile).then((bufferedStream) => {
-				// @ts-ignore adding an extra property
-				bufferedStream.length = imageSize;
-				return bufferedStream;
-			}),
+			streamUtils
+				.buffer(imageStream, bufferFile)
+				.then((bufferedStream: NodeJS.ReadableStream & { length?: number }) => {
+					bufferedStream.length = imageSize;
+					return bufferedStream as NodeJS.ReadableStream & { length: number };
+				}),
 	);
 };
 
-const showPushProgress = function (message) {
+const showPushProgress = function (message: string) {
 	const visuals = getVisuals();
 	const progressBar = new visuals.Progress(message);
 	progressBar.update({ percentage: 0 });
 	return progressBar;
 };
 
-const uploadToPromise = (uploadRequest, logger) =>
-	new Promise(function (resolve, reject) {
-		const handleMessage = function (data) {
+const uploadToPromise = (uploadRequest: Request, logger: Logger) =>
+	new Promise<{ buildId: number }>(function (resolve, reject) {
+		uploadRequest.on('error', reject).on('data', function handleMessage(data) {
 			let obj;
 			data = data.toString();
 			logger.logDebug(`Received data: ${data}`);
@@ -86,25 +103,24 @@ const uploadToPromise = (uploadRequest, logger) =>
 				default:
 					reject(new Error(`Received unexpected reply from remote: ${data}`));
 			}
-		};
-
-		uploadRequest.on('error', reject).on('data', handleMessage);
+		});
 	});
 
 /**
  * @returns {Promise<{ buildId: number }>}
  */
 const uploadImage = function (
-	imageStream,
-	token,
-	username,
-	url,
-	appName,
-	logger,
-) {
-	const request = require('request');
-	const progressStream = require('progress-stream');
-	const zlib = require('zlib');
+	imageStream: NodeJS.ReadableStream & { length: number },
+	token: string,
+	username: string,
+	url: string,
+	appName: string,
+	logger: Logger,
+): Promise<{ buildId: number }> {
+	const request = require('request') as typeof import('request');
+	const progressStream =
+		require('progress-stream') as typeof import('progress-stream');
+	const zlib = require('zlib') as typeof import('zlib');
 
 	// Need to strip off the newline
 	const progressMessage = logger
@@ -143,8 +159,15 @@ const uploadImage = function (
 	return uploadToPromise(uploadRequest, logger);
 };
 
-const uploadLogs = function (logs, token, url, buildId, username, appName) {
-	const request = require('request');
+const uploadLogs = function (
+	logs: string,
+	token: string,
+	url: string,
+	buildId: number,
+	username: string,
+	appName: string,
+) {
+	const request = require('request') as typeof import('request');
 	return request.post({
 		json: true,
 		url: getBuilderLogPushEndpoint(url, buildId, username, appName),
@@ -156,25 +179,24 @@ const uploadLogs = function (logs, token, url, buildId, username, appName) {
 };
 
 /**
- * @param {import('dockerode')} docker
- * @param {import('./logger')} logger
- * @param {string} token
- * @param {string} username
- * @param {string} url
- * @param {{appName: string; imageName: string; buildLogs: string; shouldUploadLogs: boolean}} opts
  * - appName: the name of the app to deploy to
  * - imageName: the name of the image to deploy
  * - buildLogs: a string with build output
  */
 export const deployLegacy = async function (
-	docker,
-	logger,
-	token,
-	username,
-	url,
-	opts,
-) {
-	const tmp = require('tmp');
+	docker: Dockerode,
+	logger: Logger,
+	token: string,
+	username: string,
+	url: string,
+	opts: {
+		appName: string;
+		imageName: string;
+		buildLogs: string;
+		shouldUploadLogs: boolean;
+	},
+): Promise<number> {
+	const tmp = require('tmp') as typeof import('tmp');
 	const tmpNameAsync = promisify(tmp.tmpName);
 
 	// Ensure the tmp files gets deleted
@@ -195,8 +217,8 @@ export const deployLegacy = async function (
 			// has occured before any data was written) this call will throw an
 			// ugly error, just suppress it
 
-			require('fs')
-				.promises.unlink(bufferFile)
+			(require('fs') as typeof import('fs')).promises
+				.unlink(bufferFile)
 				.catch(() => undefined),
 		);
 

lib/utils/device/ssh.ts

@@ -13,89 +13,140 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import type { ContainerInfo } from 'dockerode';
+
+import { ExpectedError } from '../../errors';
 import { stripIndent } from '../lazy';
 
-export interface DeviceSSHOpts {
-	address: string;
-	port?: number;
+import {
+	findBestUsernameForDevice,
+	getRemoteCommandOutput,
+	runRemoteCommand,
+	SshRemoteCommandOpts,
+} from '../ssh';
+
+export interface DeviceSSHOpts extends SshRemoteCommandOpts {
 	forceTTY?: boolean;
-	verbose: boolean;
 	service?: string;
 }
 
-export const deviceContainerEngineBinary = `$(if [ -f /usr/bin/balena ]; then echo "balena"; else echo "docker"; fi)`;
+const deviceContainerEngineBinary = `$(if [ -f /usr/bin/balena ]; then echo "balena"; else echo "docker"; fi)`;
+
+/**
+ * List the running containers on the device over ssh, and return the full
+ * container name that matches the given service name.
+ *
+ * Note: In the past, two other approaches were implemented for this function:
+ *
+ *   - Obtaining container IDs through a supervisor API call:
+ *     '/supervisor/v2/containerId' endpoint, via cloud.
+ *   - Obtaining container IDs using 'dockerode' connected directly to
+ *     balenaEngine on a device, TCP port 2375.
+ *
+ * The problem with using the supervisor API is that it means that 'balena ssh'
+ * becomes dependent on the supervisor being up an running, but sometimes ssh
+ * is needed to investigate devices issues where the supervisor has got into
+ * trouble (e.g. supervisor in restart loop). This is the subject of CLI issue
+ * https://github.com/balena-io/balena-cli/issues/1560 .
+ *
+ * The problem with using dockerode to connect directly to port 2375 (balenaEngine)
+ * is that it only works with development variants of balenaOS. Production variants
+ * block access to port 2375 for security reasons. 'balena ssh' should support
+ * production variants as well, especially after balenaOS v2.44.0 that introduced
+ * support for using the cloud account username for ssh authentication.
+ *
+ * Overall, the most reliable approach is to run 'balena-engine ps' over ssh.
+ * It is OK to depend on balenaEngine because ssh to a container is implemented
+ * through 'balena-engine exec' anyway, and of course it is OK to depend on ssh
+ * itself.
+ */
+export async function getContainerIdForService(
+	opts: SshRemoteCommandOpts & { service: string; deviceUuid?: string },
+): Promise<string> {
+	opts.cmd = `"${deviceContainerEngineBinary}" ps --format "{{.ID}} {{.Names}}"`;
+	if (opts.deviceUuid) {
+		// If a device UUID is given, perform ssh via cloud proxy 'host' command
+		opts.cmd = `host ${opts.deviceUuid} ${opts.cmd}`;
+	}
+
+	const psLines: string[] = (
+		await getRemoteCommandOutput({ ...opts, stderr: 'inherit' })
+	).stdout
+		.toString()
+		.split('\n')
+		.filter((l) => l);
+
+	const { escapeRegExp } = await import('lodash');
+	const regex = new RegExp(`(?:^|\\/)${escapeRegExp(opts.service)}_\\d+_\\d+`);
+	// Old balenaOS container name pattern:
+	//    main_1234567_2345678
+	// New balenaOS container name patterns:
+	//    main_1234567_2345678_a000b111c222d333e444f555a666b777
+	//    main_1_1_localrelease
+	const nameRegex = /(?:^|\/)([a-zA-Z0-9_-]+)_\d+_\d+(?:_.+)?$/;
+
+	const serviceNames: string[] = [];
+	const containerNames: string[] = [];
+	let containerId: string | undefined;
+
+	// sample psLine: 'b603c74e951e bar_4587562_2078151_3261c9d4c22f2c53a5267be459c89990'
+	for (const psLine of psLines) {
+		const [cId, name] = psLine.split(' ');
+		if (cId && name) {
+			if (regex.test(name)) {
+				containerNames.push(name);
+				containerId = cId;
+			}
+			const match = name.match(nameRegex);
+			if (match) {
+				serviceNames.push(match[1]);
+			}
+		}
+	}
+
+	if (containerNames.length > 1) {
+		const [s, d] = [opts.service, opts.deviceUuid || opts.hostname];
+		throw new ExpectedError(stripIndent`
+			Found more than one container matching service name "${s}" on device "${d}":
+			${containerNames.join(', ')}
+			Use different service names to avoid ambiguity.
+		`);
+	}
+	if (!containerId) {
+		const [s, d] = [opts.service, opts.deviceUuid || opts.hostname];
+		throw new ExpectedError(
+			`Could not find a container matching service name "${s}" on device "${d}".${
+				serviceNames.length > 0
+					? `\nAvailable services:\n\t${serviceNames.join('\n\t')}`
+					: ''
+			}`,
+		);
+	}
+	return containerId;
+}
 
 export async function performLocalDeviceSSH(
 	opts: DeviceSSHOpts,
 ): Promise<void> {
-	const { escapeRegExp, reduce } = await import('lodash');
-	const { spawnSshAndThrowOnError } = await import('../ssh');
-	const { ExpectedError } = await import('../../errors');
+	// Before we started using `findBestUsernameForDevice`, we tried the approach
+	// of attempting ssh with the 'root' username first and, if that failed, then
+	// attempting ssh with a regular user (balenaCloud username). The problem with
+	// that approach was that it would print the following message to the console:
+	//     "root@192.168.1.36: Permission denied (publickey)"
+	// ... right before having success as a regular user, which looked broken or
+	// confusing from users' point of view.  Capturing stderr to prevent that
+	// message from being printed is tricky because the messages printed to stderr
+	// may include the stderr output of remote commands that are of interest to
+	// the user.
+	const username = await findBestUsernameForDevice(opts.hostname, opts.port);
+	let cmd = '';
 
-	let command = '';
-
-	if (opts.service != null) {
-		// Get the containers which are on-device. Currently we
-		// are single application, which means we can assume any
-		// container which fulfills the form of
-		// $serviceName_$appId_$releaseId is what we want. Once
-		// we have multi-app, we should show a dialog which
-		// allows the user to choose the correct container
-
-		const Docker = await import('dockerode');
-		const docker = new Docker({
-			host: opts.address,
-			port: 2375,
+	if (opts.service) {
+		const containerId = await getContainerIdForService({
+			...opts,
+			service: opts.service,
+			username,
 		});
 
-		const regex = new RegExp(`(^|\\/)${escapeRegExp(opts.service)}_\\d+_\\d+`);
-		const nameRegex = /\/?([a-zA-Z0-9_-]+)_\d+_\d+/;
-		let allContainers: ContainerInfo[];
-		try {
-			allContainers = await docker.listContainers();
-		} catch (_e) {
-			throw new ExpectedError(stripIndent`
-				Could not access docker daemon on device ${opts.address}.
-				Please ensure the device is in local mode.`);
-		}
-
-		const serviceNames: string[] = [];
-		const containers: Array<{ id: string; name: string }> = [];
-		for (const container of allContainers) {
-			for (const name of container.Names) {
-				if (regex.test(name)) {
-					containers.push({ id: container.Id, name });
-					break;
-				}
-				const match = name.match(nameRegex);
-				if (match) {
-					serviceNames.push(match[1]);
-				}
-			}
-		}
-		if (containers.length === 0) {
-			throw new ExpectedError(
-				`Could not find a service on device with name ${opts.service}. ${
-					serviceNames.length > 0
-						? `Available services:\n${reduce(
-								serviceNames,
-								(str, name) => `${str}\t${name}\n`,
-								'',
-						  )}`
-						: ''
-				}`,
-			);
-		}
-		if (containers.length > 1) {
-			throw new ExpectedError(stripIndent`
-				Found more than one container matching service name "${opts.service}":
-				${containers.map((container) => container.name).join(', ')}
-				Use different service names to avoid ambiguity.
-			`);
-		}
-
-		const containerId = containers[0].id;
 		const shellCmd = `/bin/sh -c "if [ -e /bin/bash ]; then exec /bin/bash; else exec /bin/sh; fi"`;
 		// stdin (fd=0) is not a tty when data is piped in, for example
 		// echo 'ls -la; exit;' | balena ssh 192.168.0.20 service1
@@ -103,17 +154,8 @@ export async function performLocalDeviceSSH(
 		//     https://assets.balena.io/newsletter/2020-01/pipe.png
 		const isTTY = !!opts.forceTTY || (await import('tty')).isatty(0);
 		const ttyFlag = isTTY ? '-t' : '';
-		command = `${deviceContainerEngineBinary} exec -i ${ttyFlag} ${containerId} ${shellCmd}`;
+		cmd = `${deviceContainerEngineBinary} exec -i ${ttyFlag} ${containerId} ${shellCmd}`;
 	}
 
-	return spawnSshAndThrowOnError([
-		...(opts.verbose ? ['-vvv'] : []),
-		'-t',
-		...['-p', opts.port ? opts.port.toString() : '22222'],
-		...['-o', 'LogLevel=ERROR'],
-		...['-o', 'StrictHostKeyChecking=no'],
-		...['-o', 'UserKnownHostsFile=/dev/null'],
-		`root@${opts.address}`,
-		...(command ? [command] : []),
-	]);
+	await runRemoteCommand({ ...opts, cmd, username });
 }

lib/utils/docker.ts

@@ -174,14 +174,8 @@ export async function isBalenaEngine(docker: dockerode): Promise<boolean> {
 	);
 }
 
-export interface ExtendedDockerOptions extends dockerode.DockerOptions {
-	docker?: string; // socket path, e.g. /var/run/docker.sock
-	dockerHost?: string; // host name or IP address
-	dockerPort?: number; // TCP port number, e.g. 2375
-}
-
 export async function getDocker(
-	options: ExtendedDockerOptions,
+	options: DockerConnectionCliFlags,
 ): Promise<dockerode> {
 	const connectOpts = await generateConnectOpts(options);
 	const client = await createClient(connectOpts);
@@ -196,14 +190,18 @@ export async function createClient(
 	return new Docker(opts);
 }
 
-async function generateConnectOpts(opts: ExtendedDockerOptions) {
-	let connectOpts: dockerode.DockerOptions = {};
-
-	// Start with docker-modem defaults which take several env vars into account,
-	// including DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH, SSH_AUTH_SOCK
-	// https://github.com/apocas/docker-modem/blob/v3.0.0/lib/modem.js#L15-L70
-	const Modem = require('docker-modem');
-	const defaultOpts = new Modem();
+/**
+ * Initialize Docker connection options with the default values from the
+ * 'docker-modem' package, which takes several env vars into account,
+ * including DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH, SSH_AUTH_SOCK
+ * https://github.com/apocas/docker-modem/blob/v3.0.0/lib/modem.js#L15-L70
+ *
+ * @param opts Command line options like --dockerHost and --dockerPort
+ */
+export function getDefaultDockerModemOpts(
+	opts: DockerConnectionCliFlags,
+): dockerode.DockerOptions {
+	const connectOpts: dockerode.DockerOptions = {};
 	const optsOfInterest: Array<keyof dockerode.DockerOptions> = [
 		'ca',
 		'cert',
@@ -215,9 +213,33 @@ async function generateConnectOpts(opts: ExtendedDockerOptions) {
 		'username',
 		'timeout',
 	];
-	for (const opt of optsOfInterest) {
-		connectOpts[opt] = defaultOpts[opt];
+	const Modem = require('docker-modem');
+	const originalDockerHost = process.env.DOCKER_HOST;
+	try {
+		if (opts.dockerHost) {
+			process.env.DOCKER_HOST ||= opts.dockerPort
+				? `${opts.dockerHost}:${opts.dockerPort}`
+				: opts.dockerHost;
+		}
+		const defaultOpts = new Modem();
+		for (const opt of optsOfInterest) {
+			connectOpts[opt] = defaultOpts[opt];
+		}
+	} finally {
+		// Did you know? Any value assigned to `process.env.XXX` becomes a string.
+		// For example, `process.env.DOCKER_HOST = undefined` results in
+		// value 'undefined' (a 9-character string) being assigned.
+		if (originalDockerHost) {
+			process.env.DOCKER_HOST = originalDockerHost;
+		} else {
+			delete process.env.DOCKER_HOST;
+		}
 	}
+	return connectOpts;
+}
+
+export async function generateConnectOpts(opts: DockerConnectionCliFlags) {
+	let connectOpts = getDefaultDockerModemOpts(opts);
 
 	// Now override the default options with any explicit command line options
 	if (opts.docker != null && opts.dockerHost == null) {
@@ -241,9 +263,9 @@ async function generateConnectOpts(opts: ExtendedDockerOptions) {
 	// These should be file paths (strings)
 	const tlsOpts = [opts.ca, opts.cert, opts.key];
 
-	// If any are set...
+	// If any tlsOpts are set...
 	if (tlsOpts.some((opt) => opt)) {
-		// but not all ()
+		// but not all
 		if (!tlsOpts.every((opt) => opt)) {
 			throw new ExpectedError(
 				'You must provide a CA, certificate and key in order to use TLS',
@@ -258,7 +280,11 @@ async function generateConnectOpts(opts: ExtendedDockerOptions) {
 		const [ca, cert, key] = await Promise.all(
 			tlsOpts.map((opt: string) => fs.readFile(opt, 'utf8')),
 		);
-		connectOpts = { ...connectOpts, ca, cert, key };
+		// Also ensure that the protocol is 'https' like 'docker-modem' does:
+		// https://github.com/apocas/docker-modem/blob/v3.0.0/lib/modem.js#L101-L103
+		// TODO: delete redundant logic from this function now that similar logic
+		// exists in the 'docker-modem' package.
+		connectOpts = { ...connectOpts, ca, cert, key, protocol: 'https' };
 	}
 
 	return connectOpts;

lib/utils/ignore.ts

@@ -92,6 +92,7 @@ async function readDockerIgnoreFile(projectDir: string): Promise<string> {
 	return dockerIgnoreStr;
 }
 
+// TODO:  docker-compose naming
 /**
  * Create an instance of '@balena/dockerignore', initialized with the contents
  * of a .dockerignore file (if any) found at the given directory argument, plus

lib/utils/lazy.ts

@@ -21,7 +21,6 @@ import type { Chalk } from 'chalk';
 import type * as visuals from 'resin-cli-visuals';
 import type * as CliForm from 'resin-cli-form';
 import type { ux } from 'cli-ux';
-import type { stripIndent as StripIndent } from 'common-tags';
 
 // Equivalent of _.once but avoiding the need to import lodash for lazy deps
 const once = <T>(fn: () => T) => {
@@ -63,4 +62,4 @@ export const getCliUx = once(() => require('cli-ux').ux as typeof ux);
 // Directly export stripIndent as we always use it immediately, but importing just `stripIndent` reduces startup time
 export const stripIndent =
 	// tslint:disable-next-line:no-var-requires
-	require('common-tags/lib/stripIndent') as typeof StripIndent;
+	require('common-tags/lib/stripIndent') as typeof import('common-tags/lib/stripIndent');

lib/utils/messages.ts

@@ -86,6 +86,7 @@ If the --registry-secrets option is not specified, and a secrets.yml or
 secrets.json file exists in the balena directory (usually $HOME/.balena),
 this file will be used instead.`;
 
+// TODO:  docker-compose naming
 export const dockerignoreHelp =
 	'DOCKERIGNORE AND GITIGNORE FILES  \n' +
 	`By default, the balena CLI will use a single ".dockerignore" file (if any) at

lib/utils/patterns.ts

@@ -207,35 +207,6 @@ export async function selectOrganization(organizations?: Organization[]) {
 	});
 }
 
-export async function awaitDevice(uuid: string) {
-	const balena = getBalenaSdk();
-	const deviceName = await balena.models.device.getName(uuid);
-	const visuals = getVisuals();
-	const spinner = new visuals.Spinner(
-		`Waiting for ${deviceName} to come online`,
-	);
-
-	const poll = async (): Promise<void> => {
-		const isOnline = await balena.models.device.isOnline(uuid);
-		if (isOnline) {
-			spinner.stop();
-			console.info(`The device **${deviceName}** is online!`);
-			return;
-		} else {
-			// Spinner implementation is smart enough to
-			// not start again if it was already started
-			spinner.start();
-
-			await delay(3000);
-			await poll();
-		}
-	};
-
-	console.info(`Waiting for ${deviceName} to connect to balena...`);
-	await poll();
-	return uuid;
-}
-
 export async function awaitDeviceOsUpdate(
 	uuid: string,
 	targetOsVersion: string,

lib/utils/promote.ts

@@ -20,7 +20,7 @@ import { ExpectedError, printErrorMessage } from '../errors';
 import { getVisuals, stripIndent, getCliForm } from './lazy';
 import Logger = require('./logger');
 import { confirm } from './patterns';
-import { exec, execBuffered, getDeviceOsRelease } from './ssh';
+import { getLocalDeviceCmdStdout, getDeviceOsRelease } from './ssh';
 
 const MIN_BALENAOS_VERSION = 'v2.14.0';
 
@@ -80,7 +80,12 @@ export async function leave(
 	logger.logDebug('Deconfiguring...');
 	await deconfigure(deviceHostnameOrIp);
 
-	logger.logSuccess('Device successfully left the platform.');
+	logger.logSuccess(stripIndent`
+		Device successfully left the platform. The device will still be listed as part
+		of the fleet, but changes to the fleet will no longer affect the device and its
+		status will eventually be reported as 'Offline'. To irrecoverably delete the
+		device from the fleet, use the 'balena device rm' command or delete it through
+		the balenaCloud web dashboard.`);
 }
 
 async function execCommand(
@@ -88,20 +93,25 @@ async function execCommand(
 	cmd: string,
 	msg: string,
 ): Promise<void> {
-	const through = await import('through2');
+	const { Writable } = await import('stream');
 	const visuals = getVisuals();
 
 	const spinner = new visuals.Spinner(`[${deviceIp}] Connecting...`);
 	const innerSpinner = spinner.spinner;
 
-	const stream = through(function (data, _enc, cb) {
-		innerSpinner.setSpinnerTitle(`%s [${deviceIp}] ${msg}`);
-		cb(null, data);
+	const stream = new Writable({
+		write(_chunk: Buffer, _enc, callback) {
+			innerSpinner.setSpinnerTitle(`%s [${deviceIp}] ${msg}`);
+			callback();
+		},
 	});
 
 	spinner.start();
-	await exec(deviceIp, cmd, stream);
-	spinner.stop();
+	try {
+		await getLocalDeviceCmdStdout(deviceIp, cmd, stream);
+	} finally {
+		spinner.stop();
+	}
 }
 
 async function configure(deviceIp: string, config: any): Promise<void> {
@@ -121,7 +131,7 @@ async function deconfigure(deviceIp: string): Promise<void> {
 async function assertDeviceIsCompatible(deviceIp: string): Promise<void> {
 	const cmd = 'os-config --version';
 	try {
-		await execBuffered(deviceIp, cmd);
+		await getLocalDeviceCmdStdout(deviceIp, cmd);
 	} catch (err) {
 		if (err instanceof ExpectedError) {
 			throw err;

lib/utils/remote-build.ts

@@ -212,7 +212,7 @@ function handleBuilderMetadata(obj: BuilderMessage, build: RemoteBuild) {
 			}
 
 			const value = match[1];
-			const amount = match[2] || 1;
+			const amount = Number(match[2]) || 1;
 
 			switch (value) {
 				case 'erase':

lib/utils/ssh.ts

@@ -16,147 +16,314 @@
  */
 import { spawn, StdioOptions } from 'child_process';
 import * as _ from 'lodash';
-import { TypedError } from 'typed-error';
 
 import { ExpectedError } from '../errors';
 
-export class ExecError extends TypedError {
-	public cmd: string;
-	public exitCode: number;
+export class SshPermissionDeniedError extends ExpectedError {}
 
-	constructor(cmd: string, exitCode: number) {
-		super(`Command '${cmd}' failed with error: ${exitCode}`);
+export class RemoteCommandError extends ExpectedError {
+	cmd: string;
+	exitCode?: number;
+	exitSignal?: NodeJS.Signals;
+
+	constructor(cmd: string, exitCode?: number, exitSignal?: NodeJS.Signals) {
+		super(sshErrorMessage(cmd, exitSignal, exitCode));
 		this.cmd = cmd;
 		this.exitCode = exitCode;
+		this.exitSignal = exitSignal;
 	}
 }
 
-export async function exec(
-	deviceIp: string,
-	cmd: string,
-	stdout?: NodeJS.WritableStream,
-): Promise<void> {
+export interface SshRemoteCommandOpts {
+	cmd?: string;
+	hostname: string;
+	ignoreStdin?: boolean;
+	port?: number | 'cloud' | 'local';
+	proxyCommand?: string[];
+	username?: string;
+	verbose?: boolean;
+}
+
+export const stdioIgnore: {
+	stdin: 'ignore';
+	stdout: 'ignore';
+	stderr: 'ignore';
+} = {
+	stdin: 'ignore',
+	stdout: 'ignore',
+	stderr: 'ignore',
+};
+
+export function sshArgsForRemoteCommand({
+	cmd = '',
+	hostname,
+	ignoreStdin = false,
+	port,
+	proxyCommand,
+	username = 'root',
+	verbose = false,
+}: SshRemoteCommandOpts): string[] {
+	port = port === 'local' ? 22222 : port === 'cloud' ? 22 : port;
+	return [
+		...(verbose ? ['-vvv'] : []),
+		...(ignoreStdin ? ['-n'] : []),
+		'-t',
+		...(port ? ['-p', port.toString()] : []),
+		...['-o', 'LogLevel=ERROR'],
+		...['-o', 'StrictHostKeyChecking=no'],
+		...['-o', 'UserKnownHostsFile=/dev/null'],
+		...(proxyCommand && proxyCommand.length
+			? ['-o', `ProxyCommand=${proxyCommand.join(' ')}`]
+			: []),
+		`${username}@${hostname}`,
+		...(cmd ? [cmd] : []),
+	];
+}
+
+/**
+ * Execute the given command on a local balenaOS device over ssh.
+ * @param cmd Shell command to execute on the device
+ * @param hostname Device's hostname or IP address
+ * @param port SSH server TCP port number or 'local' (22222) or 'cloud' (22)
+ * @param stdin Readable stream to pipe to the remote command stdin,
+ * or 'ignore' or 'inherit' as documented in the child_process.spawn function.
+ * @param stdout Writeable stream to pipe from the remote command stdout,
+ * or 'ignore' or 'inherit' as documented in the child_process.spawn function.
+ * @param stderr Writeable stream to pipe from the remote command stdout,
+ * or 'ignore' or 'inherit' as documented in the child_process.spawn function.
+ * @param username SSH username for authorization. With balenaOS 2.44.0 or
+ * later, it can be a balenaCloud username.
+ * @param verbose Produce debugging output
+ */
+export async function runRemoteCommand({
+	cmd = '',
+	hostname,
+	port,
+	proxyCommand,
+	stdin = 'inherit',
+	stdout = 'inherit',
+	stderr = 'inherit',
+	username = 'root',
+	verbose = false,
+}: SshRemoteCommandOpts & {
+	stdin?: 'ignore' | 'inherit' | NodeJS.ReadableStream;
+	stdout?: 'ignore' | 'inherit' | NodeJS.WritableStream;
+	stderr?: 'ignore' | 'inherit' | NodeJS.WritableStream;
+}): Promise<void> {
+	let ignoreStdin: boolean;
+	if (stdin === 'ignore') {
+		// Set ignoreStdin=true in order for the "ssh -n" option to be used to
+		// prevent the ssh client from using the CLI process stdin. In addition,
+		// stdin must be forced to 'inherit' (if it is not a readable stream) in
+		// order to work around a bug in older versions of the built-in Windows
+		// 10 ssh client that otherwise prints the following to stderr and
+		// hangs:  "GetConsoleMode on STD_INPUT_HANDLE failed with 6"
+		// They actually fixed the bug in newer versions of the ssh client:
+		// https://github.com/PowerShell/Win32-OpenSSH/issues/856 but users
+		// have to manually download and install a new client.
+		ignoreStdin = true;
+		stdin = 'inherit';
+	} else {
+		ignoreStdin = false;
+	}
 	const { which } = await import('./which');
 	const program = await which('ssh');
-	const args = [
-		'-n',
-		'-t',
-		'-p',
-		'22222',
-		'-o',
-		'LogLevel=ERROR',
-		'-o',
-		'StrictHostKeyChecking=no',
-		'-o',
-		'UserKnownHostsFile=/dev/null',
-		`root@${deviceIp}`,
+	const args = sshArgsForRemoteCommand({
 		cmd,
-	];
+		hostname,
+		ignoreStdin,
+		port,
+		proxyCommand,
+		username,
+		verbose,
+	});
+
 	if (process.env.DEBUG) {
 		const logger = (await import('./logger')).getLogger();
 		logger.logDebug(`Executing [${program},${args}]`);
 	}
 
-	// Note: stdin must be 'inherit' to workaround a bug in older versions of
-	// the built-in Windows 10 ssh client that otherwise prints the following
-	// to stderr and hangs: "GetConsoleMode on STD_INPUT_HANDLE failed with 6"
-	// They fixed the bug in newer versions of the ssh client:
-	// https://github.com/PowerShell/Win32-OpenSSH/issues/856
-	// but users whould have to manually download and install a new client.
-	// Note that "ssh -n" does not solve the problem, but should in theory
-	// prevent the ssh client from using the CLI process stdin, even if it
-	// is connected with 'inherit'.
 	const stdio: StdioOptions = [
-		'inherit',
-		stdout ? 'pipe' : 'inherit',
-		'inherit',
+		typeof stdin === 'string' ? stdin : 'pipe',
+		typeof stdout === 'string' ? stdout : 'pipe',
+		typeof stderr === 'string' ? stderr : 'pipe',
 	];
+	let exitCode: number | undefined;
+	let exitSignal: NodeJS.Signals | undefined;
+	try {
+		[exitCode, exitSignal] = await new Promise<[number, NodeJS.Signals]>(
+			(resolve, reject) => {
+				const ps = spawn(program, args, { stdio })
+					.on('error', reject)
+					.on('close', (code, signal) => resolve([code, signal]));
 
-	const exitCode = await new Promise<number>((resolve, reject) => {
-		const ps = spawn(program, args, { stdio })
-			.on('error', reject)
-			.on('close', resolve);
-
-		if (stdout) {
-			ps.stdout.pipe(stdout);
-		}
-	});
-	if (exitCode !== 0) {
-		throw new ExecError(cmd, exitCode);
+				if (ps.stdin && stdin && typeof stdin !== 'string') {
+					stdin.pipe(ps.stdin);
+				}
+				if (ps.stdout && stdout && typeof stdout !== 'string') {
+					ps.stdout.pipe(stdout);
+				}
+				if (ps.stderr && stderr && typeof stderr !== 'string') {
+					ps.stderr.pipe(stderr);
+				}
+			},
+		);
+	} catch (error) {
+		const msg = [
+			`ssh failed with exit code=${exitCode} signal=${exitSignal}:`,
+			`[${program}, ${args.join(', ')}]`,
+			...(error ? [`${error}`] : []),
+		];
+		throw new ExpectedError(msg.join('\n'));
+	}
+	if (exitCode || exitSignal) {
+		throw new RemoteCommandError(cmd, exitCode, exitSignal);
 	}
 }
 
-export async function execBuffered(
-	deviceIp: string,
-	cmd: string,
-	enc?: string,
-): Promise<string> {
-	const through = await import('through2');
-	const buffer: string[] = [];
-	await exec(
-		deviceIp,
+/**
+ * Execute the given command on a local balenaOS device over ssh.
+ * Capture stdout and/or stderr to Buffers and return them.
+ *
+ * @param deviceIp IP address of the local device
+ * @param cmd Shell command to execute on the device
+ * @param opts Options
+ * @param opts.username SSH username for authorization. With balenaOS 2.44.0 or
+ * later, it may be a balenaCloud username. Otherwise, 'root'.
+ * @param opts.stdin Passed through to the runRemoteCommand function
+ * @param opts.stdout If 'capture', capture stdout to a Buffer.
+ * @param opts.stderr If 'capture', capture stdout to a Buffer.
+ */
+export async function getRemoteCommandOutput({
+	cmd,
+	hostname,
+	port,
+	proxyCommand,
+	stdin = 'ignore',
+	stdout = 'capture',
+	stderr = 'capture',
+	username = 'root',
+	verbose = false,
+}: SshRemoteCommandOpts & {
+	stdin?: 'ignore' | 'inherit' | NodeJS.ReadableStream;
+	stdout?: 'capture' | 'ignore' | 'inherit' | NodeJS.WritableStream;
+	stderr?: 'capture' | 'ignore' | 'inherit' | NodeJS.WritableStream;
+}): Promise<{ stdout: Buffer; stderr: Buffer }> {
+	const { Writable } = await import('stream');
+	const stdoutChunks: Buffer[] = [];
+	const stderrChunks: Buffer[] = [];
+	const stdoutStream = new Writable({
+		write(chunk: Buffer, _enc, callback) {
+			stdoutChunks.push(chunk);
+			callback();
+		},
+	});
+	const stderrStream = new Writable({
+		write(chunk: Buffer, _enc, callback) {
+			stderrChunks.push(chunk);
+			callback();
+		},
+	});
+	await runRemoteCommand({
 		cmd,
-		through(function (data, _enc, cb) {
-			buffer.push(data.toString(enc));
-			cb();
-		}),
-	);
-	return buffer.join('');
+		hostname,
+		port,
+		proxyCommand,
+		stdin,
+		stdout: stdout === 'capture' ? stdoutStream : stdout,
+		stderr: stderr === 'capture' ? stderrStream : stderr,
+		username,
+		verbose,
+	});
+	return {
+		stdout: Buffer.concat(stdoutChunks),
+		stderr: Buffer.concat(stderrChunks),
+	};
 }
 
+/** Convenience wrapper for getRemoteCommandOutput */
+export async function getLocalDeviceCmdStdout(
+	hostname: string,
+	cmd: string,
+	stdout: 'capture' | 'ignore' | 'inherit' | NodeJS.WritableStream = 'capture',
+): Promise<Buffer> {
+	const port = 'local';
+	return (
+		await getRemoteCommandOutput({
+			cmd,
+			hostname,
+			port,
+			stdout,
+			stderr: 'inherit',
+			username: await findBestUsernameForDevice(hostname, port),
+		})
+	).stdout;
+}
+
+/**
+ * Run a trivial 'exit 0' command over ssh on the target hostname (typically the
+ * IP address of a local device) with the 'root' username, in order to determine
+ * whether root authentication suceeds. It should succeed with development
+ * variants of balenaOS and fail with production variants, unless a ssh key was
+ * added to the device's 'config.json' file.
+ * @return True if succesful, false on any errors.
+ */
+export const isRootUserGood = _.memoize(async (hostname: string, port) => {
+	try {
+		await runRemoteCommand({ cmd: 'exit 0', hostname, port, ...stdioIgnore });
+	} catch (e) {
+		return false;
+	}
+	return true;
+});
+
+/**
+ * Determine whether the given local device (hostname or IP address) should be
+ * accessed as the 'root' user or as a regular cloud user (balenaCloud or
+ * openBalena). Where possible, the root user is preferable because:
+ * - It allows ssh to be used in air-gapped scenarios (no internet access).
+ *   Logging in as a regular user requires the device to fetch public keys from
+ *   the cloud backend.
+ * - Root authentication is significantly faster for local devices (a fraction
+ *   of a second versus 5+ seconds).
+ * - Non-root authentication requires balenaOS v2.44.0 or later, so not (yet)
+ *   universally possible.
+ */
+export const findBestUsernameForDevice = _.memoize(
+	async (hostname: string, port): Promise<string> => {
+		let username: string | undefined;
+		if (await isRootUserGood(hostname, port)) {
+			username = 'root';
+		} else {
+			const { getCachedUsername } = await import('./bootstrap');
+			username = (await getCachedUsername())?.username;
+		}
+		if (!username) {
+			const { stripIndent } = await import('./lazy');
+			throw new ExpectedError(stripIndent`
+				SSH authentication failed for 'root@${hostname}'.
+				Please login with 'balena login' for alternative authentication.`);
+		}
+		return username;
+	},
+);
+
 /**
  * Return a device's balenaOS release by executing 'cat /etc/os-release'
  * over ssh to the given deviceIp address.  The result is cached with
  * lodash's memoize.
  */
-export const getDeviceOsRelease = _.memoize(async (deviceIp: string) =>
-	execBuffered(deviceIp, 'cat /etc/os-release'),
+export const getDeviceOsRelease = _.memoize(async (hostname: string) =>
+	(await getLocalDeviceCmdStdout(hostname, 'cat /etc/os-release')).toString(),
 );
 
-// TODO: consolidate the various forms of executing ssh child processes
-// in the CLI, like exec and spawn, starting with the files:
-//   lib/actions/ssh.ts
-//   lib/utils/ssh.ts
-//   lib/utils/device/ssh.ts
-
-/**
- * Obtain the full path for ssh using which, then spawn a child process.
- * - If the child process returns error code 0, return the function normally
- *   (do not throw an error).
- * - If the child process returns a non-zero error code, set process.exitCode
- *   to that error code, and throw ExpectedError with a warning message.
- * - If the child process is terminated by a process signal, set
- *   process.exitCode = 1, and throw ExpectedError with a warning message.
- */
-export async function spawnSshAndThrowOnError(
-	args: string[],
-	options?: import('child_process').SpawnOptions,
-) {
-	const { whichSpawn } = await import('./which');
-	const [exitCode, exitSignal] = await whichSpawn(
-		'ssh',
-		args,
-		options,
-		true, // returnExitCodeOrSignal
-	);
-	if (exitCode || exitSignal) {
-		// ssh returns a wide range of exit codes, including return codes of
-		// interactive shells. For example, if the user types CTRL-C on an
-		// interactive shell and then `exit`, ssh returns error code 130.
-		// Another example, typing "exit 1" on an interactive shell causes ssh
-		// to return exit code 1. In these cases, print a short one-line warning
-		// message, and exits the CLI process with the same error code.
-		process.exitCode = exitCode;
-		throw new ExpectedError(sshErrorMessage(exitSignal, exitCode));
-	}
-}
-
-function sshErrorMessage(exitSignal?: string, exitCode?: number) {
+function sshErrorMessage(cmd: string, exitSignal?: string, exitCode?: number) {
 	const msg: string[] = [];
+	cmd = cmd ? `Remote command "${cmd}"` : 'Process';
 	if (exitSignal) {
-		msg.push(`Warning: ssh process was terminated with signal "${exitSignal}"`);
+		msg.push(`SSH: ${cmd} terminated with signal "${exitSignal}"`);
 	} else {
-		msg.push(`Warning: ssh process exited with non-zero code "${exitCode}"`);
+		msg.push(`SSH: ${cmd} exited with non-zero status code "${exitCode}"`);
 		switch (exitCode) {
 			case 255:
 				msg.push(`

lib/utils/sudo.ts

@@ -98,7 +98,7 @@ async function spawnAndPipe(
 				resolve();
 			}
 		});
-		if (stderr) {
+		if (stderr && ps.stderr) {
 			ps.stderr.pipe(stderr);
 		}
 	});

lib/utils/update.ts

@@ -1,5 +1,5 @@
 /*
-Copyright 2016-2019 Balena
+Copyright 2016-2022 Balena
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -40,14 +40,35 @@ export function notify() {
 		}
 	}
 	const up = notifier.update;
-	if (
-		up &&
-		(require('semver') as typeof import('semver')).lt(up.current, up.latest)
-	) {
-		notifier.notify({
-			defer: false,
-			message: `Update available ${up.current} → ${up.latest}\n
-https://github.com/balena-io/balena-cli/blob/master/INSTALL.md`,
-		});
+	const message = up && getNotifierMessage(up);
+	if (message) {
+		notifier.notify({ defer: false, message });
 	}
 }
+
+export function getNotifierMessage(updateInfo: UpdateNotifier.UpdateInfo) {
+	const semver = require('semver') as typeof import('semver');
+	const message: string[] = [];
+	const [current, latest] = [updateInfo.current, updateInfo.latest];
+
+	if (semver.lt(current, latest)) {
+		message.push(
+			`Update available ${current} → ${latest}`,
+			'https://github.com/balena-io/balena-cli/blob/master/INSTALL.md',
+		);
+		const currentMajor = semver.major(current);
+		const latestMajor = semver.major(latest);
+		if (currentMajor !== latestMajor) {
+			message.push(
+				'',
+				`Check the v${latestMajor} release notes at:`,
+				getReleaseNotesUrl(latestMajor),
+			);
+		}
+	}
+	return message.join('\n');
+}
+
+function getReleaseNotesUrl(majorVersion: number) {
+	return `https://github.com/balena-io/balena-cli/wiki/CLI-v${majorVersion}-Release-Notes`;
+}

lib/utils/which.ts

@@ -95,52 +95,3 @@ export async function which(
 	}
 	return programPath;
 }
-
-/**
- * Call which(programName) and spawn() with the given arguments.
- *
- * If returnExitCodeOrSignal is true, the returned promise will resolve to
- * an array [code, signal] with the child process exit code number or exit
- * signal string respectively (as provided by the spawn close event).
- *
- * If returnExitCodeOrSignal is false, the returned promise will reject with
- * a custom error if the child process returns a non-zero exit code or a
- * non-empty signal string (as reported by the spawn close event).
- *
- * In either case and if spawn itself emits an error event or fails synchronously,
- * the returned promise will reject with a custom error that includes the error
- * message of spawn's error.
- */
-export async function whichSpawn(
-	programName: string,
-	args: string[],
-	options: import('child_process').SpawnOptions = { stdio: 'inherit' },
-	returnExitCodeOrSignal = false,
-): Promise<[number | undefined, string | undefined]> {
-	const { spawn } = await import('child_process');
-	const program = await which(programName);
-	if (process.env.DEBUG) {
-		console.error(`[debug] [${program}, ${args.join(', ')}]`);
-	}
-	let error: Error | undefined;
-	let exitCode: number | undefined;
-	let exitSignal: string | undefined;
-	try {
-		[exitCode, exitSignal] = await new Promise((resolve, reject) => {
-			spawn(program, args, options)
-				.on('error', reject)
-				.on('close', (code, signal) => resolve([code, signal]));
-		});
-	} catch (err) {
-		error = err;
-	}
-	if (error || (!returnExitCodeOrSignal && (exitCode || exitSignal))) {
-		const msg = [
-			`${programName} failed with exit code=${exitCode} signal=${exitSignal}:`,
-			`[${program}, ${args.join(', ')}]`,
-			...(error ? [`${error}`] : []),
-		];
-		throw new Error(msg.join('\n'));
-	}
-	return [exitCode, exitSignal];
-}

package.json

@@ -1,6 +1,6 @@
 {
   "name": "balena-cli",
-  "version": "13.1.2",
+  "version": "13.4.1",
   "description": "The official balena Command Line Interface",
   "main": "./build/app.js",
   "homepage": "https://github.com/balena-io/balena-cli",
@@ -51,8 +51,9 @@
     "build": "npm run build:src && npm run catch-uncommitted",
     "build:t": "npm run lint && npm run build:fast && npm run build:test",
     "build:src": "npm run lint && npm run build:fast && npm run build:test && npm run build:doc && npm run build:completion",
-    "build:fast": "gulp pages && tsc && npx oclif manifest",
-    "build:test": "tsc -P ./tsconfig.dev.json --noEmit && tsc -P ./tsconfig.js.json --noEmit",
+    "build:pages": "mkdirp ./build/auth/pages/&& inline-source --compress ./lib/auth/pages/error.ejs ./build/auth/pages/error.ejs && inline-source --compress ./lib/auth/pages/success.ejs ./build/auth/pages/success.ejs",
+    "build:fast": "npm run build:pages && tsc && npx oclif manifest",
+    "build:test": "tsc -P ./tsconfig.dev.json --noEmit",
     "build:doc": "ts-node --transpile-only automation/capitanodoc/index.ts > docs/balena-cli.md",
     "build:completion": "node completion/generate-completion.js",
     "build:standalone": "ts-node --transpile-only automation/run.ts build:standalone",
@@ -70,10 +71,9 @@
     "test:only": "npm run build:fast && cross-env BALENA_CLI_TEST_TYPE=source mocha \"tests/**/${npm_config_test}.spec.ts\"",
     "catch-uncommitted": "ts-node --transpile-only automation/run.ts catch-uncommitted",
     "ci": "npm run test && npm run catch-uncommitted",
-    "watch": "gulp watch",
     "lint": "npm run lint-tsconfig && npm run lint-other",
     "lint-tsconfig": "balena-lint -e ts -e js -t tsconfig.dev.json --fix automation/ lib/ tests/ typings/",
-    "lint-other": "balena-lint -e ts -e js --fix bin/balena bin/balena-dev completion/ gulpfile.js .mocharc.js .mocharc-standalone.js",
+    "lint-other": "balena-lint -e ts -e js --fix bin/balena bin/balena-dev completion/ .mocharc.js .mocharc-standalone.js",
     "update": "ts-node --transpile-only ./automation/update-module.ts",
     "prepare": "echo {} > bin/.fast-boot.json",
     "prepublishOnly": "npm run build"
@@ -90,7 +90,7 @@
   "author": "Balena Inc. (https://balena.io/)",
   "license": "Apache-2.0",
   "engines": {
-    "node": ">=12.0.0 <13.0.0",
+    "node": ">=12.8.0 <13.0.0",
     "npm": "<7.0.0"
   },
   "husky": {
@@ -127,7 +127,7 @@
     "@types/chai-as-promised": "^7.1.4",
     "@types/cli-truncate": "^2.0.0",
     "@types/common-tags": "^1.8.1",
-    "@types/dockerode": "^3.3.0",
+    "@types/dockerode": "^3.3.8",
     "@types/ejs": "^3.1.0",
     "@types/express": "^4.17.13",
     "@types/fs-extra": "^9.0.13",
@@ -147,7 +147,7 @@
     "@types/ndjson": "^2.0.1",
     "@types/net-keepalive": "^0.4.1",
     "@types/nock": "^11.1.0",
-    "@types/node": "^10.17.60",
+    "@types/node": "^12.20.42",
     "@types/node-cleanup": "^2.1.2",
     "@types/parse-link-header": "^1.0.1",
     "@types/prettyjson": "^0.0.30",
@@ -155,6 +155,7 @@
     "@types/request": "^2.48.7",
     "@types/rewire": "^2.5.28",
     "@types/rimraf": "^3.0.2",
+    "@types/semver": "^7.3.9",
     "@types/shell-escape": "^0.2.0",
     "@types/sinon": "^10.0.6",
     "@types/split": "^1.0.0",
@@ -174,17 +175,17 @@
     "ent": "^2.2.0",
     "filehound": "^1.17.5",
     "fs-extra": "^9.1.0",
-    "gulp": "^4.0.2",
-    "gulp-inline-source": "^4.0.0",
     "http-proxy": "^1.18.1",
     "husky": "^4.3.8",
+    "inline-source-cli": "^2.0.0",
     "intercept-stdout": "^0.1.2",
     "jsonwebtoken": "^8.5.1",
+    "mkdirp": "^1.0.4",
     "mocha": "^8.4.0",
     "mock-require": "^3.0.3",
     "nock": "^13.2.1",
     "parse-link-header": "^1.0.1",
-    "pkg": "^4.4.9",
+    "pkg": "^5.5.1",
     "publish-release": "^1.6.1",
     "rewire": "^5.0.0",
     "simple-git": "^2.48.0",
@@ -206,7 +207,7 @@
     "balena-errors": "^4.7.1",
     "balena-image-fs": "^7.0.6",
     "balena-image-manager": "^7.1.1",
-    "balena-preload": "^11.0.0",
+    "balena-preload": "^12.0.0",
     "balena-release": "^3.2.0",
     "balena-sdk": "^16.9.0",
     "balena-semver": "^2.3.0",
@@ -223,7 +224,7 @@
     "columnify": "^1.5.2",
     "common-tags": "^1.7.2",
     "denymount": "^2.3.0",
-    "docker-modem": "^3.0.2",
+    "docker-modem": "3.0.0",
     "docker-progress": "^5.0.1",
     "docker-qemu-transpose": "^1.1.1",
     "dockerode": "^3.3.1",
@@ -257,14 +258,14 @@
     "oclif": "^1.18.4",
     "open": "^7.1.0",
     "patch-package": "^6.4.7",
-    "prettyjson": "^1.1.3",
+    "prettyjson": "^1.2.5",
     "progress-stream": "^2.0.0",
     "reconfix": "^1.0.0-v0-1-0-fork-46760acff4d165f5238bfac5e464256ef1944476",
     "request": "^2.88.2",
     "resin-cli-form": "^2.0.2",
     "resin-cli-visuals": "^1.8.0",
     "resin-compose-parse": "^2.1.3",
-    "resin-doodles": "^0.1.1",
+    "resin-doodles": "^0.2.0",
     "resin-multibuild": "^4.12.2",
     "resin-stream-logger": "^0.1.2",
     "rimraf": "^3.0.2",
@@ -287,6 +288,6 @@
     "windosu": "^0.3.0"
   },
   "versionist": {
-    "publishedAt": "2022-01-03T15:32:12.163Z"
+    "publishedAt": "2022-04-11T16:10:47.566Z"
   }
 }

patches/all/pkg+4.4.9.dev.patch

@@ -1,37 +0,0 @@
-diff --git a/node_modules/pkg/lib-es5/packer.js b/node_modules/pkg/lib-es5/packer.js
-index 7295bb6..76805a3 100644
---- a/node_modules/pkg/lib-es5/packer.js
-+++ b/node_modules/pkg/lib-es5/packer.js
-@@ -128,6 +128,7 @@ function _default({
-           const newStat = Object.assign({}, value);
-           newStat.isFileValue = value.isFile();
-           newStat.isDirectoryValue = value.isDirectory();
-+          newStat.isSocketValue = value.isSocket();
-           const buffer = Buffer.from(JSON.stringify(newStat));
-           stripes.push({
-             snap,
-diff --git a/node_modules/pkg/prelude/bootstrap.js b/node_modules/pkg/prelude/bootstrap.js
-index 0d19f1d..db69015 100644
---- a/node_modules/pkg/prelude/bootstrap.js
-+++ b/node_modules/pkg/prelude/bootstrap.js
-@@ -925,8 +925,10 @@ function payloadFileSync (pointer) {
- 
-     var isFileValue = s.isFileValue;
-     var isDirectoryValue = s.isDirectoryValue;
-+    var isSocketValue = s.isSocketValue;
-     delete s.isFileValue;
-     delete s.isDirectoryValue;
-+    delete s.isSocketValue;
- 
-     s.isFile = function () {
-       return isFileValue;
-@@ -934,6 +936,9 @@ function payloadFileSync (pointer) {
-     s.isDirectory = function () {
-       return isDirectoryValue;
-     };
-+    s.isSocket = function () {
-+      return isSocketValue;
-+    };
-     s.isSymbolicLink = function () {
-       return false;
-     };

patches/apply-patches.js

@@ -24,7 +24,10 @@ const { promisify } = require('util');
 const execFileAsync = promisify(execFile);
 const patchesDir = 'patches';
 
-/** Run the patch-package tool in a child process and wait for it to finish */
+/**
+ * Run the patch-package tool in a child process and wait for it to finish
+ * @param {string} patchDir
+ */
 async function patchPackage(patchDir) {
 	// Equivalent to: `npx patch-package --patch-dir $patchDir`
 	const result = await execFileAsync('node', [

tests/commands/ssh.spec.ts

@@ -32,33 +32,53 @@ describe('balena ssh', function () {
 	let hasSshExecutable = false;
 	let mockedExitCode = 0;
 
+	async function mockSpawn({ revert = false } = {}) {
+		const childProcessPath = 'child_process';
+		if (revert) {
+			mock.stop(childProcessPath);
+			mock.reRequire('../../build/utils/ssh');
+			mock.reRequire('../../build/utils/device/ssh');
+			return;
+		}
+		const { EventEmitter } = await import('stream');
+		const childProcessMod = await import(childProcessPath);
+		const originalSpawn = childProcessMod.spawn;
+		mock(childProcessPath, {
+			...childProcessMod,
+			spawn: (program: string, ...args: any[]) => {
+				if (program.includes('ssh')) {
+					const emitter = new EventEmitter();
+					setTimeout(() => emitter.emit('close', mockedExitCode), 1);
+					return emitter;
+				}
+				return originalSpawn(program, ...args);
+			},
+		});
+	}
+
 	this.beforeAll(async function () {
 		hasSshExecutable = await checkSsh();
-		if (hasSshExecutable) {
-			[sshServer, sshServerPort] = await startMockSshServer();
+		if (!hasSshExecutable) {
+			this.skip();
 		}
-		const modPath = '../../build/utils/which';
-		const mod = await import(modPath);
-		mock(modPath, {
-			...mod,
-			whichSpawn: async () => [mockedExitCode, undefined],
-		});
+		[sshServer, sshServerPort] = await startMockSshServer();
+		await mockSpawn();
 	});
 
-	this.afterAll(function () {
+	this.afterAll(async function () {
 		if (sshServer) {
 			sshServer.close();
 			sshServer = undefined;
 		}
-		mock.stopAll();
+		await mockSpawn({ revert: true });
 	});
 
-	this.beforeEach(() => {
+	this.beforeEach(function () {
 		api = new BalenaAPIMock();
 		api.expectGetMixpanel({ optional: true });
 	});
 
-	this.afterEach(() => {
+	this.afterEach(function () {
 		// Check all expected api calls have been made and clean up.
 		api.done();
 	});
@@ -87,7 +107,7 @@ describe('balena ssh', function () {
 		async () => {
 			const deviceUUID = 'abc1234';
 			const expectedErrLines = [
-				'Warning: ssh process exited with non-zero code "255"',
+				'SSH: Remote command "host abc1234" exited with non-zero status code "255"',
 			];
 			api.expectGetWhoAmI({ optional: true, persist: true });
 			api.expectGetDevice({ fullUUID: deviceUUID, isOnline: true });
@@ -99,22 +119,7 @@ describe('balena ssh', function () {
 		},
 	);
 
-	it('should produce the expected error message (real ssh, device IP address)', async function () {
-		if (!hasSshExecutable) {
-			this.skip();
-		}
-		mock.stop('../../build/utils/helpers');
-		const expectedErrLines = [
-			'Warning: ssh process exited with non-zero code "255"',
-		];
-		const { err, out } = await runCommand(
-			`ssh 127.0.0.1 -p ${sshServerPort} --noproxy`,
-		);
-		expect(cleanOutput(err, true)).to.include.members(expectedErrLines);
-		expect(out).to.be.empty;
-	});
-
-	it('should fail if device not online (mocked, device UUID)', async () => {
+	itSS('should fail if device not online (mocked, device UUID)', async () => {
 		const deviceUUID = 'abc1234';
 		const expectedErrLines = ['Device with UUID abc1234 is offline'];
 		api.expectGetWhoAmI({ optional: true, persist: true });
@@ -126,6 +131,19 @@ describe('balena ssh', function () {
 		expect(cleanOutput(err, true)).to.include.members(expectedErrLines);
 		expect(out).to.be.empty;
 	});
+
+	it('should produce the expected error message (real ssh, device IP address)', async function () {
+		await mockSpawn({ revert: true });
+		api.expectGetWhoAmI({ optional: true, persist: true });
+		const expectedErrLines = [
+			'SSH: Process exited with non-zero status code "255"',
+		];
+		const { err, out } = await runCommand(
+			`ssh 127.0.0.1 -p ${sshServerPort} --noproxy`,
+		);
+		expect(cleanOutput(err, true)).to.include.members(expectedErrLines);
+		expect(out).to.be.empty;
+	});
 });
 
 /** Check whether the 'ssh' tool (executable) exists in the PATH */
@@ -159,9 +177,10 @@ async function startMockSshServer(): Promise<[Server, number]> {
 		console.error(`mock ssh server error:\n${err}`);
 	});
 
-	return new Promise<[Server, number]>((resolve, reject) => {
-		// port 0: let the OS allocation any available TCP port number
-		const listener = server.listen(0, '127.0.0.1', (err: Error) => {
+	return await new Promise<[Server, number]>((resolve, reject) => {
+		// TODO: remove 'as any' below. According to @types/node v12.20.42, the
+		// callback type is `() => void`, but our code assumes `(err: Error) => void`
+		const listener = (server.listen as any)(0, '127.0.0.1', (err: Error) => {
 			// this callback is called for the 'listening' event
 			if (err) {
 				console.error(`Error starting mock ssh server:\n${err}`);

tests/deprecation.spec.ts

@@ -141,10 +141,10 @@ describe('DeprecationChecker', function () {
 
 			getStub.resolves(mockCache);
 
-			// Force isTTY to be false (undefined). It happens to be true when
+			// Force isTTY to be false. It happens to be true when
 			// the tests run on balenaCI on macOS and Linux.
 			const originalIsTTY = process.stderr.isTTY;
-			process.stderr.isTTY = undefined;
+			process.stderr.isTTY = false;
 			let result: TestOutput;
 			try {
 				result = await runCommand('version');

tests/nock/proxy-server.ts

@@ -113,7 +113,9 @@ async function createProxyServer(): Promise<[number, number]> {
 	let proxyPort = 0; // TCP port number, 0 means automatic allocation
 
 	await new Promise<void>((resolve, reject) => {
-		const listener = server.listen(0, '127.0.0.1', (err: Error) => {
+		// TODO: remove 'as any' below. According to @types/node v12.20.42, the
+		// callback type is `() => void`, but our code assumes `(err: Error) => void`
+		const listener = (server.listen as any)(0, '127.0.0.1', (err: Error) => {
 			if (err) {
 				console.error(`Error starting proxy server:\n${err}`);
 				reject(err);
@@ -195,7 +197,9 @@ async function createInterceptorServer(): Promise<number> {
 	let interceptorPort = 0;
 
 	await new Promise<void>((resolve, reject) => {
-		const listener = server.listen(0, '127.0.0.1', (err: Error) => {
+		// TODO: remove 'as any' below. According to @types/node v12.20.42, the
+		// callback type is `() => void`, but our code assumes `(err: Error) => void`
+		const listener = (server.listen as any)(0, '127.0.0.1', (err: Error) => {
 			if (err) {
 				console.error(`Error starting interceptor server:\n${err}`);
 				reject(err);

tests/test-data/pkg/expected-warnings-darwin.txt

@@ -24,10 +24,6 @@
   The file must be distributed with executable as %2.
   %1: node_modules/open/xdg-open
   %2: path-to-executable/xdg-open
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules/@ronomon/direct-io/binding.node
-  %2: path-to-executable/binding.node
 > Warning Cannot include file %1 into executable.
   The file must be distributed with executable as %2.
   %1: node_modules/etcher-sdk/node_modules/drivelist/build/Release/drivelist.node
@@ -100,18 +96,6 @@
   The file must be distributed with executable as %2.
   %1: node_modules/drivelist/scripts/win32.bat
   %2: path-to-executable/drivelist/win32.bat
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules/fsevents/fsevents.node
-  %2: path-to-executable/fsevents.node
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules/fsevents/fsevents.node
-  %2: path-to-executable/fsevents.node
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules/xxhash/build/Release/hash.node
-  %2: path-to-executable/hash.node
 > Warning Cannot include file %1 into executable.
   The file must be distributed with executable as %2.
   %1: node_modules/opn/xdg-open

tests/test-data/pkg/expected-warnings-linux.txt

@@ -24,10 +24,6 @@
   The file must be distributed with executable as %2.
   %1: node_modules/open/xdg-open
   %2: path-to-executable/xdg-open
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules/@ronomon/direct-io/binding.node
-  %2: path-to-executable/binding.node
 > Warning Cannot include file %1 into executable.
   The file must be distributed with executable as %2.
   %1: node_modules/etcher-sdk/node_modules/drivelist/build/Release/drivelist.node
@@ -100,10 +96,6 @@
   The file must be distributed with executable as %2.
   %1: node_modules/drivelist/scripts/win32.bat
   %2: path-to-executable/drivelist/win32.bat
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules/xxhash/build/Release/hash.node
-  %2: path-to-executable/hash.node
 > Warning Cannot include file %1 into executable.
   The file must be distributed with executable as %2.
   %1: node_modules/opn/xdg-open

tests/test-data/pkg/expected-warnings-win32.txt

@@ -24,10 +24,6 @@
   The file must be distributed with executable as %2.
   %1: node_modules\open\xdg-open
   %2: path-to-executable/xdg-open
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules\@ronomon\direct-io\binding.node
-  %2: path-to-executable/binding.node
 > Warning Cannot include file %1 into executable.
   The file must be distributed with executable as %2.
   %1: node_modules\etcher-sdk\node_modules\drivelist\build\Release\drivelist.node
@@ -100,10 +96,6 @@
   The file must be distributed with executable as %2.
   %1: node_modules\drivelist\scripts\win32.bat
   %2: path-to-executable/drivelist/win32.bat
-> Warning Cannot include addon %1 into executable.
-  The addon must be distributed with executable as %2.
-  %1: node_modules\xxhash\build\Release\hash.node
-  %2: path-to-executable/hash.node
 > Warning Cannot include file %1 into executable.
   The file must be distributed with executable as %2.
   %1: node_modules\opn\xdg-open

tests/utils/docker.spec.ts

@@ -0,0 +1,137 @@
+/**
+ * @license
+ * Copyright 2022 Balena Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect } from 'chai';
+
+import {
+	DockerConnectionCliFlags,
+	generateConnectOpts,
+	getDefaultDockerModemOpts,
+} from '../../build/utils/docker';
+
+const defaultSocketPath =
+	process.platform === 'win32'
+		? '//./pipe/docker_engine'
+		: '/var/run/docker.sock';
+
+describe('getDefaultDockerModemOpts() function', function () {
+	it('should use a Unix socket when --dockerHost is not used', () => {
+		const cliFlags: DockerConnectionCliFlags = {
+			dockerPort: 2376,
+		};
+		const defaultOps = getDefaultDockerModemOpts(cliFlags);
+		expect(defaultOps).to.deep.include({
+			host: undefined,
+			port: undefined,
+			protocol: 'http',
+			socketPath: defaultSocketPath,
+		});
+	});
+
+	it('should use the HTTP protocol when --dockerPort is 2375', () => {
+		const cliFlags: DockerConnectionCliFlags = {
+			dockerHost: 'foo',
+			dockerPort: 2375,
+		};
+		const defaultOps = getDefaultDockerModemOpts(cliFlags);
+		expect(defaultOps).to.deep.include({
+			host: 'foo',
+			port: '2375',
+			protocol: 'http',
+			socketPath: undefined,
+		});
+	});
+
+	it('should use the HTTPS protocol when --dockerPort is 2376', () => {
+		const cliFlags: DockerConnectionCliFlags = {
+			dockerHost: 'foo',
+			dockerPort: 2376,
+		};
+		const defaultOps = getDefaultDockerModemOpts(cliFlags);
+		expect(defaultOps).to.deep.include({
+			host: 'foo',
+			port: '2376',
+			protocol: 'https',
+			socketPath: undefined,
+		});
+	});
+});
+
+describe('generateConnectOpts() function', function () {
+	it('should use a Unix socket when --docker is used', async () => {
+		const cliFlags: DockerConnectionCliFlags = {
+			docker: 'foo',
+		};
+		const connectOpts = await generateConnectOpts(cliFlags);
+		expect(connectOpts).to.deep.include({
+			protocol: 'http',
+			socketPath: 'foo',
+		});
+		expect(connectOpts).to.not.have.any.keys('host', 'port');
+	});
+
+	it('should use the HTTP protocol when --dockerPort is 2375', async () => {
+		const cliFlags: DockerConnectionCliFlags = {
+			dockerHost: 'foo',
+			dockerPort: 2375,
+		};
+		const connectOpts = await generateConnectOpts(cliFlags);
+		expect(connectOpts).to.deep.include({
+			host: 'foo',
+			port: 2375,
+			protocol: 'http',
+		});
+		expect(connectOpts).to.not.have.any.keys('socketPath');
+	});
+
+	it('should use the HTTPS protocol when --dockerPort is 2376', async () => {
+		const cliFlags: DockerConnectionCliFlags = {
+			dockerHost: 'foo',
+			dockerPort: 2376,
+		};
+		const connectOpts = await generateConnectOpts(cliFlags);
+		expect(connectOpts).to.deep.include({
+			host: 'foo',
+			port: 2376,
+			protocol: 'https',
+		});
+		expect(connectOpts).to.not.have.any.keys('socketPath');
+	});
+
+	it('should use the HTTPS protocol when ca/cert/key are used', async () => {
+		const path = await import('path');
+		const aFile = path.join(
+			__dirname,
+			'../test-data/projects/no-docker-compose/dockerignore1/a.txt',
+		);
+		const cliFlags: DockerConnectionCliFlags = {
+			ca: aFile,
+			cert: aFile,
+			key: aFile,
+		};
+		const connectOpts = await generateConnectOpts(cliFlags);
+		expect(connectOpts).to.deep.include({
+			ca: 'a',
+			cert: 'a',
+			key: 'a',
+			host: undefined,
+			port: undefined,
+			protocol: 'https',
+			socketPath: defaultSocketPath,
+		});
+	});
+});

tests/utils/eol-conversion.spec.ts

@@ -71,7 +71,6 @@ describe('detectEncoding() function', function () {
 			'node_modules/.bin/etcher-image-write',
 			'node_modules/.bin/mocha',
 			'node_modules/.bin/rimraf',
-			'node_modules/.bin/gulp',
 			'node_modules/.bin/tsc',
 			'node_modules/.bin/balena-lint',
 			'node_modules/.bin/catch-uncommitted',

tests/utils/update.spec.ts

@@ -0,0 +1,79 @@
+/**
+ * @license
+ * Copyright 2022 Balena Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { expect } from 'chai';
+import * as stripIndent from 'common-tags/lib/stripIndent';
+
+import { getNotifierMessage } from '../../build/utils/update';
+
+import type { UpdateInfo } from 'update-notifier';
+
+describe('getNotifierMessage() unit test', function () {
+	const template: UpdateInfo = {
+		current: '',
+		latest: '',
+		type: 'latest',
+		name: '',
+	};
+
+	it('should return a simple update message including installation instructions', () => {
+		const mockUpdateInfo = {
+			...template,
+			current: '12.1.1',
+			latest: '12.3.0',
+		};
+		const msg = getNotifierMessage(mockUpdateInfo);
+		expect(msg).to.equal(stripIndent`
+			Update available 12.1.1 → 12.3.0
+			https://github.com/balena-io/balena-cli/blob/master/INSTALL.md`);
+	});
+
+	it('should include a release notes link when a new major version is available', () => {
+		const mockUpdateInfo = {
+			...template,
+			current: '12.1.1',
+			latest: '13.3.0',
+		};
+		const msg = getNotifierMessage(mockUpdateInfo);
+		expect(msg).to.equal(stripIndent`
+			Update available 12.1.1 → 13.3.0
+			https://github.com/balena-io/balena-cli/blob/master/INSTALL.md
+
+			Check the v13 release notes at:
+			https://github.com/balena-io/balena-cli/wiki/CLI-v13-Release-Notes`);
+	});
+
+	it('should return an empty string if no updates are available', () => {
+		const mockUpdateInfo = {
+			...template,
+			current: '12.1.1',
+			latest: '12.1.1',
+		};
+		const msg = getNotifierMessage(mockUpdateInfo);
+		expect(msg).to.equal('');
+	});
+
+	it('should return an empty string if no updates are available', () => {
+		const mockUpdateInfo = {
+			...template,
+			current: '14.1.1',
+			latest: '12.1.1',
+		};
+		const msg = getNotifierMessage(mockUpdateInfo);
+		expect(msg).to.equal('');
+	});
+});

tsconfig.dev.json

@@ -1,11 +1,14 @@
 {
 	"extends": "./tsconfig.json",
+	"compilerOptions": {
+		"allowJs": true,
+		"checkJs": true
+	},
 	"include": [
 		"./automation/**/*",
 		"./lib/**/*",
 		"./patches/*",
 		"./tests/**/*",
-		"./typings/**/*",
-		"gulpfile.js"
+		"./typings/**/*"
 	]
 }

tsconfig.js.json

@@ -1,7 +0,0 @@
-{
-	"extends": "./tsconfig.dev.json",
-	"compilerOptions": {
-		"noImplicitAny": false,
-		"checkJs": true
-	}
-}

tsconfig.json

@@ -18,8 +18,7 @@
 			"./node_modules/etcher-sdk/typings",
 			"./typings"
 		],
-		"preserveSymlinks": true,
-		"allowJs": true
+		"preserveSymlinks": true
 	},
 	"include": [
 		"./lib/**/*",

typings/common-tags/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * @license
+ * Copyright 2022 Balena Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+declare module 'common-tags/lib/stripIndent' {
+	import { stripIndent } from 'common-tags';
+
+	export = stripIndent;
+}