From 7466552d79e1f97a602e96882e4ce344a944f0cc Mon Sep 17 00:00:00 2001 From: Jordan Tucker Date: Mon, 21 Mar 2022 11:00:34 -0500 Subject: [PATCH 1/3] fix: remove minimist --- CHANGELOG.md | 3 + lib/cli.js | 90 +++++++++++++++++++++--------- package-lock.json | 3 +- package.json | 3 - test/cli.js | 139 +++++++++++++++++++++++++++++++++++++++++++--- 5 files changed, 201 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5b9aa0d2..cb0e0096 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ### Unreleased [[code][c-unreleased], [diff][d-unreleased]] +- Fix: Remove dependence on minimist to patch CVE-2021-44906. ([#266]) + [c-unreleased]: https://github.com/json5/json5/tree/master [d-unreleased]: https://github.com/json5/json5/compare/v2.2.0...HEAD @@ -360,3 +362,4 @@ parser for the regular JSON format. [#229]: https://github.com/json5/json5/issues/229 [#236]: https://github.com/json5/json5/issues/236 [#244]: https://github.com/json5/json5/issues/244 +[#266]: https://github.com/json5/json5/issues/266 diff --git a/lib/cli.js b/lib/cli.js index de852f15..93cb8092 100644 --- a/lib/cli.js +++ b/lib/cli.js @@ -2,37 +2,17 @@ const fs = require('fs') const path = require('path') -const minimist = require('minimist') const pkg = require('../package.json') const JSON5 = require('./') -const argv = minimist(process.argv.slice(2), { - alias: { - 'convert': 'c', - 'space': 's', - 'validate': 'v', - 'out-file': 'o', - 'version': 'V', - 'help': 'h', - }, - boolean: [ - 'convert', - 'validate', - 'version', - 'help', - ], - string: [ - 'space', - 'out-file', - ], -}) +const argv = parseArgs() if (argv.version) { version() } else if (argv.help) { usage() } else { - const inFilename = argv._[0] + const inFilename = argv.defaults[0] let readStream if (inFilename) { 
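Review bot: minimist 1.2.5 stays installed after this change: the `package-lock.json` hunk only marks the entry `"dev": true`, so removing `require('minimist')` here takes the parser out of the published CLI but not out of contributor and CI installs. Presumably a devDependency still pulls it in transitively; it is worth confirming which one and moving it to a minimist release that carries the CVE-2021-44906 fix, or stating in the CHANGELOG that only the runtime dependency was dropped. Separately, `argv.defaults[0]` reads like a default value rather than the first positional argument; a name such as `positionals` would say what the array holds. The enclosing `else` block continues outside the hunk.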
@@ -65,7 +45,7 @@ if (argv.version) { // --convert is for backward compatibility with v0.5.1. If // specified with and not --out-file, then a file with // the same name but with a .json extension will be written. - if (argv.convert && inFilename && !argv.o) { + if (argv.convert && inFilename && !argv.outFile) { const parsedFilename = path.parse(inFilename) const outFilename = path.format( Object.assign( @@ -75,8 +55,8 @@ if (argv.version) { ) writeStream = fs.createWriteStream(outFilename) - } else if (argv.o) { - writeStream = fs.createWriteStream(argv.o) + } else if (argv.outFile) { + writeStream = fs.createWriteStream(argv.outFile) } else { writeStream = process.stdout } @@ -90,6 +70,66 @@ if (argv.version) { }) } +function parseArgs () { + let convert + let space + let validate + let outFile + let version + let help + const defaults = [] + + const args = process.argv.slice(2) + for (let i = 0; i < args.length; i++) { + const arg = args[i] + switch (arg) { + case '--convert': + case '-c': + convert = true + break + + case '--space': + case '-s': + space = args[++i] + break + + case '--validate': + case '-v': + validate = true + break + + case '--out-file': + case '-o': + outFile = args[++i] + break + + case '--version': + case '-V': + version = true + break + + case '--help': + case '-h': + help = true + break + + default: + defaults.push(arg) + break + } + } + + return { + convert, + space, + validate, + outFile, + version, + help, + defaults, + } +} + function version () { console.log(pkg.version) } diff --git a/package-lock.json b/package-lock.json index 56c0f4de..972a303d 100644 --- a/package-lock.json +++ b/package-lock.json 
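Review bot: In `parseArgs` (hunk `@@ -90,6 +70,66 @@`), the `default:` branch treats every unmatched argument as a positional, so forms the previous parser accepted, such as `--out-file=out.json`, `-s4` or a bundled `-cv`, are now pushed onto `defaults`. As the first argument they become the input filename, and in any later position they appear to be dropped silently, since the visible code only reads `argv.defaults[0]`; output then goes to stdout instead of the requested file. The two value options also take `args[++i]` unchecked, so a trailing `--space` or `--out-file` yields `undefined` with no message, and `-o -v` uses `-v` as the output path. I would reject anything that still looks like an option and require a value for `-s`/`-o`, as sketched below; whether a non-zero exit is the right failure mode should be checked against how the rest of cli.js reports errors. Keeping the parser to a fixed set of locals, with no property names derived from arguments, is the right shape for this fix and the sketch preserves it.

```javascript
// … unchanged: declarations and the --convert, --validate, --version, --help cases …

        case '--space':
        case '-s':
            space = takeValue(arg, args[++i])
            break

        case '--out-file':
        case '-o':
            outFile = takeValue(arg, args[++i])
            break

        default:
            // Still option-shaped here means no case above matched it
            // (`--out-file=x`, `-s4`, `-cv`, a typo); do not use it as a filename.
            if (arg.length > 1 && arg[0] === '-') {
                fail('unknown option ' + arg)
            }
            defaults.push(arg)
            break

// … unchanged: return object …

function takeValue (option, value) {
    // A missing value, or the next option standing in for one, is a usage error.
    if (value === undefined || (value.length > 1 && value[0] === '-')) {
        fail('option ' + option + ' requires a value')
    }
    return value
}

function fail (message) {
    console.error('json5: ' + message)
    process.exit(1)
}
```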
@@ -2184,7 +2184,8 @@ "minimist": { "version": "1.2.5", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz", - "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==" + "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", + "dev": true }, "minipass": { "version": "2.3.5", diff --git a/package.json b/package.json index 31c43e5f..f33153b1 100644 --- a/package.json +++ b/package.json @@ -48,9 +48,6 @@ "url": "https://github.com/json5/json5/issues" }, "homepage": "http://json5.org/", - "dependencies": { - "minimist": "^1.2.5" - }, "devDependencies": { "core-js": "^2.6.5", "eslint": "^5.15.3", diff --git a/test/cli.js b/test/cli.js index 8ddef73a..c52dd926 100644 --- a/test/cli.js +++ b/test/cli.js @@ -43,7 +43,7 @@ tap.test('CLI', t => { }) }) - t.test('indents output with the number of spaces specified', t => { + t.test('indents output with the number of spaces specified with -s', t => { const proc = child.spawn( process.execPath, [ @@ -65,7 +65,29 @@ tap.test('CLI', t => { }) }) - t.test('indents output with tabs when specified', t => { + t.test('indents output with the number of spaces specified with --space', t => { + const proc = child.spawn( + process.execPath, + [ + cliPath, + path.resolve(__dirname, 'test.json5'), + '--space', + '4', + ] + ) + + let output = '' + proc.stdout.on('data', data => { + output += data + }) + + proc.stdout.on('end', () => { + assert.strictEqual(output, '{\n "a": 1,\n "b": 2\n}') + t.end() + }) + }) + + t.test('indents output with tabs when specified with -s', t => { const proc = child.spawn( process.execPath, [ @@ -87,7 +109,7 @@ tap.test('CLI', t => { }) }) - t.test('outputs to the specified file', t => { + t.test('outputs to the specified file with -o', t => { const proc = child.spawn( process.execPath, [ 
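Review bot: The new `--space` case in the `@@ -65,7 +65,29 @@` hunk of test/cli.js, like the other long-option cases added in this file, only exercises the separated `--option value` form with the value present. Nothing pins what the hand-written parser in lib/cli.js does with `--space=4`, with `--space` or `--out-file` as the last argument, or with an unknown option, which are the inputs where its behaviour can differ from the parser it replaces. A few negative cases that assert the intended outcome through `proc.on('exit', code => …)` would make that behaviour a decision rather than an accident. `--validate` is likewise only tested against a valid file; the invalid-file case still uses `-v` alone.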
@@ -116,7 +138,36 @@ tap.test('CLI', t => { }) }) - t.test('validates valid JSON5 files', t => { + t.test('outputs to the specified file with --out-file', t => { + const proc = child.spawn( + process.execPath, + [ + cliPath, + path.resolve(__dirname, 'test.json5'), + '--out-file', + path.resolve(__dirname, 'output.json'), + ] + ) + + proc.on('exit', () => { + assert.strictEqual( + fs.readFileSync( + path.resolve(__dirname, 'output.json'), + 'utf8' + ), + '{"a":1,"b":2}' + ) + t.end() + }) + + t.tearDown(() => { + try { + fs.unlinkSync(path.resolve(__dirname, 'output.json')) + } catch (err) {} + }) + }) + + t.test('validates valid JSON5 files with -v', t => { const proc = child.spawn( process.execPath, [ @@ -132,7 +183,23 @@ tap.test('CLI', t => { }) }) - t.test('validates invalid JSON5 files', t => { + t.test('validates valid JSON5 files with --validate', t => { + const proc = child.spawn( + process.execPath, + [ + cliPath, + path.resolve(__dirname, 'test.json5'), + '--validate', + ] + ) + + proc.on('exit', code => { + assert.strictEqual(code, 0) + t.end() + }) + }) + + t.test('validates invalid JSON5 files with -v', t => { const proc = child.spawn( process.execPath, [ @@ -157,7 +224,7 @@ tap.test('CLI', t => { }) }) - t.test('outputs the version number when specified', t => { + t.test('outputs the version number when specified with -V', t => { const proc = child.spawn(process.execPath, [cliPath, '-V']) let output = '' 
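Review bot: The `--out-file` test added in `@@ -116,7 +138,36 @@` writes to the same `output.json` as the existing `-o` test and cleans up with `catch (err) {}`, so if the earlier unlink ever fails silently the stale file already holds `{"a":1,"b":2}` and this test passes even when `--out-file` is not parsed at all. The same applies to the `--convert` test in `@@ -213,5 +308,33 @@`, which shares `test.json` with the `-c` test. The `exit` handlers also ignore the exit code, so a CLI failure surfaces as an `ENOENT` thrown from `readFileSync` inside an event handler rather than as a failed assertion. I would take `code` in the handler and add `assert.strictEqual(code, 0)` before reading the file, and give each test its own output name where the option allows it (for example `output-long.json`, a name made up for this note).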
@@ -171,7 +238,21 @@ tap.test('CLI', t => { }) }) - t.test('outputs usage information when specified', t => { + t.test('outputs the version number when specified with --version', t => { + const proc = child.spawn(process.execPath, [cliPath, '--version']) + + let output = '' + proc.stdout.on('data', data => { + output += data + }) + + proc.stdout.on('end', () => { + assert.strictEqual(output, pkg.version + '\n') + t.end() + }) + }) + + t.test('outputs usage information when specified with -h', t => { const proc = child.spawn(process.execPath, [cliPath, '-h']) let output = '' @@ -185,7 +266,21 @@ tap.test('CLI', t => { }) }) - t.test('is backward compatible with v0.5.1', t => { + t.test('outputs usage information when specified with --help', t => { + const proc = child.spawn(process.execPath, [cliPath, '--help']) + + let output = '' + proc.stdout.on('data', data => { + output += data + }) + + proc.stdout.on('end', () => { + assert(/Usage/.test(output)) + t.end() + }) + }) + + t.test('is backward compatible with v0.5.1 with -c', t => { const proc = child.spawn( process.execPath, [ @@ -213,5 +308,33 @@ tap.test('CLI', t => { }) }) + t.test('is backward compatible with v0.5.1 with --convert', t => { + const proc = child.spawn( + process.execPath, + [ + cliPath, + '--convert', + path.resolve(__dirname, 'test.json5'), + ] + ) + + proc.on('exit', () => { + assert.strictEqual( + fs.readFileSync( + path.resolve(__dirname, 'test.json'), + 'utf8' + ), + '{"a":1,"b":2}' + ) + t.end() + }) + + t.tearDown(() => { + try { + fs.unlinkSync(path.resolve(__dirname, 'test.json')) + } catch (err) {} + }) + }) + t.end() }) From 905e17ae04f3bc6b6293b27a30034373ac6e2347 Mon Sep 17 00:00:00 2001 From: Jordan Tucker Date: Mon, 21 Mar 2022 11:28:11 -0500 Subject: [PATCH 2/3] docs: update CHANGELOG for v2.2.1 --- CHANGELOG.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cb0e0096..06688a3f 100644 --- a/CHANGELOG.md 
+++ b/CHANGELOG.md @@ -1,10 +1,15 @@ ### Unreleased [[code][c-unreleased], [diff][d-unreleased]] -- Fix: Remove dependence on minimist to patch CVE-2021-44906. ([#266]) - [c-unreleased]: https://github.com/json5/json5/tree/master [d-unreleased]: https://github.com/json5/json5/compare/v2.2.0...HEAD +### v2.2.1 [[code][c2.2.1], [diff][d2.2.1]] + +[c2.2.1]: https://github.com/json5/json5/tree/v2.2.1 +[d2.2.1]: https://github.com/json5/json5/compare/v2.2.0...v2.2.1 + +- Fix: Removed dependence on minimist to patch CVE-2021-44906. ([#266]) + ### v2.2.0 [[code][c2.2.0], [diff][d2.2.0]] [c2.2.0]: https://github.com/json5/json5/tree/v2.2.0 From 502da86f8e8e2168e301dc5157919935082d0f7b Mon Sep 17 00:00:00 2001 From: Jordan Tucker Date: Mon, 21 Mar 2022 11:30:35 -0500 Subject: [PATCH 3/3] 2.2.1 --- package-lock.json | 2 +- package.json | 2 +- package.json5 | 5 +---- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index 972a303d..c4e0207d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "json5", - "version": "2.2.0", + "version": "2.2.1", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index f33153b1..ec68d1c5 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "json5", - "version": "2.2.0", + "version": "2.2.1", "description": "JSON for humans.", "main": "lib/index.js", "module": "dist/index.mjs", diff --git a/package.json5 b/package.json5 index afcfbe26..2bbfb413 100644 --- a/package.json5 +++ b/package.json5 @@ -1,7 +1,7 @@ // This is a generated file. Do not edit. { name: 'json5', - version: '2.2.0', + version: '2.2.1', description: 'JSON for humans.', main: 'lib/index.js', module: 'dist/index.mjs', @@ -49,9 +49,6 @@ url: 'https://github.com/json5/json5/issues', }, homepage: 'http://json5.org/', - dependencies: { - minimist: '^1.2.5', - }, devDependencies: { 'core-js': '^2.6.5', eslint: '^5.15.3',