fix: fix semver vulnerability (#1071)

fixes #1019

packages/conventional-changelog-cli/cli.js → packages/conventional-changelog-cli/cli.mjs

@@ -1,12 +1,19 @@
 #!/usr/bin/env node
-'use strict'
-
-const addStream = require('add-stream')
-const conventionalChangelog = require('conventional-changelog')
-const fs = require('fs')
-const meow = require('meow')
-const tempfile = require('tempfile')
-const resolve = require('path').resolve
+import { resolve } from 'path'
+import { pathToFileURL } from 'url'
+import {
+  createReadStream,
+  createWriteStream
+} from 'fs'
+import { readFile } from 'fs/promises'
+import addStream from 'add-stream'
+import tempfile from 'tempfile'
+import meow from 'meow'
+import conventionalChangelog from 'conventional-changelog'
+
+function relativeResolve (filePath) {
+  return pathToFileURL(resolve(process.cwd(), filePath))
+}
 
 const cli = meow(`
     Usage
@@ -51,61 +58,62 @@ const cli = meow(`
       -t, --tag-prefix          Tag prefix to consider when reading the tags
       --commit-path             Generate a changelog scoped to a specific directory
 `, {
+  importMeta: import.meta,
   booleanDefault: undefined,
   flags: {
     infile: {
-      alias: 'i',
+      shortFlag: 'i',
       type: 'string'
     },
     outfile: {
-      alias: 'o',
+      shortFlag: 'o',
       type: 'string'
     },
-    'same-file': {
-      alias: 's',
+    sameFile: {
+      shortFlag: 's',
       type: 'boolean'
     },
     preset: {
-      alias: 'p',
+      shortFlag: 'p',
       type: 'string'
     },
     pkg: {
-      alias: 'k',
+      shortFlag: 'k',
       type: 'string'
     },
     append: {
-      alias: 'a',
+      shortFlag: 'a',
       type: 'boolean'
     },
-    'release-count': {
-      alias: 'r',
+    releaseCount: {
+      shortFlag: 'r',
       type: 'number'
     },
-    'skip-unstable': {
+    skipUnstable: {
       type: 'boolean'
     },
-    'output-unreleased': {
-      alias: 'u',
+    outputUnreleased: {
+      shortFlag: 'u',
       type: 'boolean'
     },
     verbose: {
-      alias: 'v',
+      shortFlag: 'v',
       type: 'boolean'
     },
     config: {
-      alias: 'n',
+      shortFlag: 'n',
       type: 'string'
     },
     context: {
-      alias: 'c',
+      shortFlag: 'c',
       type: 'string'
     },
-    'lerna-package': {
-      alias: 'l',
+    lernaPackage: {
+      shortFlag: 'l',
       type: 'string'
     },
-    'tag-prefix': {
-      alias: 't',
+    tagPrefix: {
+      shortFlag: 't',
       type: 'string'
     }
   }
@@ -136,9 +144,9 @@ let options = {
   pkg: {
     path: flags.pkg
   },
-  append: append,
-  releaseCount: releaseCount,
-  skipUnstable: skipUnstable,
+  append,
+  releaseCount,
+  skipUnstable,
   outputUnreleased: flags.outputUnreleased,
   lernaPackage: flags.lernaPackage,
   tagPrefix: flags.tagPrefix
@@ -155,11 +163,11 @@ let outStream
 
 try {
   if (flags.context) {
-    templateContext = require(resolve(process.cwd(), flags.context))
+    templateContext = JSON.parse(await readFile(relativeResolve(flags.context), 'utf8'))
   }
 
   if (flags.config) {
-    config = require(resolve(process.cwd(), flags.config))
+    config = (await import(relativeResolve(flags.config))).default
     options.config = config
 
     if (config.options) {
@@ -186,7 +194,7 @@ const gitRawCommitsOpts = {
 if (flags.commitPath) gitRawCommitsOpts.path = flags.commitPath
 
 const changelogStream = conventionalChangelog(options, templateContext, gitRawCommitsOpts, config.parserOpts, config.writerOpts)
-  .on('error', function (err) {
+  .on('error', (err) => {
     if (flags.verbose) {
       console.error(err.stack)
     } else {
@@ -197,7 +205,7 @@ const changelogStream = conventionalChangelog(options, templateContext, gitRawCo
 
 function noInputFile () {
   if (outfile) {
-    outStream = fs.createWriteStream(outfile)
+    outStream = createWriteStream(outfile)
   } else {
     outStream = process.stdout
   }
@@ -207,8 +215,8 @@ function noInputFile () {
 }
 
 if (infile && releaseCount !== 0) {
-  const readStream = fs.createReadStream(infile)
-    .on('error', function () {
+  const readStream = createReadStream(infile)
+    .on('error', () => {
       if (flags.verbose) {
         console.warn('infile does not exist.')
       }
@@ -221,23 +229,23 @@ if (infile && releaseCount !== 0) {
   if (sameFile) {
     if (options.append) {
       changelogStream
-        .pipe(fs.createWriteStream(outfile, {
+        .pipe(createWriteStream(outfile, {
           flags: 'a'
         }))
     } else {
       const tmp = tempfile()
 
       changelogStream
         .pipe(addStream(readStream))
-        .pipe(fs.createWriteStream(tmp))
-        .on('finish', function () {
-          fs.createReadStream(tmp)
-            .pipe(fs.createWriteStream(outfile))
+        .pipe(createWriteStream(tmp))
+        .on('finish', () => {
+          createReadStream(tmp)
+            .pipe(createWriteStream(outfile))
         })
     }
   } else {
     if (outfile) {
-      outStream = fs.createWriteStream(outfile)
+      outStream = createWriteStream(outfile)
     } else {
       outStream = process.stdout
     }

packages/conventional-changelog-cli/package.json

@@ -16,10 +16,10 @@
     "url": "https://github.com/stevemao"
   },
   "bin": {
-    "conventional-changelog": "cli.js"
+    "conventional-changelog": "cli.mjs"
   },
   "files": [
-    "cli.js"
+    "cli.mjs"
   ],
   "keywords": [
     "cli",
@@ -35,7 +35,7 @@
   "dependencies": {
     "add-stream": "^1.0.0",
     "conventional-changelog": "^4.0.0",
-    "meow": "^8.1.2",
+    "meow": "^12.0.1",
     "tempfile": "^3.0.0"
   },
   "scripts": {

packages/conventional-changelog-cli/test/index.spec.js

@@ -2,7 +2,7 @@ import { describe, beforeAll, afterAll, it, expect } from 'vitest'
 import path from 'path'
 import { TestTools } from '../../../tools/test-tools'
 
-const CLI_PATH = path.join(__dirname, '../cli.js')
+const CLI_PATH = path.join(__dirname, '../cli.mjs')
 const FIXTURE_CHANGELOG_PATH = path.join(__dirname, 'fixtures/_CHANGELOG.md')
 let testTools
 

packages/conventional-changelog-core/lib/merge-config.js

@@ -1,4 +1,5 @@
 'use strict'
+const fs = require('fs/promises')
 const dateFormat = require('dateformat')
 const getPkgRepo = require('get-pkg-repo')
 const gitSemverTags = require('git-semver-tags')
@@ -9,8 +10,6 @@ try {
 } catch (err) {
   gitRemoteOriginUrl = () => Promise.reject(err)
 }
-const readPkg = require('read-pkg')
-const readPkgUp = require('read-pkg-up')
 const { URL } = require('url')
 
 const rhosts = /github|bitbucket|gitlab/i
@@ -117,9 +116,17 @@ async function mergeConfig (options, context, gitRawCommitsOpts, parserOpts, wri
 
   if (options.pkg) {
     if (options.pkg.path) {
-      pkgPromise = Promise.resolve(readPkg(options.pkg.path))
+      pkgPromise = import('read-pkg').then(async ({ parsePackage }) => {
+        const json = await fs.readFile(options.pkg.path, 'utf-8')
+
+        return parsePackage(json)
+      })
     } else {
-      pkgPromise = Promise.resolve(readPkgUp({ cwd: options.cwd }))
+      pkgPromise = import('read-pkg-up').then(async ({ readPackageUp }) => {
+        const { packageJson } = await readPackageUp({ cwd: options.cwd })
+
+        return packageJson
+      })
     }
   }
 
@@ -163,12 +170,7 @@ async function mergeConfig (options, context, gitRawCommitsOpts, parserOpts, wri
 
   if (options.pkg) {
     if (pkgObj.status === 'fulfilled') {
-      if (options.pkg.path) {
-        pkg = pkgObj.value
-      } else {
-        pkg = pkgObj.value.pkg || {}
-      }
-
+      pkg = pkgObj.value || {}
       pkg = options.pkg.transform(pkg)
     } else if (options.pkg.path) {
       options.warn(pkgObj.reason.toString())

packages/conventional-changelog-core/package.json

@@ -35,8 +35,8 @@
     "git-remote-origin-url": "^2.0.0",
     "git-semver-tags": "^5.0.0",
     "normalize-package-data": "^5.0.0",
-    "read-pkg": "^3.0.0",
-    "read-pkg-up": "^3.0.0"
+    "read-pkg": "^8.0.0",
+    "read-pkg-up": "^10.0.0"
   },
   "scripts": {
     "test-windows": "mocha --timeout 30000"

packages/conventional-changelog-writer/cli.js → packages/conventional-changelog-writer/cli.mjs

@@ -1,10 +1,15 @@
 #!/usr/bin/env node
-'use strict'
-const conventionalChangelogWriter = require('./')
-const fs = require('fs')
-const meow = require('meow')
-const path = require('path')
-const split = require('split')
+import { resolve } from 'path'
+import { pathToFileURL } from 'url'
+import { createReadStream } from 'fs'
+import { readFile } from 'fs/promises'
+import split from 'split'
+import meow from 'meow'
+import conventionalChangelogWriter from './index.js'
+
+function relativeResolve (filePath) {
+  return pathToFileURL(resolve(process.cwd(), filePath))
+}
 
 const cli = meow(`
     Usage
@@ -19,13 +24,14 @@ const cli = meow(`
       -c, --context    A filepath of a json that is used to define template variables
       -o, --options    A filepath of a javascript object that is used to define options
 `, {
+  importMeta: import.meta,
   flags: {
     context: {
-      alias: 'c',
+      shortFlag: 'c',
       type: 'string'
     },
     options: {
-      alias: 'o',
+      shortFlag: 'o',
       type: 'string'
     }
   }
@@ -39,7 +45,7 @@ let templateContext
 const contextPath = flags.context
 if (contextPath) {
   try {
-    templateContext = require(path.resolve(process.cwd(), contextPath))
+    templateContext = JSON.parse(await readFile(relativeResolve(contextPath), 'utf8'))
   } catch (err) {
     console.error('Failed to get context from file ' + contextPath + '\n' + err)
     process.exit(1)
@@ -50,7 +56,7 @@ let options
 const optionsPath = flags.options
 if (optionsPath) {
   try {
-    options = require(path.resolve(process.cwd(), optionsPath))
+    options = (await import(relativeResolve(optionsPath))).default
   } catch (err) {
     console.error('Failed to get options from file ' + optionsPath + '\n' + err)
     process.exit(1)
@@ -67,25 +73,25 @@ try {
 
 function processFile (fileIndex) {
   const filePath = filePaths[fileIndex]
-  fs.createReadStream(filePath)
-    .on('error', function (err) {
+  createReadStream(filePath)
+    .on('error', (err) => {
       console.warn('Failed to read file ' + filePath + '\n' + err)
       if (++fileIndex < length) {
         processFile(fileIndex)
       }
     })
     .pipe(split(JSON.parse))
-    .on('error', function (err) {
+    .on('error', (err) => {
       console.warn('Failed to split commits in file ' + filePath + '\n' + err)
     })
     .pipe(stream)
-    .on('error', function (err) {
+    .on('error', (err) => {
       console.warn('Failed to process file ' + filePath + '\n' + err)
       if (++fileIndex < length) {
         processFile(fileIndex)
       }
     })
-    .on('end', function () {
+    .on('end', () => {
       if (++fileIndex < length) {
         processFile(fileIndex)
       }
@@ -96,12 +102,12 @@ function processFile (fileIndex) {
 if (!process.stdin.isTTY) {
   process.stdin
     .pipe(split(JSON.parse))
-    .on('error', function (err) {
+    .on('error', (err) => {
       console.error('Failed to split commits\n' + err)
       process.exit(1)
     })
     .pipe(stream)
-    .on('error', function (err) {
+    .on('error', (err) => {
       console.error('Failed to process file\n' + err)
       process.exit(1)
     })