feat: remove latest-version dependency (#8035)

* feat: remove latest-version dependency * fix:mock * chore: add changeset
dotansimha · Jul 5, 2022 · e7870ac · e7870ac · vercel · Jul 5, 2022
1 parent 28f8346
commit e7870ac
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 233 deletions.
diff --git a/.changeset/nine-llamas-bathe.md b/.changeset/nine-llamas-bathe.md
@@ -0,0 +1,5 @@
+---
+'@graphql-codegen/cli': patch
+---
+
+Fix security vulnerability by removing `latest-version` dependency.
diff --git a/packages/graphql-codegen-cli/package.json b/packages/graphql-codegen-cli/package.json
@@ -58,13 +58,13 @@
     "chokidar": "^3.5.2",
     "common-tags": "^1.8.0",
     "cosmiconfig": "^7.0.0",
+    "cross-undici-fetch": "^0.4.11",
     "debounce": "^1.2.0",
     "detect-indent": "^6.0.0",
     "graphql-config": "^4.3.1",
     "inquirer": "^8.0.0",
     "is-glob": "^4.0.1",
     "json-to-pretty-yaml": "^1.2.2",
-    "latest-version": "5.1.0",
     "listr": "^0.14.3",
     "listr-update-renderer": "^0.5.0",
     "log-symbols": "^4.0.0",

diff --git a/packages/graphql-codegen-cli/src/init/helpers.ts b/packages/graphql-codegen-cli/src/init/helpers.ts
@@ -4,7 +4,7 @@ import { writeFileSync, readFileSync } from 'fs';
 import { Types } from '@graphql-codegen/plugin-helpers';
 import detectIndent from 'detect-indent';
 import { Answers } from './types.js';
-import getLatestVersion from 'latest-version';
+import { getLatestVersion } from '../utils/get-latest-version.js';
 
 // Parses config and writes it to a file
 export async function writeConfig(answers: Answers, config: Types.Config) {

diff --git a/packages/graphql-codegen-cli/src/utils/get-latest-version.ts b/packages/graphql-codegen-cli/src/utils/get-latest-version.ts
@@ -0,0 +1,12 @@
+import { fetch } from 'cross-undici-fetch';
+
+/**
+ * Fetches the version directly from the registry instead of depending on
+ * an ESM only module as latest-version does.
+ * @param packageName
+ */
+export async function getLatestVersion(packageName: string): Promise<string> {
+  return fetch(`https://unpkg.com/${packageName}/package.json`)
+    .then(res => res.json())
+    .then(pkg => pkg.version);
+}
diff --git a/packages/graphql-codegen-cli/tests/init.spec.ts b/packages/graphql-codegen-cli/tests/init.spec.ts
@@ -1,5 +1,5 @@
-jest.mock('latest-version', () => {
-  return () => Promise.resolve('1.0.0');
+jest.mock('../src/utils/get-latest-version.ts', () => {
+  return { getLatestVersion: () => Promise.resolve('1.0.0') };
 });
 
 import bddStdin from 'bdd-stdin';