Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix getting npm version through CLI #99

Merged
merged 1 commit into from
Sep 2, 2024
Merged

Fix getting npm version through CLI #99

merged 1 commit into from
Sep 2, 2024

Conversation

ericcornelissen
Copy link
Contributor

Followup to #86
Closes #98

Update the logic to get the npm version from the npm CLI to use the synchronous version of exec, execSync, to ensure the output can be read correctly. In the previous implementation the output would not be read correctly, leading to the comparison at handleInput.ts:14 always evaluating to false and '--omit=dev' always being used.

@jeemok
Copy link
Owner

jeemok commented Aug 29, 2024

thanks @ericcornelissen! now that is actually working the test is failing due to older npm version in certain builds. Do you mind to update the test file at /test/handlers/flags.test.ts:

import semver from 'semver';
import { getNpmVersion } from '../../src/utils/npm';

...

describe('--production', () => {
    it('should be able to set production mode from the command flag correctly', () => {
      const callbackStub = sinon.stub();
      const options = { production: true };
      const npmVersion = getNpmVersion();
      const flag = semver.satisfies(npmVersion, '<=8.13.2') ? '--production' : '--omit=dev';
      const auditCommand = `npm audit ${flag}`;
      const auditLevel = 'info';
      const exceptionIds: string[] = [];

      expect(callbackStub.called).to.equal(false);
      handleInput(options, callbackStub);
      expect(callbackStub.called).to.equal(true);
      expect(callbackStub.calledWith(auditCommand, auditLevel, exceptionIds)).to.equal(true);
    });
  });

Update the logic to get the npm version from the npm CLI to use the
synchronous version of `exec`, `execSync`, to ensure the output can be
read correctly. In the previous implementation the output would not be
read correctly, leading to the comparison at `handleInput.ts:14` always
evaluating to false and `'--omit=dev'` always being used.
@ericcornelissen
Copy link
Contributor Author

now that is actually working the test is failing due to older npm version in certain builds. Do you mind to update the test file at /test/handlers/flags.test.ts:

Updated, thank you for the suggested change :) Tested it locally with Node.js v14 and the tests pass after the last change

@jeemok
Copy link
Owner

jeemok commented Sep 1, 2024

hey @ericcornelissen sorry, there's a new vulnerability reported and we have audit check running in our pipeline, report details: npm run audit

  • micromatch <4.0.8
  • Severity: moderate
  • Regular Expression Denial of Service (ReDoS) in micromatch - GHSA-952p-6rrq-rcjv
  • fix available via npm audit fix
  • node_modules/micromatch
  • 1 moderate severity vulnerability

Can you run npm audit fix and commit the fix please?

@ericcornelissen
Copy link
Contributor Author

Sure thing @jeemok, see #101. I created a separate PR to avoid the upgrade being blocked by any remaining problems in this PR.

@jeemok jeemok merged commit f1f7ab1 into jeemok:master Sep 2, 2024
0 of 5 checks passed
@ericcornelissen ericcornelissen deleted the patch-1 branch September 2, 2024 08:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

production flag in Version 3.8.3 does not work for older npm versions
2 participants