yarn-audit-fix
The missing `yarn audit fix`
/*
 * yarn-audit-fix — minified ESM bundle of the whole package (the exported names at
 * the bottom are the readable API; the short identifiers are minifier output).
 *
 * Entry points are `run` (Promise wrapper) and `runSync`. Work is a "flow": an array of
 * log labels and step functions executed by `exec` over a context object built by
 * `getContext`. `getFlow` selects one of two flows:
 *   - "convert": copy yarn.lock/package.json/.npmrc/.yarnrc into a temp dir, symlink
 *     node_modules, .yarn and workspace dirs into it, convert yarn.lock to
 *     package-lock.json with synp, run `npm audit fix --package-lock-only` there,
 *     convert back, copy yarn.lock out and run `yarn install` to refresh it.
 *   - "patch": parse the temp yarn.lock, query `yarn npm audit` (yarn2) or
 *     `yarn audit`/`npm audit --json` (yarn1), bump every entry whose version
 *     satisfies an advisory's vulnerable range to semver.minVersion(patched_versions),
 *     write the lockfile back and run `yarn install`.
 *
 * Points a reviewer should keep in mind (details at the inline comments):
 *   - every child process goes through `invoke`, which spawns with shell:true, so each
 *     argv element is part of a shell command line; package names taken from the
 *     lockfile reach it in the yarn2 patch step (`re`).
 *   - the temp directory is emptied with fs-extra emptyDirSync before assets are copied
 *     in both flows, again at the end, and in the failure fallback; a user-supplied
 *     --temp path must therefore be a dedicated directory.
 *   - .npmrc and .yarnrc, if present, are copied into that temp directory.
 */
import{dirname as Ue,join as c,relative as qe}from"node:path";import p from"fs-extra";import y from"semver";import le from"synp";import w from"semver";import K from"@yarnpkg/lockfile";import{keyBy as Ve}from"lodash-es";import ke from"node:crypto";import{createRequire as Te}from"node:module";import T,{dirname as xe,resolve as he}from"node:path";import{fileURLToPath as ve}from"node:url";import be from"node:os";import Se from"chalk";import S from"fs-extra";import Fe from"fast-glob";import V from"js-yaml";import{reduce as je}from"lodash-es";
/* Shared helpers. Re is the directory of this bundle; z/G walk upward from it to find files (e.g. the package's own package.json). */
var we=Fe.sync,_e=Te(import.meta.url)("child_process"),{ensureDirSync:Le,readFileSync:Oe}=S,Re=xe(ve(import.meta.url)),
/* invoke(bin, args, cwd, quiet, inherit, ignoreErrors): spawnSync with shell:true, so the argv array is joined into a shell
   command line and every element must already be trusted (flag values, the --npm-path binary, and the name/version
   strings built in `re` all pass through here). Unless ignoreErrors is set, an error or non-zero status throws the raw
   spawnSync result object — that is the object runSync later reads .stderr/.stdout/.status from. With inherit=true
   stdout is not captured, so the return value is the string "undefined"; callers using inherit ignore the result. */
l=(e,t,r,n=!1,o=!0,s=!1)=>{!n&&console.log(Se.bold("invoke"),e,...t);let i=o?["inherit","inherit","inherit"]:[null,null,null],a=_e.spawnSync(e,t,{cwd:r,stdio:i,shell:!0});if(!s&&(a.error||a.status))throw a;return String(a.stdout?.toString().trim())},
/* Flag filter: drops values equal to the string "false", the "_"/"--" pseudo-flags and, when an allow-list is given, any flag not on it. */
Ce=(e,t,r,n)=>t!=="false"&&!r.includes(e)&&(n.length===0||n.includes(e)),Ae=e=>(e.length===1?"-":"--")+e,
/* camelCase -> kebab-case. */
Ee=e=>e.replace(/([\da-z]|(?=[A-Z]))([A-Z])/g,"$1-$2").toLowerCase(),
/* normalizeFlags: kebab-cases every key (values untouched), e.g. "dryRun" becomes "dry-run". */
D=e=>Object.keys(e).reduce((t,r)=>(t[Ee(r)]=e[r],t),{}),
/* formatFlags(flags, ...allowed): builds an argv list ("--name value", repeated for arrays, bare flag for true) from the
   allow-listed keys only. This allow-list is the main control over which user-supplied values reach the shell line in invoke. */
f=(e,...t)=>Object.keys(e).reduce((r,n)=>{let o=["_","--"],s=e[n],i=Ae(n);return Ce(n,s,o,t)&&(Array.isArray(s)?s.forEach(a=>{r.push(i,String(a))}):(r.push(i),s!==!0&&r.push(String(s)))),r},[]),
/* mapFlags(flags, mapping): renames/re-values keys; a string mapping is a new key, an object gives {key, value | values[oldValue]}. */
x=(e,t)=>je(e,(r,n,o)=>{let s=t[o],i=o,a=n;return s&&(typeof s=="string"?i=s:(i=s?.key??i,a=s?.value??s?.values?.[n]??a)),r[i]=a,r},{}),
/* isWindows, symlink type (explicit --symlink, else junction on Windows / dir elsewhere), yarn bin name, nearest node_modules/.bin entry. */
F=()=>process.platform==="win32"||/^(msys|cygwin)$/.test(process.env.OSTYPE),M=e=>e||(F()?"junction":"dir"),N=()=>F()?"yarn.cmd":"yarn",$e=e=>G(`./node_modules/.bin/${e}`),
/* getNpm: "system" -> npm from PATH, "local" -> nearest node_modules/.bin/npm, any other value is used verbatim as the binary (it is passed to invoke's shell). */
Y=(e="system",t=F())=>{let r=t?"npm.cmd":"npm";return e==="system"?r:e==="local"?$e(r):e},
/* getWorkspaces(cwd, manifest): resolves the workspaces list (array or {packages}) to absolute package.json paths via fast-glob. */
B=(e,t)=>{let r=t.workspaces;return r&&r.packages&&(r=r.packages),!r||r.length===0?[]:we(r.map(n=>n.replace(/\/?$/,"/package.json")),{cwd:e,onlyFiles:!0,absolute:!0,gitignore:!0})},j=e=>JSON.parse(Oe(e).toString("utf-8").trim()),Pe=e=>(Le(e),e),
/* getTemp(cwd, temp): a user-supplied --temp is resolved against cwd and created; otherwise a fresh mkdtemp under os.tmpdir() with a
   16-byte random suffix. Either directory is later emptied by `clear`, so --temp must point at a dedicated directory. */
J=(e,t)=>t?Pe(he(e,t)):S.mkdtempSync(T.join(be.tmpdir(),`tempy-${ke.randomBytes(16).toString("hex")}`)),
/* attempt: best-effort call, any exception becomes null (used for per-line JSON parsing of audit output). */
I=e=>{try{return e()}catch{return null}},
/* parseYaml: js-yaml load with the default schema (in js-yaml v4 that is the safe loader — TODO confirm the bundled js-yaml version). */
U=e=>{try{return V.load(e)}catch(t){throw new Error(`YAML required: ${t}`)}},q=V.dump,
/* getBinVersion: `<bin> --version` through invoke; throws if the binary cannot be run. */
h=(e,t=process.cwd())=>l(e,["--version"],t,!0,!1),
/* getSelfManifest: this package's own package.json, located by walking up from the bundle directory. */
v=()=>j(G("package.json")),W=(e,t,r)=>Object.defineProperty(e,t,{value:r,enumerable:!1}),z=(e,t)=>{if(S.existsSync(T.join(e,t)))return e;let r=T.resolve(e,"..");return e===r?null:z(r,t)},G=(e,t=Re)=>{let r=z(t,e);return r?T.join(r,e):null},
/* sortObject: keys sorted with localeCompare into a null-prototype object (contrast with the plain {} used by the yarn2 parser te). */
H=e=>e&&Object.keys(e).sort((t,r)=>t.localeCompare(r)).reduce((t,r)=>(t[r]=e[r],t),Object.create(null));
/* yarn v1 lockfile support (@yarnpkg/lockfile). parse throws when the parser does not report success (the message assumes a merge conflict). */
var Z=e=>{let t=K.parse(e);if(t.type!=="success")throw new Error("Merge conflict in yarn lockfile, aborting");return t.object},
/* yarn1 patch of one entry, in place: sets the new version and blanks dependencies, integrity and resolved; the later
   `yarn install --update-checksums` step (yarnInstall) is relied on to re-resolve them. */
Q=(e,t,r)=>(e.version=r,e.dependencies={},e.integrity="",e.resolved="",e),X=e=>K.stringify(e),
/* yarn1 audit: runs `<yarn|npm> audit --json` (the reporter flag picks the binary) in the temp dir with allow-listed flags;
   ignoreErrors is set because audit exits non-zero when it finds something. */
ee=(e,t,r)=>{let n=e.reporter==="npm"?r.npm:r.yarn,s=f(x(e,{"audit-level":"level",only:{key:"groups",values:{prod:"dependencies",dev:"devDependencies"}}}),"groups","verbose","level"),i=l(n,["audit","--json",...s],t,!!e.silent,!1,!0);return De(i)},
/* JSON-lines audit reporter -> {module_name: {module_name, vulnerable_versions, patched_versions}}. Unparsable lines are dropped
   by attempt; with lodash keyBy a later advisory for the same module overwrites an earlier one. */
De=e=>Ve(e.toString().split(`
`).map(t=>I(()=>JSON.parse(t))).map(t=>t?.data?.advisory).filter(t=>t!==void 0).map(t=>({module_name:t.module_name,vulnerable_versions:t.vulnerable_versions,patched_versions:t.patched_versions})),t=>t.module_name);
/* yarn v2+ (berry) lockfile support: YAML whose keys are comma-joined descriptors. parse splits "a@x, a@y" so every
   descriptor maps to the same entry object and keeps __metadata as a hidden property. Keys come straight from the
   lockfile and are assigned onto a plain {} rather than a null-prototype object. */
var te=e=>{let t=U(e),{__metadata:r}=t;return delete t.__metadata,Object.entries(t).reduce((n,[o,s])=>(o.split(", ").forEach(i=>{n[i]=s}),n),W({},"__metadata",r))},
/* yarn2 patch of one entry, in place: sets version/resolution, drops the checksum and refreshes dependencies by running
   `npm view <name>@<version> dependencies --json` through invoke's shell. The version is a semver-formatted string, but the
   name is taken from the lockfile key as-is (the regex in _patch only splits it), so it should be validated before this call. */
re=(e,t,r,n)=>(e.version=r,e.resolution=`${t}@npm:${r}`,e.dependencies=H(JSON.parse(l(n,["view",`${t}@${r}`,"dependencies","--json"],process.cwd(),!0,!1)||"null")||void 0),delete e.checksum,e),
/* yarn2 format: regroups entries by resolution back into comma-joined keys, dumps YAML and post-processes the text to match yarn's own quoting and spacing. */
ne=e=>{let t=Object.entries(e).reduce((n,[o,{resolution:s}])=>((n[s]||(n[s]=[])).push(o),n),{}),r=Object.values(e).reduce((n,o)=>{let s=t[o.resolution].join(", ");return n[s]=o,n},{__metadata:e.__metadata||{version:5,cacheKey:8}});return`# This file is generated by running "yarn install" inside your project.
# Manual changes might be lost - proceed with caution!
${q(r,{quotingType:'"',flowLevel:-1,lineWidth:-1}).replace(/\n([^\s"].+):\n/g,`
"$1":
`).replace(/\n(\S)/g,`
$1`).replace(/resolution: ([^\n"]+)/g,'resolution: "$1"')}`},
/* yarn2 audit: `yarn npm audit --all --json --recursive` plus allow-listed flags; a non-zero exit throws here (ignoreErrors is false). */
oe=(e,t,r)=>{let o=f(x(e,{"audit-level":"severity",level:"severity",groups:{key:"environment",values:{dependencies:"production"}},only:{key:"environment",values:{prod:"production"}}}),"exclude","ignore","groups","verbose"),s=l(r.yarn,["npm","audit","--all","--json","--recursive",...o],t,!!e.silent,!1,!1);return Me(s)},
/* yarn npm audit reporter: advisories keyed by module_name. */
Me=e=>Object.values(JSON.parse(e).advisories).reduce((t,{vulnerable_versions:r,module_name:n,patched_versions:o})=>(t[n]={patched_versions:o,vulnerable_versions:r,module_name:n},t),{});
/* Lockfile-agnostic layer. getLockfileType sniffs substrings and returns undefined otherwise, which _parse rejects.
   _internal (b) exposes the four steps so they can be overridden. */
var se=e=>{if(e.includes("yarn lockfile v1"))return"yarn1";if(e.includes("__metadata"))return"yarn2"},Ne=(e,t)=>{if(t===void 0)throw new Error("Unsupported lockfile format");return t==="yarn2"?te(e):Z(e)},Ye=(e,t)=>t==="yarn2"?ne(e):X(e),
/* _patch(lockfile, advisories, {flags, bins}, type): for each "name@range" entry whose version satisfies an advisory's
   vulnerable range, pick semver.minVersion(patched_versions). Skipped when no such version exists or when it falls outside
   the declared range — unless --force, which accepts an out-of-range (potentially breaking) bump. Entries are mutated in place. */
Be=(e,t,{flags:r,bins:n},o)=>{if(Object.keys(t).length===0)return!r.silent&&console.log("Audit check found no issues"),e;let s=[];for(let i of Object.keys(e)){let[,a,k]=/^(@?[^@]+)@(?:\w+:)?(.+)$/.exec(i)||[],u=t[a];if(!u)continue;let m=e[i];if(w.satisfies(m.version,u.vulnerable_versions)){let d=w.minVersion(u.patched_versions)?.format();if(d===void 0){console.error("Can't find satisfactory version for",u.module_name,u.patched_versions);continue}if(!w.satisfies(d,k)&&!r.force){console.error("Can't find patched version that satisfies",i,"in",u.patched_versions);continue}s.push(`${a}@${d}`),o==="yarn1"?Q(m,a,d):re(m,a,d,n.npm)}}return!r.silent&&console.log("Upgraded deps:",s.length>0?s.join(", "):"<none>"),e},Je=({flags:e,temp:t,bins:r},n)=>n==="yarn2"?oe(e,t,r):ee(e,t,r),b={_parse:Ne,_audit:Je,_patch:Be,_format:Ye},ie=(...e)=>b._parse(...e),ae=(...e)=>b._audit(...e),ce=(...e)=>b._patch(...e),pe=(...e)=>b._format(...e);
/* Flow steps; each receives the context and mutates it or the filesystem.
   resolveBins: picks the yarn/npm binaries (--npm-path is used verbatim) and records versions. The yafLatest lookup runs
   `npm view <own package name> version` against the registry on every run and throws if it fails (ignoreErrors not set). */
var _=({ctx:e,flags:t})=>{let r=v();e.bins={yarn:N(),npm:Y(t["npm-path"])},e.versions={node:h("node"),npm:h(e.bins.npm),yarn:h(e.bins.yarn),yaf:r.version,yafLatest:l(e.bins.npm,["view",r.name,"version"],process.cwd(),!0,!1)}},
/* printRuntimeDigest: version warnings plus a dump of bins/versions/temp/cwd/flags to stdout; skipped entirely under --silent. */
L=({temp:e,cwd:t,flags:r,bins:n,versions:o,manifest:s})=>{if(r.silent)return;let i=!!s.workspaces;i&&y.parse(o.npm)?.major<7&&console.warn("This project looks like monorepo, so it's recommended to use `npm v7+` to process workspaces"),y.gt("3.3.0",o.yarn)&&(r.exclude||r.ignore)&&console.warn(`This project yarn version ${o.yarn} doesn't support the 'exclude' and 'ignore' flags. Please upgrade to yarn 3.3.0 or higher to use those flags`),y.gt(o.yafLatest,o.yaf)&&console.warn(`yarn-audit-fix version ${o.yaf} is out of date. Install the latest ${o.yafLatest} for better results`),console.log(JSON.stringify({isMonorepo:i,bins:n,versions:o,temp:e,cwd:t,flags:r},void 0,2).replace(/[",:{}]/g,""))},
/* createTempAssets: copies yarn.lock, package.json and, if present, .npmrc and .yarnrc into the temp dir. .npmrc may carry
   registry credentials, so where getTemp puts the directory matters; `clear` removes the copies afterwards. */
O=({cwd:e,temp:t})=>{p.copyFileSync(c(e,"yarn.lock"),c(t,"yarn.lock")),p.copyFileSync(c(e,"package.json"),c(t,"package.json")),p.existsSync(c(e,".npmrc"))&&p.copyFileSync(c(e,".npmrc"),c(t,".npmrc")),p.existsSync(c(e,".yarnrc"))&&p.copyFileSync(c(e,".yarnrc"),c(t,".yarnrc"))},
/* createSymlinks: links cwd/node_modules, cwd/.yarn and each workspace directory into the temp dir (existing ones only) so the audit tools see the real install. */
R=({temp:e,flags:t,cwd:r,manifest:n})=>{let o=M(t.symlink),s=B(r,n);[c(r,"node_modules"),c(r,".yarn"),...s.map(a=>Ue(a))].forEach(a=>{let k=qe(r,a),u=c(r,k),m=c(e,k);p.existsSync(u)&&p.createSymlinkSync(u,m,o)})},
/* yarnLockToPkgLock: synp yarn.lock -> package-lock.json inside the temp dir; the temp yarn.lock is removed except in the patch flow. */
ue=({temp:e,flags:t})=>{let r=le.yarnToNpm(e,!0);p.writeFileSync(c(e,"package-lock.json"),r),t.flow!=="patch"&&p.removeSync(c(e,"yarn.lock"))},
/* npmAuditFix: `npm audit fix --package-lock-only ... --prefix <temp>` in the temp dir; the default is spread under the user's
   flags, so a user value for package-lock-only wins. Only the listed flags are forwarded. */
fe=({temp:e,flags:t,bins:r})=>{let s=["audit","fix",...f({...{"package-lock-only":!0},...t},"audit-level","dry-run","exclude","force","ignore","loglevel","legacy-peer-deps","only","package-lock-only","registry","silent","verbose"),"--prefix",e];l(r.npm,s,e,t.silent)},
/* yarnImport: synp package-lock.json -> yarn.lock inside the temp dir. */
ge=({temp:e})=>{let t=le.npmToYarn(e,!0);p.writeFileSync(c(e,"yarn.lock"),t)},
/* syncLockfile: copies the patched yarn.lock to the relative path "yarn.lock" (process.cwd(), not ctx.cwd).
   NOTE(review): runSync kebab-cases flag keys via normalizeFlags, so `t.dryRun` looks as if it can never be set here or in
   yarnInstall — confirm whether the CLI layer also passes a camelCase key; otherwise --dry-run would not prevent the copy. */
C=({temp:e,flags:t})=>{t.dryRun||p.copyFileSync(c(e,"yarn.lock"),"yarn.lock")},
/* yarnInstall: refreshes the lockfile in cwd — `--mode=update-lockfile` on yarn >= 2, `--update-checksums` on yarn1 (needed after Q blanked integrity/resolved). */
A=({cwd:e,flags:t,versions:r,bins:n})=>{t.dryRun||(y.gte(r.yarn,"2.0.0")?l(n.yarn,["install","--mode=update-lockfile"],e,t.silent):l(n.yarn,["install","--update-checksums",...f(t,"verbose","silent","registry","ignore-engines")],e,t.silent))},
/* clear: fs-extra emptyDirSync on the temp dir — deletes everything inside it. */
g=({temp:e})=>p.emptyDirSync(e),
/* exit: logs the error (unless --silent) and sets process.exitCode from the failed child's status, falling back to 1. */
E=({flags:e,err:t})=>{!e.silent&&console.error(t),process.exitCode=t?.status|0||1},
/* patchLockfile: parse -> audit -> patch -> format, all on the temp yarn.lock. */
me=({temp:e,ctx:t})=>{let r=c(e,"yarn.lock"),n=p.readFileSync(r,"utf-8"),o=se(n),s=ie(n,o),i=ae(t,o),a=ce(s,i,t,o);p.writeFileSync(r,pe(a,o))},
/* verify: yarn.lock and package.json must exist in cwd; node_modules too for the convert flow or for yarn1. */
$=({cwd:e,versions:t,flags:r})=>{let n=["yarn.lock","package.json"];(r.flow==="convert"||y.lt(t.yarn,"2.0.0"))&&n.push("node_modules"),n.forEach(o=>{if(!p.existsSync(c(e,o)))throw new Error(`not found: ${o}`)})};
/* Flow definitions: strings are log labels, functions are steps, nested arrays are flattened by exec. Note that `clear` (g)
   runs before createTempAssets in both flows, after the lockfile is synced, and first thing in the failure fallback. */
var We={main:["Resolve bins",_,"Runtime digest",L,"Verifying package structure...",$,"Preparing temp assets...",g,O,R,"Generating package-lock.json from yarn.lock...",ue,"Applying npm audit fix...",fe,["Updating yarn.lock from package-lock.json...",ge,C,g],"Installing deps update...",A,"Done"],fallback:["Failure!",g,E]},ze={main:["Resolve bins",_,"Runtime digest",L,"Verifying package structure...",$,"Preparing temp assets...",g,O,R,["Patching yarn.lock with audit data...",me,C,g],"Installing deps update...",A,"Done"],fallback:["Failure!",g,E]},P=(e="patch")=>{if(e==="convert")return We;if(e==="patch")return ze;throw new Error(`Unsupported flow: ${e}`)};
/* Runner (these imports are hoisted like the ones at the top). */
import{join as Ge}from"node:path";import He from"chalk";
/* getContext: cwd (--cwd or process.cwd()), manifest, temp dir and flags; ctx points at itself so steps can mutate it. */
var Ke=(e={})=>{let t=e.cwd||process.cwd(),r=j(Ge(t,"package.json")),n=J(t,e.temp),o={cwd:t,temp:n,flags:e,manifest:r,versions:{},bins:{}};return o.ctx=o,o},
/* exec: runs a flow (flattened up to 5 levels) — strings are printed as labels unless --silent, functions are called with the context. */
de=(e,t)=>{for(let r of e.flat(5))typeof r=="string"?!t.flags.silent&&console.log(He.bold(r)):typeof r=="function"&&r(t)},
/* runSync(flags, flow?): -V prints this package's version; otherwise normalizes flags, builds the context and runs the selected
   flow. On failure the error is stored on the context, printed (the failed child's stderr/stdout when the error is a spawnSync
   result), the fallback flow runs, and the error is rethrown. */
ye=(e={},t)=>{if(e.V){console.log(v().version);return}let r=D(e),n=Ke(r),o=t||P(r.flow);try{de(o.main,n)}catch(s){throw n.err=s,!r.silent&&console.error(s.stderr?.toString?.()||s.stdout?.toString?.()||s.error||s.status||s),de(o.fallback,n),s}},
/* run: Promise wrapper around runSync; run.sync is the synchronous form. */
Ze=(e={},t)=>new Promise((r,n)=>{try{ye(e,t),r()}catch(o){n(o)}});Ze.sync=ye;export{Je as _audit,Ye as _format,b as _internal,Ne as _parse,Be as _patch,W as addHiddenProp,I as attempt,ae as audit,g as clear,R as createSymlinks,O as createTempAssets,Pe as ensureDir,de as exec,E as exit,pe as format,f as formatFlags,q as formatYaml,h as getBinVersion,$e as getClosestBin,Ke as getContext,P as getFlow,se as getLockfileType,Y as getNpm,v as getSelfManifest,M as getSymlinkType,J as getTemp,B as getWorkspaces,N as getYarn,l as invoke,F as isWindows,x as mapFlags,D as normalizeFlags,fe as npmAuditFix,ie as parse,U as parseYaml,ce as patch,me as patchLockfile,L as printRuntimeDigest,j as readJson,_ as resolveBins,Ze as run,ye as runSync,H as sortObject,C as syncLockfile,$ as verify,ge as yarnImport,A as yarnInstall,ue as yarnLockToPkgLock};
//# sourceMappingURL=index.mjs.map