fix: remove minimist

jordanbtucker · jordanbtucker · commit 7466552d79e1 · 2022-03-21T11:18:40.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ### Unreleased [[code][c-unreleased], [diff][d-unreleased]]
 
+- Fix: Remove dependence on minimist to patch CVE-2021-44906. ([#266])
+
 [c-unreleased]: https://github.com/json5/json5/tree/master
 [d-unreleased]: https://github.com/json5/json5/compare/v2.2.0...HEAD
 
@@ -360,3 +362,4 @@ parser for the regular JSON format.
 [#229]: https://github.com/json5/json5/issues/229
 [#236]: https://github.com/json5/json5/issues/236
 [#244]: https://github.com/json5/json5/issues/244
+[#266]: https://github.com/json5/json5/issues/266
diff --git a/lib/cli.js b/lib/cli.js
@@ -2,37 +2,17 @@
 
 const fs = require('fs')
 const path = require('path')
-const minimist = require('minimist')
 const pkg = require('../package.json')
 const JSON5 = require('./')
 
-const argv = minimist(process.argv.slice(2), {
-    alias: {
-        'convert': 'c',
-        'space': 's',
-        'validate': 'v',
-        'out-file': 'o',
-        'version': 'V',
-        'help': 'h',
-    },
-    boolean: [
-        'convert',
-        'validate',
-        'version',
-        'help',
-    ],
-    string: [
-        'space',
-        'out-file',
-    ],
-})
+const argv = parseArgs()
 
 if (argv.version) {
     version()
 } else if (argv.help) {
     usage()
 } else {
-    const inFilename = argv._[0]
+    const inFilename = argv.defaults[0]
 
     let readStream
     if (inFilename) {
@@ -65,7 +45,7 @@ if (argv.version) {
                 // --convert is for backward compatibility with v0.5.1. If
                 // specified with <file> and not --out-file, then a file with
                 // the same name but with a .json extension will be written.
-                if (argv.convert && inFilename && !argv.o) {
+                if (argv.convert && inFilename && !argv.outFile) {
                     const parsedFilename = path.parse(inFilename)
                     const outFilename = path.format(
                         Object.assign(
@@ -75,8 +55,8 @@ if (argv.version) {
                     )
 
                     writeStream = fs.createWriteStream(outFilename)
-                } else if (argv.o) {
-                    writeStream = fs.createWriteStream(argv.o)
+                } else if (argv.outFile) {
+                    writeStream = fs.createWriteStream(argv.outFile)
                 } else {
                     writeStream = process.stdout
                 }
@@ -90,6 +70,66 @@ if (argv.version) {
     })
 }
 
+function parseArgs () {
+    let convert
+    let space
+    let validate
+    let outFile
+    let version
+    let help
+    const defaults = []
+
+    const args = process.argv.slice(2)
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i]
+        switch (arg) {
+        case '--convert':
+        case '-c':
+            convert = true
+            break
+
+        case '--space':
+        case '-s':
+            space = args[++i]
+            break
+
+        case '--validate':
+        case '-v':
+            validate = true
+            break
+
+        case '--out-file':
+        case '-o':
+            outFile = args[++i]
+            break
+
+        case '--version':
+        case '-V':
+            version = true
+            break
+
+        case '--help':
+        case '-h':
+            help = true
+            break
+
+        default:
+            defaults.push(arg)
+            break
+        }
+    }
+
+    return {
+        convert,
+        space,
+        validate,
+        outFile,
+        version,
+        help,
+        defaults,
+    }
+}
+
 function version () {
     console.log(pkg.version)
 }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -48,9 +48,6 @@
     "url": "https://github.com/json5/json5/issues"
   },
   "homepage": "http://json5.org/",
-  "dependencies": {
-    "minimist": "^1.2.5"
-  },
   "devDependencies": {
     "core-js": "^2.6.5",
     "eslint": "^5.15.3",
diff --git a/test/cli.js b/test/cli.js
@@ -43,7 +43,7 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('indents output with the number of spaces specified', t => {
+    t.test('indents output with the number of spaces specified with -s', t => {
         const proc = child.spawn(
             process.execPath,
             [
@@ -65,7 +65,29 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('indents output with tabs when specified', t => {
+    t.test('indents output with the number of spaces specified with --space', t => {
+        const proc = child.spawn(
+            process.execPath,
+            [
+                cliPath,
+                path.resolve(__dirname, 'test.json5'),
+                '--space',
+                '4',
+            ]
+        )
+
+        let output = ''
+        proc.stdout.on('data', data => {
+            output += data
+        })
+
+        proc.stdout.on('end', () => {
+            assert.strictEqual(output, '{\n    "a": 1,\n    "b": 2\n}')
+            t.end()
+        })
+    })
+
+    t.test('indents output with tabs when specified with -s', t => {
         const proc = child.spawn(
             process.execPath,
             [
@@ -87,7 +109,7 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('outputs to the specified file', t => {
+    t.test('outputs to the specified file with -o', t => {
         const proc = child.spawn(
             process.execPath,
             [
@@ -116,7 +138,36 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('validates valid JSON5 files', t => {
+    t.test('outputs to the specified file with --out-file', t => {
+        const proc = child.spawn(
+            process.execPath,
+            [
+                cliPath,
+                path.resolve(__dirname, 'test.json5'),
+                '--out-file',
+                path.resolve(__dirname, 'output.json'),
+            ]
+        )
+
+        proc.on('exit', () => {
+            assert.strictEqual(
+                fs.readFileSync(
+                    path.resolve(__dirname, 'output.json'),
+                    'utf8'
+                ),
+                '{"a":1,"b":2}'
+            )
+            t.end()
+        })
+
+        t.tearDown(() => {
+            try {
+                fs.unlinkSync(path.resolve(__dirname, 'output.json'))
+            } catch (err) {}
+        })
+    })
+
+    t.test('validates valid JSON5 files with -v', t => {
         const proc = child.spawn(
             process.execPath,
             [
@@ -132,7 +183,23 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('validates invalid JSON5 files', t => {
+    t.test('validates valid JSON5 files with --validate', t => {
+        const proc = child.spawn(
+            process.execPath,
+            [
+                cliPath,
+                path.resolve(__dirname, 'test.json5'),
+                '--validate',
+            ]
+        )
+
+        proc.on('exit', code => {
+            assert.strictEqual(code, 0)
+            t.end()
+        })
+    })
+
+    t.test('validates invalid JSON5 files with -v', t => {
         const proc = child.spawn(
             process.execPath,
             [
@@ -157,7 +224,7 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('outputs the version number when specified', t => {
+    t.test('outputs the version number when specified with -V', t => {
         const proc = child.spawn(process.execPath, [cliPath, '-V'])
 
         let output = ''
@@ -171,7 +238,21 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('outputs usage information when specified', t => {
+    t.test('outputs the version number when specified with --version', t => {
+        const proc = child.spawn(process.execPath, [cliPath, '--version'])
+
+        let output = ''
+        proc.stdout.on('data', data => {
+            output += data
+        })
+
+        proc.stdout.on('end', () => {
+            assert.strictEqual(output, pkg.version + '\n')
+            t.end()
+        })
+    })
+
+    t.test('outputs usage information when specified with -h', t => {
         const proc = child.spawn(process.execPath, [cliPath, '-h'])
 
         let output = ''
@@ -185,7 +266,21 @@ tap.test('CLI', t => {
         })
     })
 
-    t.test('is backward compatible with v0.5.1', t => {
+    t.test('outputs usage information when specified with --help', t => {
+        const proc = child.spawn(process.execPath, [cliPath, '--help'])
+
+        let output = ''
+        proc.stdout.on('data', data => {
+            output += data
+        })
+
+        proc.stdout.on('end', () => {
+            assert(/Usage/.test(output))
+            t.end()
+        })
+    })
+
+    t.test('is backward compatible with v0.5.1 with -c', t => {
         const proc = child.spawn(
             process.execPath,
             [
@@ -213,5 +308,33 @@ tap.test('CLI', t => {
         })
     })
 
+    t.test('is backward compatible with v0.5.1 with --convert', t => {
+        const proc = child.spawn(
+            process.execPath,
+            [
+                cliPath,
+                '--convert',
+                path.resolve(__dirname, 'test.json5'),
+            ]
+        )
+
+        proc.on('exit', () => {
+            assert.strictEqual(
+                fs.readFileSync(
+                    path.resolve(__dirname, 'test.json'),
+                    'utf8'
+                ),
+                '{"a":1,"b":2}'
+            )
+            t.end()
+        })
+
+        t.tearDown(() => {
+            try {
+                fs.unlinkSync(path.resolve(__dirname, 'test.json'))
+            } catch (err) {}
+        })
+    })
+
     t.end()
 })
