Security fix for semver vulnerability (#7043)

Co-authored-by: Richard Hallows <jeddy3@users.noreply.github.com> Co-authored-by: Masafumi Koba <473530+ybiquitous@users.noreply.github.com>
stylelint · Jul 5, 2023 · 56a545e · 56a545e
1 parent a42f955
commit 56a545e
Show file tree

Hide file tree

Showing 9 changed files with 513 additions and 165 deletions.
diff --git a/.changeset/twenty-camels-promise.md b/.changeset/twenty-camels-promise.md
@@ -0,0 +1,5 @@
+---
+"stylelint": patch
+---
+
+Security: fix for `semver` vulnerability
diff --git a/bin/stylelint.js b/bin/stylelint.js
diff --git a/bin/stylelint.mjs b/bin/stylelint.mjs
@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import cli from '../lib/cli.mjs';
+
+cli(process.argv.slice(2));
diff --git a/lib/__tests__/cli.test.mjs b/lib/__tests__/cli.test.mjs
@@ -10,16 +10,14 @@ import stripAnsi from 'strip-ansi';
 import readJSONFile from '../testUtils/readJSONFile.mjs';
 import replaceBackslashes from '../testUtils/replaceBackslashes.mjs';
 
-import cli from '../cli.js';
+import cli, { buildCLI } from '../cli.mjs';
 
 const pkg = readJSONFile(new URL('../../package.json', import.meta.url));
 
 const fixturesPath = (...elems) =>
 	replaceBackslashes(path.join(fileURLToPath(new URL('./fixtures', import.meta.url)), ...elems));
 
 describe('buildCLI', () => {
-	const { buildCLI } = cli;
-
 	it('flags - default', () => {
 		expect(buildCLI([]).flags).toEqual({
 			allowEmptyInput: false,

diff --git a/lib/cli.js → lib/cli.mjs b/lib/cli.js → lib/cli.mjs
@@ -1,23 +1,28 @@
-'use strict';
-
-const { EOL } = require('os');
-const meow = require('meow');
-const path = require('path');
-const { red, dim } = require('picocolors');
-const resolveFrom = require('resolve-from');
-
-const { isPlainObject } = require('./utils/validateTypes');
-const checkInvalidCLIOptions = require('./utils/checkInvalidCLIOptions');
-const printConfig = require('./printConfig');
-const standalone = require('./standalone');
-const writeOutputFile = require('./writeOutputFile');
-const resolveCustomFormatter = require('./resolveCustomFormatter');
-const {
+import picocolors from 'picocolors';
+const { dim, red } = picocolors;
+
+import { EOL } from 'os';
+import meow from 'meow';
+import path from 'path';
+import resolveFrom from 'resolve-from';
+
+import checkInvalidCLIOptions from './utils/checkInvalidCLIOptions.js';
+import { isPlainObject } from './utils/validateTypes.js';
+import printConfig from './printConfig.js';
+import resolveCustomFormatter from './resolveCustomFormatter.js';
+import standalone from './standalone.js';
+import writeOutputFile from './writeOutputFile.js';
+
+import {
 	DEFAULT_CACHE_LOCATION,
-	DEFAULT_IGNORE_FILENAME,
 	DEFAULT_FORMATTER,
+	DEFAULT_IGNORE_FILENAME,
 	EXIT_CODE_ERROR,
-} = require('./constants');
+} from './constants.js';
+
+import { createRequire } from 'module';
+// @ts-expect-error
+const require = createRequire(import.meta.url);
 
 /**
  * @typedef {{
@@ -376,7 +381,7 @@ const meowOptions = {
  * @param {string[]} argv
  * @returns {Promise<any>}
  */
-module.exports = async function main(argv) {
+export default async function main(argv) {
 	const cli = buildCLI(argv);
 
 	const invalidOptionsMessage = checkInvalidCLIOptions(meowOptions.flags, cli.flags);
@@ -574,7 +579,7 @@ module.exports = async function main(argv) {
 			}
 		})
 		.catch(handleError);
-};
+}
 
 /**
  * @param {{ stack: any, code: any }} err
@@ -628,9 +633,7 @@ async function getStdin() {
  * @param {string[]} argv
  * @returns {CLIOptions}
  */
-function buildCLI(argv) {
+export function buildCLI(argv) {
 	// @ts-expect-error -- TS2322: Type 'Result<AnyFlags>' is not assignable to type 'CLIOptions'.
-	return meow({ ...meowOptions, argv });
+	return meow({ ...meowOptions, argv, importMeta: import.meta });
 }
-
-module.exports.buildCLI = buildCLI;