chore: bump yargs parser version to avoid flagged vulnerable dependen…

…cies (#23839) * Bump the yargs version to address some 'low' security vulnerability warnings. 'npm audit' complains for: - yargs > os-locale > mem (https://npmjs.com/advisories/1084) - yargs > yargs-parser (https://npmjs.com/advisories/1500) This is obviously a big jump in major version numbers, but the usage looks reasonably vanilla, so I'm hoping it's obvious whether this breaks anything. * Bump the yargs version to address a 'low' security vulnerability warning in yargs-parser. 'npm audit' complains about 'yargs > yargs-parser' (https://npmjs.com/advisories/1500). * sync yarn.lock * move parserConfiguration from package.json to code (yargs no longer support package.json field) Co-authored-by: Michal Piechowiak <misiek.piechowiak@gmail.com> Co-authored-by: gatsbybot <mathews.kyle+gatsbybot@gmail.com>
gatsbyjs · May 8, 2020 · 2b1de8c · 2b1de8c
1 parent 197614e
commit 2b1de8c
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 40 deletions.
diff --git a/packages/gatsby-cli/package.json b/packages/gatsby-cli/package.json
@@ -48,7 +48,7 @@
     "strip-ansi": "^5.2.0",
     "update-notifier": "^3.0.1",
     "uuid": "3.4.0",
-    "yargs": "^12.0.5",
+    "yargs": "^15.3.1",
     "yurnalist": "^1.1.2"
   },
   "devDependencies": {
@@ -83,9 +83,6 @@
     "watch": "babel -w src --out-dir lib --ignore \"**/__tests__\"  --extensions \".ts,.js,.tsx\"",
     "postinstall": "node scripts/postinstall.js"
   },
-  "yargs": {
-    "boolean-negation": false
-  },
   "engines": {
     "node": ">=10.13.0"
   }

diff --git a/packages/gatsby-cli/src/create-cli.js b/packages/gatsby-cli/src/create-cli.js
@@ -342,7 +342,9 @@ Gatsby version: ${gatsbyVersion}
 }
 
 module.exports = argv => {
-  const cli = yargs()
+  const cli = yargs().parserConfiguration({
+    "boolean-negation": false,
+  })
   const isLocalSite = isLocalGatsbySite()
 
   cli

diff --git a/packages/gatsby-dev-cli/package.json b/packages/gatsby-dev-cli/package.json
@@ -22,7 +22,7 @@
     "request": "2.88.2",
     "signal-exit": "^3.0.3",
     "verdaccio": "^4.6.2",
-    "yargs": "^8.0.2"
+    "yargs": "^15.3.1"
   },
   "devDependencies": {
     "@babel/cli": "^7.8.4",

diff --git a/yarn.lock b/yarn.lock
@@ -7287,14 +7287,6 @@ clipboardy@^2.3.0:
     execa "^1.0.0"
     is-wsl "^2.1.1"
 
-cliui@^3.2.0:
-  version "3.2.0"
-  resolved "https://registry.yarnpkg.com/cliui/-/cliui-3.2.0.tgz#120601537a916d29940f934da3b48d585a39213d"
-  dependencies:
-    string-width "^1.0.1"
-    strip-ansi "^3.0.1"
-    wrap-ansi "^2.0.0"
-
 cliui@^4.0.0:
   version "4.1.0"
   resolved "https://registry.yarnpkg.com/cliui/-/cliui-4.1.0.tgz#348422dbe82d800b3022eef4f6ac10bf2e4d1b49"
@@ -26246,12 +26238,6 @@ yargs-parser@^18.1.1:
     camelcase "^5.0.0"
     decamelize "^1.2.0"
 
-yargs-parser@^7.0.0:
-  version "7.0.0"
-  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-7.0.0.tgz#8d0ac42f16ea55debd332caf4c4038b3e3f5dfd9"
-  dependencies:
-    camelcase "^4.1.0"
-
 yargs-parser@^8.1.0:
   version "8.1.0"
   resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-8.1.0.tgz#f1376a33b6629a5d063782944da732631e966950"
@@ -26264,7 +26250,7 @@ yargs-parser@^9.0.2:
   dependencies:
     camelcase "^4.1.0"
 
-yargs@12.0.5, yargs@^12.0.2, yargs@^12.0.5:
+yargs@12.0.5, yargs@^12.0.2:
   version "12.0.5"
   resolved "https://registry.yarnpkg.com/yargs/-/yargs-12.0.5.tgz#05f5997b609647b64f66b81e3b4b10a368e7ad13"
   dependencies:
@@ -26298,7 +26284,7 @@ yargs@13.2.4:
     y18n "^4.0.0"
     yargs-parser "^13.1.0"
 
-yargs@15.3.1, yargs@^15.0.2:
+yargs@15.3.1, yargs@^15.0.2, yargs@^15.3.1:
   version "15.3.1"
   resolved "https://registry.yarnpkg.com/yargs/-/yargs-15.3.1.tgz#9505b472763963e54afe60148ad27a330818e98b"
   integrity sha512-92O1HWEjw27sBfgmXiixJWT5hRBp2eobqXicLtPBIDBhYB+1HpwZlXmbW2luivBJHBzki+7VyCLRtAkScbTBQA==
@@ -26383,24 +26369,6 @@ yargs@^14.2.0, yargs@^14.2.2:
     y18n "^4.0.0"
     yargs-parser "^15.0.0"
 
-yargs@^8.0.2:
-  version "8.0.2"
-  resolved "https://registry.yarnpkg.com/yargs/-/yargs-8.0.2.tgz#6299a9055b1cefc969ff7e79c1d918dceb22c360"
-  dependencies:
-    camelcase "^4.1.0"
-    cliui "^3.2.0"
-    decamelize "^1.1.1"
-    get-caller-file "^1.0.1"
-    os-locale "^2.0.0"
-    read-pkg-up "^2.0.0"
-    require-directory "^2.1.1"
-    require-main-filename "^1.0.1"
-    set-blocking "^2.0.0"
-    string-width "^2.0.0"
-    which-module "^2.0.0"
-    y18n "^3.2.1"
-    yargs-parser "^7.0.0"
-
 yauzl@^2.10.0, yauzl@^2.4.2:
   version "2.10.0"
   resolved "https://registry.yarnpkg.com/yauzl/-/yauzl-2.10.0.tgz#c7eb17c93e112cb1086fa6d8e51fb0667b79a5f9"