fix: Dependency upgrades, remove vulnerable serve (#115)

* chore: dependency upgrades
* chore: remove vulnerable dependency, write own test server

Author: chriswilty

jest-puppeteer.config.js

@@ -1,6 +1,6 @@
 export default {
   server: {
-    command: "npx serve -l 8080",
+    command: "node test/serve.js 8080",
     port: 8080,
   },
   launch: {

package.json

@@ -6,28 +6,28 @@
   "type": "module",
   "license": "MIT",
   "devDependencies": {
-    "@babel/core": "^7.25.2",
-    "@babel/plugin-external-helpers": "^7.24.7",
-    "@babel/preset-env": "^7.25.4",
+    "@babel/core": "^7.25.7",
+    "@babel/plugin-external-helpers": "^7.25.7",
+    "@babel/preset-env": "^7.25.7",
     "@jest/globals": "^29.7.0",
     "@rollup/plugin-babel": "^6.0.4",
-    "@rollup/plugin-node-resolve": "^15.2.3",
-    "@rollup/plugin-replace": "^5.0.7",
+    "@rollup/plugin-node-resolve": "^15.3.0",
+    "@rollup/plugin-replace": "^6.0.1",
     "@rollup/plugin-terser": "^0.4.4",
+    "@types/node": "^20.16.11",
     "jest": "^29.7.0",
-    "jest-puppeteer": "^10.1.0",
+    "jest-puppeteer": "^10.1.1",
     "prettier": "^3.3.3",
-    "puppeteer": "^23.2.2",
-    "rollup": "^4.21.2",
-    "rollup-plugin-import-css": "^3.5.1",
-    "semantic-release": "^24.1.2",
-    "serve": "^14.2.3"
+    "puppeteer": "^23.5.2",
+    "rollup": "^4.24.0",
+    "rollup-plugin-import-css": "^3.5.4",
+    "semantic-release": "^24.1.2"
   },
   "scripts": {
     "test": "yarn run test:prettier && yarn run test:jest",
     "test:jest": "yarn run build && jest",
-    "test:prettier": "prettier --check src/**/*.js",
-    "test:serve": "serve -l 8081",
+    "test:prettier": "prettier --check **/*.js",
+    "test:serve": "node test/serve.js",
     "build": "rollup -c",
     "watch": "rollup -c -w",
     "prepack": "yarn run build",

rollup.config.js

@@ -10,17 +10,13 @@ export default {
     resolve(),
     replace({
       values: {
-        '__VERSION': process.env.npm_package_version,
+        __VERSION: process.env.npm_package_version,
       },
       preventAssignment: true,
     }),
     css({ minify: true, output: "applause-button.css" }),
     babel({
-      presets: [
-        [
-          "@babel/preset-env"
-        ]
-      ],
+      presets: [["@babel/preset-env"]],
       babelHelpers: "bundled",
     }),
     terser(),

src/applause-button.test.js renamed to test/applause-button.test.js

@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+import { createReadStream, existsSync } from "node:fs";
+import http from "node:http";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+/*
+ * Simple node server, restricted to serving only the assets we expect.
+ *
+ * Listens on port 8081 by default; provide port on commandline to override:
+ *
+ * > node test/serve.js 3000
+ */
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const port = +process.argv[2] || 8081;
+const pathToContentType = {
+  "index.html": "text/html; charset=utf-8",
+  "dist/applause-button.js": "text/javascript",
+  "dist/applause-button.css": "text/css",
+};
+
+(() => {
+  const server = http.createServer((req, res) => {
+    if (req.method !== "GET") {
+      res.writeHead(405);
+      res.end();
+      return;
+    }
+    // Find file from URL path
+    const path = req.url?.substring(1) || "index.html"; //chop off leading slash
+    if (!Object.hasOwn(pathToContentType, path)) {
+      res.writeHead(404);
+      res.end();
+      return;
+    }
+    const file = join(__dirname, "..", path);
+    if (!existsSync(file)) {
+      res.writeHead(404);
+      res.write("Did you forget to build?");
+      res.end();
+      return;
+    }
+
+    res.setHeader("Content-Type", pathToContentType[path]);
+    res.writeHead(200);
+    createReadStream(file).pipe(res);
+  });
+
+  server.listen(port, () => {
+    console.log(`Server listening on http://localhost:${port}`);
+  });
+})();