swap in yargs for optimist and patch a few other security vulnerabilities (#157)

jgravois · web-flow · commit dc1f389b1d56 · 2021-01-15T09:04:06.000+01:00
* swap in yargs for optimist and patch a few other vulns

* isolate the require statement

* drop node8 from test matrix

* make the require look like it used to
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 *.sw*
 node_modules
 static/reporter.js
+.nyc_output/
+package-lock.json
diff --git a/.travis.yml b/.travis.yml
@@ -1,6 +1,5 @@
 language: node_js
 node_js:
-  - 8
   - 10
   - 12
   - 14
diff --git a/bin/bin.js b/bin/bin.js
@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 var run = require('..');
-var optimist = require('optimist');
+var yargs = require('yargs/yargs')
 
-var argv = optimist
+var argv = yargs(process.argv.slice(2))
   .usage(
     'Run JavaScript in a browser.\n' +
     'Write code to stdin and receive console output on stdout.\n' +
@@ -34,13 +34,13 @@ var argv = optimist
 
   .describe('basedir', 'Set this if you need to require node modules in node mode')
 
+  .help('h')
   .describe('help', 'Print help')
   .alias('h', 'help')
 
   .argv;
 
 argv.nodeIntegration = argv['node-integration']
-if (argv.help) return optimist.showHelp();
 
 process.stdin
   .pipe(run(argv))
diff --git a/package.json b/package.json
@@ -23,19 +23,19 @@
     "ecstatic": "^4.1.2",
     "electron-stream": "^8.0.0",
     "enstore": "^1.0.1",
-    "html-inject-script": "^1.1.0",
-    "optimist": "^0.6.1",
+    "html-inject-script": "^2.0.0",
     "server-destroy": "^1.0.1",
     "source-map-support": "^0.4.0",
     "through": "^2.3.8",
     "xhr-write-stream": "^0.1.2",
-    "xtend": "^4.0.1"
+    "xtend": "^4.0.1",
+    "yargs": "^16.2.0"
   },
   "devDependencies": {
     "browserify": "^14.1.0",
     "concat-stream": "^1.5.1",
     "np": "^6.2.3",
-    "tap": "^10.0.1",
+    "tap": "^14.11.0",
     "tree-kill": "^1.0.0",
     "utf8-stream": "^0.0.0"
   },
