fix(*): remove shelljs dependency

petebacondarwin · petebacondarwin · commit 18a1c0b0692c · 2019-07-12T16:02:18.000+01:00
Using `shelljs.exec()` has been flagged as a security issue, so this  commit
removes it as a dependency and uses `child_process.spanSync()` instead.
diff --git a/git/mocks/mocks.js b/git/mocks/mocks.js
@@ -57,7 +57,7 @@ var mockGitDescribe = {
   stdout: 'v0.10.15'
 };
 
-var mockShellDefault = {
+var mockDefaultFail = {
   code: 1,
   stdout: "default"
 };
@@ -84,5 +84,5 @@ module.exports = {
   mockGitDescribe: mockGitDescribe,
   mockGitLsRemoteTags: mockGitLsRemoteTags,
   mockGitRevParse: mockGitRevParse,
-  mockShellDefault: mockShellDefault
+  mockDefaultFail: mockDefaultFail
 };
diff --git a/git/services/getPreviousVersions.js b/git/services/getPreviousVersions.js
@@ -1,6 +1,6 @@
 'use strict';
 
-var shell = require('shelljs');
+var child = require('child_process');
 var _ = require('lodash');
 var semver = require('semver');
 
@@ -15,9 +15,8 @@ module.exports = function getPreviousVersions(decorateVersion, packageInfo) {
     // not contain all commits when cloned with git clone --depth=...
     // Needed e.g. for Travis
     var repo_url = packageInfo.repository.url;
-    var tagResults = shell.exec('git ls-remote --tags ' + repo_url,
-                                {silent: true});
-    if (tagResults.code === 0) {
+    var tagResults = child.spawnSync('git', ['ls-remote', '--tags', repo_url], {encoding: 'utf8'});
+    if (tagResults.status === 0) {
       return _(tagResults.stdout.match(/v[0-9].*[0-9]$/mg))
         .map(function(tag) {
           var version = semver.parse(tag);
diff --git a/git/services/getPreviousVersions.spec.js b/git/services/getPreviousVersions.spec.js
@@ -7,10 +7,10 @@ var mocks = require('../mocks/mocks.js');
 var mockPackageFactory = require('../mocks/mockPackage');
 
 describe("getPreviousVersions", function() {
-  var getPreviousVersions, shell;
+  var getPreviousVersions, child;
 
   beforeEach(function() {
-    shell = getPreviousVersionsFactory.__get__('shell');
+    child = getPreviousVersionsFactory.__get__('child');
 
     var mockPackage = mockPackageFactory()
       .factory(getPreviousVersionsFactory);
@@ -22,59 +22,59 @@ describe("getPreviousVersions", function() {
   });
 
   it("should have called exec", function() {
-    spyOn(shell, 'exec').and.returnValue({});
+    spyOn(child, 'spawnSync').and.returnValue({});
     getPreviousVersions();
-    expect(shell.exec).toHaveBeenCalled();
+    expect(child.spawnSync).toHaveBeenCalled();
   });
 
   it("should return an empty list for no tags", function() {
-    spyOn(shell, 'exec').and.returnValue({});
+    spyOn(child, 'spawnSync').and.returnValue({});
     expect(getPreviousVersions()).toEqual([]);
   });
 
   it("should return an array of semvers matching tags", function() {
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v0.1.1'
     });
     expect(getPreviousVersions()).toEqual([semver('v0.1.1')]);
   });
 
   it("should match v0.1.1-rc1", function() {
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v0.1.1-rc1'
     });
     expect(getPreviousVersions()).toEqual([semver('v0.1.1-rc1')]);
   });
 
   it("should not match v1.1.1.1", function() {
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v1.1.1.1'
     });
     expect(getPreviousVersions()).toEqual([]);
   });
 
   it("should not match v1.1.1-rc", function() {
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v1.1.1-rc'
     });
     expect(getPreviousVersions()).toEqual([]);
   });
 
   it("should match multiple semvers", function() {
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v0.1.1\nv0.1.2'
     });
     expect(getPreviousVersions()).toEqual([semver('v0.1.1'), semver('v0.1.2')]);
   });
 
   it("should sort multiple semvers", function() {
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v0.1.1\nv0.1.1-rc1'
     });
     expect(getPreviousVersions()).toEqual([semver('v0.1.1-rc1'), semver('v0.1.1')]);
@@ -84,8 +84,8 @@ describe("getPreviousVersions", function() {
   it("should decorate all versions", function() {
     mocks.decorateVersion.calls.reset();
 
-    spyOn(shell, 'exec').and.returnValue({
-      code: 0,
+    spyOn(child, 'spawnSync').and.returnValue({
+      status: 0,
       stdout: 'v0.1.1\nv0.1.2'
     });
     var versions = getPreviousVersions();
diff --git a/git/services/versionInfo.js b/git/services/versionInfo.js
@@ -1,6 +1,6 @@
 'use strict';
 
-var shell = require('shelljs');
+var child = require('child_process');
 var semver = require('semver');
 var _ = require('lodash');
 
@@ -27,7 +27,7 @@ var satisfiesVersion = function(version) {
  * @return {String}         The codename if found, otherwise null/undefined
  */
 var getCodeName = function(tagName) {
-  var gitCatOutput = shell.exec('git cat-file -p ' + tagName, {silent:true}).stdout;
+  var gitCatOutput = child.spawnSync('git', ['cat-file', '-p ' + tagName], {encoding:'utf8'}).stdout;
   var match = gitCatOutput.match(/^.*codename.*$/mg);
   var tagMessage = match && match[0];
   return tagMessage && tagMessage.match(/codename\((.*)\)/)[1];
@@ -38,15 +38,15 @@ var getCodeName = function(tagName) {
  * @return {String} The commit SHA
  */
 function getCommitSHA() {
-  return shell.exec('git rev-parse HEAD', {silent: true}).stdout.replace('\n', '');
+  return child.spawnSync('git', ['rev-parse', 'HEAD'], {encoding:'utf8'}).stdout.replace('\n', '');
 }
 
 /**
  * Compute a build segment for the version, from the Jenkins build number and current commit SHA
  * @return {String} The build segment of the version
  */
 function getBuild() {
-  var hash = shell.exec('git rev-parse --short HEAD', {silent: true}).stdout.replace('\n', '');
+  var hash = child.spawnSync('git', ['rev-parse', '--short', 'HEAD'], {encoding:'utf8'}).stdout.replace('\n', '');
   return 'sha.' + hash;
 }
 
@@ -56,7 +56,7 @@ function getBuild() {
  * @return {SemVer} The version or null
  */
 var getTaggedVersion = function() {
-  var gitTagResult = shell.exec('git describe --exact-match', {silent:true});
+  var gitTagResult = child.spawnSync('git', ['describe', '--exact-match'], {encoding:'utf8'});
 
   if (gitTagResult.code === 0) {
     var tag = gitTagResult.stdout.trim();
@@ -107,7 +107,7 @@ var getSnapshotVersion = function() {
     // last release was a non beta release. Increment the patch level to
     // indicate the next release that we will be doing.
     // E.g. last release was 1.3.0, then the snapshot will be
-    // 1.3.1-build.1, which is lesser than 1.3.1 accorind the semver!
+    // 1.3.1-build.1, which is lesser than 1.3.1 according to semver!
 
     // If the last release was a beta release we don't update the
     // beta number by purpose, as otherwise the semver comparison
diff --git a/git/services/versionInfo.spec.js b/git/services/versionInfo.spec.js
@@ -9,28 +9,28 @@ var versionInfoFactory = rewire('./versionInfo.js');
 
 
 describe("versionInfo", function() {
-  var versionInfo, mockPackage, shellMocks, ciBuild;
+  var versionInfo, mockPackage, gitMocks, ciBuild;
 
   beforeEach(function() {
     mocks.getPreviousVersions.calls.reset();
 
-    var shell = versionInfoFactory.__get__('shell');
+    var child = versionInfoFactory.__get__('child');
 
-    shellMocks = {
+    gitMocks = {
       rev: mocks.mockGitRevParse,
-      describe: mocks.mockShellDefault,
-      cat: mocks.mockShellDefault
+      describe: mocks.mockDefaultFail,
+      cat: mocks.mockDefaultFail
     };
 
-    spyOn(shell, 'exec').and.callFake(function (input) {
-      if (input.indexOf('git rev-parse') == 0) {
-        return shellMocks.rev;
-      } else if (input.indexOf('git describe --exact-match') == 0) {
-        return shellMocks.describe;
-      } else if (input.indexOf('git cat-file') == 0) {
-        return shellMocks.cat;
+    spyOn(child, 'spawnSync').and.callFake(function (command, args) {
+      if (args[0] === 'rev-parse') {
+        return gitMocks.rev;
+      } else if (args[0] === 'describe') {
+        return gitMocks.describe;
+      } else if (args[0] === 'cat-file') {
+        return gitMocks.cat;
       } else {
-        return mocks.mockShellDefault;
+        return mocks.mockDefaultFail;
       }
     });
 
@@ -138,8 +138,8 @@ describe("versionInfo", function() {
   describe("currentVersion with annotated tag", function() {
 
     beforeEach(function() {
-      shellMocks.cat = mocks.mockGitCatFile;
-      shellMocks.describe = mocks.mockGitDescribe;
+      gitMocks.cat = mocks.mockGitCatFile;
+      gitMocks.describe = mocks.mockGitDescribe;
 
       versionInfo = versionInfoFactory(
         function() {},
@@ -148,7 +148,7 @@ describe("versionInfo", function() {
     });
 
     it("should have a version matching the tag", function() {
-      var tag = shellMocks.describe.stdout.trim();
+      var tag = gitMocks.describe.stdout.trim();
       var version = semver.parse(tag);
       expect(versionInfo.currentVersion.version).toBe(version.version);
     });
@@ -158,7 +158,7 @@ describe("versionInfo", function() {
     });
 
     it("should set codeName to null if it doesn't have a codename specified", function() {
-      shellMocks.cat = mocks.mockGitCatFileNoCodeName;
+      gitMocks.cat = mocks.mockGitCatFileNoCodeName;
 
       var dgeni = new Dgeni([mockPackage]);
       var injector = dgeni.configureInjector();
@@ -167,7 +167,7 @@ describe("versionInfo", function() {
     });
 
     it("should set codeName to falsy if it has a badly formatted codename", function() {
-      shellMocks.cat = mocks.mockGitCatFileBadFormat;
+      gitMocks.cat = mocks.mockGitCatFileBadFormat;
 
       var dgeni = new Dgeni([mockPackage]);
       var injector = dgeni.configureInjector();
diff --git a/package.json b/package.json
@@ -55,7 +55,6 @@
     "nunjucks": "^3.1.6",
     "rehype": "^8.0.0",
     "semver": "^5.2.0",
-    "shelljs": "^0.7.0",
     "source-map-support": "^0.4.15",
     "spdx-license-list": "^2.1.0",
     "stringmap": "^0.2.2",
diff --git a/yarn.lock b/yarn.lock
@@ -1924,7 +1924,7 @@ set-value@^2.0.0:
     is-plain-object "^2.0.3"
     split-string "^3.0.1"
 
-shelljs@^0.7.0, shelljs@^0.7.4:
+shelljs@^0.7.4:
   version "0.7.8"
   resolved "https://registry.yarnpkg.com/shelljs/-/shelljs-0.7.8.tgz#decbcf874b0d1e5fb72e14b164a9683048e9acb3"
   integrity sha1-3svPh0sNHl+3LhSxZKloMEjprLM=
