Get latest version direct from package-json

This pulls in security patches from the latest non-ESM version of `got`. https://app.snyk.io/vuln/SNYK-JS-GOT-2932019
seek-oss · Jun 19, 2022 · f21cbb1 · f21cbb1
1 parent 1a6a1aa
commit f21cbb1
Show file tree

Hide file tree

Showing 5 changed files with 153 additions and 122 deletions.
diff --git a/.changeset/eighty-spoons-draw.md b/.changeset/eighty-spoons-draw.md
@@ -0,0 +1,7 @@
+---
+'skuba': patch
+---
+
+deps: package-json ^7.0.0
+
+Resolves [SNYK-JS-GOT-2932019](https://security.snyk.io/vuln/SNYK-JS-GOT-2932019).
diff --git a/package.json b/package.json
@@ -27,11 +27,11 @@
     "isomorphic-git": "^1.11.1",
     "jest": "^28.1.0",
     "jest-watch-typeahead": "^1.1.0",
-    "latest-version": "^5.1.0",
     "lodash.mergewith": "^4.6.2",
     "normalize-package-data": "^4.0.0",
     "npm-run-path": "^4.0.1",
     "npm-which": "^3.0.1",
+    "package-json": "^7.0.0",
     "picomatch": "^2.2.2",
     "prettier": "~2.7.0",
     "read-pkg-up": "^7.0.1",

diff --git a/src/cli/configure/analyseDependencies.ts b/src/cli/configure/analyseDependencies.ts
@@ -1,14 +1,13 @@
 import path from 'path';
 
 import fs from 'fs-extra';
-import latestVersion from 'latest-version';
 import type { NormalizedReadResult } from 'read-pkg-up';
 
 import type { TextProcessor } from '../../utils/copy';
 import { copyFiles } from '../../utils/copy';
 import { log } from '../../utils/logging';
 import type { ProjectType } from '../../utils/manifest';
-import { getSkubaVersion } from '../../utils/version';
+import { getSkubaVersion, latestNpmVersion } from '../../utils/version';
 
 import { diffDependencies, generateNotices } from './analysis/package';
 import * as dependencyMutators from './dependencies';
@@ -42,7 +41,7 @@ const pinUnspecifiedVersions = async (
       .map(async ([name]) => {
         const version = await (name === 'skuba'
           ? getSkubaVersion()
-          : latestVersion(name));
+          : latestNpmVersion(name));
 
         return [name, version] as const;
       }),

diff --git a/src/utils/version.ts b/src/utils/version.ts
@@ -1,11 +1,23 @@
-import latestVersion from 'latest-version';
+import packageJson from 'package-json';
 
 import { getSkubaManifest } from './manifest';
 import { withTimeout } from './wait';
 
+export const latestNpmVersion = async (
+  packageName: string,
+): Promise<string> => {
+  const { version } = await packageJson(packageName);
+
+  if (typeof version !== 'string') {
+    throw new Error(`No version found for package "${packageName}"`);
+  }
+
+  return version;
+};
+
 const latestSkubaVersion = async (): Promise<string | null> => {
   try {
-    const result = await withTimeout(latestVersion('skuba'), { s: 2 });
+    const result = await withTimeout(latestNpmVersion('skuba'), { s: 2 });
 
     return result.ok ? result.value : null;
   } catch {