From 8820f035a6ec93f402085d81f680443dd81b3906 Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sun, 25 Aug 2024 17:03:14 +0200
Subject: [PATCH 1/4] Fix getting npm version through CLI

Update the logic to get the npm version from the npm CLI to use the synchronous version of `exec`, `execSync`, to ensure the output can be read correctly. In the previous implementation the output would not be read correctly, leading to the comparison at `handleInput.ts:14` always evaluating to false and `'--omit=dev'` always being used.
---
 src/utils/npm.ts | 7 +++----
 test/handlers/flags.test.ts | 6 +++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/utils/npm.ts b/src/utils/npm.ts
index 8b02b67..f55a493 100644
--- a/src/utils/npm.ts
+++ b/src/utils/npm.ts
@@ -1,11 +1,10 @@
-import { exec } from 'child_process';
-import { Readable } from 'stream';
+import { execSync } from 'child_process';
 
 /**
  * Get the current npm version
  * @return {String} The npm version
  */
 export function getNpmVersion(): string {
-  const version = exec('npm --version');
-  return (version.stdout as Readable).toString();
+  const version = execSync('npm --version');
+  return version.toString();
 }
diff --git a/test/handlers/flags.test.ts b/test/handlers/flags.test.ts
index 8268b71..2f12d19 100644
--- a/test/handlers/flags.test.ts
+++ b/test/handlers/flags.test.ts
@@ -1,7 +1,9 @@
 import sinon from 'sinon';
 import { expect } from 'chai';
+import * as semver from 'semver';
 import { CommandOptions } from '../../src/types';
 import handleInput from '../../src/handlers/handleInput';
+import { getNpmVersion } from '../../src/utils/npm';
 
 describe('Flags', () => {
   describe('default', () => {
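Review bot: `getNpmVersion` now returns the raw stdout of `npm --version`, which carries a trailing newline, and `execSync` throws synchronously when npm is not on PATH or exits non-zero — a failure mode the previous asynchronous `exec` call did not surface at this point, so the caller at handleInput.ts:14 named in the commit message (outside this hunk) should be prepared for a thrown error rather than a falsy comparison. I would return a clean string and keep npm's own stderr notices out of this tool's output: `return execSync('npm --version', { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).trim();`. Whether semver tolerates the trailing newline depends on the semver version in use, so trimming here removes that dependency. The JSDoc `@return {String}` also restates the TypeScript return type; `@returns The npm version reported by the CLI; throws if npm cannot be executed` would document the new failure mode instead.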
@@ -92,7 +94,9 @@ describe('Flags', () => { it('should be able to set production mode from the command flag correctly', () => { const callbackStub = sinon.stub(); const options = { production: true }; - const auditCommand = 'npm audit --omit=dev'; + const npmVersion = getNpmVersion(); + const flag = semver.satisfies(npmVersion, '<=8.13.2') ? '--production' : '--omit=dev'; + const auditCommand = `npm audit ${flag}`; const auditLevel = 'info'; const exceptionIds: string[] = []; From 5df4120aeadb5dc1d8750c4d863eee3bd6e1aab6 Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Sun, 1 Sep 2024 16:48:31 +0200 Subject: [PATCH 2/4] Bump micromatch from 4.0.4 to 4.0.8 This addresses CVE-2024-4067 / GHSA-952p-6rrq-rcjv as identified by `npm audit`. --- package-lock.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index c77f4f0..277fee5 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1659,12 +1659,14 @@ } }, "node_modules/micromatch": { - "version": "4.0.4", + "version": "4.0.8", + "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz", + "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==", "dev": true, "license": "MIT", "dependencies": { - "braces": "^3.0.1", - "picomatch": "^2.2.3" + "braces": "^3.0.3", + "picomatch": "^2.3.1" }, "engines": { "node": ">=8.6" From 5fef77c50f682e5a631b75ecded9a1d2c268ad01 Mon Sep 17 00:00:00 2001 From: Jee Mok Date: Mon, 2 Sep 2024 10:49:03 +0800 Subject: [PATCH 3/4] Updated CHANGELOG --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index beaf858..b4f836c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
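Review bot: The expected command in this test is now derived at run time from `getNpmVersion()` and the `semver.satisfies(npmVersion, '<=8.13.2')` split the implementation presumably uses, so the assertion can only fail if the two are wired differently, never if the threshold or the flag spelling is wrong, and it requires a working `npm` on PATH wherever the suite runs. Since `sinon` is already imported, stubbing the version pins both branches deterministically: with `import * as npmUtils from '../../src/utils/npm'`, one case does `sinon.stub(npmUtils, 'getNpmVersion').returns('8.13.2')` and expects `'npm audit --production'`, and a sibling case returns `'8.14.0'` and expects `'npm audit --omit=dev'`. Whether such a stub takes effect depends on how handleInput.ts imports the helper (sinon can only intercept a property lookup on the module object), so that should be checked before relying on it. The `it` callback continues past the end of the hunk.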
@@ -1,3 +1,8 @@ +## 3.9.0 (September 2, 2024) + +- [5df4120](https://github.com/jeemok/better-npm-audit/commit/5df4120aeadb5dc1d8750c4d863eee3bd6e1aab6) Bump micromatch from 4.0.4 to 4.0.8 +- [8820f03](https://github.com/jeemok/better-npm-audit/commit/8820f035a6ec93f402085d81f680443dd81b3906) Fix getting npm version through CLI + ## 3.8.1 - 3.8.3 (August 17, 2024) - [607f16e](https://github.com/jeemok/better-npm-audit/commit/607f16edd1eebf2c022a8e6279d8061d9529ebd7) fix(build): ensure lib/index.js is executable after build From 3a997eb9d044707cfa06e6c623c1cc3d96caeff4 Mon Sep 17 00:00:00 2001 From: Jee Mok Date: Mon, 2 Sep 2024 10:49:18 +0800 Subject: [PATCH 4/4] 3.9.0 --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 277fee5..372fb98 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "better-npm-audit", - "version": "3.8.3", + "version": "3.9.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "better-npm-audit", - "version": "3.8.3", + "version": "3.9.0", "license": "MIT", "dependencies": { "commander": "^8.0.0", diff --git a/package.json b/package.json index dea6165..041de1e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "better-npm-audit", - "version": "3.8.3", + "version": "3.9.0", "author": "Jee Mok ", "description": "Reshape into a better npm audit for the community and encourage more people to include security audit into their process.", "license": "MIT",