[Snyk] Upgrade commander from 4.0.1 to 11.0.0

[naiba4]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade commander from 4.0.1 to 11.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 39 versions ahead of your current version.
• The recommended version was released 3 months ago, on 2023-06-16.

Release notes

Package name: commander

• 11.0.0 - 2023-06-16
  

  Fixed

  • help command works when help option is disabled (#1864)

  Changed

  • leading and trailing spaces are now ignored by the .arguments() method (#1874)
  • refine "types" exports for ESM to follow TypeScript guidelines (#1886)
  • Breaking: Commander 11 requires Node.js v16 or higher
• 10.0.1 - 2023-04-15
  

  Added

  • improvements to documentation (#1858, #1859, #1860)

  Fixed

  • remove unused Option.optionFlags property from TypeScript definition (#1844)

  Changed

  • assume boolean option intended if caller passes string instead of hash to .implies() (#1854)
• 10.0.0 - 2023-01-14
  

  Added

  • wrap command description in help (#1804)

  Changed

  • Breaking: Commander 10 requires Node.js v14 or higher
• 9.5.0 - 2023-01-07
  

  Added

  • .getOptionValueSourceWithGlobals() (#1832)
  • showGlobalOptions for .configureHelp{} and Help (#1828)
• 9.4.1 - 2022-09-30
  

  Fixed

  • .setOptionValue() now also clears option source (#1795)
  • TypeScript: add implied to OptionValueSource for option values set by using .implies() (#1794)
  • TypeScript : add undefined to return type of .getOptionValueSource() (#1794)

  Changed

  • additions to README
• 9.4.0 - 2022-07-15
  

  Added

  • preSubcommand hook called before direct subcommands (#1763)

  Fixed

  • export InvalidOptionArgumentError in esm (#1756)

  Changed

  • update dependencies (#1767)
• 9.3.0 - 2022-05-28
  

  Added

  • .summary() for a short summary to use instead of description when listing subcommands in help (#1726)
  • Option.implies() to set other option values when the option is specified (#1724)
  • updated Chinese README with 9.x changes (#1727)

  Fixed

  • TypeScript: add string[] to .options() default value parameter type for use with variadic options (#1721)

  Deprecated

  • multi-character short option flag (e.g. -ws) (#1718)
• 9.2.0 - 2022-04-15
  

  Added

  • conditional export of 'types' for upcoming TypeScript module resolution (#1703)
  • example file showing two ways to add global options to subcommands (#1708)

  Fixed

  • detect option conflicts in parent commands of called subcommand (#1710)

  Changed

  • replace deprecated String.prototype.substr (#1706)
• 9.1.0 - 2022-03-18
  

  Added

  • Option .conflicts() to set conflicting options which can not be specified together (#1678)
  • (developer) CodeQL configuration for GitHub Actions (#1698)
• 9.0.0 - 2022-01-29
  

  Added

  • simpler ECMAScript import (#1589)
  • Option.preset() allows specifying value/arg for option when used without option-argument (especially optional, but also boolean option) (#1652)
  • .executableDir() for custom search for subcommands (#1571)
  • throw with helpful message if pass Option to .option() or .requiredOption() (#1655)
  • .error() for generating errors from client code just like Commander generated errors, with support for .configureOutput (), .exitOverride(), and .showHelpAfterError() (#1675)
  • .optsWithGlobals() to return merged local and global options (#1671)

  Changed

  • Breaking: Commander 9 requires Node.js v12.20.0 or higher
  • update package-lock.json to lockfile@2 format (#1659)
  • showSuggestionAfterError is now on by default (#1657)
  • Breaking: default value specified for boolean option now always used as default value (see .preset() to match some previous behaviours) (#1652)
  • default value for boolean option only shown in help if true/false (#1652)
  • use command name as prefix for subcommand stand-alone executable name (with fallback to script name for backwards compatibility) (#1571)
  • allow absolute path with executableFile (#1571)
  • removed restriction that nested subcommands must specify executableFile (#1571)
  • TypeScript: allow passing readonly string array to .choices() (#1667)
  • TypeScript: allow passing readonly string array to .parse(), .parseAsync(), .aliases() (#1669)

  Fixed

  • option with optional argument not supplied on command line now works when option already has a value, whether from default value or from previous arguments (#1652)

  Removed

  • Breaking: removed internal fallback to require.main.filename when script not known from arguments passed to .parse()
    (can supply details using .name(), and .executableDir() or executableFile) (#1571)
• 9.0.0-1 - 2022-01-14
• 9.0.0-0 - 2021-12-22
• 8.3.0 - 2021-10-22
• 8.2.0 - 2021-09-10
• 8.1.0 - 2021-07-27
• 8.0.0 - 2021-06-25
• 8.0.0-2 - 2021-06-06
• 8.0.0-1 - 2021-05-31
• 8.0.0-0 - 2021-05-22
• 7.2.0 - 2021-03-21
• 7.1.0 - 2021-02-15
• 7.0.0 - 2021-01-15
• 7.0.0-2 - 2020-12-14
• 7.0.0-1 - 2020-11-21
• 7.0.0-0 - 2020-10-25
• 6.2.1 - 2020-12-14
• 6.2.0 - 2020-10-25
• 6.1.0 - 2020-08-28
• 6.0.0 - 2020-07-19
• 6.0.0-0 - 2020-06-20
• 5.1.0 - 2020-04-25
• 5.0.0 - 2020-03-14
• 5.0.0-4 - 2020-03-03
• 5.0.0-3 - 2020-02-20
• 5.0.0-2 - 2020-02-11
• 5.0.0-1 - 2020-02-08
• 5.0.0-0 - 2020-02-01
• 4.1.1 - 2020-02-03
• 4.1.0 - 2020-01-06
• 4.0.1 - 2019-11-11

from commander GitHub release notes

Commit messages

Package name: commander

• 4ef19fa Bump version
• 1be6dfa Adjust date
• 1b8e82d Update CHANGELOG for 11.0.0
• 752900d Lint fixes for latest rules
• 76d3d11 Update to minimum of node 16
• a4c96e6 Add separate type file for esm per TypeScript guidelines (make test removes content created by eosio_build.sh EOSIO/eos#1886)
• ffc7897 Deprecate import from commander/esm.mjs ( GH #1867 Test to verify unspecified transaction expiration throws. EOSIO/eos#1887)
• 2f07c2a trim() input string of .arguments method
• 60958df Add npm run-script to README (DAWN-386 ⁃ port special tests EOSIO/eos#1872)
• 63abdac Have help command call help directly for subcommands, when possible (docker hub EOSIO/eos#1864)
• fac9d8c ci: add 20.x to `node-version`
• 33195f1 Update CHANGELOG and version for 10.0.1
• 321cd76 Could be multiple hooks, pluralise
• 5fbf83a Add new documentation to README
• 28928ed Add parsing life cycle and hooks
• 1aa5271 Describe help description wrapping
• ee78d95 Link to Help class in configure-help.js and README.
• f4c7349 Assume a string parameter to implies is name of boolean option. (Provide better error message for Boost.Test unknown type exception EOSIO/eos#1854)
• 869c3c0 Remove unused property (DAWN-690 ⁃ Enable integration tests  EOSIO/eos#1844)
• 8b03ab7 10.0.0
• d0dac4c Update CHANGELOG (Require checking alignment for all pointer and reference types through wasm interface. EOSIO/eos#1840)
• 2bdd631 Merge branch 'master' into release/10.x
• 7a5bd06 9.5.0
• e6d85fc Fix year for release

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
commander	4.0.1...11.0.0	environment	+0/-0	176 kB	abetomo

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Environment variable access	commander	11.0.0	Env Vars: Location: lib/command.js +2 more instances...	package.json

Next steps

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore [email protected]