Update yargs dependency for @wordpress/env to fix CVE-2021-3807. (#…

…37601) * Update yargs dependency for @wordpress/env. Fixes minor vulnerability in dependency tree: https://nvd.nist.gov/vuln/detail/CVE-2021-3807 * Update parseXdebugMode since undefined is now passed to the coerce callback.
WordPress · Dec 23, 2021 · 1246ac5 · 1246ac5
1 parent f00eab0
commit 1246ac5
Show file tree

Hide file tree

Showing 5 changed files with 137 additions and 163 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/env/CHANGELOG.md b/packages/env/CHANGELOG.md
@@ -2,11 +2,13 @@
 
 ## Unreleased
 
+- Updated `yargs` to fix [CVE-2021-3807](https://nvd.nist.gov/vuln/detail/CVE-2021-3807).
+
 ## 4.1.3 (2021-11-07)
 
 ### Bug Fix
 
-- Fix Xdebug installation code to ensure it would fail gracefully
+-  Fix Xdebug installation code to ensure it would fail gracefully
 
 ## 4.0.3 (2021-04-29)
 

diff --git a/packages/env/lib/parse-xdebug-mode.js b/packages/env/lib/parse-xdebug-mode.js
@@ -4,23 +4,24 @@ const XDEBUG_MODES = [
  'coverage',
  'debug',
  'gcstats',
+ 'off',
  'profile',
  'trace',
 ];
 
 /**
- * Custom parsing for the Xdebug mode set via yargs. This function ensures two things:
- * 1. If the --xdebug flag was set by itself, default to 'debug'.
- * 2. If the --xdebug flag includes modes, make sure they are accepted by Xdebug.
+ * Custom parsing for the Xdebug mode set via yargs. This function ensures three things:
+ * 1. If the --xdebug flag was not set, set it to 'off'.
+ * 2. If the --xdebug flag was set by itself, default to 'debug'.
+ * 3. If the --xdebug flag includes modes, make sure they are accepted by Xdebug.
  *
- * Note: ideally, we would also have this handle the case where no xdebug flag
- * is set (and then turn Xdebug off). However, yargs does not pass 'undefined'
- * to the coerce callback, so we cannot handle that case here.
- *
- * @param {string} value The user-set mode of Xdebug
+ * @param {string|undefined} value The user-set mode of Xdebug; undefined if there is no --xdebug flag.
  * @return {string} The Xdebug mode to use with defaults applied.
  */
 module.exports = function parseXdebugMode( value ) {
+ if ( value === undefined ) {
+ return 'off';
+ }
  if ( typeof value !== 'string' ) {
  throwXdebugModeError( value );
  }

diff --git a/packages/env/package.json b/packages/env/package.json
@@ -43,7 +43,7 @@
  "rimraf": "^3.0.2",
  "simple-git": "^2.35.0",
  "terminal-link": "^2.0.0",
- "yargs": "^14.0.0"
+ "yargs": "^17.3.0"
  },
  "publishConfig": {
  "access": "public"

diff --git a/packages/env/test/parse-xdebug-mode.js b/packages/env/test/parse-xdebug-mode.js
@@ -4,10 +4,16 @@
 const parseXdebugMode = require( '../lib/parse-xdebug-mode' );
 
 describe( 'parseXdebugMode', () => {
- it( 'throws an error if the passed value is not a string', () => {
- expect( () => parseXdebugMode() ).toThrow(
- 'is not a mode recognized by Xdebug'
- );
+ it( 'throws an error if the passed value is neither a string nor undefined', () => {
+ const errorMessage = 'is not a mode recognized by Xdebug';
+ expect( () => parseXdebugMode( true ) ).toThrow( errorMessage );
+ expect( () => parseXdebugMode( false ) ).toThrow( errorMessage );
+ expect( () => parseXdebugMode( 1 ) ).toThrow( errorMessage );
+ } );
+
+ it( 'sets the Xdebug mode to "off" if no --xdebug flag is passed', () => {
+ const result = parseXdebugMode( undefined );
+ expect( result ).toEqual( 'off' );
  } );
 
  it( 'sets the Xdebug mode to "debug" if no mode is specified', () => {