We are using the latest handlebars 4.7.3, but we noticed that one of the dependencies, optimist, is deprecated. There is a ticket to switch to yargs instead (https://github.com/wycats/handlebars.js/issues/1179) and it was closed with the merged PR (https://github.com/wycats/handlebars.js/pull/1180). However, the merged PR is not in the 4.x release yet. Please fix this in the 4.x release.
I think it may break the cli, so I'd rather not update in the 4.x branch.
I am sometimes working on 5.0 in the master, but since this is all voluntary work and I have a lot of other duties, I cannot tell when it will be ready.
Moving from optimist to minimist or yargs would also allow for easier mitigation of the SNYK-JS-MINIMIST-559764 security vulnerability (which requires minimist@0.2.1, which does not fit optimist's semver range of minimist@~0.0.1).
This would be something I would imagine that Handlebars would want to backport to the 4.x branch.
An alternative that I have proposed is to relax the dependencies in optimist, but since it's deprecated, I think there's a high chance it will not receive any fixes anymore: https://github.com/substack/node-optimist/pull/150
Edit: Workaround below, using Yarn: https://github.com/wycats/handlebars.js/issues/1658#issuecomment-603768912
OK, I think we can give it a shot. The yargs API really seems to be like the optimist API. Does anybody want to create a PR for 4.x?
I would really feel better if there were some more tests verifying that the CLI still works the same after the migration.
There is currently only one here. It would be cool to have some test using different parameters.
Create some tests, check that they work with optimist, then migrate to yargs and see if they still work.
Could anybody do that?
If you use Yarn, here's a workaround for now until this is fixed (maybe with #1662):
Add the following resolution to your package.json and run yarn.
"resolutions": {
"**/optimist/minimist": "0.2.1"
}
This will force all versions of optimist to use minimist@0.2.1, regardless of which package is depending on optimist.
The latest optimist version (0.6.1, released 6 years ago) depends on a vulnerable version range of minimist which causes npm audit errors in projects that depend on handlebars directly or indirectly. A removal of optimist would be very appreciated, thank you!
See #1661
Released in 4.7.4