
Bump dependency escodegen to ^2.0.0

Eric Cornelissen requested to merge ericcornelissen/jsfuzz:bump-escodegen into master

Upgrade the dependency escodegen from ^1.12.0 to ^2.0.0. This is a major version bump because the minimum Node.js version changed from 4.0 to 6.0 which doesn't affect this package because 6.0 is already the minimum version required by some other dependencies (e.g. get-caller-file).

This change is motivated by a vulnerability reported in word-wrap, which is introduced in the dependency tree through escodegen and then optionator. The package optionator has resolved this problem starting in v0.9.2. This upgrade path will likely, if ever, only become available in the escodegen v2.0.0 release line (it already is on its development head).

For more information see: https://github.com/estools/escodegen/issues/456


Also, while working on this I noticed that it actually looks like escodegen is unused and could be removed as a dependency (along with @types/escodegen). I opted to submit this patch first because it is more clearly correct - I'm not necessarily familiar enough with the internals of this project to say if a dependency is actually unused.

For completeness, I ran both depcheck and unimported against this project and found (after manual evaluation) the following dependencies appear to be unused:

  • escodegen (and @types/escodegen)
  • esprima (and @types/esprima)
  • estraverse (and @types/estraverse)
  • @types/estree
  • inversify
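The description above reasons about a transitive path (escodegen, then optionator, then word-wrap) and a version threshold (optionator 0.9.2 or later) without showing how to verify either against a lockfile. The following is an added example, not code from the merge request or from the jsfuzz project: it walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), lists every root-to-target dependency path using npm's nearest-`node_modules` resolution, and checks every installed copy of the intermediate package against a fix threshold. The two lockfile fixtures are constructed for illustration; the version numbers in them are assumptions, not jsfuzz's real lock.

```javascript
// Added example (not jsfuzz project code): audit a package-lock.json "packages" map
// (lockfileVersion 2 or 3) for every dependency path to a target package and check the
// installed versions of an intermediate package against a fix threshold.
// All lockfile contents below are constructed fixtures with illustrative version numbers.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 for a < b, a == b, a > b on the major.minor.patch triple (no prerelease handling).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// npm resolution order: the nearest node_modules/<name> walking up from the dependant's own path.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const displayName = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);

// Every root-to-target path, each step rendered as name@version. Cycles are cut.
function findPaths(lock, target) {
  const packages = lock.packages;
  const paths = [];
  const visit = (pkgPath, chain) => {
    const entry = packages[pkgPath] || {};
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const depPath = resolveDep(packages, pkgPath, name);
      if (depPath === null || chain.includes(depPath)) continue; // unresolved or cycle
      const next = [...chain, depPath];
      if (name === target) paths.push(next.map((p) => `${displayName(p)}@${packages[p].version}`));
      else visit(depPath, next);
    }
  };
  visit("", []);
  return paths;
}

// All installed copies of a package (top-level and nested), sorted.
function installedVersions(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p.endsWith(`node_modules/${name}`))
    .map(([, e]) => e.version)
    .sort();
}

// Report whether `target` is reachable at all and whether every installed copy of `via`
// is at or above `fixedIn`. A `via` that is not installed counts as not verified (false).
function auditTransitive(lock, { target, via, fixedIn }) {
  const paths = findPaths(lock, target);
  const viaVersions = installedVersions(lock, via);
  return {
    target,
    paths,
    viaVersions,
    targetPresent: paths.length > 0,
    viaFixed: viaVersions.length > 0 && viaVersions.every((v) => compareVersions(v, fixedIn) >= 0),
  };
}

// Constructed "before" fixture: escodegen 1.x -> optionator 0.8.x -> word-wrap (assumed versions).
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { escodegen: "^1.12.0" } },
    "node_modules/escodegen": { version: "1.14.3", dependencies: { optionator: "^0.8.1" } },
    "node_modules/optionator": { version: "0.8.3", dependencies: { "word-wrap": "~1.2.3" } },
    "node_modules/word-wrap": { version: "1.2.3" },
  },
};

// Constructed "after" fixture: escodegen 2.x resolving optionator >= 0.9.2 and no word-wrap (assumed).
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { escodegen: "^2.0.0" } },
    "node_modules/escodegen": { version: "2.1.0", dependencies: { optionator: "^0.9.2" } },
    "node_modules/optionator": { version: "0.9.3" },
  },
};

// Threshold taken from the merge request description: optionator fixed from 0.9.2.
const CHECK = { target: "word-wrap", via: "optionator", fixedIn: "0.9.2" };

for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  console.log(label, JSON.stringify(auditTransitive(lock, CHECK), null, 2));
}
```

On a real checkout, `npm ls word-wrap` prints the same paths; the value of the script is that the threshold check is explicit and covers nested copies of optionator, which is what decides whether an upgrade of escodegen alone actually removes the vulnerable path.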
