Merge branch 'main' into try-codeql-actions

.github/workflows/checks.yml

@@ -89,18 +89,18 @@ jobs:
         with:
           persist-credentials: false
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         if: ${{ matrix.what == 'actions' }}
         with:
           languages: ${{ matrix.what }}
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         if: ${{ matrix.what == 'javascript' }}
         with:
           config-file: ./.github/codeql.yml
           languages: ${{ matrix.what }}
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
   odgen:
     name: ODGen
     runs-on: ubuntu-24.04
@@ -385,7 +385,7 @@ jobs:
       - name: Run mutation tests
         run: npm run mutation:unit
       - name: Upload mutation report
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         if: ${{ failure() || success() }}
         with:
           name: mutation-unit-report
@@ -438,7 +438,7 @@ jobs:
       - name: Run mutation tests
         run: npm run mutation:integration
       - name: Upload mutation report
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         if: ${{ failure() || success() }}
         with:
           name: mutation-integration-report

.github/workflows/reusable-fuzz.yml

@@ -113,7 +113,7 @@ jobs:
           exit 1
       - name: Upload crash (if any)
         if: ${{ steps.fuzz.outputs.fuzz-error == 'true' }}
-        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: fuzz-crash-${{ steps.run-id.outputs.result }}
           path: |

.github/workflows/semgrep.yml

@@ -24,7 +24,7 @@ jobs:
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
       - name: Upload Semgrep report to GitHub
-        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
         if: ${{ failure() || success() }}
         with:
           sarif_file: semgrep.sarif

.licensee.json

@@ -16,13 +16,8 @@
     ]
   },
   "packages": {
-    "@andrewbranch/untar.js": "1.0.3",
-    "atomically": "2.0.3",
     "depreman": "^0.3.0",
-    "jsonp": "0.2.1",
-    "shescape": "*",
-    "stubborn-fs": "1.2.5",
-    "when-exit": "2.1.3"
+    "shescape": "*"
   },
   "corrections": true
 }

CONTRIBUTING.md

@@ -451,9 +451,9 @@ Parameterized tests in this project are written by looping over a list and
 running a test (or multiple tests) in each iteration of the loop. For example:
 
 ```javascript
-for (const case of cases) {
-  test(`parameterized test, ${case.name}`, (t) => {
-    t.is(functionUnderTest(case.input), case.expected);
+for (const { name, input, expected } of cases) {
+  test(`parameterized test, ${name}`, (t) => {
+    t.is(functionUnderTest(input), expected);
   });
 }
 ```

README.md

@@ -52,7 +52,7 @@ opening [an issue].
 3. Initialize `Shescape`.
 
    ```javascript
-   const shescape = new Shescape(/* options */);
+   const shescape = new Shescape(/* Options */);
    ```
 
 4. Use `shescape`.

config/eslint.js

@@ -4,6 +4,7 @@ import ava from "eslint-plugin-ava";
 import depend from "eslint-plugin-depend";
 import jsdoc from "eslint-plugin-jsdoc";
 import json from "@eslint/json";
+import markdown from "@eslint/markdown";
 import regexp from "eslint-plugin-regexp";
 import top from "@ericcornelissen/eslint-plugin-top";
 import unicorn from "eslint-plugin-unicorn";
@@ -1021,22 +1022,6 @@ export default [
       "json/top-level-interop": ["error"],
     },
   },
-  {
-    name: "JSONC",
-    files: ["config/**/*.jsonc"],
-    plugins: { json },
-    language: "json/jsonc",
-    languageOptions: {
-      allowTrailingCommas: true,
-    },
-    rules: {
-      // https://github.com/eslint/json/blob/main/README.md#rules
-      "json/no-duplicate-keys": ["error"],
-      "json/no-empty-keys": ["error"],
-      "json/no-unnormalized-keys": ["error"],
-      "json/no-unsafe-values": ["error"],
-    },
-  },
   {
     name: "YAML",
     files: [".github/**/*.yml", "config/**/*.yml", ".lockfile-lintrc.yml"],
@@ -1102,6 +1087,26 @@ export default [
       "yml/vue-custom-block/no-parsing-error": ["off"],
     },
   },
+  {
+    name: "Documentation Snippets",
+    files: ["**/*.md/*.js"],
+    rules: {
+      "id-length": ["off"],
+      "no-console": ["off"],
+      "no-magic-numbers": ["off"],
+
+      // https://github.com/gajus/eslint-plugin-jsdoc#readme
+      "jsdoc/require-description-complete-sentence": ["off"],
+      "jsdoc/require-returns-check": ["off"],
+      "jsdoc/require-file-overview": ["off"],
+      "jsdoc/require-jsdoc": ["off"],
+      "jsdoc/valid-types": ["off"],
+
+      // https://github.com/sindresorhus/eslint-plugin-unicorn#readme
+      "unicorn/filename-case": ["off"],
+      "unicorn/switch-case-braces": ["off"],
+    },
+  },
   {
     ignores: [
       "_reports/",
@@ -1113,5 +1118,6 @@ export default [
     ],
   },
 
+  ...markdown.configs.processor,
   ...yml.configs["flat/base"],
 ];

docs/recipes.md

@@ -200,7 +200,7 @@ const shescape = new Shescape({
 });
 
 /* 2. Collect user input */
-const userInput = "\x00world";
+const userInput = "\u0000world";
 
 /* 3. Execute shell command */
 execFile(
@@ -277,7 +277,7 @@ const shescape = new Shescape({
 });
 
 /* 2. Collect user input */
-const userInput = "\x00world";
+const userInput = "\u0000world";
 
 /* 3. Execute shell command */
 try {
@@ -347,7 +347,7 @@ When using `child_process.fork` without the `options` argument, use
 `Shescape#escapeAll` to escape all `args`.
 
 ```javascript
-// echo.js
+// File: echo.js
 
 import { fork } from "node:child_process";
 import { argv } from "node:process";
@@ -363,7 +363,7 @@ if (argv[2] === "Hello") {
   });
 
   /* 2. Collect user input */
-  const userInput = "\x00world";
+  const userInput = "\u0000world";
 
   /* 3. Execute a Node.js module */
   const echo = fork("echo.js", shescape.escapeAll(["Hello", userInput, "!"]));
@@ -379,7 +379,7 @@ When using `child_process.fork` with the `options` argument, use
 `Shescape#escapeAll` to escape all `args`.
 
 ```javascript
-// echo.js
+// File: echo.js
 
 import { fork } from "node:child_process";
 import { argv } from "node:process";
@@ -400,7 +400,7 @@ if (argv[2] === "Hello") {
   });
 
   /* 2. Collect user input */
-  const userInput = "\x00world";
+  const userInput = "\u0000world";
 
   /* 3. Execute a Node.js module */
   const echo = fork(
@@ -431,7 +431,7 @@ const shescape = new Shescape({
 });
 
 /* 2. Collect user input */
-const userInput = "\x00world";
+const userInput = "\u0000world";
 
 /* 3. Execute shell command */
 const echo = spawn("echo", shescape.escapeAll(["Hello", userInput, "!"]));
@@ -503,7 +503,7 @@ const shescape = new Shescape({
 });
 
 /* 2. Collect user input */
-const userInput = "\x00world";
+const userInput = "\u0000world";
 
 /* 3. Execute shell command */
 const echo = spawnSync("echo", shescape.escapeAll(["Hello", userInput, "!"]));

docs/testing.md

@@ -73,7 +73,7 @@ usage may lead to a false belief that Shescape is being used effectively.
 In contrast to stubs, these values should be used in tests that invoke Shescape.
 
 ```javascript
-// my-module.test.js
+// File: my-module.test.js
 
 import assert from "node:assert";
 import { injectionStrings } from "shescape/testing";