fix: CVE-2022-33987 vulnerability with got (#1397)

* update latest-version

* add got resolution and revert latest-version update

* update got to a compatible version

* remove use of latest-version

* remove got resolution

* apply types

---------

Co-authored-by: tracyboehrer <[email protected]>

packages/chatdown/package.json

@@ -15,7 +15,6 @@
     "fs-extra": "^5.0.0",
     "glob": "^7.1.3",
     "intercept-stdout": "^0.1.2",
-    "latest-version": "5.1.0",
     "mime-types": "^2.1.18",
     "minimist": "^1.2.6",
     "axios": "~1.7.5",
@@ -30,7 +29,7 @@
     "@oclif/plugin-help": "^6.2.10",
     "@oclif/test": "^1.2.5",
     "@oclif/tslint": "^3.1.1",
-    "@types/chai": "^4.1.7",
+    "@types/chai": "^4.2.10",
     "@types/fs-extra": "^5.0.5",
     "@types/mocha": "^10.0.6",
     "@types/node": "^11.3.7",

packages/cli/package.json

@@ -84,7 +84,6 @@
     "cli-ux": "^5.3.0",
     "fs-extra": "^7.0.1",
     "is-ci": "2.0.0",
-    "latest-version": "5.1.0",
     "semver": "^7.6.3",
     "tslib": "^2.0.3"
   },

packages/cli/src/hooks/init/inithook.ts

@@ -8,7 +8,7 @@ import cli from 'cli-ux'
 import * as fs from 'fs-extra'
 const chalk = require('chalk')
 const path = require('path')
-const latestVersion = require('latest-version')
+const {exec} = require('child_process')
 const semver = require('semver')
 const isCI = require('is-ci')
 
@@ -35,12 +35,30 @@ const hook: Hook<'init'> = async function (opts) {
       }
     }
 
+    const execPromise = (command: string) => {
+      return new Promise<string>((resolve, reject) => {
+        exec(command, (error: any, stdout: any, stderr: any) => {
+          if (error) {
+            reject(error)
+          } else if (stderr) {
+            reject(new Error(stderr))
+          } else {
+            resolve(stdout.trim())
+          }
+        })
+      })
+    }
+
     const checkForUpdate = async () => {
-      const latest = await latestVersion(opts.config.name, {version: `>${opts.config.version}`})
-      if (semver.gt(latest, opts.config.version)) {
-        this.log('Update available ')
-        this.log('     Run ')
-        this.log(`npm i -g ${opts.config.name} `)
+      try {
+        const latest = await execPromise(`npm view ${opts.config.name} version`)
+        if (semver.gt(latest, opts.config.version)) {
+          this.log('Update available')
+          this.log('     Run ')
+          this.log(`npm i -g ${opts.config.name}`)
+        }
+      } catch (error) {
+        this.log('Error checking for update:', error.message)
       }
     }
 
@@ -59,16 +77,16 @@ const hook: Hook<'init'> = async function (opts) {
     // if there is a timestamp in config and it's not from today, check for updates
     const lastCheck = userConfig.lastVersionCheck ? new Date(userConfig.lastVersionCheck) : null
     if ((opts.id === '-v'
-        || opts.id === '--version')
-        && !isToday(lastCheck, curDateTime)) {
+      || opts.id === '--version')
+      && !isToday(lastCheck, curDateTime)) {
       await checkForUpdate()
       await updateUserConfig(curDateTime)
     }
 
-  /* tslint:disable:no-unused */
+    /* tslint:disable:no-unused */
   } catch (err) {
-      // swallow the exception; we don't want to crash the app
-      // on a failed attempt to check version
+    // swallow the exception; we don't want to crash the app
+    // on a failed attempt to check version
   }
 
   // Ensure telemetry is set
@@ -95,7 +113,7 @@ const hook: Hook<'init'> = async function (opts) {
     }
 
     this.config.pjson.telemetry = userConfig.telemetry === null ? false : userConfig.telemetry
-  /* tslint:disable:no-unused */
+    /* tslint:disable:no-unused */
 
   } catch (err) {
     this.config.pjson.telemetry = false