fix: address npm audit security report

.eslintrc

@@ -1,3 +1,3 @@
 {
-  "extends": "groupon/node4"
+  "extends": "groupon/node6"
 }

.gitignore

@@ -1,5 +1,4 @@
-/yarn.lock
-/package-lock.json
+/.nyc_output
 node_modules/
 /tmp
 npm-debug.log

.travis.yml

@@ -1,12 +1,12 @@
 language: node_js
 node_js:
-  - 4.6.1
-  - 6.11.5
-  - 8.9.0
+  - 6.14.3
+  - 8.11.3
+  - 10.5.0
 deploy:
   - provider: script
-    script: ./bin/nlm.js release
+    script: ./node_modules/.bin/nlm release
     skip_cleanup: true
     'on':
       branch: master
-      node: 8.9.0
+      node: 10.5.0

lib/cli.js

@@ -97,6 +97,7 @@ if (argv.version) {
 } else {
   const cwd = process.cwd();
   const packageJsonFile = path.join(cwd, 'package.json');
+  // eslint-disable-next-line import/no-dynamic-require
   const pkg = require(packageJsonFile);
   command(cwd, pkg, pkg.nlm ? _.merge({}, pkg.nlm, argv) : argv)
     .catch(prettyPrintErrorAndExit)

lib/git/commits.js

@@ -40,7 +40,7 @@ const run = require('../run');
 
 const SEPARATOR = '---nlm-split---';
 const GIT_LOG_FORMAT = `--format=%H %P\n%B${SEPARATOR}`;
-const PR_MERGE_PATTERN = /^Merge pull request #(\d+) from ([^/]+)\/([\S]+)/;
+const PR_MERGE_PATTERN = /^Merge pull request #(\d+) from ([^\/]+)\/([\S]+)/;
 
 function parseCommit(commit) {
   const metaEndIdx = commit.indexOf('\n');
@@ -54,14 +54,14 @@ function parseCommit(commit) {
   const parentSha = meta.shift() || null;
 
   const data = commitParser.sync(message, {
-    issuePrefixes: ['#', 'https?://\\w[\\w.-]*[\\w/-]+?'],
+    issuePrefixes: ['#', 'https?://\\w[\\w.-]*[\\D/-]+'],
   });
   const prMatch = message.match(PR_MERGE_PATTERN);
   if (prMatch) {
     const prId = prMatch[1];
     data.type = 'pr';
     data.pullId = prId;
-    data.references.push({
+    Object.assign(data.references[0], {
       action: 'Merges',
       owner: prMatch[2],
       repository: null,

lib/git/ensure-tag.js

@@ -52,12 +52,12 @@ function fetchTag(cwd, tag) {
 function ensureTag(cwd, tag) {
   if (tag === 'v0.0.0') {
     // There is no such thing (most likely)
-    return undefined;
+    return null;
   }
 
   const tagFile = path.join(cwd, '.git', 'refs', 'tags', tag);
   try {
-    fs.readFileSync(tagFile);
+    return fs.readFileSync(tagFile);
   } catch (error) {
     if (error.code !== 'ENOENT') {
       throw error;

lib/github/setup-labels.js

@@ -42,7 +42,7 @@ const REQUIRED_LABELS = [
 ];
 
 function findMissingLabels(labels) {
-  return _.reject(REQUIRED_LABELS, function exists(label) {
+  return _.reject(REQUIRED_LABELS, label => {
     return _.find(labels, { name: label.name });
   });
 }

lib/license/index.js

@@ -48,7 +48,7 @@ const COMMENT_TYPES = {
     getLicenseHeader: function getLicenseHeader(licenseText) {
       const body = licenseText
         .split('\n')
-        .map(function prefixLine(line) {
+        .map(line => {
           return ` ${`* ${line}`.trim()}`;
         })
         .join('\n');
@@ -78,7 +78,7 @@ function collectFiles(cwd, whitelist, optionalExclude) {
 
   return Bluebird.map(whitelist || ['.'], scanDirectory)
     .then(_.flatten)
-    .map(function loadFile(relFilename) {
+    .map(relFilename => {
       const filename = path.join(cwd, relFilename);
       return Bluebird.props({
         filename: filename,
@@ -103,7 +103,7 @@ function addMissingLicenseHeaders(licenseText, files) {
     '.coffee': COMMENT_TYPES['.coffee'].getLicenseHeader(licenseText),
   };
   return files
-    .map(function buildLicenseHeader(file) {
+    .map(file => {
       file.licenseHeader = licenseHeaders[path.extname(file.filename)];
       return file;
     })
@@ -114,7 +114,7 @@ function addMissingLicenseHeaders(licenseText, files) {
 function getLicenseText(cwd) {
   return readFileAsync(path.join(cwd, 'LICENSE'), 'utf8')
     .then(_.trim)
-    .catch(function catchNotFound(error) {
+    .catch(error => {
       if (error.code === 'ENOENT') {
         return null;
       }

lib/run.js

@@ -40,17 +40,17 @@ const _ = require('lodash');
 
 module.exports = function run(command, args, options) {
   debug(command, args, _.omit(options, 'env'));
-  return new Bluebird(function resolveExec(resolve, reject) {
+  return new Bluebird((resolve, reject) => {
     function onExecDone(error, stdout) {
       if (error) return reject(error);
-      resolve(stdout);
+      return resolve(stdout);
     }
 
     const child = childProcess.execFile(command, args, options, onExecDone);
-    child.stdout.on('data', function forwardStdOut(chunk) {
+    child.stdout.on('data', chunk => {
       debug('stdout', chunk.toString().trim());
     });
-    child.stderr.on('data', function forwardStdErr(chunk) {
+    child.stderr.on('data', chunk => {
       debug('stderr', chunk.toString().trim());
     });
   });

lib/steps/changelog.js

@@ -44,19 +44,19 @@ function addPullRequestCommits(pkg, commits, pr) {
     github.pull.get(pr.pullId),
     github.pull.commits(pr.pullId),
   ])
-    .spread(function expandCommitInfo(info, prCommits) {
+    .spread((info, prCommits) => {
       pr.author = {
         name: info.user.login,
         href: info.user.html_url,
       };
       pr.href = info.html_url;
       pr.title = info.title || info.header;
       const shas = (pr.shas = _.map(prCommits, 'sha'));
-      pr.commits = commits.filter(function isPartOfPR(commit) {
+      pr.commits = commits.filter(commit => {
         return shas.indexOf(commit.sha) !== -1;
       });
     })
-    .catch(function handle404(err) {
+    .catch(err => {
       if (err.statusCode !== 404) throw err;
       // If the PR doesn't exist, handle it gracefully.
       pr.commits = pr.shas = null;
@@ -65,7 +65,7 @@ function addPullRequestCommits(pkg, commits, pr) {
 
 function removePRCommits(commits, prs) {
   const prShas = _.flatten(_.map(prs, 'shas'));
-  return _.filter(commits, function isNotInAnyPR(commit) {
+  return _.filter(commits, commit => {
     return commit.type !== 'pr' && prShas.indexOf(commit.sha) === -1;
   });
 }
@@ -74,16 +74,14 @@ function extractBreakingChanges(commit) {
   if (!commit.notes || !commit.notes.length) {
     return [];
   }
-  return _.filter(commit.notes, { title: 'BREAKING CHANGE' }).map(
-    function buildChangeNote(note) {
-      return { text: note.text, commit: commit };
-    }
-  );
+  return _.filter(commit.notes, { title: 'BREAKING CHANGE' }).map(note => {
+    return { text: note.text, commit: commit };
+  });
 }
 
 function removeInvalidPRs(prs) {
   // Warning: We're doing something evil here and mutate the input array.
-  const filtered = prs.filter(function allCommitsFound(pr) {
+  const filtered = prs.filter(pr => {
     return pr.shas && pr.shas.length === pr.commits.length;
   });
   prs.length = filtered.length;
@@ -152,7 +150,7 @@ function generateChangeLog(cwd, pkg, options) {
   }
 
   function formatPR(pr) {
-    const changes = pr.commits.map(formatCommit).map(function withDashes(line) {
+    const changes = pr.commits.map(formatCommit).map(line => {
       return `  - ${line}`;
     });
 
@@ -172,7 +170,7 @@ function generateChangeLog(cwd, pkg, options) {
     const changes = prs
       .map(formatPR)
       .concat(orphans.map(formatCommit))
-      .map(function star(line) {
+      .map(line => {
         return `* ${line}`;
       });
 
@@ -184,7 +182,7 @@ function generateChangeLog(cwd, pkg, options) {
     .then(_.partial(removePRCommits, commits, prs))
     .then(formatCommits)
     .then(prependBreakingChanges)
-    .then(function setChangelog(changelog) {
+    .then(changelog => {
       options.changelog = changelog;
       return changelog;
     });

lib/steps/pending-changes.js

@@ -89,7 +89,7 @@ function normalizeReferences(meta, commit) {
 
 function getPendingChanges(cwd, pkg, options) {
   const meta = parseRepository(pkg.repository);
-  return getCommits(cwd, `v${pkg.version}`).then(function setCommits(commits) {
+  return getCommits(cwd, `v${pkg.version}`).then(commits => {
     options.commits = commits.map(_.partial(normalizeReferences, meta));
   });
 }

lib/steps/publish-to-npm.js

@@ -72,7 +72,7 @@ function checkPublishRequired(cwd, pkg, options) {
     cwd: cwd,
     env: options.npmEnv,
   })
-    .then(function parseNpmList(content) {
+    .then(content => {
       // If we get an empty response, we'll assume it was not found.
       if (content.trim() === '') {
         return 'publish';
@@ -87,7 +87,7 @@ function checkPublishRequired(cwd, pkg, options) {
       }
       return 'none';
     })
-    .catch(function handle404(error) {
+    .catch(error => {
       if (error.message.indexOf('ERR! 404') !== -1) {
         return 'publish';
       }
@@ -176,7 +176,7 @@ function publishToNPM(cwd, pkg, options) {
     checkPublishRequired(cwd, pkg, options),
     getCurrentCommit(cwd),
   ])
-    .spread(function checkAndPublish(publishRequired, currentCommit) {
+    .spread((publishRequired, currentCommit) => {
       if (currentCommit !== `v${pkg.version}`) {
         console.log(
           '[nlm] Skipping publish, not a version commit:',
@@ -204,7 +204,7 @@ function publishToNPM(cwd, pkg, options) {
           return null;
       }
     })
-    .finally(function removeTmpRcFile() {
+    .finally(() => {
       fs.unlinkSync(rcFile);
     });
 }

lib/steps/tag-pr.js

@@ -50,21 +50,19 @@ function tagPullRequest(cwd, pkg, options) {
     return null;
   }
   const github = Github.forRepository(pkg.repository);
-  return github.labels
-    .listByIssue(options.pr)
-    .then(function checkAndChangeLabels(labels) {
-      const releaseType = options.releaseType;
-      const name = `semver-${releaseType}`;
-      if (_.find(labels, { name: name })) {
-        debug('Already tagged with %j', name);
-        return null;
-      }
-      const newLabels = _.map(labels, 'name')
-        .filter(nonSemverTag)
-        .concat(name);
+  return github.labels.listByIssue(options.pr).then(labels => {
+    const releaseType = options.releaseType;
+    const name = `semver-${releaseType}`;
+    if (_.find(labels, { name: name })) {
+      debug('Already tagged with %j', name);
+      return null;
+    }
+    const newLabels = _.map(labels, 'name')
+      .filter(nonSemverTag)
+      .concat(name);
 
-      debug('Tagging %s', options.pr, newLabels);
-      return github.labels.setForIssue(options.pr, newLabels);
-    });
+    debug('Tagging %s', options.pr, newLabels);
+    return github.labels.setForIssue(options.pr, newLabels);
+  });
 }
 module.exports = tagPullRequest;

lib/steps/version-commit.js

@@ -85,7 +85,7 @@ function createVersionCommit(cwd, pkg, options) {
   return addFiles(cwd)
     .then(_.partial(commit, cwd, `v${pkg.version}`))
     .then(_.partial(getHEAD, cwd))
-    .then(function setVersionCommitSha(output) {
+    .then(output => {
       options.versionCommitSha = output.trim();
       return options.versionCommitSha;
     });