[Snyk] Upgrade commander from 2.11.0 to 13.1.0

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade commander from 2.11.0 to 13.1.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 71 versions ahead of your current version.

• The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Prototype Pollution SNYK-JS-AJV-584908	165	No Known Exploit
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	165	No Known Exploit
	Incomplete List of Disallowed Inputs SNYK-JS-BABELTRAVERSE-5962462	165	Proof of Concept
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	165	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	165	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	165	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-HAWK-2808852	165	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	165	Proof of Concept
	Prototype Pollution SNYK-JS-UNSETVALUE-2400660	165	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GLOBPARENT-1016905	165	Proof of Concept
	Authentication Bypass SNYK-JS-HAWK-6969142	165	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	165	Proof of Concept
	Insecure Randomness npm:cryptiles:20180710	165	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	165	Proof of Concept

Release notes

Package name: commander

• 13.1.0 - 2025-01-20
  

  Added

  • support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)
• 13.0.0 - 2024-12-30
  

  Added

  • support multiple calls to .parse() with default settings (#2299)
  • add .saveStateBeforeParse() and .restoreStateBeforeParse() for use by subclasses (#2299)
  • style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)
  • color related support in .configureOutput() for getOutHasColors(), getErrHasColors(), and stripColor() (#2251)
  • Help property for minWidthToWrap (#2251)
  • Help methods for displayWidth(), boxWrap(), preformatted() et al (#2251)

  Changed

  • Breaking: excess command-arguments cause an error by default, see migration tips (#2223)
  • Breaking: throw during Option construction for unsupported option flags, like multiple characters after single - (#2270)
  • Breaking: throw on multiple calls to .parse() if storeOptionsAsProperties: true (#2299)
  • TypeScript: include implicit this in parameters for action handler callback (#2197)

  Deleted

  • Breaking: Help.wrap() refactored into formatItem() and boxWrap() (#2251)

  Migration Tips

  Excess command-arguments

  It is now an error for the user to specify more command-arguments than are expected. (allowExcessArguments is now false by default.)

  Old code:

  program.option('-p, --port <number>', 'port number');
  program.action((options) => {
    console.log(program.args);
  });

  Now shows an error:

  $ node example.js a b c
  error: too many arguments. Expected 0 arguments but got 3.

  You can declare the expected arguments. The help will then be more accurate too. Note that declaring
  new arguments will change what is passed to the action handler.

  program.option('-p, --port <number>', 'port number');
  program.argument('[args...]', 'remote command and arguments'); // expecting zero or more arguments
  program.action((args, options) => {
    console.log(args);
  });

  Or you could suppress the error, useful for minimising changes in legacy code.

  program.option('-p, --port', 'port number');
  program.allowExcessArguments();
  program.action((options) => {
    console.log(program.args);
  });

• 13.0.0-0 - 2024-12-06
  

  Added

  • style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)
  • color related support in .configureOutput() for getOutHasColors(), getErrHasColors(), and stripColor() (#2251)
  • Help property for minWidthToWrap (#2251)
  • Help methods for displayWidth(), boxWrap(), preformatted() et al (#2251)

  Changed

  • Breaking: excess command-arguments cause an error by default, see migration tips (#2223)
  • Breaking: throw during Option construction for unsupported option flags, like multiple characters after single - (#2270)
  • TypeScript: include implicit this in parameters for action handler callback (#2197)

  Deleted

  • Breaking: Help.wrap() refactored into formatItem() and boxWrap() (#2251)

  Migration Tips

  Excess command-arguments

  It is now an error for the user to specify more command-arguments than are expected. (allowExcessArguments is now false by default.)

  Old code:

  program.option('-p, --port <number>', 'port number');
  program.action((options) => {
    console.log(program.args);
  });

  Now shows an error:

  $ node example.js a b c
  error: too many arguments. Expected 0 arguments but got 3.

  You can declare the expected arguments. The help will then be more accurate too. Note that declaring
  new arguments will change what is passed to the action handler.

  program.option('-p, --port <number>', 'port number');
  program.argument('[args...]', 'remote command and arguments'); // expecting zero or more arguments
  program.action((args, options) => {
    console.log(args);
  });

  Or you could suppress the error, useful for minimising changes in legacy code.

  program.option('-p, --port', 'port number');
  program.allowExcessArguments();
  program.action((options) => {
    console.log(program.args);
  });

• 12.1.0 - 2024-05-18
  

  Added

  • auto-detect special node flags node --eval and node --print when call .parse() with no arguments (#2164)

  Changed

  • prefix require of Node.js core modules with node: (#2170)
  • format source files with Prettier (#2180)
  • switch from StandardJS to directly calling ESLint for linting (#2153)
  • extend security support for previous major version of Commander (#2150)

  Removed

  • removed unimplemented Option.fullDescription from TypeScript definition (#2191)
• 12.0.0 - 2024-02-03
  

  Added

  • .addHelpOption() as another way of configuring built-in help option (#2006)
  • .helpCommand() for configuring built-in help command (#2087)

  Fixed

  • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
  • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

  Changed

  • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
  • Breaking: throw an error if add an option with a flag which is already in use (#2055)
  • Breaking: throw an error if add a command with name or alias which is already in use (#2059)
  • Breaking: throw error when calling .storeOptionsAsProperties() after setting an option value (#1928)
  • replace non-standard JSDoc of @ api private with documented @ private (#1949)
  • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
  • refactor internal implementation of built-in help option (#2006)
  • refactor internal implementation of built-in help command (#2087)

  Deprecated

  • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)

  Removed

  • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

  Migration Tips

  global program

  If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

  // const program = require('commander');
  const { program } = require('commander');

  option and command clashes

  A couple of configuration problems now throw an error, which will pick up issues in existing programs:

  • adding an option which uses the same flag as a previous option
  • adding a command which uses the same name or alias as a previous command
• 12.0.0-1 - 2024-01-19
  

  Added

  • .addHelpOption() as another way of configuring built-in help option (#2006)
  • .helpCommand() for configuring built-in help command (#2087)

  Changed

  • .addHelpCommand() now takes a Command (passing string or boolean still works as before but deprecated) (#2087)
  • refactor internal implementation of built-in help option (#2006)
  • refactor internal implementation of built-in help command (#2087)

  Deprecated

  • .addHelpCommand() passing string or boolean (use .helpCommand() or pass a Command) (#2087)
• 12.0.0-0 - 2023-11-11
  

  Fixed

  • Breaking: use non-zero exit code when spawned executable subcommand terminates due to a signal (#2023)
  • Breaking: check passThroughOptions constraints when using .addCommand and throw if parent command does not have .enablePositionalOptions() enabled (#1937)

  Changed

  • Breaking: Commander 12 requires Node.js v18 or higher (#2027)
  • Breaking: throw an error if add an option with a flag which is already in use (#2055)
  • Breaking: throw an error if add a command with name or alias which is already in use (#2059)
  • Breaking: throw error when calling .storeOptionsAsProperties() after setting an option value (#1928)
  • replace non-standard JSDoc of @ api private with documented @ private (#1949)

  Removed

  • Breaking: removed default export of a global Command instance from CommonJS (use the named program export instead) (#2017)

  Migration Tips

  global program

  If you are using the deprecated default import of the global Command object, you need to switch to using a named import (or create a new Command).

  // const program = require('commander');
  const { program } = require('commander');

  option and command clashes

  A couple of configuration problems now throw an error, which will pick up issues in existing programs:

  • adding an option which uses the same flag as a previous option
  • adding a command which uses the same name or alias as a previous command
• 11.1.0 - 2023-10-13
  

  Fixed

  • TypeScript: update OptionValueSource to allow any string, to match supported use of custom sources (#1983)
  • TypeScript: add that Command.version() can also be used as getter (#1982)
  • TypeScript: add null return type to Commands.executableDir(), for when not configured (#1965)
  • subcommands with an executable handler and only a short help flag are now handled correctly by the parent's help command (#1930)

  Added

  • registeredArguments property on Command with the array of defined Argument (like Command.options for Option) (#2010)
  • TypeScript declarations for Option properties: envVar, presetArg (#2019)
  • TypeScript declarations for Argument properties: argChoices, defaultValue, defaultValueDescription (#2019)
  • example file which shows how to configure help to display any custom usage in the list of subcommands (#1896)

  Changed

  • (developer) refactor TypeScript configs for multiple use-cases, and enable checks in JavaScript files in supporting editors (#1969)

  Deprecated

  • Command._args was private anyway, but now available as registeredArguments (#2010)
• 11.0.0 - 2023-06-16
  

  Fixed

  • help command works when help option is disabled (#1864)

  Changed

  • leading and trailing spaces are now ignored by the .arguments() method (#1874)
  • refine "types" exports for ESM to follow TypeScript guidelines (#1886)
  • Breaking: Commander 11 requires Node.js v16 or higher
• 10.0.1 - 2023-04-15
  

  Added

  • improvements to documentation (#1858, #1859, #1860)

  Fixed

  • remove unused Option.optionFlags property from TypeScript definition (#1844)

  Changed

  • assume boolean option intended if caller passes string instead of hash to .implies() (#1854)
• 10.0.0 - 2023-01-14
• 9.5.0 - 2023-01-07
• 9.4.1 - 2022-09-30
• 9.4.0 - 2022-07-15
• 9.3.0 - 2022-05-28
• 9.2.0 - 2022-04-15
• 9.1.0 - 2022-03-18
• 9.0.0 - 2022-01-29
• 9.0.0-1 - 2022-01-14
• 9.0.0-0 - 2021-12-22
• 8.3.0 - 2021-10-22
• 8.2.0 - 2021-09-10
• 8.1.0 - 2021-07-27
• 8.0.0 - 2021-06-25
• 8.0.0-2 - 2021-06-06
• 8.0.0-1 - 2021-05-31
• 8.0.0-0 - 2021-05-22
• 7.2.0 - 2021-03-21
• 7.1.0 - 2021-02-15
• 7.0.0 - 2021-01-15
• 7.0.0-2 - 2020-12-14
• 7.0.0-1 - 2020-11-21
• 7.0.0-0 - 2020-10-25
• 6.2.1 - 2020-12-14
• 6.2.0 - 2020-10-25
• 6.1.0 - 2020-08-28
• 6.0.0 - 2020-07-19
• 6.0.0-0 - 2020-06-20
• 5.1.0 - 2020-04-25
• 5.0.0 - 2020-03-14
• 5.0.0-4 - 2020-03-03
• 5.0.0-3 - 2020-02-20
• 5.0.0-2 - 2020-02-11
• 5.0.0-1 - 2020-02-08
• 5.0.0-0 - 2020-02-01
• 4.1.1 - 2020-02-03
• 4.1.0 - 2020-01-06
• 4.0.1 - 2019-11-11
• 4.0.0 - 2019-11-01
• 4.0.0-1 - 2019-10-08
• 4.0.0-0 - 2019-10-01
• 3.0.2 - 2019-09-26
• 3.0.1 - 2019-08-30
• 3.0.0 - 2019-08-09
  

  Added

  • support multiple calls to .parse() with default settings (#2299)
  • add .saveStateBeforeParse() and .restoreStateBeforeParse() for use by subclasses (#2299)
  • style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)
  • color related support in .configureOutput() for getOutHasColors(), getErrHasColors(), and stripColor() (#2251)
  • Help property for minWidthToWrap (#2251)
  • Help methods for displayWidth(), boxWrap(), preformatted() et al (#2251)

  Changed

  • Breaking: excess command-arguments cause an error by default, see migration tips (#2223)
  • Breaking: throw during Option construction for unsupported option flags, like multiple characters after single - (#2270)
  • Breaking: throw on multiple calls to .parse() if storeOptionsAsProperties: true (#2299)
  • TypeScript: include implicit this in parameters for action handler callback (#2197)

  Deleted

  • Breaking: Help.wrap() refactored into formatItem() and boxWrap() (#2251)

  Migration Tips

  Excess command-arguments

  It is now an error for the user to specify more command-arguments than are expected. (allowExcessArguments is now false by default.)

  Old code:

  program.option('-p, --port <number>', 'port number');
  program.action((options) => {
    console.log(program.args);
  });

  Now shows an error:

  $ node example.js a b c
  error: too many arguments. Expected 0 arguments but got 3.

  You can declare the expected arguments. The help will then be more accurate too. Note that declaring
  new arguments will change what is passed to the action handler.

  program.option('-p, --port <number>', 'port number');
  program.argument('[args...]', 'remote command and arguments'); // expecting zero or more arguments
  program.action((args, options) => {
    console.log(args);
  });

  Or you could suppress the error, useful for minimising changes in legacy code.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request upgrades the commander dependency from version 2.11.0 to version 13.1.0. This upgrade includes several new features, breaking changes, and bug fixes, including fixes for multiple high and critical severity vulnerabilities.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
The pull request upgrades the commander dependency from version 2.11.0 to version 13.1.0.	Upgraded the commander dependency to the latest version.	deps/v8/tools/clusterfuzz/js_fuzzer/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!
• Generate a plan of action for an issue: Comment @sourcery-ai plan on
  an issue to generate a plan of action for it.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.