feat: dropping EOL Node support, bumping shescape (#270)

* feat: dropping EOL Node support

* fix: fixed failing tests

* fix: bumping shescape, removing shell, after author fix

* fix: increase context deadline

* chore: increase test timeouts to 3 minutes

* chore: bumping major version

BREAKING CHANGE:
This plugin now requires at least Node 20 to run.

* chore: OK how about 10 minutes?

---------

Co-authored-by: Andrei Cacio <[email protected]>

Author: dotkas

.circleci/config.yml

@@ -1,7 +1,7 @@
 version: 2.1
 
 orbs:
-  node: circleci/node@5.1.0
+  node: circleci/node@7.1.0
   prodsec: snyk/prodsec-orb@1
 
 defaults: &defaults
@@ -49,6 +49,7 @@ jobs:
           steps:
           - run:
               name: Run tests
+              no_output_timeout: 30m
               command: |
                 BUILDKIT_PROGRESS=plain \
                 DOCKER_BUILDKIT=1 \
@@ -69,6 +70,7 @@ jobs:
           steps:
           - run:
               name: Run tests
+              no_output_timeout: 30m
               command: |
                 BUILDKIT_PROGRESS=plain \
                 DOCKER_BUILDKIT=1 \
@@ -147,9 +149,9 @@ workflows:
           matrix:
             parameters:
               node_version: [
-                '14',
-                '16',
-                '18',
+                '24',
+                '22',
+                '20',
               ]
               python_version: [
                 '3.8',

.nvmrc

@@ -1 +1 @@
-16.16.0
+20

lib/dependencies/sub-process.ts

@@ -1,5 +1,5 @@
-import { spawn, spawnSync, SpawnOptions } from 'child_process';
-import { quoteAll } from 'shescape';
+import { spawn, SpawnOptions, spawnSync } from 'child_process';
+import { quoteAll } from 'shescape/stateless';
 
 interface ProcessOptions {
   cwd?: string;
@@ -39,7 +39,7 @@ export function execute(
   options?: ProcessOptions
 ): Promise<string> {
   const spawnOptions = makeSpawnOptions(options);
-  args = quoteAll(args, spawnOptions);
+  args = quoteAll(args, { flagProtection: false });
   return new Promise((resolve, reject) => {
     let stdout = '';
     let stderr = '';
@@ -67,7 +67,7 @@ export function executeSync(
   options?: ProcessOptions
 ) {
   const spawnOptions = makeSpawnOptions(options);
-  args = quoteAll(args, spawnOptions);
+  args = quoteAll(args, { flagProtection: false });
 
   return spawnSync(command, args, spawnOptions);
 }

package.json

@@ -26,13 +26,13 @@
   "dependencies": {
     "@snyk/cli-interface": "^2.11.2",
     "@snyk/dep-graph": "^1.28.1",
-    "shescape": "1.6.1",
+    "shescape": "2.1.4",
     "snyk-poetry-lockfile-parser": "^1.9.0",
     "tmp": "0.2.3"
   },
   "devDependencies": {
     "@types/jest": "^28.1.3",
-    "@types/node": "^16.11.66",
+    "@types/node": "^20",
     "@types/tmp": "^0.1.0",
     "@typescript-eslint/eslint-plugin": "^4.33.0",
     "@typescript-eslint/parser": "^4.33.0",
@@ -46,6 +46,6 @@
     "sinon": "^2.3.2",
     "ts-jest": "^28.0.8",
     "ts-node": "^8.10.2",
-    "typescript": "^4.8.4"
+    "typescript": "^5.8.3"
   }
 }

test/system/inspect.spec.ts

@@ -14,7 +14,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 
 // Usually the setup of virtual environments can run for a while
-jest.setTimeout(120000);
+jest.setTimeout(180000);
 
 interface Labels {
   pkgIdProvenance?: string;
@@ -251,7 +251,7 @@ describe('inspect', () => {
             pkg: {
               name: 'jsonschema',
             },
-            directDeps: ['openapi-spec-validator'],
+            directDeps: ['jsonschema', 'openapi-spec-validator'],
           },
         ],
       },
@@ -347,7 +347,8 @@ describe('inspect', () => {
         const result = await inspect('.', FILENAMES.pip.manifest, pluginOpts);
 
         compareTransitiveLines(result.dependencyGraph, expected);
-      }
+      },
+      900000
     );
 
     it.each([
@@ -632,7 +633,7 @@ describe('inspect', () => {
             pkg: {
               name: 'jsonschema',
             },
-            directDeps: ['openapi-spec-validator'],
+            directDeps: ['jsonschema', 'openapi-spec-validator'],
           },
         ],
       },

test/test-utils.ts

@@ -176,7 +176,7 @@ function updateSetuptools() {
 
 function setupPyInstall() {
   updateSetuptools();
-  const proc = subProcess.executeSync('pip', ['install', '.']);
+  const proc = subProcess.executeSync('pip', ['install', '-e', '.']);
   if (proc.status !== 0) {
     console.log('' + proc.stderr);
     throw new Error(

test/workspaces/pip-app-with-openapi_spec_validator/requirements.txt

@@ -1 +1,2 @@
 openapi_spec_validator
+jsonschema==4.23.0

test/workspaces/pip-app/requirements.txt

@@ -8,3 +8,4 @@ testtools==\
     2.3.0 # this has a cycle (fixtures ==> testtools);
 ./packages/prometheus_client-0.6.0
 opentelemetry-distro[otlp] == 0.35b0
+jsonschema==4.23.0

test/workspaces/setup_py-app/setup.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-from distutils.core import setup
+from setuptools import setup, find_packages
 
 setup(
     name="test_package",
@@ -9,8 +9,9 @@
         "Django==1.6.1",
         "python-etcd==0.4.5",
         "urllib3==1.26.16",
-        "Django-Select2==6.0.1",  # this version installs with lowercase so it catches a previous bug in pip_resolve.py
-        "irc==16.2",  # this has a cyclic dependency (internal jaraco.text <==> jaraco.collections)
-        "testtools==2.3.0",  # this has a cycle (fixtures ==> testtools)
+        "Django-Select2==6.0.1",
+        "irc==16.2",
+        "testtools==2.3.0",
+        "jsonschema==4.23.0"
     ],
 )