chore: backport fork changes to upstream (#7)

* feat: v5

* docs: license

* docs: add section r.e. alternatives

* fix: correctly handle ignores even if limited to administrators

* fix: ensure the expiry date is 30 days in future and not today

* chore: eslint v9 upgrade

* fix: need to force install to workaround incorrect peer deps on npm

.github/workflows/publish.yml

@@ -8,10 +8,10 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 20
           registry-url: https://registry.npmjs.org/
           always-auth: true
       - run: yarn install --frozen-lockfile

.github/workflows/test.yml

@@ -10,10 +10,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 20
       - run: yarn install --frozen-lockfile
       - run: yarn ci
         env:

.nvmrc

@@ -1 +1 @@
-16
+20

README.md

@@ -35,7 +35,7 @@ yarn global add @asos/snyker
 
 ## About
 
-The Snyk CLI is great for reporting vulnerabilities and providing top level dependency upgrades and patches, but struggles when the vulnerability rests within a nested sub-dependency. This is despite the fact that many sub-dependencies have reasonable flexibility in the version ranges they allow for their own dependencies.
+The Snyk CLI is great for reporting vulnerabilities and providing top level dependency upgrades and patches, but struggles when the vulnerability rests within a nested "transitive" sub-dependency. This is despite the fact that many sub-dependencies have reasonable flexibility in the version ranges they allow for their own dependencies.
 
 This CLI takes a brute-force approach to solving this limitation of Snyk. It purges the `.snyk` file from a project, checks for vulnerable paths using Snyk, then forces `yarn` / `npm` to try to upgrade any dependency along the vulnerable paths before finally ignoring any vulnerability that cannot be fixed in the previous steps. If a patch is available for any outstanding vulnerability then it is also added to the Snyk policy.
 
@@ -45,7 +45,7 @@ This tool also does not make use of Snyk's ability to perform package major upgr
 
 Snyker will list the known vulnerabilities it has been unable to fix. If Snyk reports that there are major upgrades available to fix one or more of the outstanding vulnerabilities, Snyker will output a recommended `yarn` / `npm` command for performing the upgrade(s).
 
-It is recommended that you use this tool alongside the official Snyk wizard CLI, not replace it completely.
+It is recommended that you use this tool alongside the official Snyk CLI, not replace it completely.
 
 ## Usage
 
@@ -60,14 +60,35 @@ snyker --retries 3 --lockfile package-lock.json
 | `--lockfile <string>` | Specify the lockfile to use (e.g. `yarn.lock` or `package-lock.json`). | `yarn.lock` |
 | `--retries <int>`     | Will set the number of times to retry logical steps of Snyker.         | `2`         |
 
-### Post Execution
+## Alternatives
 
-It is recommended that you manually perform the following to ensure that you apply any upgrades that are available and currently unsupported by this CLI.
+### Snyk Pull Requests
 
-```console
-rm .snyk
-snyk wizard --dev
-```
+[Snyk supports a pull or merge request integration](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests) for your source control repositories which can upgrade your dependencies based on scan results.
+
+This behaves similar to Snyker in providing a capability to upgrade dependencies, but is not available as a CLI and does not bundle ignore behaviours at the same time.
+
+### Snyk Ignore
+
+The Snyk CLI supports a [`snyk ignore` command](https://github.com/snyk/cli/blob/main/help/cli-commands/ignore.md) to ignore a stated issue according to its snyk ID for all occurrences, its expiry date, a reason, or according to paths in the filesystem.
+
+This commands does not perform any dependency upgrades and requires you to manually look up the vulnerability's ID to execute the correct ignore command.
+
+Snyker currently includes the `snyk ignore` capability as part of it's process.
+
+### Snyk Protect
+
+Snyk supports a separate [`@snyk/protect`](https://github.com/snyk/cli/tree/main/packages/snyk-protect#readme) CLI, replacing the older `snyk protect` command for patching vulnerable dependencies.
+
+The Snyker maintainers generally advise against the usage of closed source patches for your dependencies.
+
+### Snyk Fix
+
+Snyk has released a [closed beta](https://docs.snyk.io/getting-started/snyk-release-process#closed-beta) [`snyk fix` command](https://docs.snyk.io/snyk-cli/scan-and-maintain-projects-using-the-cli/automatic-fixing-with-snyk-fix) that aims to automatically apply the recommended updates, but this is currently only available for Enterprise customers using Python.
+
+### Snyk Wizard
+
+Snyk used to support a `snyk wizard` command which would perform dependency upgrades and policy ignores [but this was removed on 31 March 2022](https://updates.snyk.io/snyk-wizard-and-snyk-protect-removal-224137).
 
 ## Contributing
 
@@ -81,4 +102,4 @@ Please check out the [CHANGELOG](./docs/CHANGELOG.md) docs.
 
 ## License
 
-Snyker is licensed under the [MIT License](./LICENSE.md).
+Snyker is licensed under the [MIT License](./LICENSE).

docs/CHANGELOG.md

@@ -1,5 +1,13 @@
 # ChangeLog
 
+## [5.0.0] - 31-08-2024
+
+- feat: upgrade dependencies to latest versions
+- feat: bump to Node 20 and NPM >=9
+- fix: correctly handle ignores even if limited to administrators
+- chore: eslint v9 upgrade
+- fix: need to force install to workaround incorrect peer deps on npm
+
 ## [4.0.2] - 16-12-2021
 
 - fix: don't rely on hardcoded paths to `snyk` binary

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@asos/snyker",
-  "version": "4.0.2",
+  "version": "5.0.0",
   "description": "An opinionated, heavy-handed wrapper around Snyk.",
   "author": {
     "name": "Craig Morten",
@@ -25,19 +25,19 @@
     "lib": "lib"
   },
   "engines": {
-    "npm": ">=5.2.0"
+    "npm": ">=9.0.0"
   },
   "main": "lib/index.js",
   "bin": {
     "snyker": "bin/snyker"
   },
   "scripts": {
-    "build": "cross-env BABEL_ENV=node rollup -c server.rollup.js",
+    "build": "cross-env BABEL_ENV=node rollup -c server.rollup.js --bundleConfigAsCjs",
     "ci": "yarn clean && yarn lint && yarn build && yarn snyker && yarn snyker:npm",
     "clean": "yarn clean:lib && yarn clean:lock",
     "clean:lib": "rimraf lib",
     "clean:lock": "rimraf package-lock.json",
-    "lint": "eslint ./src",
+    "lint": "ESLINT_USE_FLAT_CONFIG=false eslint ./src",
     "lint:fix": "yarn lint --fix",
     "snyker": "bin/snyker",
     "snyker:npm": "bin/snyker --lockfile=package-lock.json && yarn clean:lock",
@@ -51,18 +51,18 @@
   },
   "devDependencies": {
     "@babel/core": "^7.16.5",
+    "@rollup/plugin-babel": "^6.0.4",
+    "@rollup/plugin-commonjs": "^26.0.1",
+    "@rollup/plugin-json": "^6.1.0",
+    "@rollup/plugin-node-resolve": "^15.2.3",
+    "@rollup/plugin-terser": "^0.4.4",
     "cross-env": "^7.0.3",
-    "eslint": "^8.4.1",
-    "eslint-config-prettier": "^8.3.0",
-    "eslint-plugin-import": "^2.25.3",
-    "eslint-plugin-prettier": "^4.0.0",
-    "prettier": "^2.5.1",
-    "rimraf": "^3.0.2",
-    "rollup": "^2.61.1",
-    "rollup-plugin-babel": "^4.4.0",
-    "rollup-plugin-commonjs": "^10.1.0",
-    "rollup-plugin-json": "^4.0.0",
-    "rollup-plugin-node-resolve": "^5.2.0",
-    "rollup-plugin-terser": "^7.0.2"
+    "eslint": "^9.10.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-import": "^2.30.0",
+    "eslint-plugin-prettier": "^5.2.1",
+    "prettier": "^3.3.3",
+    "rimraf": "^6.0.1",
+    "rollup": "^4.21.2"
   }
 }

server.rollup.js

@@ -1,8 +1,8 @@
-import babel from "rollup-plugin-babel";
-import commonjs from "rollup-plugin-commonjs";
-import nodeResolve from "rollup-plugin-node-resolve";
-import json from "rollup-plugin-json";
-import { terser } from "rollup-plugin-terser";
+import babel from "@rollup/plugin-babel";
+import commonjs from "@rollup/plugin-commonjs";
+import nodeResolve from "@rollup/plugin-node-resolve";
+import json from "@rollup/plugin-json";
+import terser  from "@rollup/plugin-terser";
 import pkg from "./package.json";
 
 export default {
@@ -27,6 +27,7 @@ export default {
     }),
     babel({
       exclude: [/node_modules/],
+      babelHelpers: 'bundled'
     }),
     terser(),
   ],