Yo should use esm

[Logicer16]

Type of issue

Bug Report

---

My environment

• OS version/details: macOS Monterey 12.6.7
• Node version: v20.2.0 (run node --version in your terminal)
• npm version: 9.6.6 (run npm --version in your terminal)
• Version of yo : 4.3.1 (run yo --version in your terminal)

Expected behavior

yo has no vulnerable dependancies.

Current behavior

The following are vulnerable package versions from yo and its dependancies, yeoman/doctor and yeoman/insight:

meow: < v6.0.0
bin-version-check: < v5.0.0
got: < v12.0.0
npm-keyword: < v7.0.0
update-notifier: < v6.0.0
latest-version: < v6.0.0

However these packages are now all pure esm. To allow for these dependancies to be updated, and thus for the vulnerabilities to be fixed, yo, yoeman/doctor, and yeoman/insight should switch to esm as well.

This has additionally caused problems with insight as os-name >= v5.0.0 is also pure esm, which resulted in insight being removed.

This has been an ongoing issue for the project. Related issues I've found include (17 total):

• 786

• 780

• 773

• 766

• 753

• 751

• 749

• 716

• 679

• 683

• https://github.com/yeoman/insight/issues/83
• https://github.com/yeoman/insight/pull/82
• https://github.com/yeoman/insight/issues/81
• https://github.com/yeoman/insight/pull/80
• https://github.com/yeoman/insight/issues/78
• https://github.com/yeoman/insight/issues/52
• https://github.com/yeoman/doctor/pull/58

Each of these require this being implemented to be properly fixed.

Other yeoman packages have already made the switch to esm, including update-notifier, stringily-object, and configstore, with environment and generator soon to follow.

Steps to reproduce the behavior

npm audit

Command line output

Output

``` # npm audit report got <=11.8.3 Severity: high Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 Depends on vulnerable versions of cacheable-request fix available via `npm audit fix --force` Will install yo@1.4.5, which is a breaking change node_modules/got node_modules/latest-version/node_modules/got node_modules/npm-keyword/node_modules/got node_modules/yeoman-doctor/node_modules/got npm-keyword <=6.1.0 Depends on vulnerable versions of got node_modules/npm-keyword yo >=1.2.1 Depends on vulnerable versions of got Depends on vulnerable versions of meow Depends on vulnerable versions of npm-keyword Depends on vulnerable versions of update-notifier Depends on vulnerable versions of yeoman-doctor node_modules/yo package-json <=6.5.0 Depends on vulnerable versions of got node_modules/latest-version/node_modules/package-json node_modules/yeoman-doctor/node_modules/package-json latest-version 0.2.0 - 5.1.0 Depends on vulnerable versions of package-json node_modules/latest-version node_modules/yeoman-doctor/node_modules/latest-version update-notifier 0.2.0 - 5.1.0 Depends on vulnerable versions of latest-version node_modules/update-notifier yeoman-doctor >=1.4.0 Depends on vulnerable versions of bin-version-check Depends on vulnerable versions of latest-version node_modules/yeoman-doctor http-cache-semantics <4.1.1 Severity: high http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j fix available via `npm audit fix --force` Will install yo@1.4.5, which is a breaking change node_modules/cacheable-request/node_modules/http-cache-semantics cacheable-request 0.1.0 - 2.1.4 Depends on vulnerable versions of http-cache-semantics node_modules/cacheable-request semver-regex <=3.1.3 Severity: high Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx fix available via `npm audit fix --force` Will install yo@1.4.5, which is a breaking change node_modules/semver-regex find-versions <=3.2.0 Depends on vulnerable versions of semver-regex node_modules/find-versions bin-version <=4.0.0 Depends on vulnerable versions of find-versions node_modules/bin-version bin-version-check <=4.0.0 Depends on vulnerable versions of bin-version node_modules/bin-version-check trim-newlines <3.0.1 Severity: high Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v fix available via `npm audit fix --force` Will install yo@1.4.5, which is a breaking change node_modules/trim-newlines meow 3.4.0 - 5.0.0 Depends on vulnerable versions of trim-newlines Depends on vulnerable versions of yargs-parser node_modules/meow yargs-parser 6.0.0 - 13.1.1 Severity: moderate yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp fix available via `npm audit fix --force` Will install yo@1.4.5, which is a breaking change node_modules/yargs-parser 16 vulnerabilities (5 moderate, 11 high) ```

[IrrerPolterer]

Is there any progress towards fixinv the vulnerable dependencies? Trying to install yo at the moment fires a ton of vulnerability warnings. In this state yo is unusable for our purposes.

[mshima]

yeoman-generator, yeoman-environment and yeoman-test are ESM now.

Help is wanted to migrate yo to ESM. In the mean time, yeoman-environment is been dynamic loaded to workaround requiring an ESM module.