flatiron/prompt

Move off abandoned utile dependency

mriedem opened this issue · 1 comments

utile was last updated in 2014 [1] and has an open security vulnerability issue reported against it [2] but it's pretty clearly abandoned [3].

It looks like utile is only used here:

async.forEachSeries(iterator, function (branch, next) {

and here:

async.rejectSeries(vars, confirm, function(result) {

Maybe the async library could be used instead which has similar functionality and is actively maintained:

https://caolan.github.io/async/v3/docs.html#eachOfSeries

https://caolan.github.io/async/v3/docs.html#rejectSeries

[1] https://github.com/flatiron/utile/releases
[2] flatiron/utile#28
[3] https://github.com/flatiron/utile/commits/master

caub commented

Good point, and for utile.mixin, what could we do? I think it's like Object.assign, but since this package tries to support node 0.6+, we could have a loop

var options = {
  description: typeof target === 'string' ? target : target.description||'yes/no',
  pattern: target.pattern || RX_YN,
  name: 'confirm',
  message: target.message || 'yes/no'
};
Object.keys(opts || {}).forEach(function (k) {
  options[k] = opts[k];
});

Object.keys is node 0.10+, maybe then a for in loop with hasOwnProperty

Do you think you could try a quick MR with your replacement utile -> async?
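
A dependency-free stand-in for utile.mixin along the lines of the for-in loop discussed in the comment above, added here as an example; it is not code from the prompt project or from either participant. The names `mixin` and `buildConfirmOptions` and the sample input are assumptions, and the example goes slightly beyond the comment by also refusing to copy a `__proto__` key.

```javascript
'use strict';

// Hypothetical replacement for utile.mixin: shallow-copies own enumerable
// properties from each source onto target using only ES3-era constructs
// (for...in plus hasOwnProperty), so it needs neither Object.keys nor
// Object.assign.
var hasOwn = Object.prototype.hasOwnProperty;

function mixin(target) {
  for (var i = 1; i < arguments.length; i++) {
    var source = arguments[i];
    if (source === null || source === undefined) continue; // tolerate missing opts
    for (var key in source) {
      // Skip inherited keys so nothing from the source's prototype chain is copied.
      if (!hasOwn.call(source, key)) continue;
      // Assigning "__proto__" would replace target's prototype instead of
      // creating a plain property, so that key is never copied.
      if (key === '__proto__') continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed defaults loosely mirroring the confirm() options in the comment.
function buildConfirmOptions(opts) {
  var defaults = { description: 'yes/no', name: 'confirm', message: 'yes/no' };
  return mixin(defaults, opts);
}

// Constructed input: JSON.parse creates an own property literally named "__proto__".
var untrusted = JSON.parse('{"message":"Continue?","__proto__":{"admin":true}}');
var merged = buildConfirmOptions(untrusted);
console.log(merged.message, merged.admin); // Continue? undefined
```
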