Fix vulnerabilities found with npm audit (cloudhead#222)

Switched to a different option parser to keep things simple

Author: fidian

CHANGES.md

@@ -6,6 +6,8 @@ Fork from `node-static`
 
 ### User-facing
 
+- Security: Fix dependency vulnerabilities by switching from `optimist` to
+    `neodoc`
 - Fix: Avoid octal (@bgao / @Ilrilan)
 - Fix: Support `bytes=0-0` Range header (@prajwalkman)
 - Fix: For `spa`, allow dots after path (@gjuchault)
@@ -19,7 +21,7 @@ Fork from `node-static`
 - Optimization: Remove unused `colors`
 - Docs: Fix header example (@emmanouil)
 - Docs: Sp. (@EdwardBetts)
-- npm: Update `mime` (updating to latest minor update only)
+- npm: Update `mime` (@fidian)
 - npm: Set engines to 10.11.0+
 
 ### Dev-facing

bin/cli.js

@@ -2,61 +2,47 @@
 
 'use strict';
 
+function help () {
+    return `Node-Static CLI - simple, RFC 2616 compliant file streaming module for Node.
+
+USAGE: cli.js [OPTIONS] [-p PORT] [<directory>]
+
+Options:
+    -p PORT, --port PORT
+            TCP port at which the files will be served. [default: 8080]
+    -a ADDRESS, --host-address ADDRESS
+            The local network interface at which to listen. [default: "127.0.0.1"]
+    -c SECONDS, --cache SECONDS
+            "Cache-Control" header setting. [default: 3600]
+    -v, --version
+            Node-static version
+    -H HEADERS, --headers HEADERS
+            Additional headers in JSON format.
+    -f FILE, --header-file FILE
+            JSON file of additional headers.
+    -z, --gzip
+            Enable compression (tries to serve file of same name plus ".gz").
+    --spa
+            Serve the content as a single page app by redirecting all non-file requests to the index HTML file.
+    -i FILENAME, --indexFile FILENAME
+            Specify a custom index file when serving up directories. [default: "index.html"]
+    -h, --help
+            Display this help message.
+`;
+}
+
 const fs = require('fs'),
     tty = require('tty'),
     url = require('url'),
-    statik = require('./../lib/node-static');
-
-const argv = require('optimist')
-    .usage([
-        'USAGE: $0 [-p <port>] [<directory>]',
-        'simple, rfc 2616 compliant file streaming module for node']
-        .join('\n\n'))
-    .option('port', {
-        alias: 'p',
-        'default': 8080,
-        description: 'TCP port at which the files will be served'
-    })
-    .option('host-address', {
-        alias: 'a',
-        'default': '127.0.0.1',
-        description: 'the local network interface at which to listen'
-    })
-    .option('cache', {
-        alias: 'c',
-        description: '"Cache-Control" header setting, defaults to 3600'
-    })
-    .option('version', {
-        alias: 'v',
-        description: '@brettz9/node-static version'
-    })
-    .option('headers', {
-        alias: 'H',
-        description: 'additional headers (in JSON format)'
-    })
-    .option('header-file', {
-        alias: 'f',
-        description: 'JSON file of additional headers'
-    })
-    .option('gzip', {
-        alias: 'z',
-        description: 'enable compression (tries to serve file of same name plus \'.gz\')'
-    })
-    .option('spa', {
-        description: 'serve the content as a single page app by redirecting all non-file requests to the index html file'
-    })
-    .option('indexFile', {
-        alias: 'i',
-        'default': 'index.html',
-        description: 'specify a custom index file when serving up directories'
-    })
-    .option('help', {
-        alias: 'h',
-        description: 'display this help message'
-    })
-    .argv;
-
-const dir = argv._[0] || '.';
+    statik = require('./../lib/node-static'),
+    neodoc = require('neodoc');
+
+const args = neodoc.run(help(), {
+    laxPlacement: true,
+    helpFlags: ['-h', '--help']
+});
+
+const dir = args['<directory>'] || '.';
 
 const log = function(request, response, statusCode) {
     const d = new Date();
@@ -74,37 +60,31 @@ const log = function(request, response, statusCode) {
     console.log(colorized);
 };
 
-let options;
-
-if (argv.help) {
-    require('optimist').showHelp(console.log);
-    process.exit(0);
-}
+const options = {};
 
-if (argv.version) {
+if (args['--version']) {
     console.log('@brettz9/node-static', statik.version.join('.'));
     process.exit(0);
 }
 
-if ('cache' in argv) {
-    (options = options || {}).cache = argv.cache;
+if ('--cache' in args) {
+    options.cache = args['--cache']
 }
 
-if (argv.headers) {
-    (options = options || {}).headers = JSON.parse(argv.headers);
+if (args['--headers']) {
+    options.headers = JSON.parse(args['--headers']);
 }
 
-if (argv['header-file']) {
-    (options = options || {}).headers =
-        JSON.parse(fs.readFileSync(argv['header-file']));
+if (args['--header-file']) {
+    options.headers = JSON.parse(fs.readFileSync(args['--header-file']));
 }
 
-if (argv.gzip) {
-    (options = options || {}).gzip = true;
+if (args['--gzip']) {
+    options.gzip = true;
 }
 
-if (argv.indexFile) {
-    (options = options || {}).indexFile = argv['indexFile'];
+if (args['--index-file']) {
+    options.indexFile = args['--index-file'];
 }
 
 const file = new(statik.Server)(dir, options);
@@ -124,21 +104,21 @@ const server = require('http').createServer(function (request, response) {
         // Parsing catches:
         //   npm start -- --spa --indexFile test/fixtures/there/index.html
         //   with http://127.0.0.1:8080/test/fixtures/there?email=john.cena
-        if (argv['spa'] && !url.parse(request.url).pathname.includes(".")) {
-            file.serveFile(argv['indexFile'], 200, {}, request, response);
+        if (args['spa'] && !url.parse(request.url).pathname.includes(".")) {
+            file.serveFile(args['--index-file'], 200, {}, request, response);
         } else {
             file.serve(request, response, callback);
         }
     }).resume();
 });
 
-if (argv['host-address'] === '127.0.0.1') {
-    server.listen(+argv.port);
+if (args['host-address'] === '127.0.0.1') {
+    server.listen(+args['--port']);
 } else {
-    server.listen(+argv.port, argv['host-address']);
+    server.listen(+args['--port'], args['--host-address']);
 }
 
-console.log('serving "' + dir + '" at http://' + argv['host-address'] + ':' + argv.port);
-if (argv.spa) {
-    console.log('serving as a single page app (all non-file requests redirect to ' + argv['indexFile'] +')');
+console.log('serving "' + dir + '" at http://' + args['--host-address'] + ':' + args['--port']);
+if (args['--spa']) {
+    console.log('serving as a single page app (all non-file requests redirect to ' + args['--index-file'] +')');
 }

lib/node-static.js

@@ -375,7 +375,7 @@ Server.prototype.respondNoGzip = function (pathname, status, contentType, _heade
 
 Server.prototype.respond = function (pathname, status, _headers, files, stat, req, res, finish) {
     const contentType = _headers['Content-Type'] ||
-                      mime.lookup(files[0]) ||
+                      mime.getType(files[0]) ||
                       'application/octet-stream';
 
     if(this.options.gzip) {