Switch from CJS (CommonJS) to ESM (ECMAScript Modules)

[Logicer16]

Type of issue

Bug Report

---

My environment

• OS version/details: macOS Monterey 12.6.7
• Node version: v20.2.0 (run node --version in your terminal)
• npm version: 9.6.6 (run npm --version in your terminal)
• Version of yo : 4.3.1 (run yo --version in your terminal)

Expected behavior

yo has no vulnerable dependancies.

Current behavior

The following are vulnerable package versions from yo and its dependancies, yeoman/doctor and yeoman/insight:

meow: < v6.0.0
bin-version-check: < v5.0.0
got: < v12.0.0
npm-keyword: < v7.0.0
update-notifier: < v6.0.0
latest-version: < v6.0.0

However these packages are now all pure esm.
To allow for these dependancies to be updated, and thus for the vulnerabilities to be fixed, yo, yoeman/doctor, and yeoman/insight should switch to esm as well.

This has additionally caused problems with insight as os-name >= v5.0.0 is also pure esm, which resulted in insight being removed.

This has been an ongoing issue for the project. Related issues I've found include (17 total):

• yo depends on deprecated module.parent, should update meow #786
• Vulnerability in dependency for Yo #780
• Bump got from 8.3.2 to 12.5.3 #773
• Bump meow from 5.0.0 to 11.0.0 #766
• Unable to run yo on macOS Ventura Beta #753
• Bump npm-keyword from 6.1.0 to 7.0.0 #751
• Bump update-notifier from 5.1.0 to 6.0.2 #749
• 15 vulnerabilities when installing #716
• Update vulnerable dependencies trim-newlines and glob-parent #679
• Can't run yo on macos monterey #683
• Support macOS 13 Ventura sindresorhus/insight#83
• update os-name  sindresorhus/insight#82
• Error in macOS venture sindresorhus/insight#81
• Support macOS 13 Ventura sindresorhus/insight#80
• Any one could share insight roadmap ? (for macos monterey ) sindresorhus/insight#78
• Consider using got over request. sindresorhus/insight#52
• chore: update bin-version-check doctor#58

Each of these require this being implemented to be properly fixed.

Other yeoman packages have already made the switch to esm, including update-notifier, stringily-object, and configstore, with environment and generator soon to follow.

Steps to reproduce the behavior

npm audit

Command line output

Output

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
node_modules/latest-version/node_modules/got
node_modules/npm-keyword/node_modules/got
node_modules/yeoman-doctor/node_modules/got
  npm-keyword  <=6.1.0
  Depends on vulnerable versions of got
  node_modules/npm-keyword
    yo  >=1.2.1
    Depends on vulnerable versions of got
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-keyword
    Depends on vulnerable versions of update-notifier
    Depends on vulnerable versions of yeoman-doctor
    node_modules/yo
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/latest-version/node_modules/package-json
  node_modules/yeoman-doctor/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
    node_modules/yeoman-doctor/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
      yeoman-doctor  >=1.4.0
      Depends on vulnerable versions of bin-version-check
      Depends on vulnerable versions of latest-version
      node_modules/yeoman-doctor

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cacheable-request/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

semver-regex  <=3.1.3
Severity: high
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/yargs-parser

16 vulnerabilities (5 moderate, 11 high)

[IrrerPolterer]

Is there any progress towards fixinv the vulnerable dependencies? Trying to install yo at the moment fires a ton of vulnerability warnings. In this state yo is unusable for our purposes.

[mshima]

yeoman-generator, yeoman-environment and yeoman-test are ESM now.

Help is wanted to migrate yo to ESM.
In the mean time, yeoman-environment is been dynamic loaded to workaround requiring an ESM module.

[JoshuaKGoldberg]

Marking as actionable because yo specifies Node versions that all support ESM:

yo/package.json

Lines 14 to 16 in d317eab

	"engines": {
	"node": "^18.17.0 || >=20.5.0"
	},

...but this is a pretty huge task and not likely to be easy or resolved soon.