API Broken Semver Not Respected

[ALMaclaine]

If you came here to report this:

Yes, I know, I'm sorry.

There was a security vulnerability in yarg. Replace was updated. The API Broke. It was reverted.

But I've chosen security over the 1 test the api breaks for (single quotes in replacement string on command line).

That's not an excuse to break semver, but it's going to require a re-write to fix, something I can't do right away, and I don't want to bump a new version over something that should be patchable.

Please report any other breaking issues so I can mull over how to resolve the problem.

[ljharb]

Which version did this breakage occur in?

Updating replace from v0.x to v1 latest is breaking my one command-line usage of it: https://github.com/nvm-sh/nvm/pull/2428/checks?check_run_id=1810967042 https://github.com/nvm-sh/nvm/blob/master/Makefile#L83 - but i can't figure out why it'd not be working.

[ALMaclaine]

@ljharb In either 1.1.5 or 1.2.0

[ljharb]

k, that wasn't it - v0.x works and any v1.x breaks :-(

update: figured it out. in v0.x, replace a b -- paths/to/files works, but in v1.x, replace a b paths/to/files is required.

[ALMaclaine]

@ljharb

Yeah, unfortunately I had to switch from nomnom to yargs for security reasons and yargs doesn't respect the --. I filed an issue years ago, and it was never followed up on.

I don't have a solution for this, you'll need to update your code or propose a solution for the package.

[ljharb]

I've updated my code to unblock myself. I'm reasonably sure yargs does support -- tho, altho you might need to manually process those args.

[ALMaclaine]

If you can point me towards any information that indicates that I will attempt to support it, however multiple other people in the issue thread seemed to think it wasn't possible.

[ljharb]

yargs/yargs-parser#177 suggests it was fixed in yargs v13.something?

[ALMaclaine]

I'll take a look, thank you.