Skip to content

[Snyk] Upgrade commander from 12.1.0 to 14.0.0#1

Open
SherfeyInv wants to merge 1 commit intomainfrom
snyk-upgrade-5f2ade7ee6c51e64fbdb3eac6da0284f
Open

[Snyk] Upgrade commander from 12.1.0 to 14.0.0#1
SherfeyInv wants to merge 1 commit intomainfrom
snyk-upgrade-5f2ade7ee6c51e64fbdb3eac6da0284f

Conversation

@SherfeyInv
Copy link

@SherfeyInv SherfeyInv commented Sep 1, 2025

snyk-top-banner

Snyk has created this PR to upgrade commander from 12.1.0 to 14.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

  • The recommended version is 4 versions ahead of your current version.

  • The recommended version was released 3 months ago.

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
medium severity Cross-site Scripting (XSS)
SNYK-JS-MARKDOWNIT-12143043		 390 Proof of Concept
Release notes
Package name: commander
  • 14.0.0 - 2025-05-18

    Added

    • support for groups of options and commands in the help using low-level .helpGroup() on Option and Command, and higher
      -level .optionsGroup() and .commandsGroup() which can be used in chaining way to specify group title for following option
      s/commands (#2328)
    • support for unescaped negative numbers as option-arguments and command-arguments (#2339)
    • TypeScript: add parseArg property to Argument class (#2359)

    Fixed

    • remove bogus leading space in help when option has default value but not a description (#2348)
    • .configureOutput() now makes copy of settings instead of modifying in-place, fixing side-effects (#2350)

    Changed

    • Breaking: Commander 14 requires Node.js v20 or higher
    • internal refactor of Help class adding .formatItemList() and .groupItems() methods (#2328)
  • 13.1.0 - 2025-01-20

    Added

    • support a pair of long option flags to allow a memorable shortened flag, like .option('--ws, --workspace') (#2312)
  • 13.0.0 - 2024-12-30

    Added

    • support multiple calls to .parse() with default settings (#2299)
    • add .saveStateBeforeParse() and .restoreStateBeforeParse() for use by subclasses (#2299)
    • style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)
    • color related support in .configureOutput() for getOutHasColors(), getErrHasColors(), and stripColor() (#2251)
    • Help property for minWidthToWrap (#2251)
    • Help methods for displayWidth(), boxWrap(), preformatted() et al (#2251)

    Changed

    • Breaking: excess command-arguments cause an error by default, see migration tips (#2223)
    • Breaking: throw during Option construction for unsupported option flags, like multiple characters after single - (#2270)
    • Breaking: throw on multiple calls to .parse() if storeOptionsAsProperties: true (#2299)
    • TypeScript: include implicit this in parameters for action handler callback (#2197)

    Deleted

    • Breaking: Help.wrap() refactored into formatItem() and boxWrap() (#2251)

    Migration Tips

    Excess command-arguments

    It is now an error for the user to specify more command-arguments than are expected. (allowExcessArguments is now false by default.)

    Old code:

    program.option('-p, --port <number>', 'port number');
program.action((options) => {
  console.log(program.args);
});

    Now shows an error:

    $ node example.js a b c
error: too many arguments. Expected 0 arguments but got 3.

    You can declare the expected arguments. The help will then be more accurate too. Note that declaring
    new arguments will change what is passed to the action handler.

    program.option('-p, --port <number>', 'port number');
program.argument('[args...]', 'remote command and arguments'); // expecting zero or more arguments
program.action((args, options) => {
  console.log(args);
});

    Or you could suppress the error, useful for minimising changes in legacy code.

    program.option('-p, --port', 'port number');
program.allowExcessArguments();
program.action((options) => {
  console.log(program.args);
});
  • 13.0.0-0 - 2024-12-06

    Added

    • style routines like styleTitle() to add color to help using .configureHelp() or Help subclass (#2251)
    • color related support in .configureOutput() for getOutHasColors(), getErrHasColors(), and stripColor() (#2251)
    • Help property for minWidthToWrap (#2251)
    • Help methods for displayWidth(), boxWrap(), preformatted() et al (#2251)

    Changed

    • Breaking: excess command-arguments cause an error by default, see migration tips (#2223)
    • Breaking: throw during Option construction for unsupported option flags, like multiple characters after single - (#2270)
    • TypeScript: include implicit this in parameters for action handler callback (#2197)

    Deleted

    • Breaking: Help.wrap() refactored into formatItem() and boxWrap() (#2251)

    Migration Tips

    Excess command-arguments

    It is now an error for the user to specify more command-arguments than are expected. (allowExcessArguments is now false by default.)

    Old code:

    program.option('-p, --port <number>', 'port number');
program.action((options) => {
  console.log(program.args);
});

    Now shows an error:

    $ node example.js a b c
error: too many arguments. Expected 0 arguments but got 3.

    You can declare the expected arguments. The help will then be more accurate too. Note that declaring
    new arguments will change what is passed to the action handler.

    program.option('-p, --port <number>', 'port number');
program.argument('[args...]', 'remote command and arguments'); // expecting zero or more arguments
program.action((args, options) => {
  console.log(args);
});

    Or you could suppress the error, useful for minimising changes in legacy code.

    program.option('-p, --port', 'port number');
program.allowExcessArguments();
program.action((options) => {
  console.log(program.args);
});
  • 12.1.0 - 2024-05-18

    Added

    • auto-detect special node flags node --eval and node --print when call .parse() with no arguments (#2164)

    Changed

    • prefix require of Node.js core modules with node: (#2170)
    • format source files with Prettier (#2180)
    • switch from StandardJS to directly calling ESLint for linting (#2153)
    • extend security support for previous major version of Commander (#2150)

    Removed

    • removed unimplemented Option.fullDescription from TypeScript definition (#2191)
from commander GitHub release notes

Important

  • Warning: This PR contains a major version upgrade, and may be a breaking change.
  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
feat: upgrade commander from 12.1.0 to 14.0.0
1643c1c 
Snyk has created this PR to upgrade commander from 12.1.0 to 14.0.0.

See this package in npm:
commander

See this project in Snyk:
https://app.snyk.io/org/sherfeyinv/project/e89bf1d2-0f14-40c3-bdc6-633661922a5c?utm_source=github&utm_medium=referral&page=upgrade-pr
@socket-security
Copy link

socket-security bot commented Sep 1, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedcommander@​12.1.0 ⏵ 14.0.0100100100 +184100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SherfeyInv @snyk-bot