feat: remove latest-version dependency (#8035)

* feat: remove latest-version dependency * fix:mock * chore: add changeset

Author: n1ru4l

.changeset/nine-llamas-bathe.md

@@ -0,0 +1,5 @@
+---
+'@graphql-codegen/cli': patch
+---
+
+Fix security vulnerability by removing `latest-version` dependency.

packages/graphql-codegen-cli/package.json

@@ -58,13 +58,13 @@
  "chokidar": "^3.5.2",
  "common-tags": "^1.8.0",
  "cosmiconfig": "^7.0.0",
+ "cross-undici-fetch": "^0.4.11",
  "debounce": "^1.2.0",
  "detect-indent": "^6.0.0",
  "graphql-config": "^4.3.1",
  "inquirer": "^8.0.0",
  "is-glob": "^4.0.1",
  "json-to-pretty-yaml": "^1.2.2",
- "latest-version": "5.1.0",
  "listr": "^0.14.3",
  "listr-update-renderer": "^0.5.0",
  "log-symbols": "^4.0.0",

packages/graphql-codegen-cli/src/init/helpers.ts

@@ -4,7 +4,7 @@ import { writeFileSync, readFileSync } from 'fs';
 import { Types } from '@graphql-codegen/plugin-helpers';
 import detectIndent from 'detect-indent';
 import { Answers } from './types.js';
-import getLatestVersion from 'latest-version';
+import { getLatestVersion } from '../utils/get-latest-version.js';
 
 // Parses config and writes it to a file
 export async function writeConfig(answers: Answers, config: Types.Config) {

packages/graphql-codegen-cli/src/utils/get-latest-version.ts

@@ -0,0 +1,12 @@
+import { fetch } from 'cross-undici-fetch';
+
+/**
+ * Fetches the version directly from the registry instead of depending on
+ * an ESM only module as latest-version does.
+ * @param packageName
+ */
+export async function getLatestVersion(packageName: string): Promise<string> {
+ return fetch(`https://unpkg.com/${packageName}/package.json`)
+ .then(res => res.json())
+ .then(pkg => pkg.version);
+}

packages/graphql-codegen-cli/tests/init.spec.ts

@@ -1,5 +1,5 @@
-jest.mock('latest-version', () => {
- return () => Promise.resolve('1.0.0');
+jest.mock('../src/utils/get-latest-version.ts', () => {
+ return { getLatestVersion: () => Promise.resolve('1.0.0') };
 });
 
 import bddStdin from 'bdd-stdin';