Remove ts-common/azure-js-dev-tools to solve security issue (#9009)

* Fix high security issue

* Add test

tools/js-sdk-release-tools/package.json

@@ -27,14 +27,14 @@
   "dependencies": {
     "@azure-tools/openapi-tools-common": "^1.2.2",
     "@npmcli/package-json": "^5.2.0",
-    "@ts-common/azure-js-dev-tools": "^21.1.0",
     "colors": "1.4.0",
     "command-line-args": "^5.1.1",
     "comment-json": "^4.1.0",
     "copyfiles": "^2.4.1",
     "fs-extra": "^11.2.0",
     "glob": "^11.0.0",
     "js-yaml": "^4.1.0",
+    "npm-registry-fetch": "^17.1.0",
     "parse-ts-to-ast": "^0.1.1",
     "semver": "^7.3.5",
     "shelljs": "^0.8.4",
@@ -49,6 +49,7 @@
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",
     "@types/node": "^20.12.12",
+    "@types/npm-registry-fetch": "^8.0.7",
     "@types/npmcli__package-json": "^4.0.4",
     "@types/shelljs": "^0.8.15",
     "@types/unixify": "^1.0.2",

tools/js-sdk-release-tools/src/common/npmUtils.ts

@@ -1,5 +1,6 @@
 import { load } from '@npmcli/package-json';
 import { NpmPackageInfo } from './types';
+import * as fetch from 'npm-registry-fetch';
 
 export async function getNpmPackageInfo(packageDirectory): Promise<NpmPackageInfo> {
     const packageJson = await load(packageDirectory);
@@ -29,3 +30,11 @@ export function getArtifactName(info: NpmPackageInfo) {
     const version = info.version;
     return `${name}-${version}.tgz`;
 }
+
+export async function tryGetNpmView(packageName: string): Promise<{[id: string]: any} | undefined> {
+    try {
+        return await fetch.json(`/${packageName}`);
+    } catch (err) {
+        return undefined;
+    }
+}

tools/js-sdk-release-tools/src/common/utils.ts

@@ -4,7 +4,6 @@ import fs from 'fs';
 import { SDKType } from './types';
 import { logger } from '../utils/logger';
 import { Project, ScriptTarget, SourceFile } from 'ts-morph';
-import { replaceAll } from '@ts-common/azure-js-dev-tools';
 import { readFile } from 'fs/promises';
 import { parse } from 'yaml';
 import { access } from 'node:fs/promises';
@@ -27,6 +26,10 @@ function removeLastNewline(line: string): string {
     return line.replace(/\n$/, '')
 }
 
+function replaceAll(original: string, from: string, to: string) { 
+    return original.split(from).join(to);
+}
+
 function printErrorDetails(
     output: { stdout: string; stderr: string; code: number | null } | undefined,
     printDetails: boolean = false

tools/js-sdk-release-tools/src/hlc/utils/automaticGenerateChangeLogAndBumpVersion.ts

@@ -4,7 +4,6 @@ import shell from 'shelljs';
 
 import { extractExportAndGenerateChangelog } from "../../changelog/extractMetaData";
 import { Changelog } from "../../changelog/changelogGenerator";
-import { NPMScope, NPMViewResult } from "@ts-common/azure-js-dev-tools";
 import {
     makeChangesForFirstRelease,
     makeChangesForMigrateTrack1ToTrack2, makeChangesForPatchReleasingTrack2,
@@ -23,22 +22,22 @@ import { getversionDate } from "../../utils/version";
 import { ApiVersionType, SDKType } from "../../common/types"
 import { getApiVersionType } from '../../xlc/apiVersion/apiVersionTypeExtractor'
 import { fixChangelogFormat, getApiReviewPath, getNpmPackageName, getSDKType, tryReadNpmPackageChangelog } from '../../common/utils';
+import { tryGetNpmView } from '../../common/npmUtils';
 
 export async function generateChangelogAndBumpVersion(packageFolderPath: string) {
     const jsSdkRepoPath = String(shell.pwd());
     packageFolderPath = path.join(jsSdkRepoPath, packageFolderPath);
     const ApiType = await getApiVersionType(packageFolderPath);
     const isStableRelease = ApiType != ApiVersionType.Preview;
     const packageName = getNpmPackageName(packageFolderPath);
-    const npm = new NPMScope({ executionFolderPath: packageFolderPath });
-    const npmViewResult: NPMViewResult = await npm.view({ packageName });
-    const stableVersion = getVersion(npmViewResult,"latest");
+    const npmViewResult = await tryGetNpmView(packageName);
+    const stableVersion = getVersion(npmViewResult, "latest");
     const nextVersion = getVersion(npmViewResult, "next");
 
-    if (npmViewResult.exitCode !== 0 || (!!stableVersion && isBetaVersion(stableVersion) && isStableRelease)) {
-        logger.info(`Package ${packageName} is first ${npmViewResult.exitCode !== 0? ' ': ' stable'} release, start to generate changelogs and set version for first ${npmViewResult.exitCode !== 0? ' ': ' stable'} release.`);
+    if (!npmViewResult || (!!stableVersion && isBetaVersion(stableVersion) && isStableRelease)) {
+        logger.info(`Package ${packageName} is first ${!npmViewResult ? ' ': ' stable'} release, start to generate changelogs and set version for first ${!npmViewResult ? ' ': ' stable'} release.`);
         makeChangesForFirstRelease(packageFolderPath, isStableRelease);
-        logger.info(`Generated changelogs and setting version for first${npmViewResult.exitCode !== 0? ' ': ' stable'} release successfully`);
+        logger.info(`Generated changelogs and setting version for first${!npmViewResult ? ' ': ' stable'} release successfully`);
     } else {
         if (!stableVersion) {
             logger.error(`Invalid latest version ${stableVersion}`);

tools/js-sdk-release-tools/src/llc/utils/generateChangelog.ts

@@ -1,10 +1,10 @@
 import * as fs from "fs";
 import * as path from "path";
-import { NPMScope } from "@ts-common/azure-js-dev-tools";
 import { logger } from "../../utils/logger";
 import { getLatestStableVersion } from "../../utils/version";
 import { extractExportAndGenerateChangelog } from "../../changelog/extractMetaData";
 import { fixChangelogFormat, getApiReviewPath, getSDKType, tryReadNpmPackageChangelog } from "../../common/utils";
+import { tryGetNpmView } from "../../common/npmUtils";
 
 const shell = require('shelljs');
 const todayDate = new Date();
@@ -38,9 +38,8 @@ export async function generateChangelog(packagePath) {
     const packageJson = JSON.parse(fs.readFileSync(path.join(packagePath, 'package.json'), {encoding: 'utf-8'}));
     const packageName = packageJson.name;
     const version = packageJson.version;
-    const npm = new NPMScope({executionFolderPath: packagePath});
-    const npmViewResult = await npm.view({packageName});
-    if (npmViewResult.exitCode !== 0) {
+    const npmViewResult = await tryGetNpmView(packageName);
+    if (!npmViewResult) {
         logger.info(`'${packageName}' is first release, start to generate changelog.`);
         generateChangelogForFirstRelease(packagePath, version);
         logger.info(`Generated changelog successfully.`);

tools/js-sdk-release-tools/src/llc/utils/utils.ts

@@ -1,8 +1,8 @@
 import * as fs from "fs";
 import * as path from "path";
 import {logger} from "../../utils/logger";
-import {NPMScope} from "@ts-common/azure-js-dev-tools";
 import {getLatestStableVersion} from "../../utils/version";
+import { tryGetNpmView } from "../../common/npmUtils";
 const readline = require('readline');
 
 export function validPackageName(packageName) {
@@ -55,8 +55,7 @@ export function getPackageFolderName(packageName) {
 }
 
 export async function getLatestCodegen(packagePath) {
-    const npm = new NPMScope({executionFolderPath: packagePath});
-    const npmViewResult = await npm.view({packageName: '@autorest/typescript'});
+    const npmViewResult = await tryGetNpmView('@autorest/typescript');
     const stableVersion = getLatestStableVersion(npmViewResult);
     if (!stableVersion)
         return '6.0.0-beta.14';

tools/js-sdk-release-tools/src/test/npm/npm.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, test } from "vitest";
 import { updatePackageVersion } from "../../mlc/clientGenerator/utils/typeSpecUtils";
 import { join } from "path";
 import { load } from '@npmcli/package-json';
+import { tryGetNpmView } from "../../common/npmUtils";
 
 describe('Npm package json', () => {
     test('Replace package version', async () => {
@@ -10,4 +11,14 @@ describe('Npm package json', () => {
         const packageJson = await load(packageDirectory);        
         expect(packageJson.content.version).toBe('2.0.0');
     });
-});
+});
+
+describe("Npm view", () => {
+    test("View package version", async () => {
+        const nonExistResult = await tryGetNpmView("non-exist");
+        expect(nonExistResult).toBeUndefined();
+
+        const normalResult = await tryGetNpmView("connect");
+        expect(normalResult!["name"]).toBe("connect");
+    });
+});

tools/js-sdk-release-tools/src/utils/version.ts

@@ -1,19 +1,18 @@
-import {NPMViewResult, StringMap, tr} from "@ts-common/azure-js-dev-tools";
 import {logger} from "./logger";
 const semverInc = require('semver/functions/inc')
 
-export function getVersion(npmViewResult: NPMViewResult,tag: string) {
-    const distTags: StringMap<string> | undefined = npmViewResult['dist-tags'];
+export function getVersion(npmViewResult: Record<string, any> | undefined, tag: string) {
+    const distTags: Record<string, any> | undefined = npmViewResult?.['dist-tags'];
     return distTags && distTags[tag];
 }
 
-export function getversionDate(npmViewResult: NPMViewResult, version : string){
-    const time: StringMap<string> | undefined = npmViewResult['time'];
+export function getversionDate(npmViewResult: Record<string, any>, version : string){
+    const time: Record<string, any> | undefined = npmViewResult['time'];
     return time && time[version];
 }
 
-export function getLatestStableVersion(npmViewResult: NPMViewResult) {
-    const distTags: StringMap<string> | undefined = npmViewResult['dist-tags'];
+export function getLatestStableVersion(npmViewResult: Record<string, any> | undefined) {
+    const distTags: Record<string, any> | undefined = npmViewResult?.['dist-tags'];
     const stableVersion = distTags && distTags['latest'];
     return stableVersion;
 }