From aaf86f61836c45b254794785f0a2e8f43dc38800 Mon Sep 17 00:00:00 2001
From: Gar
Date: Mon, 4 Apr 2022 11:43:32 -0700
Subject: [PATCH] deps: @npmcli/metavuln-calculator@3.1.0 (#4674)

* include cwe and cvss in advisories
---
 .../metavuln-calculator/lib/advisory.js | 44 ++++++++++---------
 .../@npmcli/metavuln-calculator/package.json | 27 +++++++-----
 package-lock.json | 11 +++--
 3 files changed, 46 insertions(+), 36 deletions(-)

diff --git a/node_modules/@npmcli/metavuln-calculator/lib/advisory.js b/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
index 5b58ef6370724..d30838e7384f6 100644
--- a/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
+++ b/node_modules/@npmcli/metavuln-calculator/lib/advisory.js
@@ -39,6 +39,8 @@ class Advisory {
     this.severity = source.severity || 'high'
     this.versions = []
     this.vulnerableVersions = []
+    this.cwe = source.cwe
+    this.cvss = source.cvss
 
     // advisories have the range, metavulns do not
     // if an advisory doesn't specify range, assume all are vulnerable
@@ -326,7 +328,7 @@ class Advisory {
       list.push(v)
     }
 
-    for (const list of versionSets) {
+    for (const set of versionSets) {
       // it's common to have version lists like:
       // 1.0.0
       // 1.0.1-alpha.0
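Review bot: The two added assignments copy `source.cwe` and `source.cvss` through unchanged, with no default and no shape check, while `severity` on the line just above falls back to `'high'`; an Advisory built from a payload that omits these fields (or a metavuln, which the comment below says carries no range and presumably no cwe/cvss either) therefore exposes `undefined` to anything that reads them. The `source` object appears to be externally supplied advisory data, so a short comment stating what is expected would help the next reader, e.g. `// cwe/cvss are passed through as received from the advisory source; not validated here, callers must handle absence`. If `cwe` is the list of identifiers the registry sends, `this.cwe = source.cwe || []` would give consumers a stable type the way `severity` already does. The Advisory constructor starts and ends outside this hunk.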
@@ -340,54 +342,54 @@ class Advisory {
       // 1.0.2
       // with a huge number of prerelease versions that are not installable
       // anyway.
-      // If mid has a prerelease tag, and list[0] does not, then walk it
+      // If mid has a prerelease tag, and set[0] does not, then walk it
       // back until we hit a non-prerelease version
-      // If mid has a prerelease tag, and list[list.length-1] does not,
+      // If mid has a prerelease tag, and set[set.length-1] does not,
       // then walk it forward until we hit a version without a prerelease tag
       // Similarly, if the head/tail is a prerelease, but there is a non-pr
-      // version in the list, then start there instead.
+      // version in the set, then start there instead.
       let h = 0
-      const origHeadVuln = this.testVersion(list[h])
-      while (h < list.length && /-/.test(String(list[h]))) {
+      const origHeadVuln = this.testVersion(set[h])
+      while (h < set.length && /-/.test(String(set[h]))) {
         h++
       }
 
       // don't filter out the whole list! they might all be pr's
-      if (h === list.length) {
+      if (h === set.length) {
         h = 0
       } else if (origHeadVuln) {
         // if the original was vulnerable, assume so are all of these
         for (let hh = 0; hh < h; hh++) {
-          this[_markVulnerable](list[hh])
+          this[_markVulnerable](set[hh])
         }
       }
 
-      let t = list.length - 1
-      const origTailVuln = this.testVersion(list[t])
-      while (t > h && /-/.test(String(list[t]))) {
+      let t = set.length - 1
+      const origTailVuln = this.testVersion(set[t])
+      while (t > h && /-/.test(String(set[t]))) {
         t--
       }
 
       // don't filter out the whole list! might all be pr's
       if (t === h) {
-        t = list.length - 1
+        t = set.length - 1
       } else if (origTailVuln) {
         // if original tail was vulnerable, assume these are as well
-        for (let tt = list.length - 1; tt > t; tt--) {
-          this[_markVulnerable](list[tt])
+        for (let tt = set.length - 1; tt > t; tt--) {
+          this[_markVulnerable](set[tt])
         }
       }
 
       const headVuln = h === 0 ? origHeadVuln
-        : this.testVersion(list[h])
+        : this.testVersion(set[h])
 
-      const tailVuln = t === list.length - 1 ? origTailVuln
-        : this.testVersion(list[t])
+      const tailVuln = t === set.length - 1 ? origTailVuln
+        : this.testVersion(set[t])
 
       // if head and tail both vulnerable, whole list is thrown out
       if (headVuln && tailVuln) {
         for (let v = h; v < t; v++) {
-          this[_markVulnerable](list[v])
+          this[_markVulnerable](set[v])
         }
         continue
       }
@@ -397,9 +399,9 @@ class Advisory {
         continue
       }
 
-      const mid = Math.floor(list.length / 2)
-      const pre = list.slice(0, mid)
-      const post = list.slice(mid)
+      const mid = Math.floor(set.length / 2)
+      const pre = set.slice(0, mid)
+      const post = set.slice(mid)
 
       // if the parent list wasn't prereleases, then drop pr tags
       // from end of the pre list, and beginning of the post list,
diff --git a/node_modules/@npmcli/metavuln-calculator/package.json b/node_modules/@npmcli/metavuln-calculator/package.json
index 6c05ee529cc82..2c04e0fd420bf 100644
--- a/node_modules/@npmcli/metavuln-calculator/package.json
+++ b/node_modules/@npmcli/metavuln-calculator/package.json
@@ -1,13 +1,16 @@
 {
   "name": "@npmcli/metavuln-calculator",
-  "version": "3.0.1",
+  "version": "3.1.0",
   "main": "lib/index.js",
   "files": [
-    "bin",
-    "lib"
+    "bin/",
+    "lib/"
   ],
   "description": "Calculate meta-vulnerabilities from package security advisories",
-  "repository": "https://github.com/npm/metavuln-calculator",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/npm/metavuln-calculator.git"
+  },
   "author": "GitHub Inc.",
   "license": "ISC",
   "scripts": {
@@ -19,19 +22,20 @@
     "postversion": "npm publish",
     "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
-    "lint": "eslint '**/*.js'",
+    "lint": "eslint \"**/*.js\"",
     "lintfix": "npm run lint -- --fix",
-    "postlint": "npm-template-check",
-    "template-copy": "npm-template-copy --force"
+    "postlint": "template-oss-check",
+    "template-oss-apply": "template-oss-apply --force"
   },
   "tap": {
     "check-coverage": true,
     "coverage-map": "map.js"
   },
   "devDependencies": {
-    "@npmcli/template-oss": "^2.9.2",
+    "@npmcli/eslint-config": "^3.0.1",
+    "@npmcli/template-oss": "3.2.0",
     "require-inject": "^1.4.4",
-    "tap": "^15.1.6"
+    "tap": "^16.0.1"
   },
   "dependencies": {
     "cacache": "^16.0.0",
@@ -40,9 +44,10 @@
     "semver": "^7.3.5"
   },
   "engines": {
-    "node": "^12.13.0 || ^14.15.0 || >=16"
+    "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
   },
   "templateOSS": {
-    "version": "2.9.2"
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "version": "3.2.0"
   }
 }
diff --git a/package-lock.json b/package-lock.json
index 99d30f961babc..39f3b1bf22b35 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -936,8 +936,9 @@
       }
     },
     "node_modules/@npmcli/metavuln-calculator": {
-      "version": "3.0.1",
-      "license": "ISC",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-3.1.0.tgz",
+      "integrity": "sha512-Q5fbQqGDlYqk7kWrbg6E2j/mtqQjZop0ZE6735wYA1tYNHguIDjAuWs+kFb5rJCkLIlXllfapvsyotYKiZOTBA==",
       "dependencies": {
         "cacache": "^16.0.0",
         "json-parse-even-better-errors": "^2.3.1",
@@ -945,7 +946,7 @@
         "semver": "^7.3.5"
       },
       "engines": {
-        "node": "^12.13.0 || ^14.15.0 || >=16"
+        "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
       }
     },
     "node_modules/@npmcli/move-file": {
@@ -10311,7 +10312,9 @@
       }
     },
     "@npmcli/metavuln-calculator": {
-      "version": "3.0.1",
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/metavuln-calculator/-/metavuln-calculator-3.1.0.tgz",
+      "integrity": "sha512-Q5fbQqGDlYqk7kWrbg6E2j/mtqQjZop0ZE6735wYA1tYNHguIDjAuWs+kFb5rJCkLIlXllfapvsyotYKiZOTBA==",
       "requires": {
         "cacache": "^16.0.0",
         "json-parse-even-better-errors": "^2.3.1",