Use yargs instead of deprecated optimist in 4.x release

[ShintaroOkuda]

Before filing issues, please check the following points first:

• Please don't open issues for security issues. Instead, file a report at https://www.npmjs.com/advisories/report?package=handlebars
• Have a look at https://github.com/wycats/handlebars.js/blob/master/CONTRIBUTING.md
• Read the FAQ at https://github.com/wycats/handlebars.js/blob/master/FAQ.md
• Use the jsfiddle-template at https://jsfiddle.net/4nbwjaqz/4/ to reproduce problems or bugs

We are using the latest handlebars 4.7.3, but we noticed that one of the dependencies optimist is deprecated. There is a ticket to switch to yargs instead (#1179) and it was closed with the merged PR (#1180). However, the merged PR is not in 4.x release yet. Please fix this in 4.x release.

[nknapp]

I think it may break the cli, so I'd rather not update in the 4.x branch.

I am sometimes working on 5.0 in the master, but since this is all voluntary work and I have a lot of other duties, I cannot tell when it with be ready.

[karlhorky]

Moving from optimist to minimist or yargs would also allow for easier mitigation of the SNYK-JS-MINIMIST-559764 security vulnerability (which requires minimist@0.2.1, which does not fit optimist's semver range of minimist@~0.0.1).

This would be something I would imagine that Handlebars would want to backport to the 4.x branch.

An alternative that I have proposed is to relax the dependencies in optimist, but since it's deprecated, I think there's a high chance it will not receive any fixes anymore:

https://github.com/substack/node-optimist/pull/150

---

Edit: Workaround below, using Yarn: #1658 (comment)

[nknapp]

OK, I think we can give it a shot. The yargs API really seems to be like the optimist API. Does anybody want to create a PR for 4.x?

I would really feel better if there were some more tests verifying that the CLI still works the same after the migration.

There is currently only one here. It would be cool to have some test using different parameters.

Create some tests, check that they work with optimist, then migrate to yargs and see if they still work.

Could anybody do that?

[karlhorky]

If you use Yarn, here's a workaround for now until this is fixed (maybe with #1662):

Add the following resolution to your package.json and run yarn.

  "resolutions": {
    "**/optimist/minimist": "0.2.1"
  }

This will force all versions of optimist to use minimist@0.2.1, regardless of which package is depending on optimist.

[fabb]

The latest optimist version (0.6.1, released 6 years ago) depends on a vulnerable version range of minimist which causes npm audit errors in projects that depend on handlebars directly or indirectly. A removal of optimist would be very appreciated, thank you!

[nknapp]

See #1661

[ErisDS]

Released in 4.7.4