-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrade dependencies using obsolete mkdirp (0.0.8 or 0.5.1) to fix CVE scored 9.8 in minimalist package #1027
Comments
seems to have been forked and released in v1.0.3 without the minimalist deps : https://github.com/isaacs/node-mkdirp |
We should also upgrade all packages having the obsolete mkdrip package : [email protected] -> [email protected]+ |
@mikemimik can you have a look at this CVE issue ? |
FYI, as Isaac released a 0.5.3 of mkdirp, a simple npm update (actually two) fixes the CVE in a node 12.x :
|
npm direct mkdirp dependency fixed by e111676 |
Related discussion: https://twitter.com/RoLLodeQc/status/1240426790742614022 Although |
Ahh, I didn't realize that the deprecation there will prevent audit fix from working. I'll remove it from 0.5.3 for a while to give folks a chance to upgrade more easily. EDIT: done |
@isaacs As least, that's what I noticed from experience. I didn't dig through the code. Thanks - and sorry about the tone of my original tweet - I really wasn't expecting a response at all. |
No worries. Understandable, and after doing this as long as I have, that amount of negativity doesn't even really register :) |
thanks for reporting that @mleneveut 🎉 |
What / Why
The package mkdir 0.5.1 contains a dependency to minimist 0.0.8, which has the CVE-2020-7598, scored 9.8
When
Where
How
Current Behavior
Expected Behavior
Remove the package mkdirp or find a maintained alternative.
Who
References
The text was updated successfully, but these errors were encountered: