Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade dependencies using obsolete mkdirp (0.0.8 or 0.5.1) to fix CVE scored 9.8 in minimalist package #1027

Closed
mleneveut opened this issue Mar 16, 2020 · 11 comments
Labels
Release 6.x work is associated with a specific npm 6 release semver:patch semver patch level for changes

Comments

@mleneveut
Copy link

What / Why

The package mkdir 0.5.1 contains a dependency to minimist 0.0.8, which has the CVE-2020-7598, scored 9.8

When

  • n/a

Where

  • n/a

How

Current Behavior

  • n/a

Expected Behavior

Remove the package mkdirp or find a maintained alternative.

Who

  • n/a

References

node -v
v12.16.1

npm -v
6.13.4

list mkdirp
[email protected] /usr/lib/node_modules/npm
+-- [email protected]
| `-- [email protected]  deduped
+-- [email protected]
| `-- [email protected]  deduped
+-- [email protected]
| `-- [email protected]  deduped
+-- [email protected]
| `-- [email protected]  deduped
+-- [email protected]
+-- [email protected]
| +-- [email protected]
| | `-- [email protected]  deduped
| `-- [email protected]  deduped
+-- [email protected]
| `-- [email protected]  deduped
+-- [email protected]
| `-- [email protected]  deduped
`-- [email protected]
  `-- [email protected]  deduped
@mleneveut
Copy link
Author

seems to have been forked and released in v1.0.3 without the minimalist deps : https://github.com/isaacs/node-mkdirp

@mleneveut mleneveut changed the title Remove package mkdirp (obsolete since 2015) which uses minimalist 0.0.8 having CVE scored 9.8 Upgrade dependency mkdirp to 1.0.3 to fix CVE scored 9.8 in minimalist package Mar 16, 2020
@mleneveut mleneveut changed the title Upgrade dependency mkdirp to 1.0.3 to fix CVE scored 9.8 in minimalist package Upgrade dependencies using obsolete mkdirp (0.0.8 or 0.5.1) to fix CVE scored 9.8 in minimalist package Mar 17, 2020
@mleneveut
Copy link
Author

We should also upgrade all packages having the obsolete mkdrip package :

[email protected] -> [email protected]+
[email protected] -> [email protected]
[email protected] -> no release available : npm/gentle-fs#16
[email protected] -> no release available : npm/libcipm#19
[email protected] -> no release available, not maintained for 3 years now
[email protected] -> no release available : nodejs/node-gyp#2074
[email protected] -> [email protected]+
[email protected] -> [email protected]+

@mleneveut
Copy link
Author

@mikemimik can you have a look at this CVE issue ?

@mleneveut
Copy link
Author

FYI, as Isaac released a 0.5.3 of mkdirp, a simple npm update (actually two) fixes the CVE in a node 12.x :

cd /usr/lib/node_modules/npm/node_modules/rc && npm update
cd /usr/lib/node_modules/npm && npm update

@mleneveut
Copy link
Author

npm direct mkdirp dependency fixed by e111676

@millette
Copy link

millette commented Mar 20, 2020

Related discussion: https://twitter.com/RoLLodeQc/status/1240426790742614022

Although mkdirp has a new 0.5.3 version, it's marked as deprecated and npm audit fix won't upgrade it automatically.

@isaacs
Copy link
Contributor

isaacs commented Mar 20, 2020

Ahh, I didn't realize that the deprecation there will prevent audit fix from working. I'll remove it from 0.5.3 for a while to give folks a chance to upgrade more easily.

EDIT: done

@ruyadorno
Copy link
Contributor

thanks for bringing it up @millette and the quick mkdirp fix @isaacs 🥇

@ruyadorno ruyadorno added Release 6.x work is associated with a specific npm 6 release semver:patch semver patch level for changes labels Mar 20, 2020
@millette
Copy link

@isaacs As least, that's what I noticed from experience. I didn't dig through the code.

Thanks - and sorry about the tone of my original tweet - I really wasn't expecting a response at all.

@isaacs
Copy link
Contributor

isaacs commented Mar 22, 2020

Thanks - and sorry about the tone of my original tweet - I really wasn't expecting a response at all.

No worries. Understandable, and after doing this as long as I have, that amount of negativity doesn't even really register :)

@ruyadorno
Copy link
Contributor

6.14.4 updates a remaining transitive version of minimist affected by that CVE, all occurences of mkdirp were updated in the release before.

thanks for reporting that @mleneveut 🎉

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Release 6.x work is associated with a specific npm 6 release semver:patch semver patch level for changes
Projects
None yet
Development

No branches or pull requests

4 participants