-
-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ship a fix for mkdirp@0.5.1 due minimist #7
Comments
@isaacs if there's any way to help with that such as pushing out a PR or something that helps you keep up to date let me know please, happy to lend a hand ❤️ |
Edit: Use For anyone looking for a fix for the interim, using Yarn Resolutions you can specify this version number, even though it doesn't match the semver range of Add this to your "resolutions": {
"**/mkdirp/minimist": "0.2.1"
} |
This is still an issue, there needs to be a 0.5.2 version as other project seem to depend on the 0.5 version of this package. Parcel v1 to be exact. version 1 of this package is a break in the API and would require a rewrite of a lot of code (beyond me) and this seems like a better solution. |
@isaacs this is a problem for Multer as well, since the 1.x release line is still supported and we cannot drop support for Node.js <10 without making that a breaking change, thus we cannot upgrade to If it would be possible to release a new 0.5.x package that just bumps |
Same applies to https://github.com/less/less.js/ which still locks |
Isaac is going to publish a fix soon 🙏 |
I think Isaac is still working on it since there's no 0.5.x releases at all on npmjs |
0.5.3 is released to Npm, but it's deprecated (as it probably should be 👍) https://www.npmjs.com/package/mkdirp/v/0.5.3 It include an upgraded dependency on I think that this issue can now be closed |
Ahh yes indeed! 0.5.3 is the latest version and the one that should be used. |
Thanks 🎉 🎉 🎉 🎉 🎉 ! I think this can be closed! |
Fixing https://www.npmjs.com/advisories/1179 by relaxing mkdirp versions range to allow 0.5.2 or 0.5.3 which contains a fix as per isaacs/node-mkdirp#7 (comment)
Fixing https://www.npmjs.com/advisories/1179 by relaxing mkdirp versions range to allow 0.5.2 or 0.5.3 which contains a fix as per isaacs/node-mkdirp#7 (comment)
Fixing https://www.npmjs.com/advisories/1179 by relaxing mkdirp versions range to allow 0.5.2 or 0.5.3 which contains a fix as per isaacs/node-mkdirp#7 (comment)
How should I go about adding this? In resolutions? |
@kbarnesweb If you use Yarn, a resolution like this will do it: "resolutions": {
"mkdirp": "^0.5.3"
} Once you have run |
`mkdirp` has been updated to version `0.5.3` isaacs/node-mkdirp#7 (comment) This addresses this prototype pollution vulnerability in `minimist`: https://app.snyk.io/vuln/SNYK-JS-MINIMIST-559764
@karlhorky and if we don't use Yarn? |
@jmz527 : You can use People should note that unless a project has updated to mkdirp 1.0, the 0.5.3 update is supposed to give a deprecated warning when getting the new patched version (the version is deprecated, but at least it fixes the vulnerability). |
Edit: There are critical shortcomings in
npm will also at some point probably receive full Resolutions support: npm/rfcs#56 |
For me running |
Nice, cool that To compare, @dependabot can't do that trick yet: https://twitter.com/karlhorky/status/1239183753911701504 |
@brettz9 thanks for the suggestions! @karlhorky I did try out |
hi,
I've been using
mkdirp
for a while in the0.x
version. https://www.npmjs.com/package/mkdirp your library has a massive amount of downloads and still many dependencies use it.Recently was announced a security vulnerability at minimist,
https://app.snyk.io/vuln/SNYK-JS-MINIMIST-559764
a dependency which
mkdirp@0.5.1
still use and it is pinnedhttps://github.com/isaacs/node-mkdirp/blob/d4eff0f06093aed4f387e88e9fc301cb76beedc7/package.json
I'm asking to ship a fix for
mkdirp@0.5.x
updating minimist. At Verdaccio also we use it, I had some breaking changes but was an easy fix, but we have several transitive dependencies that might not update anytime soon due to the breaking changes.The text was updated successfully, but these errors were encountered: