Drop mkdirp and replace it with fs.mkdirSync

[HyunSangHan]

Description of the Change

• Replace mkdirp with fs.mkdirSync using {recursive: true}
• Drop the dependency mkdirp from Mocha

Alternate Designs

There is also a way to update to the latest mkdirp version, but Node.js version 10.12.0 has already added a native support for mkdirSync to create a directory recursively with {recursive: true} option as the following:

fs.mkdirSync(pathname, { recursive: true });

So, there is no longer necessary to depend on third-party packages. fs module is enough to us.

Why should this be in core?

mkdirp depends on an old version of minimist, and it has a prototype pollution vulnerability.

Benefits

Can create a new directory and any necessary subdirectories at the directory without mkdirp.

Possible Drawbacks

Can't think of any.

Applicable issues

I think it have to be released with semver-major(maybe v8.0.0), because the {recursive: true} option of fs.mkdir is supported by Node.js v10.12.0 or later.

Closes #4199

[coveralls]

Coverage increased (+0.06%) to 92.867% when pulling d09ad1b on HyunSangHan:issue-4199 into 2f26478 on mochajs:master.

[fabiosantoscode]

An alternative implementation would be to update to the latest mkdirp version, which is not vulnerable.

[HyunSangHan]

@fabiosantoscode
Thank you for your comment.
That's also one of the valid methods, but Mocha is ready to drop Node.js version 8.x.x support (ref: #4164). After Mocha v8.0.0 release, I think, Mocha can use fs.mkdirSync so no longer depend on mkdirp.

[fabiosantoscode]

Uh oh :) I still support node 8 in my library.

[bigman73]

Updating mkdirp seems like an easy fix without breaking backward compatibility

[JimmyBjorklund]

Adding this patch or upgrading to the latest mkdirp ( do not use minimst) is relevant to:
GHSA-7fhm-mqm4-2wp7

[juergba]

The latest version of mkdirp supports Node >=10. It seems we have to drop Node v8 anyway.

[bigman73]

nodejs 8 is not supported as of 2020, so indeed why bother.

[juergba]

@HyunSangHan thank you for this PR.

Please update the engines field in package.json and our docs to >=10.12.0.

[SebastianSpeitel]

An alternative implementation would be to update to the latest mkdirp version, which is not vulnerable.

Updating mkdirp seems like an easy fix without breaking backward compatibility

There is no update of mkdirp that fixes this.
The PR isn't even merged yet.

[pezzullig]

Great work on getting this PR done! 👍 Any chance of getting this reviewed and tagged any time soon?

[Hypnosphi]

An alternative implementation would be to update to the latest mkdirp version, which is not vulnerable.

Or even just to 0.5.3, to make the change minimal:

% npm info mkdirp@0.5.3 dependencies 
{ minimist: '^1.2.5' }

[juergba]

I will update today to mkdirp@0.5.3 and publish as Mocha v7.1.1. This version is new and deprecated, but seems to fix this security issue.
yargs-parser is also reported to have security issues, so I will update to yargs@13.3.2 and yargs-parser@13.1.2 .

@HyunSangHan this PR remains valid for Mocha v8.0.0.

Edit: mocha@7.1.1 published

[juergba]

@HyunSangHan could you rebase, resolve conflicts and squash, please? lgtm

[HyunSangHan]

@juergba
I did rebase and squash just now. Please let me know if there is something wrong. :-)

[juergba]

@HyunSangHan thank you