Upgrade dependencies using obsolete mkdirp (0.0.8 or 0.5.1) to fix CVE scored 9.8 in minimalist package

[mleneveut]

What / Why

The package mkdir 0.5.1 contains a dependency to minimist 0.0.8, which has the CVE-2020-7598, scored 9.8

When

• n/a

Where

• n/a

How

Current Behavior

• n/a

Expected Behavior

Remove the package mkdirp or find a maintained alternative.

Who

• n/a

References

node -v
v12.16.1

npm -v
6.13.4

list mkdirp
npm@6.13.4 /usr/lib/node_modules/npm
+-- cacache@12.0.3
| `-- mkdirp@0.5.1  deduped
+-- cmd-shim@3.0.3
| `-- mkdirp@0.5.1  deduped
+-- gentle-fs@2.3.0
| `-- mkdirp@0.5.1  deduped
+-- libcipm@4.0.7
| `-- mkdirp@0.5.1  deduped
+-- mkdirp@0.5.1
+-- move-concurrently@1.0.1
| +-- copy-concurrently@1.0.5
| | `-- mkdirp@0.5.1  deduped
| `-- mkdirp@0.5.1  deduped
+-- node-gyp@5.0.5
| `-- mkdirp@0.5.1  deduped
+-- pacote@9.5.11
| `-- mkdirp@0.5.1  deduped
`-- tar@4.4.13
  `-- mkdirp@0.5.1  deduped

[mleneveut]

seems to have been forked and released in v1.0.3 without the minimalist deps : https://github.com/isaacs/node-mkdirp

[mleneveut]

We should also upgrade all packages having the obsolete mkdrip package :

cacache@12.0.3 -> cacache@14.0.0+
cmd-shim@3.0.3 -> cmd-shim@4.0.1
gentle-fs@2.3.0 -> no release available : npm/gentle-fs#16
libcipm@4.0.7 -> no release available : npm/libcipm#19
move-concurrently@1.0.1 -> no release available, not maintained for 3 years now
node-gyp@5.0.5 -> no release available : nodejs/node-gyp#2074
pacote@9.5.11 -> pacote@10.0.0+
tar@4.4.13 -> tar@6.0.0+

[mleneveut]

@mikemimik can you have a look at this CVE issue ?

[mleneveut]

FYI, as Isaac released a 0.5.3 of mkdirp, a simple npm update (actually two) fixes the CVE in a node 12.x :

cd /usr/lib/node_modules/npm/node_modules/rc && npm update
cd /usr/lib/node_modules/npm && npm update

[mleneveut]

npm direct mkdirp dependency fixed by e111676

[millette]

Related discussion: https://twitter.com/RoLLodeQc/status/1240426790742614022

Although mkdirp has a new 0.5.3 version, it's marked as deprecated and npm audit fix won't upgrade it automatically.

[isaacs]

Ahh, I didn't realize that the deprecation there will prevent audit fix from working. I'll remove it from 0.5.3 for a while to give folks a chance to upgrade more easily.

EDIT: done

[ruyadorno]

thanks for bringing it up @millette and the quick mkdirp fix @isaacs 🥇

[millette]

@isaacs As least, that's what I noticed from experience. I didn't dig through the code.

Thanks - and sorry about the tone of my original tweet - I really wasn't expecting a response at all.

[isaacs]

Thanks - and sorry about the tone of my original tweet - I really wasn't expecting a response at all.

No worries. Understandable, and after doing this as long as I have, that amount of negativity doesn't even really register :)

[ruyadorno]

6.14.4 updates a remaining transitive version of minimist affected by that CVE, all occurences of mkdirp were updated in the release before.

thanks for reporting that @mleneveut 🎉