
Update mkdirp to 0.5.3 which removes the vulnerable dep on minimist #492

Merged
merged 2 commits into from
May 29, 2020

Conversation

mjziolko
Contributor

https://npmjs.com/advisories/1179

mkdirp has a dependency on minimist which has a prototype pollution vulnerability. Manually updating to 0.5.3 fixes this issue.

@mjziolko mjziolko force-pushed the mkdirp-vuln-fix branch 3 times, most recently from aecff14 to c4b09c3 Compare March 18, 2020 06:42
@efr-chriswilliams

commenting to watch progress

@jrichardsz

I tried to get the error details with no luck. How can I help you?

@Naktibalda

This change is unnecessary; ^0.5.1 allows any version lower than 0.6.

In fact, I checked out node-pre-gyp repo, ran npm install and got a clean npm audit report:

node-pre-gyp$ npm audit --registry https://registry.npmjs.org/

                       === npm audit security report ===

found 0 vulnerabilities
 in 338 scanned packages

node-pre-gyp$ npm ls minimist
[email protected] /c/Users/Eckoh/sites/node-pre-gyp
├─┬ [email protected]
│ └── [email protected]
├─┬ [email protected]
│ └── [email protected]  deduped
└─┬ [email protected]
  └── [email protected]  deduped

npm ls mkdirp
[email protected] /c/Users/Eckoh/sites/node-pre-gyp
├── [email protected]
├─┬ [email protected]
│ └── [email protected]  deduped
└─┬ [email protected]
  └── [email protected]  deduped
@karlhorky

karlhorky commented Apr 6, 2020

This change is unnecessary; ^0.5.1 allows any version lower than 0.6.

@Naktibalda This change removes the possibility for 0.5.1 or 0.5.2 to be selected as a transitive dependency, forcing npm and Yarn to resolve to at least 0.5.3.

These previous versions may be saved in lockfiles. Consider that many users do not know that they can upgrade transitive dependencies in lockfiles. So for those users who have one of the older versions saved in a lockfile, this change will bump this version for them. If one of their top-level dependencies depends on this change, then they just need to upgrade the top-level dependency.

So I would vote for making this change.
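The two points raised above, Naktibalda's that a caret range such as ^0.5.1 accepts any 0.5.x release and karlhorky's that a lockfile can keep pinning an older copy a fresh install would no longer pick, as an added example that is not part of the pull request or of node-pre-gyp. The lockfile is constructed sample data in package-lock.json v1 shape; the node-pre-gyp version in it is a placeholder.

```javascript
// Added example, not code from the PR or from node-pre-gyp.

// Compare "a.b.c" version strings; negative if a < b, zero if equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Minimal caret semantics for "^x.y.z": the leftmost non-zero component is
// frozen, everything to its right may float, so ^0.5.1 means >=0.5.1 <0.6.0.
function caretSatisfies(range, version) {
  const base = range.replace(/^\^/, '');
  const [maj, min] = base.split('.').map(Number);
  const upper = maj > 0 ? `${maj + 1}.0.0` : `0.${min + 1}.0`;
  return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
}

// Walk a package-lock.json v1 "dependencies" tree and return every copy of
// `name` older than `minVersion`, with the chain that pulls it in.
function findOutdated(lock, name, minVersion) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const chain = [...path, `${dep}@${info.version}`];
      if (dep === name && compareVersions(info.version, minVersion) < 0) {
        hits.push({ version: info.version, chain: chain.join(' > ') });
      }
      walk(info.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile: the top-level minimist is already at the 0.2.1 the
// advisory asks for, but the copy pinned under [email protected] is still 0.0.8.
const sampleLock = {
  dependencies: {
    minimist: { version: '0.2.1' },
    'node-pre-gyp': {
      version: '0.0.0', // placeholder, not a real release
      dependencies: {
        mkdirp: { version: '0.5.1', dependencies: { minimist: { version: '0.0.8' } } },
      },
    },
  },
};
```

A clean `npm audit` on a fresh checkout says nothing about a lockfile like this one; running `findOutdated(sampleLock, 'minimist', '0.2.1')` reports the pinned 0.0.8 and the mkdirp that carries it.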

@jrichardsz

Error continues. GitHub says:

Upgrade minimist to version 0.2.1 or later.

And bcrypt continues using: 0.0.8

├─┬ [email protected]
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └── [email protected]
│   └─┬ [email protected]
│     └── [email protected]

@nicolasnoble nicolasnoble merged commit d5dfc55 into mapbox:master May 29, 2020
hyj1991 pushed a commit to X-Profiler/node-pre-gyp that referenced this pull request Jun 16, 2023
Update mkdirp to 0.5.3 which removes the vulnerable dep on minimist