Drop mkdirp and replace it with fs.mkdirSync #4200
An alternative implementation would be to update to the latest |
@fabiosantoscode |
Uh oh :) I still support node 8 in my library. |
Updating mkdirp seems like an easy fix without breaking backward compatibility |
Adding this patch or upgrading to the latest mkdirp (do not use minimist) is relevant to: |
The latest version of mkdirp supports Node >=10. It seems we have to drop Node v8 anyway. |
nodejs 8 is not supported as of 2020, so indeed why bother. |
@HyunSangHan thank you for this PR.
Please update the engines field in package.json and our docs to >=10.12.0.
There is no update of mkdirp that fixes this. |
Great work on getting this PR done! 👍 Any chance of getting this reviewed and tagged any time soon? |
Or even just to
|
I will update today to [email protected] and publish as Mocha v7.1.1. This version is new and deprecated, but seems to fix this security issue. @HyunSangHan this PR remains valid for Mocha v8.0.0. Edit: [email protected] published |
@HyunSangHan could you rebase, resolve conflicts and squash, please? lgtm
- Replace mkdirp with fs.mkdirSync using {recursive: true}
- Drop the dependency mkdirp from Mocha
- Fix version number of docs and package.json
@juergba |
@HyunSangHan thank you
Description of the Change
- Replace mkdirp with fs.mkdirSync using {recursive: true}
- Drop the dependency mkdirp from Mocha

Alternate Designs
There is also a way to update to the latest mkdirp version, but Node.js version 10.12.0 has already added native support for mkdirSync to create a directory recursively with the {recursive: true} option as the following:
So, it is no longer necessary to depend on third-party packages. The fs module is enough for us.

Why should this be in core?
mkdirp depends on an old version of minimist, and it has a prototype pollution vulnerability.

Benefits
Can create a new directory and any necessary subdirectories at the directory without mkdirp.

Possible Drawbacks
Can't think of any.

Applicable issues
I think it has to be released with semver-major (maybe v8.0.0), because the {recursive: true} option of fs.mkdir is supported by Node.js v10.12.0 or later.
Closes #4199