Babel-loader: Mkdirp < 1 deprecated

Created on 18 Mar 2020 · 11 Comments · Source: babel/babel-loader

node-sass > [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

mkdirp less than version 1 has been deprecated. I will try to submit a pull request later today

All 11 comments

mkdirp@1 requires node>=10 while babel-loader@8 still supports [email protected]. It will be a breaking change to bump mkdirp to version 1. That said, I am still happy to review and include it in babel-loader@9.

Just a note that [email protected] depends on [email protected], which has concerning security issues: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

In that case, can babel-loader be upgraded to [email protected] to resolve this? (should I open a new issue for that?)

@cacieprins no need, https://github.com/babel/babel-loader/pull/834, we'll release soon!

Released v8.1.0! 🎉

Hello guys, I'm working on one project and have the same problem that Sampson Crowley mentioned above. So there is no existing version of _babel-loader_ that supports _mkdirp 1.x_ ... or maybe I misunderstood something?
Thanks in advance for the reply, cheers...

@BojanJakic that's correct. The minimist dependency issue is not really related to this issue. 0.5.3 is also deprecated.

Even if it gives that warning, mkdirp 0.x is still supported: the last release was today (https://www.npmjs.com/package/mkdirp/v/0.5.4), and the last one was one week ago.

mkdirp still works perfectly for babel-loader without any issue, and there aren't any known security problems. Also, mkdirp's README still recommends using v0.x in some cases.

I'd still be happy to update it in the next major version (we can't do it in a minor), but I don't see the urgency to do it now.

@nicolo-ribaudo just because it can't be done until the next release, doesn't mean this is closed. Having a giant warning about using a deprecated package is extremely annoying, and this needs to stay on the roadmap until it's actually fixed

This has been closed because it has been fixed by #839.
