node-sass > [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
mkdirp less than version 1 has been deprecated. I will try to submit a pull request later today
mkdirp@1 requires node>=10 while babel-loader@8 still supports [email protected]. It will be a breaking change to bump mkdirp to version 1, that said, I am still happy to review and include it in babel-loader@9.
Just a note that [email protected] depends on [email protected], which has concerning security issues: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
[email protected] depends on minimist@^1.2.5: https://unpkg.com/browse/[email protected]/package.json
In that case, can babel-loader be upgraded to [email protected] to resolve this? (should I open a new issue for that?)
@cacieprins no need, https://github.com/babel/babel-loader/pull/834, we'll release soon!
Released v8.1.0! 馃帀
Hello guys, I'm working on one project and have same problem that Sampson Crowley mentioned above. So there is no existing version of _babel-loader_ that supports _mkdirp 1.x_ ... or maybe I misunderstood something?
Thanks in advance for reply, cheers...
@BojanJakic that's correct. the minimist dependency issue is not really related to this issue. 0.5.3 is also deprecated
Even if it gives that warning, mkdirp 0.x is still supported: the last release was today (https://www.npmjs.com/package/mkdirp/v/0.5.4), and the last one was one week ago.
mkdirp still works perfectly for babel-loader without any issue, and there aren't any known security problems. Also, mkdirp's README still recommends using v0.x in same cases.
I'd still be happy to update it in the next major version (we can't do it in a minor), but I don't see the urgency to do it now.
@nicolo-ribaudo just because it can't be done until the next release, doesn't mean this is closed. Having a giant warning about using a deprecated package is extremely annoying, and this needs to stay on the roadmap until it's actually fixed
This has been closed because it has been fixed by #839.
Most helpful comment
mkdirp@1requiresnode>=10whilebabel-loader@8still supports[email protected]. It will be a breaking change to bumpmkdirpto version 1, that said, I am still happy to review and include it inbabel-loader@9.