The package mkdirp 0.5.1 contains a dependency on minimist 0.0.8, which has CVE-2020-7598, scored 9.8
Remove the package mkdirp or find a maintained alternative.
node -v
v12.16.1
npm -v
6.13.4
list mkdirp
[email protected] /usr/lib/node_modules/npm
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
+-- [email protected]
| +-- [email protected]
| | `-- [email protected] deduped
| `-- [email protected] deduped
+-- [email protected]
| `-- [email protected] deduped
+-- [email protected]
| `-- [email protected] deduped
`-- [email protected]
`-- [email protected] deduped
mkdirp seems to have been forked and released in v1.0.3 without the minimist deps: https://github.com/isaacs/node-mkdirp
We should also upgrade all packages having the obsolete mkdirp package:
[email protected] -> [email protected]+
[email protected] -> [email protected]
[email protected] -> no release available: https://github.com/npm/gentle-fs/issues/16
[email protected] -> no release available: https://github.com/npm/libcipm/issues/19
[email protected] -> no release available, not maintained for 3 years now
[email protected] -> no release available: https://github.com/nodejs/node-gyp/issues/2074
[email protected] -> [email protected]+
[email protected] -> [email protected]+
@mikemimik can you have a look at this CVE issue ?
FYI, as Isaac released a 0.5.3 of mkdirp, a simple npm update (actually two) fixes the CVE in node 12.x:
cd /usr/lib/node_modules/npm/node_modules/rc && npm update
cd /usr/lib/node_modules/npm && npm update
npm direct mkdirp dependency fixed by https://github.com/npm/cli/commit/e111676467f090f73802b97e8da7ece481b18f99
Related discussion: https://twitter.com/RoLLodeQc/status/1240426790742614022
Although mkdirp has a new 0.5.3 version, it's marked as deprecated and npm audit fix won't upgrade it automatically.
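Because npm audit fix leaves a deprecated package alone, the only reliable way to know whether a given install still carries an affected minimist is to look at the installed tree itself. The script below is an added example written for this page, not code from the npm/cli thread or from npm: it walks a node_modules tree, finds every installed copy of minimist, and flags the ones in the CVE-2020-7598 range. The version boundaries (patched in 0.2.1 for the 0.x line and 1.2.3 for the 1.x line) are taken from the advisory for that CVE and are the one assumption to check against your own advisory source; the sample tree it builds is a constructed fixture, not npm's real dependency layout.

```shell
#!/bin/sh
# Added example (not from the npm/cli thread): find every installed copy of
# minimist under a directory and flag versions in the CVE-2020-7598 range.
# Assumption: the advisory's patched versions are 0.2.1 (0.x line) and 1.2.3
# (1.x line, which also covers 1.0.x and 1.1.x); adjust the two comparisons
# below if your advisory source says otherwise.

# minimist_affected VERSION -> exit 0 (true) when VERSION is in the affected range
minimist_affected() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0
        if (major == 0)      { affected = (minor < 2 || (minor == 2 && patch < 1)) }
        else if (major == 1) { affected = (minor < 2 || (minor == 2 && patch < 3)) }
        else                 { affected = 0 }
        exit (affected ? 0 : 1)
    }'
}

# scan_minimist DIR -> one line per installed copy: <dir> <version> <AFFECTED|ok>
# Nested copies (e.g. rc/node_modules/minimist) are found too, since they are
# exactly the ones a top-level "npm update" can miss.
scan_minimist() {
    find "$1" -type f -path '*/node_modules/minimist/package.json' | sort | while read -r pkg; do
        ver=$(sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
        if minimist_affected "$ver"; then status=AFFECTED; else status=ok; fi
        printf '%s %s %s\n' "$(dirname "$pkg")" "$ver" "$status"
    done
}

# count_affected DIR -> prints the number of copies still in the affected range
count_affected() {
    scan_minimist "$1" | awk '$NF == "AFFECTED" { n++ } END { print n + 0 }'
}

# make_sample_tree DIR: constructed fixture (not a real npm install) with a
# top-level minimist 0.0.8, a nested 1.2.0 under rc, and a patched 1.2.5.
make_sample_tree() {
    root="$1"
    for spec in "node_modules/minimist:0.0.8" \
                "node_modules/rc/node_modules/minimist:1.2.0" \
                "node_modules/other/node_modules/minimist:1.2.5"; do
        dir="$root/${spec%%:*}"
        mkdir -p "$dir"
        printf '{\n  "name": "minimist",\n  "version": "%s"\n}\n' "${spec##*:}" > "$dir/package.json"
    done
}

# Demo on the fixture; point scan_minimist at a real path such as
# /usr/lib/node_modules/npm to check an actual install.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
scan_minimist "$tmp"
echo "affected copies: $(count_affected "$tmp")"
rm -rf "$tmp"
```

Run it against the global npm directory before and after the two npm update commands above to confirm that no nested copy was left behind; a non-zero count after the update means a dependency still pins an old minimist and needs its own upgrade.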
Ahh, I didn't realize that the deprecation there will prevent audit fix from working. I'll remove it from 0.5.3 for a while to give folks a chance to upgrade more easily.
EDIT: done
thanks for bringing it up @millette and the quick mkdirp fix @isaacs
@isaacs At least, that's what I noticed from experience. I didn't dig through the code.
Thanks - and sorry about the tone of my original tweet - I really wasn't expecting a response at all.
No worries. Understandable, and after doing this as long as I have, that amount of negativity doesn't even really register :)
6.14.4 updates a remaining transitive version of minimist affected by that CVE; all occurrences of mkdirp were updated in the release before.
thanks for reporting that @mleneveut 🎉