Skip to content

Update mkdirp to 0.5.3 which removes the vulnerable dep on minimist#492

Merged
nicolasnoble merged 2 commits intomapbox:masterfrom
mjziolko:mkdirp-vuln-fix
May 29, 2020
Merged

Update mkdirp to 0.5.3 which removes the vulnerable dep on minimist#492
nicolasnoble merged 2 commits intomapbox:masterfrom
mjziolko:mkdirp-vuln-fix

Conversation

@mjziolko
Copy link
Copy Markdown
Contributor

@mjziolko mjziolko commented Mar 18, 2020

https://npmjs.com/advisories/1179

mkdirp has a dependency on minimist which has a prototype pollution vulnerability. Manually updating to 0.5.3 fixes this issue.

@mjziolko mjziolko force-pushed the mkdirp-vuln-fix branch 3 times, most recently from aecff14 to c4b09c3 Compare March 18, 2020 06:42
This was referenced Mar 18, 2020
Merged
Merged
@efr-chriswilliams
Copy link
Copy Markdown

efr-chriswilliams commented Mar 18, 2020

commenting to watch progress

@jrichardsz
Copy link
Copy Markdown

jrichardsz commented Mar 23, 2020

I tried to get the error details with no luck. How can I help you?

@ChristophWurst ChristophWurst mentioned this pull request Apr 2, 2020
Merged
@Naktibalda
Copy link
Copy Markdown

Naktibalda commented Apr 3, 2020

This change is unnecessary ^0.5.1 allows any version lower than 0.6.

In fact, I checked out node-pre-gyp repo, ran npm install and got a clean npm audit report:

node-pre-gyp$ npm audit --registry https://registry.npmjs.org/

                       === npm audit security report ===

found 0 vulnerabilities
 in 338 scanned packages

node-pre-gyp$ npm ls minimist
node-pre-gyp@0.14.0 /c/Users/Eckoh/sites/node-pre-gyp
├─┬ mkdirp@0.5.4
│ └── minimist@1.2.5
├─┬ rc@1.2.8
│ └── minimist@1.2.5  deduped
└─┬ tape@4.13.2
  └── minimist@1.2.5  deduped

npm ls mkdirp
node-pre-gyp@0.14.0 /c/Users/Eckoh/sites/node-pre-gyp
├── mkdirp@0.5.4
├─┬ nock@9.6.1
│ └── mkdirp@0.5.4  deduped
└─┬ tar@4.4.13
  └── mkdirp@0.5.4  deduped

@karlhorky
Copy link
Copy Markdown

karlhorky commented Apr 6, 2020
edited
Loading

This change is unnecessary ^0.5.1 allows any version lower than 0.6.

@Naktibalda This change removes the possibility for 0.5.1 or 0.5.2 to be selected as a transitive dependency, forcing npm and Yarn to resolve to at least 0.5.3.

These previous versions may be saved in lockfiles. Consider that many users do not know that they can upgrade transitive dependencies in lockfiles. So for those users who have one of the older versions saved in a lockfile, this change will bump this version for them. If one of their top-level dependencies depends on this change, then they just need to upgrade the top-level dependency.

So I would vote for making this change.

@jrichardsz
Copy link
Copy Markdown

jrichardsz commented Apr 14, 2020

Error continues. Github says:

Upgrade minimist to version 0.2.1 or later.

And bcrypt continues using: 0.0.8
├─┬ bcrypt@4.0.1
│ └─┬ node-pre-gyp@0.14.0
│ ├─┬ mkdirp@0.5.1
│ │ └── minimist@0.0.8
│ └─┬ rc@1.2.8
│ └── minimist@1.2.0

@nicolasnoble nicolasnoble merged commit d5dfc55 into mapbox:master May 29, 2020
This was referenced Jun 6, 2021
Open
Open
hyj1991 pushed a commit to X-Profiler/node-pre-gyp that referenced this pull request Jun 16, 2023
@nicolasnoble
Merge pull request mapbox#492 from mjziolko/mkdirp-vuln-fix
33c41a4 
Update mkdirp to 0.5.3 which removes the vulnerable dep on minimist
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nicolasnoble nicolasnoble nicolasnoble approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@mjziolko @efr-chriswilliams @jrichardsz @Naktibalda @karlhorky @nicolasnoble