please update mkdirp due to prototype pollution in dependent package (CVE-2020-7598)

[sseide]

Bug report

webpack currently depends on the old 0.5.1 version of "mkdirp" which depends on old vulnerable minimist package. The 0.5.x line of mkdirp from the original author is not developed any further and maintenance of this package was taken over by isaacs with the new 1.x versions.

see: https://github.com/substack/node-mkdirp/issues/166
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

Please update "mkdirp" dependency to the latest 1.x version to fix this vulnerability.
.
What is the current behavior?

old "mkdirp" 0.5.1 fetches dependend package "minimist" 0.0.8 which triggers warning in security checkers blocking new builds.

If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?

Update dependency "mkdirp" to latest version 1.0.3 which has dropped dependency of "minimist" and does not trigger any security warnings anymore.

Other relevant information:
webpack version: 4.42.0
Node.js version: 10.16
Operating System: linux
Additional tools:

[alexander-akait]

Sorry, we can't do it, because it is breaking change

[OZZlE]

@evilebottnawi will it be fixed in V5? don't see it in the changelog

[alexander-akait]

We don't use mkdirp in webpack@5, maybe we should open a issue in mkdirp repo for backport fix, a lot of projects uses mkdirp@0.5.x

[alexander-akait]

Backport: isaacs/node-mkdirp#7

[jomi-se]

The backport fix has been released in 0.5.3 🎉 isaacs/node-mkdirp#7 (comment)

[alexander-akait]

Great, we just update deps

[sseide]

Many thanks! Shall i close this issue?

[alexander-akait]

@sseide Will be great to send a PR with updating dep for webpack@4 https://github.com/webpack/webpack/blob/v4.42.0/package.json#L23

[dev-trilobyte]

no PR needed, just reinstall dependencies with npm and everything picked up automatically... (at least for our projects using webpack)

[almilo]

@dev-trilobyte we upgraded to webpack@4.42.0, removed the package-lock.json file, ran npm i and still get a problematic version of minimist:

└─┬ webpack@4.42.0
  └─┬ watchpack@1.6.0
    └─┬ chokidar@2.1.8
      └─┬ fsevents@1.2.11
        └─┬ node-pre-gyp@0.14.0
          ├─┬ mkdirp@0.5.1
          │ └── minimist@0.0.8 <====
          └─┬ rc@1.2.8
            └── minimist@1.2.0 

did you mean something different than that in #10561 (comment)?
In addition to that, also ran npm audit fix and even installed "mkdirp": "0.5.3", specifically in package.json.
Thanks!

[jomi-se]

@almilo Try doing npm audit fix. If that doesn't manage to fix the issue try to manually remove stuff in the package-lock.json and re-run npm install

Reference #10571 (comment) (although removing the package-lock.json and running npm i would have worked in my case)