v8.0.0 - mkdirp should be on 0.5.3 at least #141

jessewlee · 2020-03-25T18:53:13Z

mkdirp should be on 0.5.3 to prevent security exploit introduced from minimist

ref: https://snyk.io/test/npm/mkdirp/0.5.0

sergcen · 2020-11-04T16:11:16Z

peter-mouland · 2021-03-11T12:59:56Z

mind if we close this issue?

LeoniePhiline · 2021-03-16T21:22:52Z

postcss-url 10 requires postcss 8, Not the entire ecosystem is ready yet for a migration from postcss 7 to postcss 8! There are some environments which I simply cannot update yet.

➡️ Would you please consider applying the fix of updating mkdirp also on postcss-url 9?

Thank you so much!

Reference:

# npm audit report

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss-url/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/postcss-url/node_modules/mkdirp
    postcss-url  9.0.0 - 10.0.0
    Depends on vulnerable versions of mkdirp
    node_modules/postcss-url

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

vladimiry mentioned this issue Nov 4, 2020

Replace mkdirp with make-dir #152

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v8.0.0 - mkdirp should be on 0.5.3 at least #141

v8.0.0 - mkdirp should be on 0.5.3 at least #141

jessewlee commented Mar 25, 2020

sergcen commented Nov 4, 2020

peter-mouland commented Mar 11, 2021

LeoniePhiline commented Mar 16, 2021 •

edited

Loading

v8.0.0 - mkdirp should be on 0.5.3 at least #141

v8.0.0 - mkdirp should be on 0.5.3 at least #141

Comments

jessewlee commented Mar 25, 2020

sergcen commented Nov 4, 2020

peter-mouland commented Mar 11, 2021

LeoniePhiline commented Mar 16, 2021 • edited Loading

LeoniePhiline commented Mar 16, 2021 •

edited

Loading