Upgrade mkdirp deps to 1.0.3 to fix Critical CVE #2074
The package mkdirp 0.5.1 contains a dependency on minimist 0.0.8, which has CVE-2020-7598, scored 9.8
https://nvd.nist.gov/vuln/detail/CVE-2020-7598
npm/cli#1027
Comments
Ugh, this is not "critical". So typical of these reports to be overhyped by reporters who have a business interest in the hype (edit: not talking about you @mleneveut, but rather a certain company). node-gyp doesn't use minimist at all even though it might be in the tree, and the vulnerability is super hypothetical since the whole point of minimist is to parse CLI arguments, so the attack vector involves getting something to execute via a shell. And it's a ReDoS, so not "critical" inasmuch as it's useful for anything beyond a DoS if you could even pull that off. We try and keep our dependencies roughly in line with npm's so we don't end up inserting a ton of dupes into npm's package list, so we might be best to wait till npm reacts: https://github.com/npm/cli/blob/d9a7b30f6afc0419ad4939bfb478ca8a589e769f/package.json#L94 although I suspect it might be safe to assume a
If we're willing to drop support for Node.js < 10 we could probably drop mkdirp completely and use recursive mkdir on fs.
@richardlau on master I'm +1 on that approach, we'll still have to deal with v5 though where we should probably be more careful.
As I mentioned at nodejs/node#32296 (comment), it's been fixed in mkdirp 0.5.3 and we use a I'll put in a patch to the 5.x branch to formalise it, but I think we can dismiss this as taken care of.