Remove minimist dependency via mkdirp (vulnerability CVE-2020-7598) #13050
Comments
davidgilbertson
added
core
|
@davidgilbertson Do you mind if I submit a PR with a fix for this issue? |
|
Go for it! |
* the CVE is caused by the mkdirp dependency * mkdirp is no longer supported * mkdirp has been removed as of 7.0.0-alpha0 * this back-ports the change to v6.x
* the CVE is caused by the mkdirp dependency * mkdirp is no longer supported * mkdirp has been removed as of 7.0.0-alpha0 * this back-ports the change to v6.x
|
The PR is in, all tests are passing. That's as far as I can go for now. |
|
Thank you, I've been seeing this for days |
|
Release to npm welcome or tell which git branch should be used ? |
|
Update: Patching ESLint is no longer unnecessary. Re-creating |
Still failing and not updated: |
|
Wiping package-lock/minimist from |
|
I decided to ignore this security warning. I missed that in |
kaicataldo
added
evaluating
|
Given the workaround listed here, we have made the decision not to backport this change to the 6.x line. |
This fixes the problems with ESLint, as described here: eslint/eslint#13050 (comment) The problematic dependency `mkdirp` published a new version that bumps `minimist` to a safe version.
As per: eslint/eslint#13050 This gives us a clean `yarn audit`, getting rid of: ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ eslint │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ eslint > file-entry-cache > flat-cache > write > mkdirp > │ │ │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://www.npmjs.com/advisories/1179 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.2.1 <1.0.0 || >=1.2.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ eslint │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ eslint > mkdirp > minimist │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://www.npmjs.com/advisories/1179 │ └───────────────┴──────────────────────────────────────────────────────────────┘ 2 vulnerabilities found - Packages audited: 596
|
For those with really old That will update all the subdependencies in |
|
@oliikit The latest SemVer major release (ie v6.x) of ESLint removes the need for this change altogether. Id recommend upgrading if possible |
eslint-deprecated
bot
added
the
archived due to age
The version of ESLint you are using.
6.8.0The problem you want to solve.
Remove the warning about the
minimistvulnerability detailed here GHSA-7fhm-mqm4-2wp7This is required via a dependency on the
mkdirppackage.Your take on the correct solution to problem.
@mysticatea has already done this in a PR targeting version 7. I suggest making this change in a patch to 6.8.
Are you willing to submit a pull request to implement this change?
Yep.
The text was updated successfully, but these errors were encountered: