Remove minimist dependency via mkdirp (vulnerability CVE-2020-7598) #13050
Comments
@davidgilbertson Do you mind if I submit a PR with a fix for this issue?

Go for it!
* the CVE is caused by the mkdirp dependency
* mkdirp is no longer supported
* mkdirp has been removed as of 7.0.0-alpha0
* this back-ports the change to v6.x
The PR is in, all tests are passing. That's as far as I can go for now.

Thank you, I've been seeing this for days

Release to npm welcome or tell which git branch should be used ?

Update: Patching ESLint is no longer unnecessary. Re-creating
Still failing and not updated:

Wiping package-lock/minimist from

I decided to ignore this security warning. I missed that in

Given the workaround listed here, we have made the decision not to backport this change to the 6.x line.
This fixes the problems with ESLint, as described here: eslint/eslint#13050 (comment) The problematic dependency `mkdirp` published a new version that bumps `minimist` to a safe version.
As per: eslint/eslint#13050

This gives us a clean `yarn audit`, getting rid of:

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > file-entry-cache > flat-cache > write > mkdirp >    │
│               │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > mkdirp > minimist                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1179                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
2 vulnerabilities found - Packages audited: 596
```
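The audit output above reports two dependency paths and the patched ranges for `minimist`. As an added example (not code from ESLint, mkdirp or any of the linked PRs), the script below walks a lockfile-v1 style `dependencies` tree and lists every copy of a package whose version falls outside those ranges, so a project can confirm the fix actually reached the nested copies. The lockfile fragment and its version numbers are constructed for the demo; `cmpVersion`, `isPatched` and `findVulnerable` are names chosen here.

```javascript
// Patched ranges for minimist as reported by yarn audit: >=0.2.1 <1.0.0 || >=1.2.3
const PATCHED = [
  { min: "0.2.1", max: "1.0.0" }, // >=0.2.1 <1.0.0
  { min: "1.2.3", max: null },    // >=1.2.3
];

// Compare two plain x.y.z versions numerically (no prerelease tags handled).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// True when `version` lies inside at least one patched range.
function isPatched(version) {
  return PATCHED.some(r =>
    cmpVersion(version, r.min) >= 0 && (r.max === null || cmpVersion(version, r.max) < 0));
}

// Walk a nested "dependencies" tree and return "a > b > c@version" for every
// copy of `pkg` that is not patched. Nested copies are visited recursively.
function findVulnerable(deps, pkg, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...trail, name];
    if (name === pkg && !isPatched(info.version)) hits.push(`${path.join(" > ")}@${info.version}`);
    hits.push(...findVulnerable(info.dependencies, pkg, path));
  }
  return hits;
}

// Constructed lockfile fragment mirroring the two paths from the audit output.
// The version strings are sample values, not the real ones from the issue.
const SAMPLE_LOCK = {
  dependencies: {
    eslint: { version: "6.8.0", dependencies: {
      mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } },
      "file-entry-cache": { version: "5.0.1", dependencies: {
        "flat-cache": { version: "2.0.1", dependencies: {
          write: { version: "1.0.3", dependencies: {
            mkdirp: { version: "0.5.5", dependencies: { minimist: { version: "1.2.5" } } } } } } } } },
    } },
  },
};

console.log(findVulnerable(SAMPLE_LOCK.dependencies, "minimist"));
```

Only the copy under `eslint > mkdirp` is reported, because the deeper copy under `write > mkdirp` already carries a version inside the patched range.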
For those with really old
That will update all the subdependencies in
@oliikit The latest SemVer major release (i.e. v6.x) of ESLint removes the need for this change altogether. I'd recommend upgrading if possible
**The version of ESLint you are using.**
6.8.0

**The problem you want to solve.**
Remove the warning about the `minimist` vulnerability detailed here: GHSA-7fhm-mqm4-2wp7. This is required via a dependency on the `mkdirp` package.

**Your take on the correct solution to problem.**
@mysticatea has already done this in a PR targeting version 7. I suggest making this change in a patch to 6.8.

**Are you willing to submit a pull request to implement this change?**
Yep.