Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Backport removal of mkdirp to 6.x (fixes #13050) #13051

Closed
wants to merge 1 commit into from
Closed

Fix: Backport removal of mkdirp to 6.x (fixes #13050) #13051

wants to merge 1 commit into from

Conversation

evanplaice
Copy link
Contributor

  • the CVE is caused by the mkdirp dependency
  • mkdirp is no longer supported
  • mkdirp has been removed as of 7.0.0-alpha0
  • this back-ports the change to v6.x

Prerequisites checklist

  • I have read the contributing guidelines.
  • The team has reached consensus on the changes proposed in this pull request. If not, I understand that the evaluation process will begin with this pull request and won't be merged until the team has reached consensus.

What is the purpose of this pull request? (put an "X" next to an item)

[ ] Documentation update
[ ] Bug fix (template)
[ ] New rule (template)
[ ] Changes an existing rule (template)
[ ] Add autofixing to a rule
[ ] Add a CLI option
[ ] Add something to the core
[x] Other, please explain:

Other:
This PR removes the mkdirp dependency reflecting a change made in #12753 and included in the 7.0.0-alpha0 tag. This change fixes the security vulnerability CVE-2020-7598. Specifics are outlined in issue #13050.

Patching this into the v6.x line will ensure that users who still depend on v6.x can reliably update ESLint, thereby removing the security vulnerability and related security audit notices.

What changes did you make? (Give an overview)

  • remove the mkdirp dependency from package.json
  • remove the require("mkdirp") statement in /lib/cli.js
  • replace the call to mkdirp.sync with a call to the node built-in fs.mkdirSync() in /lib/cli.js

These changes were extracted from the #12753 diff

Is there anything you'd like reviewers to focus on?

Guess I should start with the obvious question. Does ESLint support back-porting security fixes to previous versions? If so, is this the right way to handle it?

This change has been tested with the pkg.engines specified in the v6.8.0 tag (ie "^8.10.0 || ^10.13.0 || >=11.10.1"). Double-check to make sure this change doesn't break anything.

From what I could gather from the git history, it looks like all changes after v6.8.0 apply to the new 7.x series. I wasn't sure if I should build off a specific commit following v6.8.0 so I branched directly off the tag. If the change needs to be rebased on top of a later commit, let me know.

@eslint-deprecated eslint-deprecated bot added the triage An ESLint team member will look at this issue soon label Mar 16, 2020
@evanplaice
Fix: Backport removal of mkdirp to 6.x (fixes eslint#13050)
555f033 
* the CVE is caused by the mkdirp dependency
* mkdirp is no longer supported
* mkdirp has been removed as of 7.0.0-alpha0
* this back-ports the change to v6.x
@evanplaice evanplaice changed the title WIP on issue13050: Fix: Backport removal of mkdirp to 6.x (#13050) Fix: Backport removal of mkdirp to 6.x (fixes #13050) Mar 16, 2020
@mattdean-digicatapult mattdean-digicatapult mentioned this pull request Mar 16, 2020
Closed
@Rugvip Rugvip mentioned this pull request Mar 16, 2020
Closed
@kaicataldo
Copy link
Member

We don’t have a policy of backporting commits to old versions of ESLint. This situation is one of the downsides of our current major release process, since it takes a while. I think it would be worth evaluating our process for the next major release.

@mattpass
Copy link

We don’t have a policy of backporting commits to old versions of ESLint. This situation is one of the downsides of our current major release process, since it takes a while. I think it would be worth evaluating our process for the next major release.

Hope this PR can be accepted into 6.8.x, the version of mkdirp being used is almost 6 years old. Keeping dependencies up to date is crucial (I love Dependabot for this), but if it's hardly being used (as PR shows), it can be hopefully dropped as a dependency - it's flagging security warnings.

Thanks and keep up the good work on ESLint. 👍

@kaicataldo kaicataldo added core Relates to ESLint's core APIs and features evaluating The team will evaluate this issue to decide whether it meets the criteria for inclusion upgrade This change is related to a dependency upgrade security Relates to security and removed triage An ESLint team member will look at this issue soon labels Mar 17, 2020
@nzakas
Copy link
Member

nzakas commented Mar 17, 2020

Because we're in the middle of a major release, I'd prefer to wait until after v7.0.0 before evaluating if a backport is necessary. As @kaicataldo mentioned, we don't actually have a process for backporting changes to previously released versions, and I'd prefer not to derail v7.0.0 development to try to figure out how to do so.

We can certainly make this change for v7.0.0 and then see if anything further is necessary afterwards.

@mattpass
Copy link

@nzakas bah, that's a pity. We use eslint but it's flagging security warnings for now and as 7 is only an alpha, we're can't to upgrade to it, so a bit stuck for now. OK, I'll inform our team tomorrow and we'll evaluate what to do next if this PR isn't going to be merged soon.

@kaicataldo
Copy link
Member

Please note that mkdirp@0.5.3 has now been released (see here). Since ESLint's package.json has the range ^0.5.1, folks just need to update their lockfiles.

@mattpass
Copy link

Please note that mkdirp@0.5.3 has now been released (see here). Since ESLint's package.json has the range ^0.5.1, folks just need to update their lockfiles.

@kaicataldo Ah I wasn't aware of that and wasn't there when I looked earlier today. Great tip and that'll likely solve things for us folks on 6.x branch, many thanks 👍

@evanplaice
Copy link
Contributor Author

@kaicataldo Thanks for the update.

I'm good with closing this PR now that there's another possible upgrade path.

@kaicataldo
Copy link
Member

@evanplaice We appreciate you being willing to contribute.

@kaicataldo kaicataldo closed this Mar 17, 2020
@evanplaice evanplaice deleted the issue13050 branch March 17, 2020 21:01
This was referenced Mar 19, 2020
Merged
Closed
@KEINOS KEINOS mentioned this pull request Mar 19, 2020
Merged
@yudai-nkt yudai-nkt mentioned this pull request Mar 27, 2020
Closed
@eslint-deprecated eslint-deprecated bot locked and limited conversation to collaborators Sep 15, 2020
@eslint-deprecated eslint-deprecated bot added the archived due to age This issue has been archived; please open a new issue for any further discussion label Sep 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@aladdin-add aladdin-add aladdin-add approved these changes

Assignees
No one assigned
Labels
archived due to age This issue has been archived; please open a new issue for any further discussion core Relates to ESLint's core APIs and features evaluating The team will evaluate this issue to decide whether it meets the criteria for inclusion security Relates to security upgrade This change is related to a dependency upgrade
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@evanplaice @kaicataldo @mattpass @nzakas @aladdin-add