Update tap dependency to fix secuirty issue with minimist 1.2.0 #11
Comments
|
Please update, this package Check the paths, all the vulnerabilities I have are via |
|
This is really propagating everywhere, damn, this package is really omnipresent :) |
|
20 pieces here... |
|
This issue is fixed on NPM for this module in v1.0.3. For the audit alert is created by downstream dependencies in In most cases rebuilding package-lock helps resolving this issue in your projects. Please note the remarks on #7 - you should be aware that version 1.0.3 no longer depends on For |
|
@phish108 how do we rebuild the package-lock.json file? Is that all we need to do? |
|
@dosstx you delete the file and then run |
|
@jfoclpf it solves the issue for many dependencies with semver ranges. Sometimes it should hang due to the major release, but it solved it for me. |
|
Created a Pull request in node-tap to fixes the all security issue. Once the pull request get merge and new version get publish we can upgrade node-tap version here to fix the issues. |
Hi @phish108 That usually when declare your dependency using |
|
@ashishkujoy caret ranges do not work exactly as you describe them, but halt at major versions. See: https://docs.npmjs.com/misc/semver Either way, this issue seems to me mostly as a downstream problem, won’t you agree? |
Didn't solve anything for me. Take for example the case of
We need to wait for all that chain to be gradually updated. Furthermore when you install a package via |
|
@jfoclpf you are correct, since the issue is solved here (in a major release), the downstream caret ranges need to get updated, “manually”. This can be annoying, if different dependencies ask for lower versions than the current release. Aside from that, caret ranges are the default when running In your case there are two major release issues in your chain: First is This would not be so much of an issue, because Besides See also: jaredwray/flat-cache#28 |
|
Thanks for opening this issue - This is the last one on my list to finally address all security issues of the week Referencing Cypress so others can easily subscribe for updates: cypress-io/cypress#6793 |
|
Hey @isaacs - Whenever you can, could you please take a look at the PR above, merge and publish a new version of mkdirp? I'm sure you must be busy with daily activities, so we'd appreciate if we could help merge this PR to address this vulnerability as it's causing issues in other packages upstream. Thank you |
|
@heitorlessa there is already a new release, but it is a major release, which requires downstream activity. (please read the discussion above) |
|
thanks for the heads up @phish108 - I blindly assumed 240+ packages affected (transitive deps) were allowing patch updates but major versions. Well, turns out a few packages I checked are using exact version and not ranges :/ this is gonna last for much longer than I thought. |
|
not solving a thing for me |
|
Having similar issue here.
|
|
This one dependency causes almost every package known in the Angular-universe to be flagged as a security vulnerability. For this mkdirp-dependency is the cause of 55 out of 56 indirect, insecure minimist-versions in my repo. Please consider upgrading. It should be a really quick and simple job. |
@josteink it's not a quick job it will take time. More information please have look at this closed PR |
Then the nice and pragmatic thing would be to make a 0.5.5 release (or something like that) based on the older code-base with Node8 support and no breaking changes apart from upgrading minimist. That's a really small job to do, and something which the author of the package could use to garner good-will, rather than frustration. Right now there's no known |
|
Closing this issue as tap has been updated and currently there is no security vulnerabilities. |
|
Why close? mkdirp is a dependency to lots of packages besides tap. Tap updating won’t solve it for anyone else. |
|
@josteink
|
|
Hi! Still have issues with mkdirp -> minimist :(
|
The current version 1.2.0 of minimist which is a transitive dependency of tap has secuirty issue. There is open issue in tap for that. we should upgrade the tap dependency once that get fix.
The text was updated successfully, but these errors were encountered: