
Upgrade mkdirp 0.5.1 -> 0.5.3 to resolve minimist vulnerability #86

Closed
prios-ben-beckerman opened this issue Mar 18, 2020 · 10 comments

Comments

@prios-ben-beckerman

The dependency mkdirp is pinned to 0.5.1. Mkdirp 0.5.1 has its own pinned dependency, minimist 0.0.8, which has a vulnerability. extract-zip should be upgraded to use mkdirp 0.5.3 which uses a newer version of minimist.

See isaacs/node-mkdirp#7

@heitorlessa

mkdirp has a new major version that no longer depends on minimist - v1.0.3, please use that instead.

@mnepita

mnepita commented Mar 21, 2020

I am having the same issue, can we please get an update?


@cyclingzealot

cyclingzealot commented Mar 21, 2020

@mnepita : plenty of discussion in #85. We're basically waiting on the repo owner (not me) to execute & deploy the pull request. In the meantime, I'm going to try vuejs/vue-cli#5285 (comment) and report back here, #85 and / or stack overflow.

@jfoclpf

jfoclpf commented Mar 22, 2020

Same here, please update asap

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ words-pt [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ words-pt > extract-zip > mkdirp > minimist                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
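The advisory in the audit table above (npm advisory 1179, Prototype Pollution in minimist below 0.2.1 / 1.2.3) comes from the way the argument parser expands dotted keys such as `--a.b=c` into nested objects without checking the segment names, so `--__proto__.polluted=yes` walks into `Object.prototype`. The block below is an added illustration written for this page, not minimist's source and not the upstream patch: it reimplements only the dotted-key assignment step, first in the vulnerable shape and then hardened by refusing `__proto__`, `constructor` and `prototype` segments and only descending through own plain-object properties. The function names (`splitArgs`, `setKeyVulnerable`, `setKeySafe`, `parseVulnerable`, `parseSafe`) are this example's own.

```javascript
'use strict';

// Added example: a minimal "--key=value" / "--key value" parser with dotted-key
// expansion, showing the prototype-pollution pattern behind npm advisory 1179.
// This is not minimist's code; the real parser handles many more cases.

// Split argv into [key, value] pairs. A flag with no value becomes `true`.
function splitArgs(argv) {
  const pairs = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue;
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    if (eq !== -1) {
      pairs.push([body.slice(0, eq), body.slice(eq + 1)]);
    } else {
      const next = argv[i + 1];
      if (next !== undefined && !next.startsWith('--')) {
        pairs.push([body, next]);
        i++;
      } else {
        pairs.push([body, true]);
      }
    }
  }
  return pairs;
}

// Vulnerable shape: walks "a.b.c", creating intermediate objects, with no check
// on segment names. For "--__proto__.polluted=yes", obj["__proto__"] is not
// undefined (it is Object.prototype), so the loop descends into it and the
// final assignment writes "polluted" onto every object in the process.
function setKeyVulnerable(obj, path, value) {
  let o = obj;
  const keys = path.split('.');
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

// Segments that would let a path reach a prototype instead of a data property.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: reject forbidden segments outright, and only descend into a
// property that is an own, non-null plain object (never an inherited one).
function setKeySafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN.has(k))) {
    throw new Error(`refusing to set prototype key in "${path}"`);
  }
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
}

function parseArgs(argv, setKey) {
  const result = {};
  for (const [key, value] of splitArgs(argv)) setKey(result, key, value);
  return result;
}

// Vulnerable parse: returns the parsed object; side effect is the pollution.
function parseVulnerable(argv) {
  return parseArgs(argv, setKeyVulnerable);
}

// Safe parse: returns { ok: true, result } or { ok: false, error } so the
// caller can log the rejected argument instead of silently dropping it.
function parseSafe(argv) {
  try {
    return { ok: true, result: parseArgs(argv, setKeySafe) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Calling `parseVulnerable(['--__proto__.polluted=yes'])` leaves `({}).polluted === 'yes'` for the rest of the process, which is why the audit flags a dev-only, transitive copy of minimist: any code path that hands user-controlled strings to the parser can alter behaviour of unrelated objects. `parseSafe` on the same input returns `ok: false`, while ordinary input such as `['--db.host=localhost', '--verbose']` still parses into nested objects.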

@cyclingzealot

As suggested by @SakiiCode, I used https://www.npmjs.com/package/npm-force-resolutions as a temporary fix. I documented on SO at https://stackoverflow.com/a/60795003/1611925 and https://stackoverflow.com/a/60794976/1611925 . It installed without difficulty but I have not tested execution yet.
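For readers who want the shape of the npm-force-resolutions workaround mentioned above, the fragment below is an added example of a consumer project's package.json, not the thread author's configuration: the `resolutions` entry pins the transitive minimist to a version inside the advisory's patched range, and the `preinstall` script lets the tool rewrite package-lock.json before `npm install` runs. The package name and the exact range (`^1.2.3`) are assumptions for illustration.

```json
{
  "name": "example-consumer",
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "minimist": "^1.2.3"
  }
}
```

After `npm install`, `npm ls minimist` should show only the forced version under the `extract-zip > mkdirp` path. The caveat with any forced resolution is that you, not mkdirp's maintainer, are asserting that the newer minimist is API-compatible with the version mkdirp 0.5.1 declared; the cleaner fix remains the one this issue asks for, moving to an extract-zip that depends on a mkdirp without the vulnerable pin.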

@DanielRuf

Bump.

@DanielRuf

cc @malept

@prios-ben-beckerman
Author

Owner of this project is @maxogden

@DanielRuf

Owner of this project is @maxogden

I know, but @malept is another contributor here.

@malept malept closed this as completed in 30ab06c Mar 24, 2020
@malept
Collaborator

malept commented Mar 24, 2020

Thanks for your patience in these uncertain times. I've released a version of extract-zip depending on mkdirp 0.5.4 in version 1.6.8.

7 participants