mkdirp needs another update (to 0.5.4 or better yet, to a still newer 0.5.5)

[brettz9]

Prerequisites

• Checked that your issue hasn't already been filed by cross-referencing issues with the faq label
• Checked next-gen ES issues and syntax problems by using the same environment and/or transpiler configuration without Mocha to ensure it isn't just a feature that actually isn't supported in the environment in question or a bug in your code.
• 'Smoke tested' the code to be tested by running it outside the real test suite to get a better sense of whether the problem is in the code under test, your usage of Mocha, or Mocha itself
• Ensured that there is no discrepancy between the locally and globally installed versions of Mocha. You can find them with: node node_modules/.bin/mocha --version(Local) and mocha --version(Global). We recommend that you not install Mocha globally.

Description

mkdirp needs still another update (now at 0.5.4, fixing an infinite loop issue on Windows: https://github.com/isaacs/node-mkdirp/commits/v0.5.4 ).

Steps to Reproduce

Expected behavior: [What you expect to happen]

Avoid a buggy version.

Actual behavior: [What actually happens]

Getting the old buggy version.

Reproduces how often: [What percentage of the time does it reproduce?]

Always since package.json is pegged to 0.5.3.

Versions

• The output of mocha --version and node node_modules/.bin/mocha --version:

Current: 7.1.1.

Additional Information

[hfiguiere]

I have 5.2.0 and it has the same problem (expected). That would be terrific to have an update for that branch to solve npm audit warnings. (upgrading to 6 or 7 cause some trouble here)

mkdirp is pinned at 0.5.1

[brettz9]

@hfiguiere : mkdirp was pegged earlier at 0.5.1, and apparently fixed to 0.5.3 per #4206 by @juergba but shortly thereafter there was another mkdirp patch bringing it to 0.5.4.

[hfiguiere]

@hfiguiere : mkdirp was pegged earlier at 0.5.1, and apparently fixed to 0.5.3 per #4206 by @juergba but shortly thereafter there was another mkdirp patch bringing it to 0.5.4.

Exactly, so if there could be 5.2.1 with ^0.5.4.

[brettz9]

Apologies, it looks like mkdirp was already removed in master (see f87825a#diff-b9cfc7f2cdf78a7f4b91a753d10865a2 ), so just awaiting a new release.

[hfiguiere]

So no chance this happen for 5.2.0?

[brettz9]

I am not part of the project, so you'd need to file another issue if you wanted them to back-port security fixes for older mocha versions. I'm personally happy just upgrading to the latest 7.* mocha.

[brettz9]

@juergba : Could you put out a new release for the 7 branch to include the latest mkdirp bump (0.5.4+)

[G-Rath]

I've created #4220 requesting the update be backported to the 5.2.x branch.

[brettz9]

Are you referencing the wrong issue or PR, @G-Rath? That looks like it is about the TeamCity reporter, while this is about mkdirp.

[brettz9]

There is now also a 0.5.5 release: https://github.com/isaacs/node-mkdirp/commits/v0.5.5 (removing a deprecated Node feature).

[G-Rath]

@brettz9 yes good catch; that's the issue number for its sister issue over in svg-sprite 😬

I've updated my original title, cheers.

[silkfire]

Can't we upgrade to 1.0.4 to prevent this message?

npm WARN deprecated mkdirp@0.5.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

[juergba]

closed by #4222.