Upgrade mkdirp due to vulnerability in old version
Opened this issue · 3 comments
Prophet32j commented
Trying to work back through each node module for bunyan to fix a vulnerability. mkdirp@0.5.1 has a vulnerable package minimist@0.0.8 which needs to be fixed. Updating to the latest version of mkdirp will completely remove minimist from the dependency tree.
Here's the CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-7598
This library hasn't had any movement on it for quite a long time. If it's dead, say it's dead so I can discuss this with the maintainers of bunyan.
Prophet32j commented
Opened an issue on bunyan logger to address this issue too.
Prophet32j commented
@andrewrk are you not maintaining this project anymore?
jasonnutter commented
mkdirp@0.5.6 uses minimist@1.2.6, so I think this is resolved by regenerating your lock file.
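To check what a lock file actually pins after regenerating it, the sketch below lists every installed copy of a package together with the shortest dependency chain that pulls it in. It is an example added here, not code from the thread or from mkdirp or bunyan; the lock data is constructed, and "app", "tool", "intermediate-lib" and the 0.0.0 versions are hypothetical.

```javascript
// Constructed lock data in the npm v2/v3 "packages" layout, not a real lock file.
// "app", "intermediate-lib", "tool" and every 0.0.0 version are hypothetical.
const sampleLock = { lockfileVersion: 2, packages: {
  "": { name: "app", dependencies: { bunyan: "*", tool: "*" } },
  "node_modules/bunyan": { version: "0.0.0", optionalDependencies: { "intermediate-lib": "*" } },
  "node_modules/intermediate-lib": { version: "0.0.0", dependencies: { mkdirp: "*" } },
  "node_modules/mkdirp": { version: "0.5.1", dependencies: { minimist: "0.0.8" } },
  "node_modules/minimist": { version: "0.0.8" },
  "node_modules/tool": { version: "0.0.0", dependencies: { mkdirp: "*" } },
  "node_modules/tool/node_modules/mkdirp": { version: "0.5.6", dependencies: { minimist: "*" } },
  "node_modules/tool/node_modules/minimist": { version: "1.2.6" },
} };

// Resolve `dep` the way Node does from the package installed at `fromKey`:
// nearest node_modules directory first, then each parent up to the root.
function resolveKey(packages, fromKey, dep) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// For each installed copy of `name`, return the shortest chain from the root project.
function chainsTo(lock, name) {
  const packages = lock.packages || {};
  const parent = new Map([["", null]]); // breadth-first search tree: key -> requiring key
  const queue = [""];
  while (queue.length) {
    const key = queue.shift();
    const e = packages[key] || {};
    const deps = { ...e.dependencies, ...e.optionalDependencies,
                   ...(key === "" ? e.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const target = resolveKey(packages, key, dep);
      if (target && !parent.has(target)) { parent.set(target, key); queue.push(target); }
    }
  }
  const nameOf = (key) => key.slice(key.lastIndexOf("node_modules/") + 13);
  const label = (key) => key === "" ? ((packages[""] || {}).name || "(root)")
    : nameOf(key) + "@" + packages[key].version;
  const out = [];
  for (const key of parent.keys()) {
    if (key === "" || nameOf(key) !== name) continue;
    const chain = [];
    for (let k = key; k !== null; k = parent.get(k)) chain.unshift(label(k));
    out.push(chain.join(" > "));
  }
  return out.sort();
}
```

On a real project, pass the parsed contents of package-lock.json (lockfileVersion 2 or 3) in place of `sampleLock`; any chain that still ends in an old version shows which parent package is holding it back.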