andrewrk/node-mv

Upgrade mkdirp due to vulnerability in old version

Opened this issue · 3 comments

Trying to work back through each node module for bunyan to fix a vulnerability.

mkdirp@0.5.1 has a vulnerable package minimist@0.0.8 which needs to be fixed. Updating to the latest version of mkdirp will completely remove minimist from the dependency tree.

Here's the CVE: https://nvd.nist.gov/vuln/detail/CVE-2020-7598

This library hasn't had any movement on it for quite a long time. If it's dead, say it's dead so I can discuss this with the maintainers of bunyan.

Opened an issue on bunyan logger to address this issue too.

@andrewrk are you not maintaining this project anymore?

mkdirp@0.5.6 uses minimist@1.2.6, so I think this is resolved by regenerating your lock file.
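The issue turns on a transitive dependency (bunyan -> mv -> mkdirp@0.5.1 -> minimist@0.0.8) and the last comment's point that regenerating the lock file resolves it. The script below, an added example that is not code from the node-mv project or from anyone in this thread, walks a `package-lock.json` and reports every `minimist` copy still inside the CVE-2020-7598 affected ranges (below 0.2.1, or 1.0.0 up to but excluding 1.2.3, as published in the advisory), together with the dependency path that pulls it in, so you can confirm the regenerated lock file really dropped the old copy. It handles both the nested lockfileVersion 1 layout and the flat `packages` map of versions 2 and 3. The embedded sample lock is constructed for this example; the bunyan and mv version strings in it are placeholders, and only the minimist entries matter to the check.

```javascript
// Added example (not from the node-mv project or the issue author): scan a
// package-lock.json for minimist copies still inside the CVE-2020-7598
// affected ranges and report the path that pulls each one in.
// Affected ranges per the published advisory: < 0.2.1, and >= 1.0.0 < 1.2.3.

function parseSemver(v) {
  // Only the numeric major.minor.patch prefix is compared; prerelease tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableMinimist(version) {
  const v = parseSemver(version);
  if (!v) return false;                       // unparsable: report nothing rather than guess
  if (v[0] === 0) return cmp(v, [0, 2, 1]) < 0; // 0.x line fixed in 0.2.1
  return cmp(v, [1, 2, 3]) < 0;                 // 1.x line fixed in 1.2.3
}

function findVulnerableMinimist(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/mkdirp/node_modules/minimist"; the root package is key "".
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/minimist') && isVulnerableMinimist(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects mirror the node_modules tree.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        if (name === 'minimist' && isVulnerableMinimist(meta.version)) {
          hits.push({ path, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lock (lockfileVersion 1) with the chain described in the
// issue: bunyan -> mv -> mkdirp@0.5.1 -> minimist@0.0.8. The bunyan and mv
// version strings are placeholders, not real releases. A top-level
// minimist@1.2.6 (the version the last comment cites as fixed) is included
// to show that only the old nested copy is flagged.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.6' },
    bunyan: {
      version: '0.0.0-placeholder',
      dependencies: {
        mv: {
          version: '0.0.0-placeholder',
          dependencies: {
            mkdirp: {
              version: '0.5.1',
              dependencies: { minimist: { version: '0.0.8' } },
            },
          },
        },
      },
    },
  },
};

// Usage: node check-minimist.js [path/to/package-lock.json]
// Without an argument the constructed sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const file = process.argv[2];
  const lock = file ? JSON.parse(fs.readFileSync(file, 'utf8')) : SAMPLE_LOCK_V1;
  const hits = findVulnerableMinimist(lock);
  for (const h of hits) console.log(`minimist@${h.version} at ${h.path}`);
  console.log(hits.length ? `${hits.length} vulnerable copy(ies) found` : 'no vulnerable minimist found');
  process.exitCode = hits.length ? 1 : 0;
}
```

Run it against the lock file before and after `rm package-lock.json && npm install`: the old copy should appear only in the first run. The non-zero exit code makes it usable as a CI gate until the dependency chain itself is updated.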