migrate to mkdirp v1

Question

migrate to mkdirp v1

Hypnosphi opened this issue 4 years ago · 9 comments

npm says that mkdirp v0.x has been deprecated:

npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

Answer 1 · 2021-05-17T09:56:16.000Z

how about dropping it and use nodes built in mkdir (recursive option) instead?

Answer 2 · 2021-07-29T20:08:40.000Z

how about dropping it and use nodes built in mkdir (recursive option) instead?

we have to support node 0.10.x - that said - neither of the above (built in mkdir or promises) can be merged in...

is there a security issue here or just 'lets keep node modern' which is totally legit, just not with this lib unfortunately

open to discussion if there is a reason outside of staying modern...

Answer 3 · 2021-07-30T00:40:55.000Z

lets keep node modern

it's rather 'lets not depend on deprecated things'

Answer 4 · 2021-07-30T07:08:19.000Z

... and use less dependencies and making it smaller

Answer 5 · 2021-07-30T18:55:46.000Z

I actually feel the same way and have opened an issue (that I need to clean up b/c it was a brain dump) #122

perhaps it should just say:

'lets not depend on deprecated things'

at least that's what I am trying to say, in a very round about way :)

Answer 6 · 2022-03-31T13:23:43.000Z

You should consider updating mkdirp at least to a version that fixes GHSA-xvch-5gv4-984h. See:

isaacs/node-mkdirp#27
https://github.com/substack/minimist/issues/164

Answer 7 · 2022-04-04T15:48:05.000Z

how about dropping it and use nodes built in mkdir (recursive option) instead?

we have to support node 0.10.x - that said - neither of the above (built in mkdir or promises) can be merged in...

I'm not fully understanding the reasoning here but skimming through some older comments it seems to be related to embedded machines running older node versions? Correct me if I'm wrong though.

My two cents about this is that some systems are using older nodejs versions and will not / cannot update but they would probably not update portfinder either? I suggest to release a new breaking 2.0.0 release dropping support for older nodejs versions and if needed critical bugfixes could be backported to v1 while v2 could be kept a bit more modern.

mkdirp can be replaced since Node 10 and Node 10 is so old by now it is end-of-life already (since a year ago). Node 0.10.x is almost 6 years after EOL.

Answer 8 · 2022-04-15T08:05:35.000Z

mkdirp has a new 0.5.6 version with updated minimist dependency. It should fix the issue for now.

Answer 9 · 2022-08-02T04:24:09.000Z

@see #131

also minimist has been updated tonight, it will go out in the next release this week.