srod/node-minify

Update mkdirp to resolve minimist vulnerability

G-Rath opened this issue · 1 comments

Currently the latest published version of @node-minify/core depends on mkdirp@0.5.1, which pulls in a flagged version of minimist:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @node-minify/core [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @node-minify/core > mkdirp > minimist                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

To address this, mkdirp released a new version that is not breaking, meaning it should be enough to bump to 0.5.2 (0.5.5 would be the ideal for the 0.x.x branch), until what's on the development branch can be published, as that's using the 1.x.x version branch.

srod commented

Fixed in 6.0.0.