Update mkdirp to resolve minimist vulnerability
G-Rath opened this issue · 1 comment
G-Rath commented
Currently the latest published version of @node-minify/core depends on mkdirp@0.5.1, which pulls in a flagged version of minimist:
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @node-minify/core [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @node-minify/core > mkdirp > minimist                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
To address this, mkdirp released a new version that is not breaking, meaning it should be enough to bump to 0.5.2 (0.5.5 would be the ideal for the 0.x.x branch), until what's on the development branch can be published, as that's using the 1.x.x version branch.
srod commented
Fixed in 6.0.0.