Upgrade dependencies using obsolete mkdirp (0.0.8 or 0.5.1) to fix CVE scored 9.8 in minimist package #1027

Closed
@mleneveut

Description

What / Why

The package mkdirp 0.5.1 contains a dependency on minimist 0.0.8, which has CVE-2020-7598, scored 9.8.

When

  • n/a

Where

  • n/a

How

Current Behavior

  • n/a

Expected Behavior

Remove the package mkdirp or find a maintained alternative.

Who

  • n/a

References

node -v
v12.16.1

npm -v
6.13.4

list mkdirp
npm@6.13.4 /usr/lib/node_modules/npm
+-- cacache@12.0.3
| `-- mkdirp@0.5.1  deduped
+-- cmd-shim@3.0.3
| `-- mkdirp@0.5.1  deduped
+-- gentle-fs@2.3.0
| `-- mkdirp@0.5.1  deduped
+-- libcipm@4.0.7
| `-- mkdirp@0.5.1  deduped
+-- mkdirp@0.5.1
+-- move-concurrently@1.0.1
| +-- copy-concurrently@1.0.5
| | `-- mkdirp@0.5.1  deduped
| `-- mkdirp@0.5.1  deduped
+-- node-gyp@5.0.5
| `-- mkdirp@0.5.1  deduped
+-- pacote@9.5.11
| `-- mkdirp@0.5.1  deduped
`-- tar@4.4.13
  `-- mkdirp@0.5.1  deduped
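As an added example (not code from this issue or from npm itself): a script that walks the JSON tree `npm ls --json` produces, lists every path ending in a minimist version inside the CVE-2020-7598 ranges, and names the direct dependencies that have to be bumped. The tree is constructed to mirror the issue's `npm ls mkdirp` output; the minimist entries under each mkdirp copy and the patched versions 0.2.1 / 1.2.3 are assumptions taken from the advisory, not from this page.

```javascript
// Constructed sample mirroring the `npm ls mkdirp` tree in this issue
// (npm 6.13.4 -> mkdirp 0.5.1 -> minimist 0.0.8). The minimist entry
// under each mkdirp copy is assumed; the issue only lists mkdirp.
const MKDIRP_051 = { version: '0.5.1', dependencies: { minimist: { version: '0.0.8' } } };
const sampleTree = {
  name: 'npm', version: '6.13.4',
  dependencies: {
    cacache: { version: '12.0.3', dependencies: { mkdirp: MKDIRP_051 } },
    'cmd-shim': { version: '3.0.3', dependencies: { mkdirp: MKDIRP_051 } },
    mkdirp: MKDIRP_051,
    tar: { version: '4.4.13', dependencies: { mkdirp: MKDIRP_051 } },
  },
};
// Vulnerable ranges for CVE-2020-7598 as [lowInclusive, highExclusive);
// patched versions 0.2.1 and 1.2.3 are assumed from the advisory.
const MINIMIST_VULNERABLE_RANGES = [['0.0.0', '0.2.1'], ['1.0.0', '1.2.3']];

// Numeric comparison of dotted versions (no semver library required).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
function inRanges(version, ranges) {
  return ranges.some(([lo, hi]) => cmpVersion(version, lo) >= 0 && cmpVersion(version, hi) < 0);
}
// Every path (array of "name@version") from the root to a copy of `pkg`
// whose version falls inside `ranges`.
function findVulnerablePaths(tree, pkg, ranges) {
  const hits = [];
  (function walk(node, name, path) {
    const here = path.concat(`${name}@${node.version}`);
    if (name === pkg && inRanges(node.version, ranges)) hits.push(here);
    for (const [child, sub] of Object.entries(node.dependencies || {})) walk(sub, child, here);
  })(tree, tree.name, []);
  return hits;
}
// Direct dependencies of the root that pull the vulnerable package in:
// these are the ones whose versions a maintainer has to bump.
function directDependenciesPullingIn(paths) {
  return [...new Set(paths.map((p) => p[1]))];
}

const found = findVulnerablePaths(sampleTree, 'minimist', MINIMIST_VULNERABLE_RANGES);
for (const p of found) console.log(p.join(' > '));
console.log('bump:', directDependenciesPullingIn(found).join(', '));
```

To run it against a real install, replace `sampleTree` with `JSON.parse(require('fs').readFileSync('tree.json'))` after `npm ls --json > tree.json`.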

Labels: Release 6.x, semver:patch