Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v8.0.0 - mkdirp should be on 0.5.3 at least #141

Open
jessewlee opened this issue Mar 25, 2020 · 3 comments
Open

v8.0.0 - mkdirp should be on 0.5.3 at least #141

jessewlee opened this issue Mar 25, 2020 · 3 comments

Comments

@jessewlee
Copy link

mkdirp should be on 0.5.3 to prevent security exploit introduced from minimist

ref: https://snyk.io/test/npm/mkdirp/0.5.0

@sergcen
Copy link
Collaborator

sergcen commented Nov 4, 2020

fixed 10.1.0

@peter-mouland
Copy link

mind if we close this issue?

@LeoniePhiline
Copy link

LeoniePhiline commented Mar 16, 2021

postcss-url 10 requires postcss 8, Not the entire ecosystem is ready yet for a migration from postcss 7 to postcss 8! There are some environments which I simply cannot update yet.

➡️ Would you please consider applying the fix of updating mkdirp also on postcss-url 9?

Thank you so much!

Reference:

# npm audit report

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss-url/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/postcss-url/node_modules/mkdirp
    postcss-url  9.0.0 - 10.0.0
    Depends on vulnerable versions of mkdirp
    node_modules/postcss-url

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants