Remove minimist dependency via mkdirp (vulnerability CVE-2020-7598)
The version of ESLint you are using.
6.8.0

The problem you want to solve.
Remove the warning about the minimist vulnerability detailed here https://github.com/advisories/GHSA-7fhm-mqm4-2wp7. This is required via a dependency on the mkdirp package.

Your take on the correct solution to the problem.
@mysticatea has already done this in a PR targeting version 7. I suggest making this change in a patch to 6.8.

Are you willing to submit a pull request to implement this change?
Yep.
Issue Analytics
- State:
- Created 4 years ago
- Reactions: 38
- Comments: 12 (5 by maintainers)
Top GitHub Comments
Update: mkdirp published a new version that bumps minimist to a safe version. Patching ESLint is no longer necessary. Re-creating package-lock.json should fix the issue.

Wiping package-lock/minimist from node_modules and reinstalling packages updated the tree: