please update mkdirp due to prototype pollution in dependent package (CVE-2020-7598)
Bug report
webpack currently depends on the old 0.5.1 version of “mkdirp” which depends on old vulnerable minimist package. The 0.5.x line of mkdirp from the original author is not developed any further and maintenance of this package was taken over by isaacs with the new 1.x versions.
see: https://github.com/substack/node-mkdirp/issues/166
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
Please update the “mkdirp” dependency to the latest 1.x version to fix this vulnerability.

What is the current behavior?
The old “mkdirp” 0.5.1 fetches the dependent package “minimist” 0.0.8, which triggers a warning in security checkers, blocking new builds.
If the current behavior is a bug, please provide the steps to reproduce.
What is the expected behavior?
Update dependency “mkdirp” to latest version 1.0.3 which has dropped dependency of “minimist” and does not trigger any security warnings anymore.
Other relevant information:
webpack version: 4.42.0
Node.js version: 10.16
Operating System: linux
Additional tools:
Sorry, we can’t do it, because it is a breaking change
The backport fix has been released in 0.5.3 🎉 https://github.com/isaacs/node-mkdirp/issues/7#issuecomment-600235119