
mkdirp is vulnerable to prototype pollution #4638

Closed

priegger opened this issue Mar 20, 2020 · 6 comments

@priegger

What's going wrong?

npm audit reports a low severity vulnerability in the mkdirp version used by pm2.

How could we reproduce this issue?

  • git clone the pm2 repo
  • npm install
  • npm audit --production

Supporting information

The vulnerable package is also a dev dependency (of mocha).

                       === npm audit security report ===                        
                                                                                
# Run  npm install mkdirp@1.0.3  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mkdirp                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mkdirp > minimist                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > mkdirp > minimist                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 low severity vulnerabilities in 491 scanned packages
  1 vulnerability requires semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.
@kav2k

kav2k commented Mar 27, 2020

The issue is version pinning to exactly "mkdirp": "0.5.1".

Even though mkdirp version 0.x is deprecated, there's a fix in version 0.5.2.

Please update the dependency to (preferably) 1.x, minimally to ^0.5.4 if you don't have the engineering effort to spare right now.
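The check implied by the comment above, as an added example that is not part of this issue or of the pm2, mkdirp or minimist projects: a small Node script that walks a constructed lockfileVersion 1 package-lock tree, records every installed copy of minimist together with the path that pulls it in (the audit report's "Path" row), and flags copies whose version falls outside the "Patched in" range quoted in the report. The lock contents and version numbers are constructed for illustration, and the range parser handles only the `>=` / `<` comparators and `||` alternatives that npm audit prints, not full semver range syntax.

```javascript
// Added example (not from the pm2 issue or the mkdirp/minimist projects):
// find installed copies of a package in a package-lock tree and flag those
// outside an npm audit "Patched in" range.

// Parse "1.2.3" (optionally "v1.2.3") into [1, 2, 3]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric (not lexicographic) comparison: "0.5.4" < "0.5.10".
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a range in the form npm audit prints, e.g. ">=0.2.1 <1.0.0 || >=1.2.3":
// alternatives separated by "||", each a space-separated conjunction of comparators.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(comp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      const op = m[1] || '=';
      const c = compare(version, m[2]);
      switch (op) {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Walk a lockfileVersion 1 "dependencies" tree, recording each installed copy
// of `name` with the path that pulls it in, like the audit "Path" row.
function findInstalled(node, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) {
      out.push({ path: here.join(' > '), version: info.version, dev: !!info.dev });
    }
    findInstalled(info, name, here, out);
  }
  return out;
}

// Copies of `name` whose installed version is outside the patched range.
function auditLock(lock, name, patchedRange) {
  return findInstalled(lock, name).filter(hit => !satisfies(hit.version, patchedRange));
}

// Constructed lock file (hypothetical versions) mirroring the two paths in the
// issue's audit report, plus a hoisted patched copy that must not be flagged.
const CONSTRUCTED_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    mkdirp: {
      version: '0.5.1',
      dependencies: { minimist: { version: '0.0.8' } },
    },
    mocha: {
      dev: true,
      dependencies: {
        mkdirp: {
          version: '0.5.1',
          dev: true,
          dependencies: { minimist: { version: '0.0.8', dev: true } },
        },
      },
    },
    minimist: { version: '1.2.5' },
  },
};

// Range as printed in the audit report's "Patched in" row.
const PATCHED_MINIMIST = '>=0.2.1 <1.0.0 || >=1.2.3';

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of auditLock(CONSTRUCTED_LOCK, 'minimist', PATCHED_MINIMIST)) {
    console.log(`${hit.path}: ${hit.version}${hit.dev ? ' [dev]' : ''} is outside "${PATCHED_MINIMIST}"`);
  }
}
```

Run against a real `package-lock.json` by replacing `CONSTRUCTED_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a pinned `"mkdirp": "0.5.1"` shows up as an unpatched minimist under every path that resolves it, while a hoisted copy already at or above 1.2.3 is left alone.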

@sagarpanchal

[image: SharedScreenshot]

@kav2k

kav2k commented Apr 7, 2020

This is now considered a high severity vulnerability.

CVE score: Critical 9.8 https://nvd.nist.gov/vuln/detail/CVE-2020-7598
Github advisory severity: High GHSA-vh95-rmgr-6w4m

@tvler

tvler commented Apr 7, 2020

+1

@robertjamesmiller

please prioritize this because it's breaking our builds, thanks

@Unitech (Owner)

Unitech commented Apr 18, 2020

PM2 4.3.0 published:

npm install pm2@latest -g
pm2 update

@Unitech Unitech closed this as completed Apr 18, 2020

6 participants