Mkdirp < 1 deprecated #833

Closed
SampsonCrowley opened this issue Mar 18, 2020 · 11 comments · Fixed by #839

Comments

@SampsonCrowley

node-sass > mkdirp@0.5.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

mkdirp less than version 1 has been deprecated. I will try to submit a pull request later today.

@JLHwung
Contributor

JLHwung commented Mar 18, 2020

mkdirp@1 requires node>=10 while babel-loader@8 still supports node@6.9. It will be a breaking change to bump mkdirp to version 1. That said, I am still happy to review and include it in babel-loader@9.

@cacieprins

Just a note that mkdirp@0.5 depends on minimist@0.0.8, which has concerning security issues: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

@nicolo-ribaudo
Member

mkdirp@0.5.3 depends on minimist@^1.2.5: https://unpkg.com/browse/mkdirp@0.5.3/package.json

@cacieprins

In that case, can babel-loader be upgraded to mkdirp@0.5.3 to resolve this? (Should I open a new issue for that?)

@existentialism
Member

existentialism commented Mar 19, 2020

@cacieprins no need, #834, we'll release soon!

@existentialism
Member

Released v8.1.0! 🎉

@BojanJakic

Hello guys, I'm working on a project and have the same problem that Sampson Crowley mentioned above. So there is no existing version of babel-loader that supports mkdirp 1.x ... or maybe I misunderstood something?
Thanks in advance for the reply, cheers...

@SampsonCrowley
Author

@BojanJakic that's correct. The minimist dependency issue is not really related to this issue. 0.5.3 is also deprecated.

@nicolo-ribaudo
Member

nicolo-ribaudo commented Mar 23, 2020

Even if it gives that warning, mkdirp 0.x is still supported: the last release was today (https://www.npmjs.com/package/mkdirp/v/0.5.4), and the last one was one week ago.

mkdirp still works perfectly for babel-loader without any issue, and there aren't any known security problems. Also, mkdirp's README still recommends using v0.x in some cases.

I'd still be happy to update it in the next major version (we can't do it in a minor), but I don't see the urgency to do it now.

@SampsonCrowley
Author

@nicolo-ribaudo just because it can't be done until the next release doesn't mean this is closed. Having a giant warning about using a deprecated package is extremely annoying, and this needs to stay on the roadmap until it's actually fixed.

@nicolo-ribaudo
Member

This has been closed because it has been fixed by #839.
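
The thread turns on which minimist a given mkdirp release actually pulls in. The following is an added example, not part of the thread or of babel-loader's code: it walks a lockfile-v1 style dependency tree and reports every installed copy of minimist with the chain that brought it in. The sample tree, the `legacy-tool` package and the nested mkdirp version are constructed, and the `1.2.5` floor is an assumption taken from the `minimist@^1.2.5` range quoted above for mkdirp@0.5.3.

```javascript
// Constructed sample lock tree (lockfileVersion 1 layout); not from a real project.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "legacy-tool": {                       // hypothetical package
      version: "1.0.0",
      requires: { mkdirp: "^0.5.0" },
      dependencies: {
        mkdirp: {
          version: "0.5.1",                // constructed: an older 0.5.x copy
          requires: { minimist: "0.0.8" },
          dependencies: { minimist: { version: "0.0.8" } },
        },
      },
    },
    mkdirp: { version: "0.5.3", requires: { minimist: "^1.2.5" } },
    minimist: { version: "1.2.5" },        // hoisted copy used by mkdirp@0.5.3
  },
};

// Compare dotted numeric versions (pre-release suffix ignored): <0, 0 or >0.
function cmpVersion(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every installed copy of `name`, keeping the install path.
function findInstalls(node, name, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) hits.push({ version: info.version, path: here.join(" > ") });
    hits.push(...findInstalls(info, name, here));
  }
  return hits;
}

// Flag minimist copies below the floor (assumed here: 1.2.5, see lead-in).
function auditMinimist(lock, floor = "1.2.5") {
  return findInstalls(lock, "minimist")
    .map((h) => ({ ...h, ok: cmpVersion(h.version, floor) >= 0 }));
}

for (const r of auditMinimist(sampleLock)) console.log(r.ok ? "ok  " : "OLD ", r.path);
```

A hoisted, up-to-date minimist at the top level does not imply that nested copies were updated, which is why the walk reports the full path for each hit.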
