Remove mkdirp@^0.5.1 due to CVE warnings, use native recursive fs.mkdir

[ericanderson]

Summary

mkdirp was triggering github security warnings. Upgrading version will resolve that.

Details

Github security warnings. The ones where you are the owner of a project and you visit the project's home page and get a giant warning from GitHub telling you there are CVE's in libraries within your repo.

I don't know for sure if metro was or was not vulnerable. I for sure know this wouldn't affect someone's production code. What I do know is that humans build tolerance and blindness to things over time. Having a security warning linger on a repo/project is a long term risk to other, real security vulnerabilities being seen and fixed.

This version bump fixes the issue because it is the recommended version to resolve the CVE.

The code delta is to deal with the vulnerable library having a major semver change and thus the code needed to be adapted.

Test plan

yarn test

[facebook-github-bot]

Hi @ericanderson!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks!

[facebook-github-bot]

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

[philIip]

thanks @ericanderson for working on this! in the diff summary, can you give some examples of the security warnings and why this version bump and implementation change fixes them? thanks!

[ericanderson]

@philIip Github security warnings. The ones where you are the owner of a project and you visit the project's home page and get a giant warning from GitHub telling you there are CVE's in libraries within your repo.

I don't know for sure if metro was or was not vulnerable. I'm sure this wouldn't affect someone's production code. What I do know is that humans build tolerance and blindness to things over time. Having a security warning linger on a repo/project is a long term risk to other, real security vulnerabilities being seen and fixed.

This version bump fixes the issue because it is the recommended version to resolve the CVE.

The code delta is to deal with the vulnerable library having a major semver change and thus the code needed to be adapted.

[facebook-github-bot]

@philIip has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[ericanderson]

As an aside which shouldn't block this change, it seems like maintaining metro-memory-fs is an unnecessary use of resources. This package is only used for tests (at least within this repo).

The memfs library seems complete and well maintained. It is what webpack switched to after abandoning its own memory-fs (top right corner see deprecation notice).

[facebook-github-bot]

@rh389 has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[robhogan]

Hi @ericanderson - thanks for working on this. Unfortunately, it's proving problematic to merge internally due to the way we manage direct dependencies across the containing workspace (upshot being we'd have to update mkdirp in a lot of other places in order to merge this). Sorry that has an effect on a perfectly good PR.

To be honest, I'm thinking it'd be simpler to eliminate mkdirp from metro entirely - we support node >= 12 so the native recursive option is available to us and should be all we need. If you're interested in pivoting this PR in that direction it'd be very welcome, completely understand if not - apologies again for the wasted time.

[ericanderson]

@rh389 fair enough, will pivot as I'd prefer to get these warnings out of my repos.

[robhogan]

I think we could just tidy up the async call with the fs promises API, otherwise perfect (and thanks again)

Edit: Ah, also looks like we'll need to beef up the implementation of recursive in metro-memory-fs a bit

[robhogan]

Suggested change

	const mkdirPromised = util.promisify(fs.mkdir);
	return mkdirPromised(dirName, {recursive: true}).then(() => undefined);
	return fsPromises.mkdir(dirName, {recursive: true});

[robhogan]

Suggested change

	function createDir(dirName: string): Promise<empty> {
	function createDir(dirName: string): Promise<void> {

[robhogan]

Suggested change

	const fs = require('fs');
	const util = require('util');
	const fsPromises = require('fs').promises;

[facebook-github-bot]

@rh389 has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[facebook-github-bot]

@rh389 has imported this pull request. If you are a Meta employee, you can view this diff on Phabricator.

[ericanderson]

Thanks for the help getting it through @rh389. Sorry about the false start earlier. I was in and out of meetings and pushed before running tests.

[robhogan]

Not at all - I was just keen to get it pulled in before the end of my day yesterday. It's waiting for internal review now but everything's green so I'd expect it to be in the next fortnightly release, this PR will auto-close when it lands. Thanks again for the contribution (and patience!)