Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

migrate to mkdirp v1 #112

Closed
Hypnosphi opened this issue Oct 12, 2020 · 9 comments
Closed

migrate to mkdirp v1 #112

Hypnosphi opened this issue Oct 12, 2020 · 9 comments

Comments

@Hypnosphi
Copy link

npm says that mkdirp v0.x has been deprecated:

npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
@jimmywarting
Copy link

jimmywarting commented May 17, 2021
edited

how about dropping it and use nodes built in mkdir (recursive option) instead?

@eriktrom
Copy link
Member

how about dropping it and use nodes built in mkdir (recursive option) instead?

we have to support node 0.10.x - that said - neither of the above (built in mkdir or promises) can be merged in...

is there a security issue here or just 'lets keep node modern' which is totally legit, just not with this lib unfortunately

open to discussion if there is a reason outside of staying modern...

@Hypnosphi
Copy link
Author

lets keep node modern

it's rather 'lets not depend on deprecated things'

@jimmywarting
Copy link

jimmywarting commented Jul 30, 2021
edited

... and use less dependencies and making it smaller

@eriktrom
Copy link
Member

I actually feel the same way and have opened an issue (that I need to clean up b/c it was a brain dump) #122

perhaps it should just say:

'lets not depend on deprecated things'

at least that's what I am trying to say, in a very round about way :)

@DavideBecker
Copy link

You should consider updating mkdirp at least to a version that fixes GHSA-xvch-5gv4-984h. See:

isaacs/node-mkdirp#27
https://github.com/substack/minimist/issues/164

@ext
Copy link

ext commented Apr 4, 2022

how about dropping it and use nodes built in mkdir (recursive option) instead?

we have to support node 0.10.x - that said - neither of the above (built in mkdir or promises) can be merged in...

I'm not fully understanding the reasoning here but skimming through some older comments it seems to be related to embedded machines running older node versions? Correct me if I'm wrong though.

My two cents about this is that some systems are using older nodejs versions and will not / cannot update but they would probably not update portfinder either? I suggest to release a new breaking 2.0.0 release dropping support for older nodejs versions and if needed critical bugfixes could be backported to v1 while v2 could be kept a bit more modern.

mkdirp can be replaced since Node 10 and Node 10 is so old by now it is end-of-life already (since a year ago). Node 0.10.x is almost 6 years after EOL.

@cdeutsch cdeutsch mentioned this issue Apr 6, 2022
Open
@Glandos
Copy link

Glandos commented Apr 15, 2022

mkdirp has a new 0.5.6 version with updated minimist dependency. It should fix the issue for now.

@eriktrom
Copy link
Member

eriktrom commented Aug 2, 2022

@see #131

also minimist has been updated tonight, it will go out in the next release this week.

@eriktrom eriktrom closed this as completed Aug 2, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ext @Glandos @eriktrom @jimmywarting @Hypnosphi @DavideBecker