
please update mkdirp due to prototype pollution in dependent package (CVE-2020-7598) #10561

Closed
sseide opened this issue Mar 16, 2020 · 30 comments

Comments

@sseide

sseide commented Mar 16, 2020

Bug report

webpack currently depends on the old 0.5.1 version of "mkdirp" which depends on old vulnerable minimist package. The 0.5.x line of mkdirp from the original author is not developed any further and maintenance of this package was taken over by isaacs with the new 1.x versions.

see: https://github.com/substack/node-mkdirp/issues/166
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598

Please update "mkdirp" dependency to the latest 1.x version to fix this vulnerability.
What is the current behavior?

The old "mkdirp" 0.5.1 fetches the dependent package "minimist" 0.0.8, which triggers a warning in security checkers, blocking new builds.

If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?

Update dependency "mkdirp" to the latest version 1.0.3, which has dropped its dependency on "minimist" and does not trigger any security warnings anymore.

Other relevant information:
webpack version: 4.42.0
Node.js version: 10.16
Operating System: linux
Additional tools:

@alexander-akait
Member

Sorry, we can't do it, because it is a breaking change

@OZZlE

OZZlE commented Mar 17, 2020

@evilebottnawi will it be fixed in V5? don't see it in the changelog

@alexander-akait
Member

We don't use mkdirp in webpack@5; maybe we should open an issue in the mkdirp repo for a backport fix, a lot of projects use mkdirp@0.5.x

@alexander-akait
Member

Backport: isaacs/node-mkdirp#7

@jomi-se

jomi-se commented Mar 18, 2020

The backport fix has been released in 0.5.3 🎉 isaacs/node-mkdirp#7 (comment)

@alexander-akait
Member

Great, we just update deps

@sseide
Author

sseide commented Mar 18, 2020

Many thanks! Shall I close this issue?

@alexander-akait
Member

@sseide It would be great to send a PR updating the dep for webpack@4: https://github.com/webpack/webpack/blob/v4.42.0/package.json#L23

@dev-trilobyte

no PR needed, just reinstall dependencies with npm and everything picked up automatically... (at least for our projects using webpack)

@almilo

almilo commented Mar 18, 2020

@dev-trilobyte we upgraded to webpack@4.42.0, removed the package-lock.json file, ran npm i and still get a problematic version of minimist:

└─┬ webpack@4.42.0
  └─┬ watchpack@1.6.0
    └─┬ chokidar@2.1.8
      └─┬ fsevents@1.2.11
        └─┬ node-pre-gyp@0.14.0
          ├─┬ mkdirp@0.5.1
          │ └── minimist@0.0.8 <====
          └─┬ rc@1.2.8
            └── minimist@1.2.0 

did you mean something different than that in #10561 (comment)?
In addition to that, also ran npm audit fix and even installed "mkdirp": "0.5.3", specifically in package.json.
Thanks!

@jomi-se

jomi-se commented Mar 18, 2020

@almilo Try doing npm audit fix. If that doesn't manage to fix the issue try to manually remove stuff in the package-lock.json and re-run npm install

Reference #10571 (comment) (although removing the package-lock.json and running npm i would have worked in my case)

@OZZlE

OZZlE commented Mar 18, 2020

@amilajack This did the trick for me :) but broke some other code, if you haven't locked down all packages to specific versions in package.json :)

rm package-lock.json
rm -rf node_modules/
npm i

@OZZlE

OZZlE commented Mar 18, 2020

However, check that you don't have another module depending on the older version too, since npm moves dependencies to the top if the same module is required by different modules; if they both work with the same version, then npm will pick the version that is compatible with both, I think, so you might end up with the older one anyway..

For example I have:

eslint-loader > loader-fs-cache > find-cache-dir > mkdirp > minimist

@sseide
Author

sseide commented Mar 18, 2020

@almilo either remove the entire package-lock.json, or manually edit package-lock.json and remove all objects for the packages "mkdirp" and "minimist" (but not within the "required" object) and rerun npm i. Then it's fixed.

And yes - if other packages require this very version too they need to get fixed too.
@OZZlE there are PRs for loader-fs-cache to fix this

@spuente

spuente commented Mar 18, 2020

Hi, I have a sample project with webpack ^4.42.0 as its only dependency.
I have deleted package-lock.json and node_modules.
After doing npm i and then npm audit, it shows 3 issues related to minimist version:

webpack > watchpack > chokidar > fsevents > node-pre-gyp > rc > minimist
webpack > watchpack > chokidar > fsevents > node-pre-gyp > tar > mkdirp > minimist
webpack > watchpack > chokidar > fsevents > node-pre-gyp > mkdirp > minimist

Is anyone facing the same issue or has found a solution?
I am on node v12.14.1, npm 6.13.4

@SampsonCrowley

Sorry, we can't do it, because it is breaking change

@evilebottnawi How so? The only thing mkdirp should be doing is creating folders. It's already a callback based API regardless

everything < 1.x is completely unsupported now:

node-sass > mkdirp@0.5.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

This REALLY should not be a breaking change to update in any way. There is nothing you can do in earlier versions that you can't do in newer versions of the API

@SampsonCrowley

Also if this library depends on minimist it should be a dependency of this library. I would like someone to point out a single line that would be a breaking change

@Den-dp

Den-dp commented Mar 18, 2020

Still observing an old minimist package (on a clean webpack install).
Even npm audit fix can't help with that.

Repro:

PS C:\dev\webpack-demo> npm init -y
PS C:\dev\webpack-demo> npm i webpack
npm WARN deprecated mkdirp@0.5.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm notice created a lockfile as package-lock.json. You should commit this file.
...
+ webpack@4.42.0
added 324 packages from 203 contributors and audited 4227 packages in 11.725s

3 packages are looking for funding
  run `npm fund` for details

found 3 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details
PS C:\dev\webpack-demo> npm audit fix
npm WARN webpack-demo@1.0.0 No description
npm WARN webpack-demo@1.0.0 No repository field.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.11 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.11: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

up to date in 2.358s

3 packages are looking for funding
  run `npm fund` for details

fixed 0 of 3 vulnerabilities in 4227 scanned packages
  3 vulnerabilities required manual review and could not be updated

fixed 0 of 3 vulnerabilities...

PS C:\dev\webpack-demo> npm ls minimist
webpack-demo@1.0.0 C:\dev\webpack-demo
`-- webpack@4.42.0
  +-- loader-utils@1.4.0
  | `-- json5@1.0.1
  |   `-- minimist@1.2.5  deduped
  +-- mkdirp@0.5.3
  | `-- minimist@1.2.5
  `-- watchpack@1.6.0
    `-- chokidar@2.1.8
      `-- UNMET OPTIONAL DEPENDENCY fsevents@1.2.11
        `-- UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.14.0
          +-- UNMET OPTIONAL DEPENDENCY mkdirp@0.5.1
          | `-- UNMET OPTIONAL DEPENDENCY minimist@0.0.8  <======
          `-- UNMET OPTIONAL DEPENDENCY rc@1.2.8
            `-- UNMET OPTIONAL DEPENDENCY minimist@1.2.0  <======

@sseide
Author

sseide commented Mar 18, 2020

@Den-dp As I'm on Linux, fsevents won't be installed, therefore no threat for me. Only the first two "minimist" packages are installed, nothing below fsevents.

But looking at the package.json of node-pre-gyp@0.14.0 it says:

"dependencies": {
    "mkdirp": "^0.5.1",
    "rc": "^1.2.7"
   ...

It allows mkdirp 0.5.3 (fixed) and rc 1.2.8 with "minimist": "^1.2.0", therefore the fixed version 1.2.5 is within the semver range. Do you have node-pre-gyp installed globally with older versions or something like it?

@Den-dp

Den-dp commented Mar 18, 2020

@sseide looks like this happens because of npm's algorithm for flattening dependencies, which tries to install fewer versions of the same package in cases when version ranges are relaxed enough (it tries to use the minimal compatible version as much as it can).

#10561 (comment) wrote about that

npm moves dependencies to the top if the same module is required by different modules and they both work with the same then npm will pick the version that is compatible with both I think so then you might end up with the older one anyway..

@mtmtcode

mtmtcode commented Mar 19, 2020

I've found fsevents has been bundled with node-pre-gyp, and old versions of minimist are provided in its archive.
https://github.com/fsevents/fsevents/blob/v1.2.11/package.json#L33

@Den-dp

Den-dp commented Mar 19, 2020

fsevents/fsevents#310 just got an update (fsevents@1.2.12) so all minimist packages are up-to-date 👍

PS C:\dev\webpack-demo> npm ls minimist
webpack-demo@1.0.0 C:\dev\webpack-demo
`-- webpack@4.42.0
  +-- loader-utils@1.4.0
  | `-- json5@1.0.1
  |   `-- minimist@1.2.5  deduped
  +-- mkdirp@0.5.3
  | `-- minimist@1.2.5
  `-- watchpack@1.6.0
    `-- chokidar@2.1.8
      `-- UNMET OPTIONAL DEPENDENCY fsevents@1.2.12
        `-- UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.14.0
          +-- UNMET OPTIONAL DEPENDENCY mkdirp@0.5.3
          | `-- UNMET OPTIONAL DEPENDENCY minimist@1.2.5
          `-- UNMET OPTIONAL DEPENDENCY rc@1.2.8
            `-- UNMET OPTIONAL DEPENDENCY minimist@1.2.5

sfount added a commit to alphagov/pay-toolbox that referenced this issue Mar 19, 2020
Address `npm audit` CI block. Webpack issues were backported for an
older dependency, reference
webpack/webpack#10561
@spuente

spuente commented Mar 19, 2020

fsevents/fsevents#310 just got an update (fsevents@1.2.12) so all minimist packages are up-to-date 👍

PS C:\dev\webpack-demo> npm ls minimist
webpack-demo@1.0.0 C:\dev\webpack-demo
`-- webpack@4.42.0
  +-- loader-utils@1.4.0
  | `-- json5@1.0.1
  |   `-- minimist@1.2.5  deduped
  +-- mkdirp@0.5.3
  | `-- minimist@1.2.5
  `-- watchpack@1.6.0
    `-- chokidar@2.1.8
      `-- UNMET OPTIONAL DEPENDENCY fsevents@1.2.12
        `-- UNMET OPTIONAL DEPENDENCY node-pre-gyp@0.14.0
          +-- UNMET OPTIONAL DEPENDENCY mkdirp@0.5.3
          | `-- UNMET OPTIONAL DEPENDENCY minimist@1.2.5
          `-- UNMET OPTIONAL DEPENDENCY rc@1.2.8
            `-- UNMET OPTIONAL DEPENDENCY minimist@1.2.5

it is picking up the correct minimist version now 👍

@jmfrancois

Not on my side

├─┬ copy-webpack-plugin@5.1.1
│ └─┬ loader-utils@1.2.3
│   └─┬ json5@1.0.1
│     └── minimist@1.2.0
├─┬ webpack@4.42.0
│ └─┬ mkdirp@0.5.1
│   └── minimist@0.0.8 <<< INFECTED
└─┬ webpack-dev-server@3.10.3
  └─┬ chokidar@2.1.8
    └─┬ fsevents@1.2.12
      └─┬ node-pre-gyp@0.14.0
        ├─┬ mkdirp@0.5.3
        │ └── minimist@1.2.5
        └─┬ rc@1.2.8
          └── minimist@1.2.5  deduped

I have seen that webpack 5 is OK, it removed mkdirp

@MichaelDeBoey

Closed by #10580

@DihiaA

DihiaA commented Mar 27, 2020

Hey, guys! Please, I need your help. I tried to create a new Angular project using the command ng new nameOfTheProject; at first it worked really well, but now I have this error. Thanks in advance!

Installing packages...npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142
npm WARN deprecated mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm ERR! Unexpected end of JSON input while parsing near '...Comment: https://open'

npm ERR! A complete log of this run can be found in:
npm ERR! C:\Users\toshba\AppData\Roaming\npm-cache_logs\2020-03-27T12_32_14_792Z-debug.log
× Package install failed, see above.
The Schematic workflow failed. See above.

@junaid5546

On Mac, run this command.
sudo npm install -g mkdirp

@OZZlE

OZZlE commented Apr 7, 2020

Feels like a never ending story.. now I have this instead:

Low             Validation Bypass                                             
                                                                            
Package         kind-of                                                       
                                                                            
Dependency of   webpack                                                       
                                                                            
Path            webpack > watchpack > chokidar > readdirp > micromatch >      
              extglob > define-property > is-descriptor > kind-of           
                                                                            
More info       https://npmjs.com/advisories/1490 

https://www.youtube.com/watch?v=Gf1WT8VEZxk

@chenxsan
Member

chenxsan commented Apr 7, 2020

@OZZlE It is. But we can use something like yarn resolutions to fix it quickly, no need to wait for libraries like webpack to update their dependencies.

@jeemok

jeemok commented Apr 22, 2020

I have 29K 🤯 of that warning flowing when I run npm audit

  Low             Validation Bypass                                             

  Package         kind-of                                                       

  Dependency of   webpack                                                       

  Path            webpack > watchpack > chokidar > readdirp > micromatch >      
                  nanomatch > snapdragon > base > define-property >             
                  is-descriptor > is-accessor-descriptor > kind-of              

  More info       https://npmjs.com/advisories/1490  

it recommended me to run this to fix the issue:

# Run  npm update kind-of --depth 26  to resolve 28971 vulnerabilities

but I couldn't get it to finish running before my computer ran out of memory 🤦‍♂️:

<--- Last few GCs --->

[36576:000001DD3561D6D0]   318114 ms: Mark-sweep 1092.6 (1433.4) -> 1092.6 (1426.4) MB, 677.3 / 0.0 ms  (average mu = 0.129, current mu = 0.192) last resort GC in old space requested
[36576:000001DD3561D6D0]   318908 ms: Mark-sweep 1092.6 (1426.4) -> 1092.6 (1426.4) MB, 793.6 / 0.0 ms  (average mu = 0.067, current mu = 0.000) last resort GC in old space requested


<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 000002B590C5C5C1]
Security context: 0x02ae9f29e6e9 <JSObject>
    1: isExtraneous(aka isExtraneous) [0000037FB2C94161] [C:\Users\mok.liu\AppData\Roaming\npm\node_modules\npm\lib\install\is-extraneous.js:~4] [pc=000002B59105B216](this=0x01cf1af026f1 <undefined>,tree=0x033cb7d6c7f9 <Node map = 0000006626F56109>)
    2: /* anonymous */ [000000291D67FD99] [C:\Users\mok.liu\AppData\Roaming\npm\node_modules\npm\lib\outdate...

FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory
 1: 00007FF7D921F04A v8::internal::GCIdleTimeHandler::GCIdleTimeHandler+5114
 2: 00007FF7D91FA0C6 node::MakeCallback+4518
 3: 00007FF7D91FAA30 node_module_register+2032
 4: 00007FF7D94820EE v8::internal::FatalProcessOutOfMemory+846
 5: 00007FF7D948201F v8::internal::FatalProcessOutOfMemory+639
 6: 00007FF7D99A2BC4 v8::internal::Heap::MaxHeapGrowingFactor+9556
 7: 00007FF7D99A10CB v8::internal::Heap::MaxHeapGrowingFactor+2651
 8: 00007FF7D955CBE8 v8::internal::Factory::AllocateRawArray+56
 9: 00007FF7D9562CFA v8::internal::Factory::NewTransitionArray+58
10: 00007FF7D9A46684 v8::internal::CodeStubAssembler::InitializeFunctionContext+26932
11: 00007FF7D977CBFE v8::internal::JSReceiver::GetOwnPropertyDescriptor+17550
12: 00007FF7D977CD69 v8::internal::JSReceiver::GetOwnPropertyDescriptor+17913
13: 00007FF7D977EB9B v8::internal::JSReceiver::GetOwnPropertyDescriptor+25643
14: 00007FF7D976DD94 v8::internal::JSReceiver::class_name+4132
15: 00007FF7D977E2D9 v8::internal::JSReceiver::GetOwnPropertyDescriptor+23401
16: 00007FF7D964ACFE v8::internal::LookupIterator::PrepareTransitionToDataProperty+478
17: 00007FF7D9771E11 v8::internal::JSReceiver::class_name+20641
18: 00007FF7D954CFE9 v8::internal::wasm::WasmCodeManager::LookupCode+17993
19: 00007FF7D95500A4 v8::internal::wasm::WasmCodeManager::LookupCode+30468
20: 000002B590C5C5C1
