please update mkdirp due to prototype pollution in dependent package (CVE-2020-7598) #10561
Comments
Sorry, we can't do it, because it is a breaking change.
@evilebottnawi Will it be fixed in v5? I don't see it in the changelog.
We don't use
Backport: isaacs/node-mkdirp#7
The backport fix has been released in 0.5.3 🎉 isaacs/node-mkdirp#7 (comment)
Great, we'll just update the deps.
Many thanks! Shall I close this issue?
@sseide It would be great to send a PR updating the dep for webpack@4: https://github.com/webpack/webpack/blob/v4.42.0/package.json#L23
No PR needed, just reinstall dependencies with npm and everything is picked up automatically... (at least for our projects using webpack)
@dev-trilobyte We upgraded to
Did you mean something different from that in #10561 (comment)?
@almilo Try doing Reference #10571 (comment) (although removing the package-lock.json and running
@amilajack This did the trick for me :) but broke some other code, if you haven't locked down all packages to specific versions in package.json :)

However, check that you don't have another module depending on the older version as well, since npm moves dependencies to the top if the same module is required by different modules; if they both work with the same one, then npm will pick the version that is compatible with both, I think, so you might end up with the older one anyway. For example I have:
|
@almilo Either remove the entire package-lock.json, or manually edit package-lock.json and remove all objects for the packages "mkdirp" and "minimist" (but not within the "required" object) and rerun. And yes, if other packages require this very version too, they need to get fixed too.
Hi, I have a sample project with
Is anyone facing the same issue or has found a solution?
@evilebottnawi How so? The only thing mkdirp should be doing is creating folders. It's already a callback-based API. Regardless, everything < 1.x is completely unsupported now: `node-sass > mkdirp@0.5.3: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)` This REALLY should not be a breaking change to update in any way. There is nothing you can do in earlier versions that you can't do in newer versions of the API.
Also, if this library depends on
Still observing an old minimist package (on a clean webpack install). Repro:
fixed 0 of 3 vulnerabilities...
|
@Den-dp As I'm on Linux, fsevents won't be installed, therefore no threat for me. Only the first two "minimist" packages are installed, nothing below fsevents. But looking at the package.json of node-pre-gyp@0.14.0, it says:
It allows mkdirp 0.5.3 (fixed) and rc 1.2.8 with
@sseide Looks like this happens because of npm's algorithm for flattening dependencies, which tries to install fewer versions of the same package when version ranges are relaxed enough (it tries to use the minimal compatible version as much as it can). #10561 (comment) wrote about that
|
I've found that fsevents has been bundled with node-pre-gyp and old versions of minimist are provided in its archive.
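The two points made above, that npm hoists a single minimist copy when the ranges allow it and that the only reliable way to know what is actually installed is to inspect package-lock.json rather than package.json, are easiest to check with a small lockfile walker. The script below is an added example and is not part of the webpack issue or of npm itself. It reads a lockfileVersion 1 package-lock.json (the nested "dependencies" layout npm 6 wrote in 2020), walks every nesting level, and reports each minimist whose version is below the fixed releases for CVE-2020-7598 (0.2.1 for the 0.x line and 1.2.3 for the 1.x line, taken from the public advisory for that CVE), together with the parent chain that pulled it in. The sample lock object is constructed for the example; the function names are my own.

```javascript
// Added example (not from the webpack issue): walk a lockfileVersion 1
// package-lock.json and report every nested "minimist" whose version is below
// the fixed releases for CVE-2020-7598 (0.2.1 for 0.x, 1.2.3 for 1.x, per the
// public advisory). Usage: node check-minimist.js [path/to/package-lock.json]

// Minimal three-part version compare: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A minimist version is affected if it is 0.x below 0.2.1 or 1.x below 1.2.3.
function isVulnerableMinimist(version) {
  if (compareVersions(version, '1.0.0') < 0) {
    return compareVersions(version, '0.2.1') < 0;
  }
  return compareVersions(version, '1.2.3') < 0;
}

// Recursively walk the nested "dependencies" objects of a v1 lock and collect
// { path, version } for every affected copy, so the report shows which parent
// (e.g. webpack > mkdirp) is responsible rather than only the package name.
function findVulnerableMinimist(lock, pkgName = 'minimist') {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === pkgName && meta.version && isVulnerableMinimist(meta.version)) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here); // nested copies that npm could not hoist
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock mirroring the layout discussed in the thread: a
// hoisted minimist@1.2.5 at top level is fine, but mkdirp@0.5.1 still carries
// its own minimist@0.0.8 underneath webpack, and rc keeps an old 1.x copy.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    minimist: { version: '1.2.5' },
    webpack: {
      version: '4.42.0',
      dependencies: {
        mkdirp: {
          version: '0.5.1',
          dependencies: { minimist: { version: '0.0.8' } },
        },
      },
    },
    rc: {
      version: '1.2.8',
      dependencies: { minimist: { version: '1.2.0' } },
    },
  },
};

// When run directly, read the lock file given on the command line (or fall
// back to the constructed sample) and print one line per affected copy.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerableMinimist(lock);
  if (hits.length === 0) {
    console.log('no affected minimist versions found');
  } else {
    for (const h of hits) console.log(`minimist@${h.version} via ${h.path}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { compareVersions, isVulnerableMinimist, findVulnerableMinimist, SAMPLE_LOCK };
}
```

Run it against the real lock file after `npm install` (or after the package-lock.json surgery described above) to confirm that no nested copy survived; a clean result from `npm ls minimist` or a top-level `minimist@1.2.5` on its own does not prove that, because the hoisting described in the thread only deduplicates copies whose ranges overlap.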
fsevents/fsevents#310 just got an update (fsevents@1.2.12) so all minimist packages are up-to-date 👍
|
Address `npm audit` CI block. Webpack issues were backported for an older dependency, reference webpack/webpack#10561
It is picking up the correct
Not on my side
I have seen that webpack 5 is OK; it removes mkdirp.
Closed by #10580 |
Hey, guys! Please, I need your help. I tried to create a new Angular project using the command ng new nameOfTheProject; at first it worked really well, but now I have this error. Thanks in advance! Installing packages...npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142 npm ERR! A complete log of this run can be found in:
On Mac, run this command.
Feels like a never-ending story... now I have this instead:
|
@OZZlE It is. But we can use something like yarn resolutions to fix it quickly, no need to wait for libraries like webpack to update their dependencies. |
I have 29K 🤯 of that warning flowing when I run
It recommended that I run this to fix the issue:
but I couldn't get it to finish running before my computer ran out of memory 🤦♂️:
|
Bug report
webpack currently depends on the old 0.5.1 version of "mkdirp" which depends on old vulnerable minimist package. The 0.5.x line of mkdirp from the original author is not developed any further and maintenance of this package was taken over by isaacs with the new 1.x versions.
see: https://github.com/substack/node-mkdirp/issues/166
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
Please update "mkdirp" dependency to the latest 1.x version to fix this vulnerability.
What is the current behavior?
The old "mkdirp" 0.5.1 fetches the dependent package "minimist" 0.0.8, which triggers a warning in security checkers, blocking new builds.
If the current behavior is a bug, please provide the steps to reproduce.
What is the expected behavior?
Update dependency "mkdirp" to latest version 1.0.3 which has dropped dependency of "minimist" and does not trigger any security warnings anymore.
Other relevant information:
webpack version: 4.42.0
Node.js version: 10.16
Operating System: linux
Additional tools: