
Update make-dir to resolve vulnerable dependency #3806

Open

Description

@bloep

The less.js dependency make-dir is not up to date and causes a security warning due to its own outdated dependency.
See GHSA-c2qf-rxjj-qqgw.

$ npm ls semver
less@4.1.3 project
└─┬ make-dir@2.1.0
  └── semver@5.7.1

I would suggest updating to a current make-dir version here.
A quick search showed that it is only used here, so from my point of view an update should cause few problems.

const fs = require('fs');
let mkdirp; // lazily resolved make-dir module; null when it is not installed

// Inside the function that creates the output directory `dir`:
if (mkdirp === undefined) {
    try {
        mkdirp = require('make-dir'); // the only place less.js uses make-dir
    } catch (e) {
        mkdirp = null;
    }
}
// Prefer make-dir's recursive sync call, fall back to plain fs.mkdirSync
const cmd = mkdirp && mkdirp.sync || fs.mkdirSync;
cmd(dir);

Activity

stefandobre commented on Jul 6, 2023

It appears an outdated version of semver is also referenced as a dev dependency here:

"semver": "^6.3.0",

stefandobre commented on Aug 1, 2023

@iChenLei, is there any update on this? If not, would a pull request be welcome?

Den-dp commented on Aug 2, 2023

It was fixed on the make-dir side; run npm audit fix or try to reinstall less.

jorenbroekema commented on Dec 7, 2023

> it was fixed on make-dir side, run npm audit fix or try to reinstall less

That will only fix it if you use --force, because the vulnerability fix has not been done in v2 of make-dir, but rather in the next major(s).

This means it would be best if less can upgrade make-dir to the latest major version.

Dunno if this repo is still maintained but I'd be open to creating a pull request.
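Added example (not code from less.js or from anyone in this thread) of the decision the comment above describes: walk an npm ls style tree to find how the outdated semver is reached, then check whether the parent's declared caret range can reach a fixed parent version at all, which is what separates a plain `npm audit fix` from one that needs --force. The `^2.1.0` range for make-dir and the fixed make-dir versions are assumptions and placeholders, not values from the issue.

```javascript
// Added example, not code from less.js or from anyone in this thread. Decides whether
// a vulnerable transitive dependency is fixable by `npm audit fix` alone or needs a major bump.

// Parse "x.y.z" (optionally prefixed by ^) into [major, minor, patch].
function parseVersion(v) {
  return v.replace(/^\^/, '').split('.').map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal caret semantics: ^x.y.z allows >= x.y.z and < (x+1).0.0 (x > 0 only).
function caretAllows(range, version) {
  const [major] = parseVersion(range);
  if (!range.startsWith('^') || major === 0) throw new Error('unsupported range');
  return compareVersions(version, range) >= 0 && parseVersion(version)[0] === major;
}

// Walk `npm ls --json` style output and return every path ending in `target`.
function findPaths(node, target, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const hits = node.name === target ? [here] : [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    hits.push(...findPaths({ name, ...child }, target, here));
  }
  return hits;
}

// Without --force, npm audit fix can only choose a parent version the declared range allows.
function fixableWithoutForce(parentRange, fixedParentVersions) {
  return fixedParentVersions.some(v => caretAllows(parentRange, v));
}

// Constructed tree mirroring the `npm ls semver` output quoted in this issue.
const lsTree = {
  name: 'less', version: '4.1.3',
  dependencies: { 'make-dir': { version: '2.1.0', dependencies: { semver: { version: '5.7.1' } } } },
};
// Assumptions: less declares make-dir as ^2.1.0, and (placeholder) the make-dir
// releases that drop the outdated semver all live in a later major.
const MAKE_DIR_RANGE = '^2.1.0';
const FIXED_MAKE_DIR_VERSIONS = ['3.0.0'];
function report() {
  const paths = findPaths(lsTree, 'semver').map(p => p.join(' > '));
  return { paths, withoutForce: fixableWithoutForce(MAKE_DIR_RANGE, FIXED_MAKE_DIR_VERSIONS) };
}
```

With these inputs `report()` reports the path `less@4.1.3 > make-dir@2.1.0 > semver@5.7.1` and `withoutForce: false`, i.e. the parent major must be bumped.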

iChenLei (Member) commented on Dec 7, 2023

@jorenbroekema PR welcome


Participants: @matthew-dean, @Den-dp, @iChenLei, @stefandobre, @bloep