Remove mkdirp@^0.5.1 due to CVE warnings, use native recursive `fs.…

…mkdir` (#768)

Summary:
**Summary**

mkdirp was triggering github security warnings.

**Details**

Github security warnings. The ones where you are the owner of a project and you visit the project's home page and get a giant warning from GitHub telling you there are CVE's in libraries within your repo.

I don't know for sure if metro was or was not vunerable. I for sure know this wouldn't affect someone's production code. What I do know is that humans build tolerance and blindness to things over time. Having a security warning linger on a repo/project is a long term risk to other, real security vulnerabilities being seen and fixed.

**Test plan**

`yarn test`

Pull Request resolved: #768

Reviewed By: GijsWeterings

Differential Revision: D33986388

Pulled By: rh389

fbshipit-source-id: c1d3ebc3b4ed0c9bd8d3348cfc052ccd6a5cc4a5

package.json

@@ -32,7 +32,6 @@
     "jest": "^26.6.3",
     "lerna": "2.4.0",
     "micromatch": "^4.0.2",
-    "mkdirp": "^0.5.1",
     "prettier": "^2.4.1",
     "progress": "^2.0.0",
     "promise": "^8.0.3",

packages/buck-worker-tool/package.json

@@ -12,8 +12,7 @@
     "temp": "^0.8.3"
   },
   "devDependencies": {
-    "metro-memory-fs": "0.68.0",
-    "mkdirp": "^0.5.1"
+    "metro-memory-fs": "0.68.0"
   },
   "scripts": {
     "prepare-release": "test -d build && rm -rf src.real && mv src src.real && mv build src",

packages/buck-worker-tool/src/__tests__/worker-test.js

@@ -35,7 +35,6 @@ const buckWorker = require('../worker-tool');
 // mocked
 const {Console} = require('console');
 const fs = require('fs');
-const mkdirp = require('mkdirp');
 const path = require('path');
 
 const {any, anything} = expect;
@@ -123,7 +122,7 @@ describe('Buck worker:', () => {
           fs.writeFileSync(path.join(dirPath, key), entry || '');
         } else {
           const subDirPath = path.join(dirPath, key);
-          mkdirp.sync(subDirPath);
+          fs.mkdirSync(subDirPath, {recursive: true});
           writeFiles(entry, subDirPath);
         }
       }

packages/metro-cache/package.json

@@ -13,7 +13,6 @@
   },
   "dependencies": {
     "metro-core": "0.68.0",
-    "mkdirp": "^0.5.1",
     "rimraf": "^2.5.4"
   },
   "devDependencies": {

packages/metro-cache/src/stores/FileStore.js

@@ -11,7 +11,6 @@
 'use strict';
 
 const fs = require('fs');
-const mkdirp = require('mkdirp');
 const path = require('path');
 const rimraf = require('rimraf');
 
@@ -54,7 +53,7 @@ class FileStore<T> {
       await this._set(filePath, value);
     } catch (err) {
       if (err.code === 'ENOENT') {
-        mkdirp.sync(path.dirname(filePath));
+        fs.mkdirSync(path.dirname(filePath), {recursive: true});
         await this._set(filePath, value);
       } else {
         throw err;
@@ -87,7 +86,9 @@ class FileStore<T> {
 
   _createDirs() {
     for (let i = 0; i < 256; i++) {
-      mkdirp.sync(path.join(this._root, ('0' + i.toString(16)).slice(-2)));
+      fs.mkdirSync(path.join(this._root, ('0' + i.toString(16)).slice(-2)), {
+        recursive: true,
+      });
     }
   }
 

packages/metro-memory-fs/src/index.js

@@ -675,19 +675,57 @@ class MemoryFs {
     }
   };
 
-  mkdirSync: (dirPath: string | Buffer, mode?: number) => void = (
+  mkdirSync: (
     dirPath: string | Buffer,
-    mode?: number,
+    options?: number | {recursive?: boolean, mode?: number},
+  ) => void = (
+    dirPath: string | Buffer,
+    options?: number | {recursive?: boolean, mode?: number},
   ): void => {
-    if (mode == null) {
-      mode = 0o777;
-    }
+    const recursive = typeof options != 'number' && options?.recursive;
+    const mode =
+      (typeof options == 'number' ? options : options?.mode) ?? 0o777;
+
     dirPath = pathStr(dirPath);
-    const {dirNode, node, basename} = this._resolve(dirPath);
-    if (node != null) {
-      throw makeError('EEXIST', dirPath, 'directory or file already exists');
+    if (recursive) {
+      const {drive, entNames} = this._parsePathWithCwd(dirPath);
+      const root = this._getRoot(drive, dirPath);
+      const context = {
+        drive,
+        node: root,
+        nodePath: [['', root]],
+        entNames,
+        symlinkCount: 0,
+        keepFinalSymlink: false,
+      };
+
+      while (context.entNames.length > 0) {
+        const entName = context.entNames.shift();
+        this._resolveEnt(context, dirPath, entName);
+        if (context.node == null) {
+          const [_parentName, parentNode] =
+            context.nodePath[context.nodePath.length - 2];
+          const childPair = context.nodePath[context.nodePath.length - 1];
+          if (parentNode && parentNode.type === 'directory') {
+            context.node = this._makeDir(mode);
+            parentNode.entries.set(entName, context.node);
+            childPair[1] = context.node;
+          } else {
+            throw makeError(
+              'EEXIST',
+              dirPath,
+              'directory or file already exists',
+            );
+          }
+        }
+      }
+    } else {
+      const {dirNode, node, basename} = this._resolve(dirPath);
+      if (node != null) {
+        throw makeError('EEXIST', dirPath, 'directory or file already exists');
+      }
+      dirNode.entries.set(basename, this._makeDir(mode));
     }
-    dirNode.entries.set(basename, this._makeDir(mode));
   };
 
   mkdtempSync: (
@@ -1216,21 +1254,10 @@ class MemoryFs {
     return {entNames: filePath.split(sep), drive};
   }
 
-  /**
-   * Implemented according with
-   * http://man7.org/linux/man-pages/man7/path_resolution.7.html
-   */
-  _resolve(
-    filePath: string,
-    options?: {keepFinalSymlink: boolean, ...},
-  ): Resolution {
-    let keepFinalSymlink = false;
-    if (options != null) {
-      ({keepFinalSymlink} = options);
-    }
-    if (filePath === '') {
-      throw makeError('ENOENT', filePath, 'no such file or directory');
-    }
+  _parsePathWithCwd(filePath: string): {|
+    +drive: string,
+    +entNames: Array<string>,
+  |} {
     let {drive, entNames} = this._parsePath(filePath);
     if (drive == null) {
       const {_cwd} = this;
@@ -1252,6 +1279,25 @@ class MemoryFs {
       }
       entNames = cwPath.entNames.concat(entNames);
     }
+    return {drive, entNames};
+  }
+
+  /**
+   * Implemented according with
+   * http://man7.org/linux/man-pages/man7/path_resolution.7.html
+   */
+  _resolve(
+    filePath: string,
+    options?: {keepFinalSymlink: boolean, ...},
+  ): Resolution {
+    let keepFinalSymlink = false;
+    if (options != null) {
+      ({keepFinalSymlink} = options);
+    }
+    if (filePath === '') {
+      throw makeError('ENOENT', filePath, 'no such file or directory');
+    }
+    const {drive, entNames} = this._parsePathWithCwd(filePath);
     checkPathLength(entNames, filePath);
     const root = this._getRoot(drive, filePath);
     const context = {

packages/metro-transform-worker/package.json

@@ -30,7 +30,6 @@
   "devDependencies": {
     "metro-memory-fs": "0.68.0",
     "metro-minify-uglify": "0.68.0",
-    "metro-react-native-babel-transformer": "0.68.0",
-    "mkdirp": "^0.5.1"
+    "metro-react-native-babel-transformer": "0.68.0"
   }
 }

packages/metro-transform-worker/src/__tests__/index-test.js

@@ -39,7 +39,6 @@ const HEADER_DEV =
 const HEADER_PROD = '__d(function (g, r, i, a, m, e, d) {';
 
 let fs;
-let mkdirp;
 let Transformer;
 
 const baseConfig: JsTransformerConfig = {
@@ -72,12 +71,11 @@ beforeEach(() => {
   jest.mock('fs', () => new (require('metro-memory-fs'))());
 
   fs = require('fs');
-  mkdirp = require('mkdirp');
   Transformer = require('../');
   fs.reset();
 
-  mkdirp.sync('/root/local');
-  mkdirp.sync(path.dirname(babelTransformerPath));
+  fs.mkdirSync('/root/local', {recursive: true});
+  fs.mkdirSync(path.dirname(babelTransformerPath), {recursive: true});
   fs.writeFileSync(babelTransformerPath, transformerContents);
 });
 

packages/metro/package.json

@@ -53,7 +53,6 @@
     "metro-transform-plugins": "0.68.0",
     "metro-transform-worker": "0.68.0",
     "mime-types": "^2.1.27",
-    "mkdirp": "^0.5.1",
     "node-fetch": "^2.2.0",
     "nullthrows": "^1.1.1",
     "rimraf": "^2.5.4",

packages/metro/src/DeltaBundler/__tests__/Transformer-test.js

@@ -22,7 +22,6 @@ var Transformer = require('../Transformer');
 var fs = require('fs');
 var {getDefaultValues} = require('metro-config/src/defaults');
 var {mergeConfig} = require('metro-config/src/loadConfig');
-const mkdirp = require('mkdirp');
 
 describe('Transformer', function () {
   let watchFolders;
@@ -53,8 +52,8 @@ describe('Transformer', function () {
     projectRoot = '/root';
     watchFolders = [projectRoot];
 
-    mkdirp.sync('/path/to');
-    mkdirp.sync('/root');
+    fs.mkdirSync('/path/to', {recursive: true});
+    fs.mkdirSync('/root', {recursive: true});
     fs.writeFileSync('/path/to/transformer.js', '');
 
     require('../getTransformCacheKey').mockClear();

packages/metro/src/__tests__/Assets-test.js

@@ -16,7 +16,6 @@ jest.mock('image-size');
 const {getAsset, getAssetData} = require('../Assets');
 const crypto = require('crypto');
 const fs = require('fs');
-const mkdirp = require('mkdirp');
 const path = require('path');
 
 const mockImageWidth = 300;
@@ -30,7 +29,7 @@ require('image-size').mockReturnValue({
 describe('getAsset', () => {
   beforeEach(() => {
     fs.reset();
-    mkdirp.sync('/root/imgs');
+    fs.mkdirSync('/root/imgs', {recursive: true});
   });
 
   it('should fail if the extension is not registerd', async () => {
@@ -121,7 +120,7 @@ describe('getAsset', () => {
   });
 
   it('should find an image located on a watchFolder', async () => {
-    mkdirp.sync('/anotherfolder');
+    fs.mkdirSync('/anotherfolder', {recursive: true});
 
     writeImages({
       '../../anotherfolder/b.png': 'b image',
@@ -139,7 +138,7 @@ describe('getAsset', () => {
   });
 
   it('should throw an error if an image is not located on any watchFolder', async () => {
-    mkdirp.sync('/anotherfolder');
+    fs.mkdirSync('/anotherfolder', {recursive: true});
 
     writeImages({
       '../../anotherfolder/b.png': 'b image',
@@ -154,7 +153,7 @@ describe('getAsset', () => {
 describe('getAssetData', () => {
   beforeEach(() => {
     fs.reset();
-    mkdirp.sync('/root/imgs');
+    fs.mkdirSync('/root/imgs', {recursive: true});
   });
 
   it('should get assetData', () => {

packages/metro/src/shared/output/RamBundle/as-assets.js

@@ -20,7 +20,7 @@ const buildSourcemapWithMetadata = require('./buildSourcemapWithMetadata');
 const MAGIC_RAM_BUNDLE_NUMBER = require('./magic-number');
 const {joinModules} = require('./util');
 const writeSourceMap = require('./write-sourcemap');
-const mkdirp = require('mkdirp');
+const fsPromises = require('fs').promises;
 const path = require('path');
 // must not start with a dot, as that won't go into the apk
 const MAGIC_RAM_BUNDLE_FILENAME = 'UNBUNDLE';
@@ -85,10 +85,8 @@ function saveAsAssets(
   }
 }
 
-function createDir(dirName: string): Promise<empty> {
-  return new Promise((resolve: void => void, reject: mixed => mixed) =>
-    mkdirp(dirName, error => (error ? reject(error) : resolve())),
-  );
+function createDir(dirName: string): Promise<void> {
+  return fsPromises.mkdir(dirName, {recursive: true});
 }
 
 function writeModuleFile(

scripts/build.js

@@ -29,7 +29,6 @@ const chalk = require('chalk');
 const fs = require('fs');
 const glob = require('glob');
 const micromatch = require('micromatch');
-const mkdirp = require('mkdirp');
 const path = require('path');
 const prettier = require('prettier');
 
@@ -80,7 +79,7 @@ function buildPackage(p) {
 function buildFile(file, silent) {
   const destPath = getBuildPath(file, BUILD_DIR);
 
-  mkdirp.sync(path.dirname(destPath));
+  fs.mkdirSync(path.dirname(destPath), {recursive: true});
   if (micromatch.isMatch(file, IGNORE_PATTERN)) {
     silent ||
       process.stdout.write(

yarn.lock

@@ -5598,7 +5598,7 @@ mixin-deep@^1.2.0:
     for-in "^1.0.2"
     is-extendable "^1.0.1"
 
-mkdirp@^0.5.1, mkdirp@~0.5.0:
+mkdirp@~0.5.0:
   version "0.5.3"
   resolved "https://registry.yarnpkg.com/mkdirp/-/mkdirp-0.5.3.tgz#5a514b7179259287952881e94410ec5465659f8c"
   integrity sha512-P+2gwrFqx8lhew375MQHHeTlY8AuOJSrGf0R5ddkEndUkmwpgUob/vQuBD1V22/Cw1/lJr4x+EjllSezBThzBg==