fix: Use make-dir instead of mkdirp #3490

Merged
merged 2 commits into from
Apr 30, 2020


@eps1lon eps1lon commented Apr 1, 2020

Closes #3487

minimist has the vulnerability. By removing mkdirp@0.x (which is deprecated anyway) we get rid of minimist.

Note that we already have to use an outdated version of make-dir since less supports node 6 (which reached end-of-life a year ago) while make-dir@latest only supports node 8 (which also reached end-of-life at the end of last year).
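
The dependency relationship described in the comment above, as an added example that is not part of the pull request or the less code base: it reports which installed packages pull in a given module, and shows that the module disappears once its only dependent is replaced. The two lockfile objects are constructed samples in npm's lockfile v1 layout with placeholder versions, and `findDependents` and `isInstalled` are hypothetical helper names.

```javascript
// Constructed sample: dependency tree before the change (npm lockfile v1 layout).
// Versions are placeholders, not values from the less repository.
const before = {
  dependencies: {
    mkdirp: { version: "0.0.0-placeholder", requires: { minimist: "*" } },
    minimist: { version: "0.0.0-placeholder" },
  },
};

// Constructed sample: tree after swapping mkdirp for make-dir.
// make-dir's own dependencies are omitted from this sample.
const after = {
  dependencies: {
    "make-dir": { version: "0.0.0-placeholder" },
  },
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Return every chain "a > b > target" where the last package before the
// target lists it in `requires`, including packages nested under others.
function findDependents(lock, target) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (info.requires && own(info.requires, target)) {
        hits.push(here.concat(target).join(" > "));
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// True if the target is installed anywhere in the tree, top level or nested.
function isInstalled(lock, target) {
  const walk = (deps) =>
    Object.entries(deps || {}).some(
      ([name, info]) => name === target || walk(info.dependencies)
    );
  return walk(lock.dependencies);
}

console.log(findDependents(before, "minimist"));
console.log(isInstalled(after, "minimist"));
```
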

@alansemenov

@matthew-dean Can you prioritise this fix and a new release please? We are getting security warnings in all of our repos that use less.js because of the deprecated/vulnerable mkdirp dependency.

@matthew-dean matthew-dean merged commit 0715d90 into less:master Apr 30, 2020
@eps1lon eps1lon deleted the fix/security-alerts branch April 30, 2020 19:16
matthew-dean added a commit that referenced this pull request May 5, 2020
* fix: Use make-dir instead of mkdirp
* Use compatible make-dir version
@matthew-dean
Member

@alansemenov Released!

Successfully merging this pull request may close these issues.

Prototype Pollution for minimist