#656 Upgrades coverall and mkdirp version to fix security issues #657

Closed
wants to merge 3 commits into from

ashishkujoy

The current versions of coverall and mkdirp used in node-tap have a transitive dependency on minimist below 1.2.2, and those versions have security issues. The pull request upgrades coverall and mkdirp to their current latest versions and hence fixes all security issues.
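The check the description above implies, as an added example that is not part of the original pull request or of node-tap: walk an npm lockfile and list every installed copy of minimist below 1.2.2. It assumes the nested `dependencies` layout of a `lockfileVersion: 1` lockfile; the function names and the sample lockfile (including all package versions in it) are constructed for illustration.

```javascript
// Added example. FIXED is the minimist version named in the PR description.
const FIXED = [1, 2, 2];

// True when "x.y.z" sorts below FIXED; pre-release/build suffixes are ignored.
function isBelowFixed(version) {
  const parts = String(version).split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

// Walk the nested "dependencies" tree and return the install path of every
// copy of `name` that is older than FIXED. In this lockfile layout, nesting
// reflects where a copy is installed in node_modules, so the trail shows
// which package carries its own private copy; hoisted copies appear at the top.
function findOldCopies(lock, name = 'minimist') {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      const here = trail.concat(`${pkg}@${meta.version}`);
      if (pkg === name && isBelowFixed(meta.version)) hits.push(here.join(' > '));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: two nested old copies and one patched, hoisted copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    coveralls: { version: '3.0.0', requires: { minimist: '^1.2.0' },
      dependencies: { minimist: { version: '1.2.0' } } },
    mkdirp: { version: '0.5.1', requires: { minimist: '0.0.8' },
      dependencies: { minimist: { version: '0.0.8' } } },
    minimist: { version: '1.2.5' },
  },
};

console.log(findOldCopies(sampleLock));
```

Running the same walk after an upgrade and getting an empty list confirms that no old copy remains anywhere in the tree, including copies nested under other packages.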

@ashishkujoy ashishkujoy changed the title Upgrades coverall and mkdirp version to fix security issues #656 Upgrades coverall and mkdirp version to fix security issues Mar 19, 2020
ashishkujoy (Author) commented Mar 19, 2020

Hi @isaacs @kusor, could you guys please have a look at this PR, and if things look good to you, please merge it and publish the version so that other packages which depend on this can resolve the security issues.

kusor (Contributor) commented Mar 19, 2020

Changes look fine @ashishkujoy. You should wait for @isaacs's confirmation anyway, it's been ages since the last time I looked at this code :-)

@mhsalves

@isaacs pls! Don't forget that PR. I'm looking forward :)

@ashishkujoy (Author)

> Changes look fine @ashishkujoy. You should wait for @isaacs's confirmation anyway, it's been ages since the last time I looked at this code :-)

Sure

@coreyfarrell (Member)

mkdirp cannot be upgraded in tap v14. tap v14 supports node.js 8 where mkdirp 1.x requires node.js 10.

Note tap v15 (still in development) will not use mkdirp.

ashishkujoy (Author) commented Mar 22, 2020

> mkdirp cannot be upgraded in tap v14. tap v14 supports node.js 8 where mkdirp 1.x requires node.js 10.
>
> Note tap v15 (still in development) will not use mkdirp.

If that is the case, then how come the build passes on Travis CI even on node 8?

https://travis-ci.org/github/tapjs/node-tap/builds/664510495?utm_source=github_status&utm_medium=notification

Even if you guys are planning to remove mkdirp in tap v15, for me it makes sense to get a patch release with resolved security issues till the major release.

@coreyfarrell (Member)

The fact that mkdirp 1.x currently works on node 8 does not change the fact that it's not supported. A patch release was made to mkdirp 0.x so you can update to latest 0.x.

ashishkujoy (Author) commented Mar 22, 2020

> The fact that mkdirp 1.x currently works on node 8 does not change the fact that it's not supported. A patch release was made to mkdirp 0.x so you can update to latest 0.x.

Well, going by that theory, Node.js 8 itself is not even an LTS now.
