-
-
Notifications
You must be signed in to change notification settings - Fork 269
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#656 Upgrades coverall and mkdirp version to fix security issues #657
Conversation
Changes looks fine @ashishkujoy. You should wait for @isaacs confirmation anyway, it's being ages since the last time I looked at this code :-) |
@isaacs pls ! Don't forget that PR. I'm looking forward :) |
Sure |
mkdirp cannot be upgraded in tap v14. tap v14 supports node.js 8 where mkdirp 1.x requires node.js 10. Note tap v15 (still in development) will not use mkdirp. |
If that is the case then how come build passes on the Travis CI even on node8? Even if you guys are planning to remove mkdrp in tapv15, for me it makes sense to get a patch release with resolved security issues till the major release.. |
The fact that mkdirp 1.x currently works on node 8 does not change the fact that it's not supported. A patch release was made to mkdirp 0.x so you can update to latest 0.x. |
Well going by that theory then the node JS 8 itself is not even a LTS now. |
The current version of coverall and mkdirp used in node-tap have a transitive dependency of minimist below 1.2.2 and those versions have security issues. The pull request upgrades and coverall and mkdirp to their current latest version and hence fixes all security issues.