
v8.0.0 - mkdirp should be on 0.5.3 at least

Open jessewlee opened this issue 5 years ago • 3 comments

mkdirp should be on 0.5.3 to prevent security exploit introduced from minimist

ref: https://snyk.io/test/npm/mkdirp/0.5.0

jessewlee avatar Mar 25 '20 18:03 jessewlee

fixed 10.1.0

sergcen avatar Nov 04 '20 16:11 sergcen

mind if we close this issue?

peter-mouland avatar Mar 11 '21 12:03 peter-mouland

postcss-url 10 requires postcss 8. Not the entire ecosystem is ready yet for a migration from postcss 7 to postcss 8! There are some environments which I simply cannot update yet.

➡️ Would you please consider applying the fix of updating mkdirp also on postcss-url 9?

Thank you so much!

Reference:

# npm audit report

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss-url/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/postcss-url/node_modules/mkdirp
    postcss-url  9.0.0 - 10.0.0
    Depends on vulnerable versions of mkdirp
    node_modules/postcss-url

3 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

LeoniePhiline avatar Mar 16 '21 21:03 LeoniePhiline
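The audit report in the comment above shows why a pinned transitive dependency (postcss-url > mkdirp > minimist) keeps a project on a vulnerable version. The following script is an added example, not part of the postcss-url project or of any comment in this thread: it walks an `npm ls --json`-shaped tree (the sample tree is constructed to mirror the report) and prints every path that ends in a version inside the advisory ranges quoted there.

```javascript
// Added example: report dependency paths whose version falls inside an
// advisory range. Ranges are the ones quoted in the audit report above;
// the tree is a constructed stand-in for `npm ls --json` output.
const ADVISORIES = {
  minimist: "<0.2.1 || >=1.0.0 <1.2.3",
  mkdirp: "0.4.1 - 0.5.1",
};

// Compare plain x.y.z versions (no prerelease tags) numerically.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Handles the two range shapes npm audit printed above: comparator sets
// joined by "||" (e.g. "<0.2.1 || >=1.0.0 <1.2.3") and hyphen ranges.
function inRange(version, range) {
  return range.split("||").some((clause) => {
    clause = clause.trim();
    const hyphen = clause.match(/^(\S+)\s+-\s+(\S+)$/);
    if (hyphen) return cmp(version, hyphen[1]) >= 0 && cmp(version, hyphen[2]) <= 0;
    return clause.split(/\s+/).every((c) => {
      const m = c.match(/^(<=|>=|<|>|=)?(.+)$/);
      const r = cmp(version, m[2]);
      switch (m[1] || "=") {
        case "<": return r < 0;
        case "<=": return r <= 0;
        case ">": return r > 0;
        case ">=": return r >= 0;
        default: return r === 0;
      }
    });
  });
}

// Depth-first walk; returns "a@1 > b@2" style paths for every vulnerable node.
function findVulnerable(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (ADVISORIES[name] && inRange(node.version, ADVISORIES[name])) out.push(here.join(" > "));
    findVulnerable(node, here, out);
  }
  return out;
}

// Constructed sample mirroring the report: postcss-url 9 pins mkdirp 0.5.1.
const SAMPLE_TREE = { dependencies: { "postcss-url": { version: "9.0.0",
  dependencies: { mkdirp: { version: "0.5.1", dependencies: { minimist: { version: "0.0.8" } } } } } } };
findVulnerable(SAMPLE_TREE).forEach((p) => console.log("vulnerable:", p));
```

Run against real output with `npm ls --json --all` piped into `findVulnerable` to see which top-level package is holding the vulnerable range in place.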