Upstream dependency has a vulnerability (minimist 0.0.8 from mkdirp 0.5.1)

[DarthHater]

Hi there!

I work on a tool called auditjs, and in one of our scans of our tool, we discovered that:

(base) 527 auditjs (DependencyBumps)$ npm ls minimist --production
[email protected] /Users/jeffryhesse/code/sonatype/auditjs
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] 

CVE for minimist is here:

https://nvd.nist.gov/vuln/detail/CVE-2020-7598

You'll want to examine the actual risk to your application, but my suggestion would be to just remove the mkdirp dependency:

The suggestion from me (and I'd gladly send you the PR to do so) is to remove the mkdirp and use fs.mkDirSync in node 10.12 forward. Node 8 is sunset at this point.

You can do: fs.mkdirSync(targetDir, { recursive: true }); to accomplish what mkdir -p does.

Let me know if you'd like a PR, glad to help out!

We use node-persist by the way and I love it. Thanks a ton for creating this!

[akhoury]

sure @DarthHater PR is welcomed, sorry for the late reply, been crazy busy lately

[DarthHater]

@akhoury PR sent!

[akhoury]

thanks! [email protected] published

[DarthHater]

Appreciate it, you and this project @akhoury !