Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Update make-dir to resolve vulnerable dependency #3806

Open
bloep opened this issue Jul 6, 2023 · 6 comments · May be fixed by #4250
Open

Update make-dir to resolve vulnerable dependency #3806

bloep opened this issue Jul 6, 2023 · 6 comments · May be fixed by #4250
Assignees
@iChenLei
Labels
bug

Comments

@bloep
Copy link

bloep commented Jul 6, 2023

the less.js dependency make-dir is not up-to-date and causes security warning due to its outdated dependency.
see GHSA-c2qf-rxjj-qqgw

$ npm ls semver  
less@4.1.3 project
└─┬ make-dir@2.1.0
       └── semver@5.7.1

I would suggest updating to a current make-dir version here.
A quick search showed that it is only used here, so from my point of view an update should bring little problems.

less.js/packages/less/bin/lessc

Lines 163 to 172 in 7491578

if (mkdirp === undefined) {
try {
mkdirp = require('make-dir');
} catch (e) {
mkdirp = null;
}
}
cmd = mkdirp && mkdirp.sync || fs.mkdirSync;
cmd(dir);

@bloep bloep added the bug label Jul 6, 2023
@stefandobre
Copy link

It appears an outdated version of semver is also referenced as a dev dependency here:

less.js/packages/less/package.json

Line 100 in 4d3189c

"semver": "^6.3.0",

@stefandobre
Copy link

@iChenLei, is there any update on this? If not, would a pull request be welcome?

@Den-dp
Copy link

Den-dp commented Aug 2, 2023

it was fixed on make-dir side, run npm audit fix or try to reinstall less

@jorenbroekema
Copy link

it was fixed on make-dir side, run npm audit fix or try to reinstall less

That will only fix it if you use --force because the vulnerability fix has not been done in v2 of make-dir, but rather in the next major(s).

This means it would be best if less can upgrade make-dir to the latest major version.

Dunno if this repo is still maintained but I'd be open to creating a pull request.

@iChenLei
Copy link
Member

iChenLei commented Dec 7, 2023

@jorenbroekema PR welcome

This was referenced Dec 7, 2023
Closed
Open
@jorenbroekema
Copy link

@iChenLei done #4250

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@iChenLei iChenLei

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(less): upgrade make-dir to v4 to fix security vulnerability jorenbroekema/less.js
7 participants
@matthew-dean @Den-dp @iChenLei @stefandobre @bloep @jorenbroekema and others