Home Original page

Update npm on all supported release lines to address CVE scored 9.8 in minimist package

Is your feature request related to a problem? Please describe.
The package mkdir 0.5.1 contains a dependency to minimist 0.0.8, which has the CVE-2020-7598, scored 9.8

Describe the solution you'd like
Remove the package mkdirp or find a maintained alternative.

Others

node -v
v12.16.1

npm -v
6.13.4

list mkdirp
npm@6.13.4 /usr/lib/node_modules/npm
+-- cacache@12.0.3
| `-- mkdirp@0.5.1  deduped
+-- cmd-shim@3.0.3
| `-- mkdirp@0.5.1  deduped
+-- gentle-fs@2.3.0
| `-- mkdirp@0.5.1  deduped
+-- libcipm@4.0.7
| `-- mkdirp@0.5.1  deduped
+-- mkdirp@0.5.1
+-- move-concurrently@1.0.1
| +-- copy-concurrently@1.0.5
| | `-- mkdirp@0.5.1  deduped
| `-- mkdirp@0.5.1  deduped
+-- node-gyp@5.0.5
| `-- mkdirp@0.5.1  deduped
+-- pacote@9.5.11
| `-- mkdirp@0.5.1  deduped
`-- tar@4.4.13
  `-- mkdirp@0.5.1  deduped