
Fix CVE-2020-7598 about tslint (CLOSED, 14 comments)

WPMGPRoSToTeMa avatar WPMGPRoSToTeMa commented on June 29, 2024 1
Fix CVE-2020-7598

from tslint.

Comments (14)

Eyas avatar Eyas commented on June 29, 2024 2

Note that mkdirp 1.0.0 requires node >= 10 but tslint still claims to support node >= 4.8.0

The right solution is probably to update mkdirp to 0.5.3 first and make a minor version bump.

You might consider a major version bump to update to mkdirp 1.x, but you'd need to move engine to node >= 10 (which is probably reasonable).


praneetloke avatar praneetloke commented on June 29, 2024 1

It looks like tslint depends on mkdirp, which has minimist as a direct dependency. Someone opened a PR to upgrade the minimist version here: isaacs/node-mkdirp#8.

EDIT: It actually looks like the latest version (1.0.0+) of mkdirp no longer has a direct dependency on minimist. It was removed in this commit. tslint uses [email protected], which does have a very old version of minimist.


hansnull avatar hansnull commented on June 29, 2024 1

FYI:

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve

Visit https://go.npm.me/audit-guide for additional guidance

Moderate        Prototype Pollution
Package         minimist
Patched in      >=1.2.3
Dependency of   tslint [dev]
Path            tslint > mkdirp > minimist
More info       https://npmjs.com/advisories/1179

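The audit report above is the output of a tree walk: npm looks at every resolved package, compares its version with the advisory's patched range, and prints the dependency path that pulled it in. The following is an added example, not code from the tslint project or from anyone in this thread, that does the same check over an `npm ls --json`-style tree. The tree, the package versions in it and the advisory table are constructed for the demo; the patched range `>=1.2.3` and the `tslint > mkdirp > minimist` path are the ones the report shows.

```javascript
// Added example: walk a dependency tree and report every path ending in a
// package whose resolved version is below the advisory's patched version.
// Plain x.y.z comparison only; prerelease tags are not handled here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// advisories maps a package name to the first patched version; every
// resolved version below it counts as affected.
function findVulnerablePaths(tree, advisories) {
  const hits = [];
  function walk(node, path) {
    const deps = node.dependencies || {};
    for (const [name, info] of Object.entries(deps)) {
      const here = path.concat(name);
      const patched = advisories[name];
      if (patched && compareVersions(info.version, patched) < 0) {
        hits.push({
          path: here.join(' > '),
          version: info.version,
          patchedIn: '>=' + patched,
        });
      }
      walk(info, here); // nested (non-hoisted) dependencies
    }
  }
  walk(tree, [tree.name]);
  return hits;
}

// Constructed sample tree mirroring the path npm audit reported above.
// Versions are illustrative; only the shape matters for the walk.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    tslint: {
      version: '6.1.0',
      dependencies: {
        mkdirp: {
          version: '0.5.1',
          dependencies: {
            minimist: { version: '0.0.8' },
          },
        },
      },
    },
    // A hoisted, already-patched copy elsewhere in the tree is not reported.
    minimist: { version: '1.2.5' },
  },
};

// Constructed advisory table: minimist patched in >=1.2.3 (per the report).
const ADVISORIES = { minimist: '1.2.3' };

// Renders hits in the same "Path / Patched in" style as npm audit.
function formatReport(hits) {
  return hits.map(
    (h) => `${h.path} (${h.version}, patched in ${h.patchedIn})`
  );
}

console.log(formatReport(findVulnerablePaths(SAMPLE_TREE, ADVISORIES)).join('\n'));
```

Running the block prints the single affected path, `my-app > tslint > mkdirp > minimist (0.0.8, patched in >=1.2.3)`; the hoisted `minimist@1.2.5` at the top level is skipped because it already satisfies the patched range. This is also why the thread's fix works: moving mkdirp to a release that depends on a patched minimist removes the only path that resolves to the old version.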

WPMGPRoSToTeMa avatar WPMGPRoSToTeMa commented on June 29, 2024 1

@adidahiya are you going to release a new version with the fix for this?


JoshuaKGoldberg avatar JoshuaKGoldberg commented on June 29, 2024

Quick reference: GHSA-7fhm-mqm4-2wp7

TSLint is also affected

Is it? There aren't any security vulnerabilities posted to TSLint right now. https://github.com/palantir/tslint/security/advisories

If there are, accepting PRs to fix for them. Until then, I don't believe there's any action that needs to be taken? (we don't depend on acorn, for example)


WPMGPRoSToTeMa avatar WPMGPRoSToTeMa commented on June 29, 2024

@JoshuaKGoldberg that is weird. TSLint has minimist dependency which is affected by the vulnerability.


JoshuaKGoldberg avatar JoshuaKGoldberg commented on June 29, 2024

It's possible that only devDependency versions are affected. Or, GitHub is still processing the alert, and we haven't gotten it yet 😄


JoshuaKGoldberg avatar JoshuaKGoldberg commented on June 29, 2024

Excellent, thanks for the additional info folks! Accepting PRs to bump to a version of minimist mkdirp that doesn't have the dependency on (an old version of) minimist.


JoshuaKGoldberg avatar JoshuaKGoldberg commented on June 29, 2024

tslint still claims to support node >= 4.8.0

That is... quite far back, and probably no longer true in practice 😬. Amusing.

Per https://www.npmjs.com/package/mkdirp#platform-support:

This module works on node v8, but only v10 and above are officially supported, as Node v8 reached its LTS end of life 2020-01-01, which is in the past, as of this writing.

We can take a dependency on the unofficial v8 support decision, for those same reasons.


Eyas avatar Eyas commented on June 29, 2024

I just opened a PR before seeing this. I can switch to 1.x and increase node version if you think that's preferable.


JoshuaKGoldberg avatar JoshuaKGoldberg commented on June 29, 2024

0.5.3 works too! So long as minimist is updated.


dscalzi avatar dscalzi commented on June 29, 2024

If you delete your lockfile and minimist + mkdirp in node_modules it will automatically fix this.


adidahiya avatar adidahiya commented on June 29, 2024

just released 6.1.1


JoshuaKGoldberg avatar JoshuaKGoldberg commented on June 29, 2024

🤖 Beep boop! 👉 TSLint is deprecated 👈 and you should switch to typescript-eslint! 🤖

🔒 This issue is being locked to prevent further unnecessary discussions. Thank you! 👋

