Update npm on all supported release lines to address CVE scored 9.8 in minimist package

[mleneveut]

Is your feature request related to a problem? Please describe.
The package mkdir 0.5.1 contains a dependency to minimist 0.0.8, which has the CVE-2020-7598, scored 9.8

Describe the solution you'd like
Remove the package mkdirp or find a maintained alternative.

Others

node -v
v12.16.1

npm -v
6.13.4

list mkdirp
npm@6.13.4 /usr/lib/node_modules/npm
+-- cacache@12.0.3
| `-- mkdirp@0.5.1  deduped
+-- cmd-shim@3.0.3
| `-- mkdirp@0.5.1  deduped
+-- gentle-fs@2.3.0
| `-- mkdirp@0.5.1  deduped
+-- libcipm@4.0.7
| `-- mkdirp@0.5.1  deduped
+-- mkdirp@0.5.1
+-- move-concurrently@1.0.1
| +-- copy-concurrently@1.0.5
| | `-- mkdirp@0.5.1  deduped
| `-- mkdirp@0.5.1  deduped
+-- node-gyp@5.0.5
| `-- mkdirp@0.5.1  deduped
+-- pacote@9.5.11
| `-- mkdirp@0.5.1  deduped
`-- tar@4.4.13
  `-- mkdirp@0.5.1  deduped

[mleneveut]

seems to have been forked and released in v1.0.3 without the minimalist deps : https://github.com/isaacs/node-mkdirp

[mscdex]

This should be posted to the npm issue tracker instead.

[mleneveut]

I did, thx

[mcollina]

I think we should keep this open because we'll need to issue new releases on all LTS line.

[sam-github]

Can the subject be changed to something more specific, is this the plan?

Update npm on all supported release lines to address CVE

Right now, subjects suggests we'll be updating a package deep inside npm's deps, which I assume/hope is not the intention.

[mcollina]

The intention should be for npm to do releases for all those lines and we'll just backport those to all lts lines

[mcollina]

cc @nodejs/tsc this is important.

[targos]

I think this is not important because mkdirp doesn't use minimist in its API (only in the CLI, which is never used by npm or any of its dependencies).

[mcollina]

It is because most vulnerability scanners are going to detect this automatically.

[targos]

If we want to quickly fix this on our side, we can probably just rm -rf deps/npm/node_modules/minimist

[sam-github]

I think hacking deps/npm sets a bad precedent, but given a 10.x is going out tomorrow, maybe it can update npm to the latest (assuming latest fixes this).