fix: Use make-dir instead of mkdirp

less / less.js

Less. The dynamic stylesheet language.

http://lesscss.org

Apache License 2.0

17.02k stars 3.41k forks source link

fix: Use make-dir instead of mkdirp #3490

Closed eps1lon closed 4 years ago

eps1lon commented 4 years ago

Closes #3487

minimist has the vulnerability. By removing mkdirp@0.x (which is deprecated anyway) we get rid of minimist.

Note that we already have to use an outdated version of make-dir since less supports node 6 (has reached end-of-life a year ago) while make-dir@latest only supports node 8 (which also reached end-of-life since end of last year).

alansemenov commented 4 years ago

@matthew-dean can you prioritise this fix and a new release please? we are getting security warnings in all of our repos that use less.js because of the deprecated/vulnerable mkdirp dependency.

matthew-dean commented 4 years ago

@alansemenov Released!