less / less.js

Less. The dynamic stylesheet language.
http://lesscss.org
Apache License 2.0

Update `make-dir` to resolve vulnerable dependency #3806

Open bloep opened 1 year ago

bloep commented 1 year ago

The less.js dependency make-dir is not up to date and causes a security warning due to its outdated dependency. See https://github.com/advisories/GHSA-c2qf-rxjj-qqgw

```
$ npm ls semver
less@4.1.3 project
└─┬ make-dir@2.1.0
  └── semver@5.7.1
```

I would suggest updating to a current make-dir version here. A quick search showed that it is only used here, so from my point of view an update should bring few problems. https://github.com/less/less.js/blob/7491578403a5a35464772c730854c3a5169c0de7/packages/less/bin/lessc#L163-L172

stefandobre commented 1 year ago

It appears an outdated version of semver is also referenced as a dev dependency here: https://github.com/less/less.js/blob/4d3189c05175dfd8aab505ec19c7f5724f145295/packages/less/package.json#L100

stefandobre commented 11 months ago

@iChenLei, is there any update on this? If not, would a pull request be welcome?

Den-dp commented 11 months ago

It was fixed on the make-dir side; run `npm audit fix` or try to reinstall less.

jorenbroekema commented 7 months ago

> It was fixed on the make-dir side; run `npm audit fix` or try to reinstall less.

That will only fix it if you use `--force`, because the vulnerability fix has not been done in v2 of make-dir, but rather in the next major(s).

This means it would be best if less can upgrade make-dir to the latest major version.

Dunno if this repo is still maintained, but I'd be open to creating a pull request.
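An added example (not code from less.js or from anyone in this thread) that walks the JSON tree printed by `npm ls <pkg> --json`, lists every dependency path leading to a package, and flags installed versions below an assumed fixed version. The tree mirrors the `npm ls semver` output quoted above; the threshold `FIXED_SEMVER` is an assumption for the example, not a value taken from the issue.

```javascript
// Constructed sample: the shape `npm ls semver --json` prints for the
// chain less@4.1.3 -> make-dir@2.1.0 -> semver@5.7.1 quoted in the issue.
const sampleTree = {
  name: 'project',
  dependencies: {
    less: {
      version: '4.1.3',
      dependencies: {
        'make-dir': {
          version: '2.1.0',
          dependencies: { semver: { version: '5.7.1' } },
        },
      },
    },
  },
};

// Assumed threshold for this example: first version treated as fixed.
const FIXED_SEMVER = '5.7.2';

// Compare dotted numeric versions (pre-release tags are ignored).
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over the `dependencies` maps; every node named pkgName
// is reported with the full path that pulls it in, so a reviewer can see
// which direct dependency (here make-dir) has to be bumped.
function findPackagePaths(tree, pkgName, fixedVersion) {
  const hits = [];
  const walk = (node, trail) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const label = `${name}@${dep.version}`;
      if (name === pkgName) {
        hits.push({
          path: [...trail, label].join(' > '),
          version: dep.version,
          vulnerable: versionLessThan(dep.version, fixedVersion),
        });
      }
      walk(dep, [...trail, label]);
    }
  };
  walk(tree, []);
  return hits;
}
```

Feeding real `npm ls semver --json` output to `findPackagePaths` shows whether the outdated copy is a transitive pin (as here, via make-dir) that a plain `npm audit fix` cannot move past a major boundary.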

iChenLei commented 7 months ago

@jorenbroekema PR welcome

jorenbroekema commented 7 months ago

@iChenLei done https://github.com/less/less.js/pull/4250