Update mkdirp dependency

[mihaifm]

mkdirp 0.5.1 uses minimist 0.0.8 which is reported to have a sec vulnerability CVE-2020-7598

thanks

[LinusU]

Hmm, I don't think we can do this in a non-breaking way? mkdirp 1.x only supports Node.js 10 and up 😬

If this pans out we can update: isaacs/node-mkdirp#7 (comment)

[karlhorky]

Edit: Use mkdirp@0.5.3 - the problem is fixed there.

For anyone using multer and looking for a workaround for the interim, using Yarn Resolutions you can specify this version number, even though it doesn't match the semver range of mkdirp (basically like applying isaacs/node-mkdirp#8).

Add this to your package.json if you're using Yarn and run yarn to update your lockfile:

  "resolutions": {
    "**/mkdirp/minimist": "0.2.1"
  }

[LinusU]

A fix has been published to Npm 👏

You should be able to update that package specifically with something like:

npm update mkdirp --depth=20

Or you could just remove your node_modules and package-lock.json file and run npm install again.

I don't think that we need to take any action here since we are already depending on ^0.5.1 which includes the newly published 0.5.3 🎉

[mihaifm]

thanks everyone for the quick resolution