Fix event-stream vulnerability issue

[JavierCane]

We have the following two security alerts opened by GitHub:

These security bugs are related to the just published vulnerabilities on the event-stream package in versions 3.3.6 and later. Here we can find more information about it:

• Twitter thread by garybernhardt
• Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)
• Exploiting developer infrastructure is insanely easy

Seeking for the usage of the event-stream package in the examples, I've found the following occurrences:

• Lesson 13-ssr-nuxt -> yarn.lock
• Lesson 13-ssr-nuxt -> package-lock.json

It seems to be added as a transitive dependency by the ps-tree@^1.1.0 package, which is added by the pstree.remy@^1.1.0 one, added by the nodemon@^1.11.0 one. This nodemon package is the one we really ask for in our package.json.

Searching for related issues, we can see the following ones in the nodemon repo:

• Insecure dependency remy/nodemon#1469
• pstree vuln / pstree upgrade / Error: listen EADDRINUSE: address already in use remy/nodemon#1463 (comment)

The commit referenced as a fix for the vulnerability doesn't contain the removal of the pstree[.remy] dependency, however, they explicitly claim it solves it.

@juanmaguitar:

• Can you please help us out in how to solve this issue?
• It would be enough just bumping from "nodemon": "^1.11.0" to "nodemon": "^1.18.7" in our package.json?
• Would it be compatible with the rest of the app?
• Additionally, I would recommend checking out the servers where you've deployed the app in order to fix this vulnerability 👼

[juanmaguitar]

@JavierCane nodemon package is a package only needed for development so:

• Is not a critical issue because the vulnerability only affects to development environment (not production)
• Updating the nodemon package (as you say) should be enough.