Critical Vulnerability

[jrwiegand]

A critical vulnerability has popped up today with event-stream, can this be updated ASAP?

Related links:

• https://www.npmjs.com/advisories/737
• I don't know what to say. dominictarr/event-stream#116
• Insecure dependency remy/nodemon#1469

NPM Audit

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Malicious Package                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ flatmap-stream                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-nodemon [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-nodemon > event-stream > flatmap-stream                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/737                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Malicious Package                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ flatmap-stream                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-nodemon [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-nodemon > nodemon > pstree.remy > ps-tree >             │
│               │ event-stream > flatmap-stream                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/737                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Malicious Package                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ flatmap-stream                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > pstree.remy > ps-tree > event-stream >             │
│               │ flatmap-stream                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/737                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 critical severity vulnerabilities in 17907 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

[yoelfme]

any update about this?, is going to be really helpful, please, merge the PR 👍

[aal89]

Yeah, but which one? Mine or @sebaplaza's one?

I might be missing something but I am not trusting @right9ctrl right now. So I followed advise and not updated to version 4 of event-stream*, instead pinned it to version 3.3.4 so that all malicious packages in peoples cache also gets flushed. This also means my PR is of lowest impact.

Not sure which one is better tho. Do people have any ideas on which one to merge?

*@right9ctrl seemed to have created v4 deliberately in his plan to deliver the malicious code. So what does v4 really do?

[yoelfme]

@aal89 yours, because the recommended action is update event-stream to 3.3.4, so your PR makes the same thing that people in ps-tree did https://github.com/indexzero/ps-tree/pull/34/files, go ahead!

[sebaplaza]

@aal89 i agree with you, the v4 was possibly created to hide the old malicious code.

anyways, the v4 also add the flatmap function (a clean one).
dominictarr/event-stream@908fee5

and flatmap-stream dependency has been removed
dominictarr/event-stream@2bd63d5

@right9ctrl user doesn't exists anymore on github, and the repo owner is still @dominictarr.

npm owner has been removed too.

$ npm owner ls event-stream
npm <npm@npmjs.com>

We must upgrade old nodemon dependency too.

[yoelfme]

so the final PR will include lock the event-stream package and upgrade nodemon?

[aflext]

Why haven't this issue been solved? So many days have past

[aal89]

I have updated my PR removing the event-stream dependency entirely and also updated nodemon to 1.18.7. The test ran fine(?). Why was it (event-stream) being used in the first place?

[sebaplaza]

you're right @aal89, event-stream is not being used at all. So, if @JacksonGariety is ok, we should remove event-stream dependency.

looking at the source, the module colors is useless too.

i think this project needs a clean up.

about your PR, i think you should commit package-lock.json too, as a good practice.

[aal89]

Yeah you're right, this project could use cleaning. Right now I'm going to stay focussed on this issue alone. I will update the PR and include the package-lock.json too. Thanks for the feedback!

[sebaplaza]

Well, this is not only a vulnerability anymore, as you know event-stream@3.3.6 has been unpublished.

This means that gulp-nodemon is actually broken.

Well, as a workaround, you can use @aal89 version...

    "gulp-nodemon": "github:aal89/gulp-nodemon#8c46ee1ffe02c4b80b0452bd6b3b8c587ab17b79",

[jrwiegand]

I am not sure if others have reached out to @JacksonGariety but he seems quite unresponsive. I think the workaround may be the best bet for the near-future. I hope that I am wrong.

[simison]

I am not sure if others have reached out to @JacksonGariety but he seems quite unresponsive.

2-3 days to respond isn't that long time to wait in open source world, especially in the middle of the week. ;-)

Pinged directly at #164 (comment)

[binarykitchen]

yeah come on, it's important - waiting here too!

[binarykitchen]

Looks like it's done but not on npm yet ... publish it now?

[jrwiegand]

Looks like it's done but not on npm yet ... publish it now?

@binarykitchen Version 2.4.2 is the fixed version and that version is published to npm.

See here: https://www.npmjs.com/package/gulp-nodemon

2.4.2 does not have release on GitHub yet.

BTW, thank you @JacksonGariety for moving quickly on this issue.

[binarykitchen]

well @jrwiegand, yarn outdated gives me a different version:

└─❱❱❱ yarn outdated                                                                                                                                                    +9998 17:40 ❰─┘
yarn outdated v1.12.3
info Color legend :
 "<red>"    : Major Update backward-incompatible updates
 "<yellow>" : Minor Update backward-compatible features
 "<green>"  : Patch Update backward-compatible bug fixes
Package       Current Wanted Latest Package Type    URL
gulp-nodemon  2.4.1   exotic exotic devDependencies github:aal89/gulp-nodemon#8c46ee1ffe02c4b80b0452bd6b3b8c587ab17b79

Why it is suggesting exotic over 2.4.2 and why is the URL pointing to a fork, from github:aal89/gulp-nodemon?

[jrwiegand]

@binarykitchen I do not use yarn and cannot speak to the reason that package would be outdated there. It is clearly available in npm's registry as I comment above.