
Upgrade event-stream to 3.3.4 #259

Closed · wants to merge 1 commit

Conversation

@chrisseto commented Nov 26, 2018

  • A dep of event-stream (flatmap-stream) was recently removed from NPM

See flatmap-stream and the dependencies tab of event-stream.

Note: To reproduce the installation failure, remove package-lock.json, node_modules and run npm install --cache /tmp/empty

@chrimesdev commented

@chrisseto should it be a downgrade to 3.3.4 rather than upgrade to 4.0.0?

Vulnerable versions: > 3.3.4
Patched version: No fix
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in versions 3.3.6 and later. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4.

@durandt commented Nov 27, 2018

Agreed with AdamChrimes: the right fix is to target no version later than 3.3.4 (like lijunle@3e7f933).
4.0.0 may not contain the malicious code, BUT there is as yet no guarantee about what future releases will bring.

Even better, remove the dependency on event-stream, since it is not (or poorly) maintained.

  * A dep of event-stream (flatmap-stream) was recently removed from NPM
    for containing malicious code.
@chrisseto changed the title from "Upgrade event-stream to 4.x.x" to "Upgrade event-stream to 3.3.4" on Nov 27, 2018
@muuki88 left a comment

LGTM.

@dbemiller (Contributor) commented Nov 30, 2018

Even better, remove the dependency on event-stream, since it is not (or poorly) maintained.

This turned out to be really easy, so... I did it. See #261.

@chrisseto (Author) commented

Closed in favor of #261

@chrisseto chrisseto closed this Dec 19, 2018
5 participants