Security vulnerability due to a npm script ⚠️

[kulbhushanchand]

By the time this issue was filed, GitHub may have reporter you about the recent security vulnerability detected in a npm script - event-stream flatmap-stream.

Here is the screenshot about my website using minimal-mistakes theme -

To know in detail -

• I don't know what to say. dominictarr/event-stream#116
• https://www.theregister.co.uk/AMP/2018/11/26/npm_repo_bitcoin_stealer/

Possible solution - We may need to revert back to previous version of script.

[kulbhushanchand]

If you are using a crypto-currency related library and if you see flatmap-stream@0.1.1 after running npm ls event-stream flatmap-stream, you are most likely affected.

Update - Minimal mistakes shows flatmap-stream@0.1.0 and not using any crypto-currency related library, So may be not affected. 🤔

[mmistakes]

I don't think we have to do anything. Looks like NPM has removed the malicious version.

> npm ls event-stream flatmap-stream
minimal-mistakes@4.14.1 \minimal-mistakes
`-- npm-run-all@1.8.0
  `-- ps-tree@1.1.0
    `-- event-stream@3.3.4

[mmistakes]

Regardless I updated the NPM dependencies used as part of the build:js scripts when developing the theme. They were quite old.

Doing so, looks like event-stream is no longer used so we should be in the clear now.

> npm ls event-stream flatmap-stream
minimal-mistakes@4.14.1 \minimal-mistakes
`-- (empty)