Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove event-stream dependency #149

Closed
XhmikosR opened this issue Nov 22, 2018 · 7 comments
Closed

Remove event-stream dependency #149

XhmikosR opened this issue Nov 22, 2018 · 7 comments

Comments

@XhmikosR
Copy link

@mysticatea please check dominictarr/event-stream#116
@jaydenseric
Copy link

To know if your project is in danger, run:

npm ls event-stream flatmap-stream

The bad actor has publishing rights to event-stream and flatmap-stream contains the malicious code (specifically flatmap-stream@0.1.1, but any future version can't be trusted).

Here is an example result from one of my projects:

[redacted]
└─┬ npm-run-all@4.1.3
  └─┬ ps-tree@1.1.0
    └─┬ event-stream@3.3.6
      └── flatmap-stream@0.1.2

@mysticatea
Copy link
Owner

Wow, thank you for the pointing.

@XhmikosR
Copy link
Author

@mysticatea Maybe try replacing the unmaintained ps-tree with something else like https://github.com/sindresorhus/fkill?

@mysticatea
Copy link
Owner

mysticatea commented Nov 24, 2018
edited
Loading

I have removed ps-tree in this dependency and published 4.1.4. (But 4.1.4 can be buggy because it does not kill descendant processes). The fkill's tree option looks supported only on Windows. I'm considering.

@XhmikosR
Copy link
Author

Hmm, maybe it's not wise to have released it as a minor bump if if 4.1.4 is buggy?

@mysticatea
Copy link
Owner

I will try pidtree package and publish fixed version ASAP.

@mysticatea
Copy link
Owner

I have published 4.1.5. Thank you!

yhatt added a commit to marp-team/marpit that referenced this issue Nov 24, 2018
@yhatt
Upgrade dependent packages to latest
ad8e110 
It includes an upgrade to avoid the malicious attack included in
dependency of npm-run-all.

See: mysticatea/npm-run-all#149
@yhatt yhatt mentioned this issue Nov 24, 2018
Merged
yhatt added a commit to marp-team/marp-core that referenced this issue Nov 24, 2018
@yhatt
Upgrade dependent packages to latest
292231b 
It includes an upgrade to prevent the malicious attack included in
dependency of npm-run-all.

See: mysticatea/npm-run-all#149
yhatt added a commit to marp-team/marp-cli that referenced this issue Nov 24, 2018
@yhatt
Upgrade dependent packages to latest
f4ef36a 
It includes an upgrade to prevent the malicious attack included in
dependency of npm-run-all.

See: mysticatea/npm-run-all#149
@jsayol jsayol mentioned this issue Nov 26, 2018
Closed
gitgrimbo added a commit to gitgrimbo/harviewer that referenced this issue Nov 26, 2018
@gitgrimbo
fix: npm-run-all security issue
287ef33 
mysticatea/npm-run-all#149
This was referenced Nov 27, 2018
Merged
Merged
sihoang pushed a commit to sihoang/charity-staking that referenced this issue Nov 27, 2018
fix backdoor in event-stream mysticatea/npm-run-all#149
5590a29
This was referenced Nov 27, 2018
Closed
Closed
@silentworks silentworks mentioned this issue Nov 27, 2018
Closed
@TehShrike TehShrike mentioned this issue Nov 27, 2018
Closed
@amclin amclin mentioned this issue Nov 27, 2018
Closed
amclin added a commit to amclin/aem-packager that referenced this issue Nov 27, 2018
@amclin
Fixes #34 by updating npm-run-all dependency reported in mysticatea/n…
6a565a0 
…pm-run-all#149
@amclin amclin mentioned this issue Nov 27, 2018
Merged
@kpajdzik kpajdzik mentioned this issue Nov 28, 2018
Merged
@nicu-chiciuc nicu-chiciuc mentioned this issue Dec 10, 2018
Closed
bryanstearns added a commit to infinitered/ignite-bowser that referenced this issue Dec 27, 2018
@bryanstearns
Bump npm-run-all version for security
eb8e352 
npm-run-all 4.1.3 depends indirectly on flatmap-stream, which has been yanked
from npm because it contained malicious code:

https://www.npmjs.com/advisories/737
mysticatea/npm-run-all#149
@bryanstearns bryanstearns mentioned this issue Dec 27, 2018
Merged
jamonholmgren pushed a commit to infinitered/ignite-bowser that referenced this issue Dec 27, 2018
@bryanstearns @jamonholmgren
fix(security): Bump npm-run-all version for security (#137)
54e4707 
npm-run-all 4.1.3 depends indirectly on flatmap-stream, which has been yanked
from npm because it contained malicious code:

https://www.npmjs.com/advisories/737
mysticatea/npm-run-all#149
@mysticatea mysticatea mentioned this issue Jun 4, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@XhmikosR @jaydenseric @mysticatea