
COMPROMISED DEPENDENCY event-stream / flatmap-stream #678

Closed
TomDemulierChevret opened this issue Nov 29, 2018 · 5 comments
@TomDemulierChevret

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report  
[ ] Performance issue
[ ] Feature request
[ ] Documentation issue or request
[ ] Support request => https://github.com/ngxs/store/blob/master/CONTRIBUTING.md
[x] Other... Please describe: Security issue

Current behavior

Currently ngxs contains a dependency on 1 compromised npm package: flatmap-stream:

npm ls event-stream flatmap-stream
ngxs@3.3.0 C:\Users\tdemulier\WebstormProjects\ngxs
`-- npm-run-all@4.1.3
  `-- ps-tree@1.1.0
    `-- event-stream@3.3.6
      `-- flatmap-stream@0.1.1

The author of event-stream has given npm publishing rights to another user, who used them to publish malicious code (via flatmap-stream).

This dependency is linked to ngxs via npm-run-all, which is only a devDependency, so it shouldn't put end users of the library at risk.
But you should still get rid of it.

If you want to read more about this issue:

Expected behavior

The dependencies should be updated so that they do not contain a compromised package.
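The `npm ls` output above shows the full path from the project down to the compromised package and whether the path runs through a devDependency only. The script below is an added example (not part of this issue or the ngxs project) that automates that check: it walks a dependency tree in the shape `npm ls --json` produces (`name`, `version`, `dependencies`), flags any package at a version listed as compromised, records the path to it, and reports whether production dependencies are exposed. The advisory list is built from the two versions named in the issue (event-stream@3.3.6 and flatmap-stream@0.1.1); the sample tree is constructed to mirror the issue's chain, and the `dev` flag used to separate dev-only nodes is an assumption about the tree format (it matches the flag in package-lock.json v2+; adapt it if your tool reports dev-only status differently).

```javascript
// Added example, not from the ngxs issue or project: detect compromised
// package versions in a dependency tree and report the path to each hit.

// Advisory list built from the versions named in the issue.
const COMPROMISED = {
  'flatmap-stream': new Set(['0.1.1']),
  'event-stream': new Set(['3.3.6']),
};

// Constructed sample tree mirroring the `npm ls` chain in the issue.
// `dev: true` is assumed here to mark nodes reachable only via devDependencies.
const sampleTree = {
  name: 'ngxs',
  version: '3.3.0',
  dependencies: {
    'npm-run-all': {
      version: '4.1.3',
      dev: true,
      dependencies: {
        'ps-tree': {
          version: '1.1.0',
          dev: true,
          dependencies: {
            'event-stream': {
              version: '3.3.6',
              dev: true,
              dependencies: {
                'flatmap-stream': { version: '0.1.1', dev: true },
              },
            },
          },
        },
      },
    },
    // Unrelated production dependency (constructed) that must not be flagged.
    rxjs: { version: '6.3.3' },
  },
};

// Depth-first walk; returns one finding per compromised node:
// { name, version, path, devOnly }.
function findCompromised(tree, advisories = COMPROMISED) {
  const findings = [];
  const visit = (node, name, path) => {
    const bad = advisories[name];
    if (bad && bad.has(node.version)) {
      findings.push({
        name,
        version: node.version,
        path: path.join(' > '),
        devOnly: node.dev === true,
      });
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      visit(child, childName, [...path, `${childName}@${child.version}`]);
    }
  };
  visit(tree, tree.name, [`${tree.name}@${tree.version}`]);
  return findings;
}

// Summary for CI: any finding fails the check; prodExposure tells you whether
// a hit is reachable from production dependencies (shipped to end users).
function assess(tree, advisories = COMPROMISED) {
  const findings = findCompromised(tree, advisories);
  return {
    findings,
    prodExposure: findings.some((f) => !f.devOnly),
    failed: findings.length > 0,
  };
}

// Stand-alone usage: `npm ls --all --json > tree.json && node check.js tree.json`
// (npm 7+ needs --all for the full tree). Without an argument the sample runs.
if (typeof require === 'function' && typeof module !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const tree = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : sampleTree;
  const result = assess(tree);
  for (const f of result.findings) {
    console.log(`${f.name}@${f.version} via ${f.path} (${f.devOnly ? 'devDependency only' : 'PRODUCTION'})`);
  }
  console.log(result.failed ? 'FAIL: compromised versions present' : 'OK');
}
```

For the tree in the issue this reports both event-stream@3.3.6 and flatmap-stream@0.1.1 with `devOnly` true and `prodExposure` false, which is exactly the assessment made in the issue: end users are not exposed, but the packages still have to go. Updating the direct dependency that pulls them in and re-running the check (or checking the lockfile, as the comments below do) confirms the remediation.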

@TomDemulierChevret TomDemulierChevret changed the title /!\ COMPROMISED DEPENDENCY event-stream / flatmap-stream /!\ COMPROMISED DEPENDENCY event-stream / flatmap-stream Nov 29, 2018
@splincode
Member

@markwhitfeld ping

@Thenis
Contributor

Thenis commented Nov 29, 2018

Updating npm-run-all to v4.1.5 will fix the issue: mysticatea/npm-run-all#155

@eranshmil
Member

The locked version is 4.1.5, as you can see in the yarn.lock: https://github.com/ngxs/store/blob/master/yarn.lock#L5937

@splincode
Member

@markwhitfeld please publish new version 3.3.2

@eranshmil
Member

I guess that you can close this issue.
