
Insecure dependency #1469

Closed
skarbovskiy opened this issue Nov 26, 2018 · 15 comments

Comments

@skarbovskiy

dominictarr/event-stream#116

@kbariotis

kbariotis commented Nov 26, 2018

I'm trying to understand which versions of nodemon would have been affected but I don't seem to be able to follow the trail. @remy maybe you have a better view?

@martdavidson

Fails for me on 1.18.5, as it's looking for the 3.3.6 of event-stream, which npm removed.

@martdavidson

It's the ps-tree inclusion: indexzero/ps-tree#33

@inderpreet99

The fix is already implemented through remy/pstree, which no longer depends on ps-tree. The problem is a newer version of nodemon is not packaged and put up on npm.

@remy, can this be expedited?

Thanks.

@lydell

lydell commented Nov 26, 2018

Uninstalling nodemon and then installing it again got rid of the vulnerable sub-dependency for me.

npm uninstall nodemon
npm install --save-dev nodemon

@dcporter

Yeah, @remy already removed the bad dependency from pstree.remy. nodemon could help force the issue by pinning to the new version of pstree.remy (and it would be very nice if it did), but the current version of nodemon is "correct" in that a fresh install of its dependencies will not include the compromised package.

@jerroydmoore

FYI npm audit is flagging this as a critical vulnerability. It would be nice if a patch was available through nodemon

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Malicious Package                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ flatmap-stream                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > pstree.remy > ps-tree > event-stream >             │
│               │ flatmap-stream                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/737                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
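The "Path" row above is what makes this audit finding actionable. The following added example (not code from nodemon or npm) walks a lockfile-v1 package-lock.json the way npm resolves nested versus hoisted entries and prints every path from a direct dependency down to a named package, so a project can confirm the chain is gone after reinstalling. SAMPLE_LOCK is a constructed lockfile mirroring the chain discussed in this thread.

```javascript
// Added example, not code from nodemon or npm: walk a lockfile-v1
// package-lock.json and list every dependency path that reaches a
// named package, like the "Path" row of the npm audit table above.
// SAMPLE_LOCK is constructed to mirror the chain discussed in this thread.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 1,
  dependencies: {
    nodemon:          { version: '1.18.5', requires: { 'pstree.remy': '^1.1.0' } },
    'pstree.remy':    { version: '1.1.0',  requires: { 'ps-tree': '^1.1.1' } },
    'ps-tree':        { version: '1.1.1',  requires: { 'event-stream': '~3.3.0' } },
    'event-stream':   { version: '3.3.6',  requires: { 'flatmap-stream': '~0.1.0' } },
    'flatmap-stream': { version: '0.1.1' },
  },
};

// Resolve `name` the way npm does for lockfile v1: the nearest enclosing
// nested "dependencies" map wins, falling back to the hoisted root map.
function resolve(lock, chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const nested = chain[i].dependencies;
    if (nested && nested[name]) return nested[name];
  }
  return (lock.dependencies || {})[name];
}

// Return every "a > b > c" path from one of `directDeps` (the root
// package.json dependencies) down to `target`, optionally only at `version`.
function findPaths(lock, directDeps, target, version) {
  const out = [];
  const walk = (name, node, chain, path) => {
    if (!node || path.includes(name)) return;        // missing entry or cycle
    const here = path.concat(name);
    if (name === target && (!version || node.version === version)) {
      out.push(here.join(' > '));
    }
    const inner = chain.concat(node);                // node's own nested deps apply below it
    for (const dep of Object.keys(node.requires || {})) {
      walk(dep, resolve(lock, inner, dep), inner, here);
    }
  };
  for (const name of directDeps) {
    walk(name, resolve(lock, [], name), [], []);
  }
  return out;
}

// Prints: nodemon > pstree.remy > ps-tree > event-stream > flatmap-stream
console.log(findPaths(SAMPLE_LOCK, ['nodemon'], 'flatmap-stream').join('\n'));
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and passing the project's direct dependency names; an empty result for flatmap-stream and for event-stream at 3.3.6 means the reinstall worked.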

@dtb

dtb commented Nov 26, 2018

Would be nice to bump pstree.remy to ^1.1.2 so that people can be sure to get the fixed version. Took a little bit of finagling with cache and stuff to get the right version over here (not sure why, tbh.)

@lxcid

lxcid commented Nov 27, 2018

For me, I went directly to ps-tree and upped the version to 1.2.0 in my lockfile.

@mateeyowt

Failed for nodemon v^1.12.0

@artoodeeto

So is it alright to use nodemon while in development mode, or is it still insecure?

@hejiaji

hejiaji commented Nov 27, 2018

I believe this can be closed by upgrading to the latest version.

9920e62

@remy
Owner

remy commented Nov 27, 2018

I'm glad we're all jumping on the npm audit train without actually looking at existing issues to see why it's not been released yet… The issue is also marked with "help wanted", but meh.

So, copied here, verbatim, again help wanted - I can't get the test to pass yet:

I've been trying to work on a fix, but work life and personal life has been keeping me away from coding on this.

The issue is in remy/pstree - and although I fixed the core of this issue, there's a new issue that leaves processes running in the background instead of killing them (which is exactly what pstree intends to address).

The tests pass fine in a mac environment (my dev machine), but not in linux - which travis runs in. I am able to replicate with docker (this branch: /new-pstree@fix ) but I don't know what's leaving the process in the background (it's definitely that pstree.remy isn't returning all the PIDs properly).

#1459 (comment)

Please don't comment, please help fix.

@artoodeeto yes, this is safe in your own development environment so long as you're not leveraging the exploit yourself. nodemon recommends against using it in production. This does not mean the issue should remain.

@jzlxiaohei

I gave it a try. It works.

yarn remove nodemon
yarn add nodemon

then no event-stream in yarn.lock

@remy
Owner

remy commented Nov 27, 2018

Track here: #1463 (comment)
