Bump event-stream version to remove flatmap-stream dependency #451

pedro823 · 2018-12-11T20:24:45Z

tl;dr: There is a backdoored dependency on VTEX toolbelt that has malicious code. This does not affect VTEX in specific, however this should be removed anyway. This is important -- It could have been targeted toward VTEX.

On line 2379 of yarn.lock:

flatmap-stream@^0.1.0:
  version "0.1.1"
  resolved "https://registry.yarnpkg.com/flatmap-stream/-/flatmap-stream-0.1.1.tgz#d34f39ef3b9aa5a2fc225016bd3adf28ac5ae6ea"

this is the exact dependency, exact version, that contains malicious code. Version 0.1.2 doesn't have malicious code, and was completely removed by event-stream in the latest version.

For complete information of what that code did, read this article.

Mentioning the original issues of the backdoored code:

dominictarr/event-stream#116
dominictarr/event-stream#115

Possible Solution

Update the dependencies to fully remove the malicious code.

The text was updated successfully, but these errors were encountered:

ghost · 2019-01-04T13:06:11Z

hi

pedro823 added the review-needed label Dec 11, 2018

pedro823 assigned pedro823 and unassigned pedro823 Dec 11, 2018

pedro823 mentioned this issue Dec 12, 2018

Remove 'flatmap-stream' dependency from yarn.lock #452

Closed

4 tasks

pedro823 closed this as completed Jan 7, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump event-stream version to remove flatmap-stream dependency #451

Bump event-stream version to remove flatmap-stream dependency #451

pedro823 commented Dec 11, 2018

ghost commented Jan 4, 2019

Bump event-stream version to remove flatmap-stream dependency #451

Bump event-stream version to remove flatmap-stream dependency #451

Comments

pedro823 commented Dec 11, 2018

Possible Solution

ghost commented Jan 4, 2019