
Possible malicious code injected via npm dependency #1400

Closed
jsayol opened this issue Nov 26, 2018 · 3 comments

Comments

@jsayol
Contributor

jsayol commented Nov 26, 2018

Describe your environment

  • Operating System version: Linux 4.19.2
  • Browser version: n/a
  • Firebase SDK version: 5.5.9
  • Firebase Product: core

Describe the problem

I don't think you need to take any immediate action, but I figured I should give you a heads up just in case.

A few days ago a malicious package was added as a dependency of event-stream, which is a dependency of ps-tree, which in turn is a dependency of npm-run-all. This last one is used extensively as part of the build tools on this SDK.

To make sure this does not become a problem, it might be a good idea to update npm-run-all to the recently-published 4.1.5 version (it's currently pinned at 4.1.2 in all the packages/**/package.json files.)

Relevant discussions:
mysticatea/npm-run-all#149
dominictarr/event-stream#116

Edit: The versions currently used here are not affected at the moment, but upgrading is still a good idea to make sure they never are. And just to be clear, this would only affect the machines of those developing the SDK and not the end users of the library.

Steps to reproduce:

n/a

Relevant Code:

n/a

@google-oss-bot
Contributor

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

@Feiyang1
Member

Thanks for the heads up! I will look into it.

@Feiyang1
Member

Our repo is not affected by the exploit, thanks to the lock file. As a precaution, I'm updating npm-run-all to 4.1.5. #1406
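The two points raised in this thread, the transitive chain npm-run-all > ps-tree > event-stream and the lock file being what actually decides which version gets installed, can be checked mechanically. The following is an added example, not code from the firebase-js-sdk repository: it walks a package-lock.json (lockfile v1 layout, the format in use in 2018) and lists every path from a project's direct dependencies to a package of interest together with the resolved versions. SAMPLE_LOCK and DIRECT_DEPS are constructed for illustration; the resolve/findPaths/isBelow names are this example's own.

```javascript
// Added example (not from the firebase-js-sdk repo): inspect a lockfile v1
// package-lock.json to see which resolved versions sit on the path from the
// project's direct dependencies to a flagged package. Sample data is constructed.
const SAMPLE_LOCK = {
  name: 'example-sdk',
  dependencies: {
    'npm-run-all': { version: '4.1.2', dev: true, requires: { 'ps-tree': '^1.1.0' } },
    'ps-tree': { version: '1.1.1', dev: true, requires: { 'event-stream': '~3.3.0' } },
    'event-stream': { version: '3.3.4', dev: true, requires: { through: '~2.3.1' } },
    through: { version: '2.3.8', dev: true },
  },
};
const DIRECT_DEPS = ['npm-run-all']; // names from the constructed package.json
// Resolve `name` as npm does for a v1 lock: innermost nested `dependencies`
// map first, then outward to the root, where hoisted entries live.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}
// Every path (as "name@version" steps) from a direct dependency to `target`.
function findPaths(lock, target, directDeps) {
  const found = [];
  const walk = (name, node, scopes, trail) => {
    const step = `${name}@${node.version}`;
    if (trail.includes(step)) return; // guard against dependency cycles
    const path = [...trail, step];
    if (name === target) { found.push(path); return; }
    const inner = [...scopes, node];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, path);
    }
  };
  for (const name of directDeps) {
    const node = resolve(name, [lock]);
    if (node) walk(name, node, [lock], []);
  }
  return found;
}
// True when `version` is older than `minVersion` (plain x.y.z comparison,
// enough to flag a pin such as 4.1.2 against a recommended 4.1.5).
function isBelow(version, minVersion) {
  const a = version.split('.').map(Number), b = minVersion.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
```

Run findPaths against a real lock file by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))` and DIRECT_DEPS with the names from package.json; a path that ends at an unexpected event-stream version is what a maintainer would want to see before anything runs.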

@firebase firebase locked and limited conversation to collaborators Oct 14, 2019