
Remove event-stream dependency #149

Closed
XhmikosR opened this issue Nov 22, 2018 · 7 comments

Comments

@XhmikosR

@mysticatea please check dominictarr/event-stream#116

@jaydenseric

To know if your project is in danger, run:

npm ls event-stream flatmap-stream

The bad actor has publishing rights to event-stream and flatmap-stream contains the malicious code (specifically flatmap-stream@0.1.1, but any future version can't be trusted).

Here is an example result from one of my projects:

[redacted]
└─┬ npm-run-all@4.1.3
  └─┬ ps-tree@1.1.0
    └─┬ event-stream@3.3.6
      └── flatmap-stream@0.1.2
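
As an added example (not code from this thread or from npm-run-all), the same check against the JSON form of `npm ls`: it walks the tree and reports every path that leads to event-stream or flatmap-stream, so CI can fail the build instead of a person reading the tree. The sample tree is constructed to match the output quoted above.

```javascript
// Packages the thread identifies as compromised, with the reason given there.
const SUSPECT = {
  'flatmap-stream': 'carries the malicious code (0.1.1 confirmed; later versions not trusted)',
  'event-stream': 'publishing rights held by the bad actor',
};

// Recursively collect every occurrence of a suspect package in an
// `npm ls --json` tree, keeping the dependency path that pulls it in.
function findSuspects(tree, path = [], hits = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version || '?'}`];
    if (name in SUSPECT) {
      hits.push({
        name,
        version: node.version || '?',
        path: here.join(' > '),
        reason: SUSPECT[name],
      });
    }
    findSuspects(node, here, hits); // nested dependencies
  }
  return hits;
}

// Constructed sample of `npm ls --json` output, mirroring the tree quoted above.
const sampleLs = {
  name: 'redacted',
  version: '1.0.0',
  dependencies: {
    'npm-run-all': { version: '4.1.3', dependencies: {
      'ps-tree': { version: '1.1.0', dependencies: {
        'event-stream': { version: '3.3.6', dependencies: {
          'flatmap-stream': { version: '0.1.2' },
        } },
      } },
    } },
    lodash: { version: '4.17.11' },
  },
};

// Print one line per finding; a non-empty result is the signal to block the build.
const findings = findSuspects(sampleLs);
for (const hit of findings) {
  console.log(`${hit.name}@${hit.version} via ${hit.path}: ${hit.reason}`);
}
```

In a pipeline, feed the real tree with `npm ls --json --all` and treat a non-empty `findings` as a failure.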

@mysticatea
Owner

Wow, thank you for pointing this out.

@XhmikosR
Author

@mysticatea Maybe try replacing the unmaintained ps-tree with something else like https://github.com/sindresorhus/fkill?

@mysticatea
Owner

mysticatea commented Nov 24, 2018

I have removed the ps-tree dependency and published 4.1.4. (But 4.1.4 can be buggy because it does not kill descendant processes.) fkill's tree option looks to be supported only on Windows. I'm considering it.

@XhmikosR
Author

Hmm, maybe it's not wise to have released it as a minor bump if 4.1.4 is buggy?

@mysticatea
Owner

I will try the pidtree package and publish a fixed version ASAP.

@mysticatea
Owner

I have published 4.1.5. Thank you!

yhatt added a commit to marp-team/marpit that referenced this issue Nov 24, 2018
It includes an upgrade to avoid the malicious attack included in a
dependency of npm-run-all.

See: mysticatea/npm-run-all#149
yhatt added a commit to marp-team/marp-core that referenced this issue Nov 24, 2018
It includes an upgrade to prevent the malicious attack included in a
dependency of npm-run-all.

See: mysticatea/npm-run-all#149
yhatt added a commit to marp-team/marp-cli that referenced this issue Nov 24, 2018
It includes an upgrade to prevent the malicious attack included in a
dependency of npm-run-all.

See: mysticatea/npm-run-all#149
gitgrimbo added a commit to gitgrimbo/harviewer that referenced this issue Nov 26, 2018
sihoang pushed a commit to sihoang/charity-staking that referenced this issue Nov 27, 2018
bryanstearns added a commit to infinitered/ignite-bowser that referenced this issue Dec 27, 2018
npm-run-all 4.1.3 depends indirectly on flatmap-stream, which has been yanked
from npm because it contained malicious code:

https://www.npmjs.com/advisories/737
mysticatea/npm-run-all#149
jamonholmgren pushed a commit to infinitered/ignite-bowser that referenced this issue Dec 27, 2018
npm-run-all 4.1.3 depends indirectly on flatmap-stream, which has been yanked
from npm because it contained malicious code:

https://www.npmjs.com/advisories/737
mysticatea/npm-run-all#149