The ps-tree package may be unsafe now. Better find an alternative. #128

Closed
haoqunjiang opened this issue Nov 26, 2018 · 4 comments

@haoqunjiang

See:
indexzero/ps-tree#33
dominictarr/event-stream#116

@indexzero

FYI [email protected] locked to [email protected] (which if I read this thread correctly pre-dates the questionable changes).

Thanks to folks for bringing it to my attention: indexzero/ps-tree#34

@jbgraug

jbgraug commented Nov 27, 2018

"start-server-and-test": "^1.7.4" is vulnerable...
A workaround is to include this in your package.json (works only with Yarn):

"resolutions": {
    "event-stream": "3.3.4"
  },

@dervism

dervism commented Nov 27, 2018

It's also possible to add the following to the dependencies to lock the affected package to a safe version:

"dependencies": {
     "event-stream": "=3.3.4"
  }

@bahmutov
Owner

so right now this package uses [email protected] which uses [email protected] which I believe is safe

$ npm ls event-stream
[email protected] /Users/gleb/git/start-server-and-test
└─┬ [email protected]
  └── [email protected]

If any other changes are necessary, please let me know.
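
A check that complements the `npm ls event-stream` output above, as an added example (not code from this thread or from start-server-and-test): it walks a parsed package-lock.json and reports every resolved copy of event-stream that differs from the pinned 3.3.4. The function names, the sample lockfile and the versions `0.0.0` and `9.9.9` are constructed for illustration.

```javascript
// Added example: find every resolved copy of a package in a parsed
// package-lock.json and flag the copies that are not the pinned version.
// Handles lockfile v1 (nested "dependencies") and v2/v3 (flat "packages").

function findResolved(lock, name) {
  const hits = [];
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/a/node_modules/b"; the text after
    // the last "node_modules/" is the package name (scoped names included).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const parts = path.split('node_modules/');
      if (parts[parts.length - 1] === name) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // v1: a copy that could not be hoisted sits under its parent's own
  // "dependencies" object, so recurse and record the chain that led there.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) {
        hits.push({ path: here.join(' > '), version: meta.version });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

function unpinned(lock, name, pinned) {
  return findResolved(lock, name).filter((hit) => hit.version !== pinned);
}

// Constructed sample: a hoisted copy at the pin plus a nested off-pin copy.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '3.3.4' },
    'ps-tree': {
      version: '0.0.0', // constructed placeholder
      dependencies: { 'event-stream': { version: '9.9.9' } }, // constructed
    },
  },
};

console.log(unpinned(sampleLock, 'event-stream', '3.3.4'));
```

In a real project, pass the result of `JSON.parse` on the project's package-lock.json instead of `sampleLock`; an empty array means every resolved copy matches the pin.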
