[email protected]

[mysticatea]

The package-lock.json includes [email protected] which includes malicious code: package-lock.json#L1090-L1095.

See also: dominictarr/event-stream#116

The event-stream package looks unsafe. It's better to find an alternative in my 2 cents.

[lmcarreiro]

After the mess, the dependency to flatmap-stream was removed and the event-stream is maintained by the NPM team now.

[alexdima]

Thank you for the heads up. I have locked the dependency to [email protected] which gets rid of flatmap-stream from the dev dependencies.

[shivam183]

Hi, I'm new to MEAN stack and can anyone please tell me how to safely remove or update this dependency from package-lock.json using NPM

[KudMath]

@shivam183 here is how I did it : remove your package-lock.json, lock your dependency to event-stream at version 3.3.4 by adding "event-stream": "3.3.4", to your package.jsonrun npm i (that should work if your flatmap-stream dependency comes from event stream, if not you can repeat those steps for the respective 'ancestors')