Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability in event-stream dependency #150

Closed
ChrisBAshton opened this issue Nov 26, 2018 · 3 comments
Closed

Vulnerability in event-stream dependency #150

ChrisBAshton opened this issue Nov 26, 2018 · 3 comments

Comments

@ChrisBAshton
Copy link

ChrisBAshton commented Nov 26, 2018
edited
Loading

There's a serious vulnerability in event-stream, which is used by npm-run-all.

Please consider locking into v3.3.4 or lower, which appears to be before the vulnerability was introduced.

EDIT: the vulnerable package is pulled in via your dependency ps-tree, which has an issue open to fix it: indexzero/ps-tree#33
@mysticatea
Copy link
Owner

Thank you for the report.
But I have already published v4.1.5 to address it.

@ChrisBAshton ChrisBAshton mentioned this issue Nov 26, 2018
Closed
2 tasks
ChrisBAshton added a commit to bbc/simorgh that referenced this issue Nov 26, 2018
@ChrisBAshton
upgrade npm-run-all to v4.1.5
dcd98bf 
Fixes vulnerability: dominictarr/event-stream#116
See mysticatea/npm-run-all#150 (comment)
@ChrisBAshton ChrisBAshton mentioned this issue Nov 26, 2018
Merged
2 tasks
@pieh pieh mentioned this issue Nov 26, 2018
Merged
vladimiry added a commit to vladimiry/ElectronMail that referenced this issue Nov 26, 2018
@vladimiry
upgrade "npm-run-all" to 4.1.5
2104eec 
* 4.1.5 version get rids of backdoored "event-stream" 3.3.5/3.3.6 use
* see mysticatea/npm-run-all#150
* see dominictarr/event-stream#116
@indexzero
Copy link

FYI [email protected] locked to [email protected] (which if I read the thread correctly pre-dates the questionable changes).

Thanks to folks for bringing it to my attention: indexzero/ps-tree#34

@vladimiry vladimiry mentioned this issue Nov 26, 2018
Closed
@code-for-coffee
Copy link

@mysticatea thank you so much for being on top of this issue.

@IllusionMH IllusionMH mentioned this issue Nov 26, 2018
Merged
4 tasks
@pr1sm pr1sm mentioned this issue Nov 26, 2018
Closed
pr1sm added a commit to walmat/nebula-old that referenced this issue Nov 26, 2018
@pr1sm
Upgrade npm-run-all dependency
6144244 
This commit updates the npm-run-all dependency to remove the security bug referenced in mysticatea/npm-run-all#150
majecty added a commit to majecty/codechain-dashboard that referenced this issue Nov 27, 2018
@majecty
Fix vulnerable dependency in npm-run-all
77eccd4 
See mysticatea/npm-run-all#150
@majecty majecty mentioned this issue Nov 27, 2018
Merged
xpdlf1004 pushed a commit to CodeChain-io/codechain-dashboard that referenced this issue Nov 27, 2018
@majecty @xpdlf1004
Fix vulnerable dependency in npm-run-all
5f37041 
See mysticatea/npm-run-all#150
This was referenced Nov 27, 2018
Closed
Closed
@jgribonvald jgribonvald mentioned this issue Nov 27, 2018
Merged
@TehShrike TehShrike mentioned this issue Nov 27, 2018
Closed
@JianqinWang JianqinWang mentioned this issue Nov 28, 2018
Merged
walmat pushed a commit to walmat/nebula-old that referenced this issue Nov 30, 2018
@pr1sm @walmat
Remove Event-Stream Dependency from all Projects (#165)
e58f7ca 
* Upgrade npm-run-all dependency

This commit updates the npm-run-all dependency to remove the security bug referenced in mysticatea/npm-run-all#150

* Bump nodemon dependency

This commit updates the nodemon dependency to a version that removes the event-stream vulnerability (https://github.com/remy/nodemon/releases/tag/v1.18.7). For more details on the vulnerability, see dominictarr/event-stream#116.
This was referenced Dec 11, 2018
Closed
Merged
devDefiWeb added a commit to devDefiWeb/electron-mail-app that referenced this issue May 28, 2022
@devDefiWeb
upgrade "npm-run-all" to 4.1.5
61138b2 
* 4.1.5 version get rids of backdoored "event-stream" 3.3.5/3.3.6 use
* see mysticatea/npm-run-all#150
* see dominictarr/event-stream#116
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@indexzero @code-for-coffee @mysticatea @ChrisBAshton