Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove transitive event-stream dependencies #159

Closed
pr1sm opened this issue Nov 26, 2018 · 1 comment · Fixed by #165
Closed

Remove transitive event-stream dependencies #159

pr1sm opened this issue Nov 26, 2018 · 1 comment · Fixed by #165
Assignees
Labels
area:api Related to Nebula's Public API area:discord-bot Related to Nebula's Discord Bot area:frontend Related to Nebula's Frontend Electron app area:task-runner Related to Nebula's Task Runner package type:bug Something isn't working

Comments

@pr1sm
Copy link
Collaborator

pr1sm commented Nov 26, 2018

Describe the bug
Looks like there was malicious code published downstream from the npm-run-all package. It looks like this was a hack targeting projects that had a crypto-currency peer package also installed, so I don' think this directly affects us. However, I definitely don't like the idea of malicious code possibly available through our dependency tree.

For more information, see dominictarr/event-stream#116 and mysticatea/npm-run-all#150

To Reproduce
Steps to reproduce the behavior:

  1. Run npm ls event-stream flatmap-stream
  2. Check if there are versions installed from that output ([email protected] contains the malicious code, but I wouldn't trust versions that are higher as well)
  3. If they are, we are affected

I get the following output
vulnerability

Expected behavior
We shouldn't have event-stream installed anywhere in our dependency tree.

Desktop (please complete the following information):

  • OS: MWL
  • Service: frontend
  • Version: alpha

Additional context
The fix is pretty simple, it looks like npm-run-all has already put out a fixed version 4.1.5, so we just need to adjust our dependency for that

@pr1sm pr1sm added the type:bug Something isn't working label Nov 26, 2018
@pr1sm pr1sm added this to the Beta 1 Release milestone Nov 26, 2018
@pr1sm pr1sm self-assigned this Nov 26, 2018
@pr1sm pr1sm added the area:frontend Related to Nebula's Frontend Electron app label Nov 26, 2018
@pr1sm
Copy link
Collaborator Author

pr1sm commented Nov 26, 2018

I've taken a look at the other packages we are using and here are the following screenshots
task-runner:
taskrunnervulnerability
nebula-api:
nebulaapivulnerability
discord-bot:
discordbotvulnerability

It looks like all packages are affected, but to varying degrees. The problem for all stems from nodemon's dependency tree (remy/nodemon#1469 looks like it's tracking the removal of the malicious code from that dependency).

task-runner is the most affected since it contains a version with the potentially malicious code, discord-bot is next because the version of event-stream is bad even though the flatmap-stream version is before the malicious version, and nebula-api looks like it has a version of event-stream that doesn't include the malicious code at all.

For all three of these, we should wait until nodemon gets updated, then update that dependency as well.

@pr1sm pr1sm added area:task-runner Related to Nebula's Task Runner package area:api Related to Nebula's Public API labels Nov 26, 2018
@pr1sm pr1sm changed the title Upgrade npm-run-all dependency Remove transitive event-stream dependencies Nov 26, 2018
@pr1sm pr1sm added the area:discord-bot Related to Nebula's Discord Bot label Nov 26, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area:api Related to Nebula's Public API area:discord-bot Related to Nebula's Discord Bot area:frontend Related to Nebula's Frontend Electron app area:task-runner Related to Nebula's Task Runner package type:bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant