Remove transitive event-stream
dependencies
#159
Labels
area:api
Related to Nebula's Public API
area:discord-bot
Related to Nebula's Discord Bot
area:frontend
Related to Nebula's Frontend Electron app
area:task-runner
Related to Nebula's Task Runner package
type:bug
Something isn't working
Milestone
Describe the bug
Looks like there was malicious code published downstream from the
npm-run-all
package. It looks like this was a hack targeting projects that had a crypto-currency peer package also installed, so I don' think this directly affects us. However, I definitely don't like the idea of malicious code possibly available through our dependency tree.For more information, see dominictarr/event-stream#116 and mysticatea/npm-run-all#150
To Reproduce
Steps to reproduce the behavior:
npm ls event-stream flatmap-stream
[email protected]
contains the malicious code, but I wouldn't trust versions that are higher as well)I get the following output
Expected behavior
We shouldn't have
event-stream
installed anywhere in our dependency tree.Desktop (please complete the following information):
Additional context
The fix is pretty simple, it looks like
npm-run-all
has already put out a fixed version4.1.5
, so we just need to adjust our dependency for thatThe text was updated successfully, but these errors were encountered: