Insecure dependency: event-stream 3.3.6
Closed this issue · 1 comment
dependabot-preview commented
We noticed this repo pulls in event-stream at version 3.3.6 as a dependency. This version has had malicious code injected into it (see dominictarr/event-stream#116 for more information) and we recommend that you either upgrade to 4.0.1 or downgrade to 3.3.4 as soon as possible. You can do this by setting a Yarn resolution in your package.json.
(Dependabot can't generate downgrade PRs for sub-dependencies at the moment, but we wanted to warn you about the issue all the same.)
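As an added example (not part of the issue thread or Dependabot's own code): a small check that scans a yarn.lock v1 file for a resolved event-stream 3.3.6 and builds the package.json `resolutions` entry the comment recommends. The lock file excerpt is constructed for illustration; the safe version passed in is one of the two named above.

```javascript
// Added example: find event-stream 3.3.6 in a yarn.lock (v1 layout) and
// produce a package.json "resolutions" pin to a safe version.
const AFFECTED_VERSION = "3.3.6";

// Parse yarn.lock v1 into records of { selectors: [...], version }.
// Header lines are unindented ("pkg@range, pkg@range2:"); fields are indented.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const selectors = raw
        .replace(/:\s*$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { selectors, version: null };
      entries.push(current);
    } else if (current) {
      const m = raw.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Return every lock entry that resolves event-stream to the affected version.
function findAffectedEventStream(lockText) {
  return parseYarnLock(lockText).filter(
    (e) =>
      e.selectors.some((s) => s.startsWith("event-stream@")) &&
      e.version === AFFECTED_VERSION
  );
}

// Return a copy of package.json with a Yarn resolution forcing event-stream
// to `safeVersion` (e.g. "3.3.4" or "4.0.1"), without touching other fields.
function withEventStreamResolution(pkg, safeVersion) {
  const resolutions = { ...(pkg.resolutions || {}), "event-stream": safeVersion };
  return { ...pkg, resolutions };
}

// Constructed sample lock excerpt, not taken from any real project.
const SAMPLE_LOCK = `# yarn lockfile v1

event-stream@^3.3.4:
  version "3.3.6"
  dependencies:
    duplexer "~0.1.1"

duplexer@~0.1.1:
  version "0.1.1"
`;
```

Run `findAffectedEventStream` over the real lock file contents and, if it returns anything, write the object from `withEventStreamResolution` back to package.json and reinstall.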
Armour commented
Solved.