embermap/ember-cli-tailwind

Possible malicious dependency

Closed this issue · 4 comments

ef4 commented

This package depends recursively on event-stream, which has malicious versions floating about. See:

dominictarr/event-stream#116
indexzero/ps-tree#33

I don't see the dependency anywhere; I looked at our yarn.lock from last October and I also don't find it.

Could you help me understand how we depend on event-stream?

ef4 commented

The original chain I observed was

ember-cli-tailwind -> tailwindcss -> nodemon -> pstree.remy -> ps-tree -> event-stream

You can reproduce using ember-animated's yarn.lock as of commit a315e4ed014d72a43df567bdbfac0cc8cd20dcbe

But it looks like since then, tailwindcss decided to remove nodemon as their own fix for the vulnerability.

So this is mostly a concern for people who have existing lock files who haven't updated this area recently.

I see. (I was able to find a version of Ember CLI Tailwind's yarn.lock with event-stream in it going back much further.)

Any messaging I can or should do for these people?

ef4 commented

Probably not; the original issue was already shouted pretty loudly, and if people didn't hear that they probably won't hear you also shouting about it.
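The way to settle the question raised in this thread ("how do we depend on event-stream?") is to walk the lockfile rather than the package.json files, since the chain only exists in resolved, transitive dependencies. The script below is an added example, not code from ember-cli-tailwind, ember-animated or the linked issues. It parses the yarn.lock v1 format (unindented `spec, spec:` headers, a `version` line, and an indented `dependencies:` block), builds a name-level graph, and reports the chain from a root package to a flagged package, plus every package in the lock that transitively reaches it. The embedded lockfile fragment is constructed to mirror the chain ef4 reported; its version numbers and `resolved` URLs are placeholders, not real resolved versions.

```python
"""Walk a yarn.lock (v1 format) and report how a root package reaches a flagged
dependency such as event-stream.

Added example for this issue thread; not part of ember-cli-tailwind.
"""
import re
import sys
from collections import deque

# Constructed yarn.lock fragment mirroring the chain reported in the issue.
# Versions and URLs are placeholders, not real resolved values.
SAMPLE_YARN_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


ember-cli-tailwind@^0.5.0:
  version "0.5.0"
  resolved "https://registry.example.invalid/ember-cli-tailwind-0.5.0.tgz"
  dependencies:
    tailwindcss "^0.6.0"

event-stream@~3.3.0:
  version "3.3.0"
  resolved "https://registry.example.invalid/event-stream-3.3.0.tgz"
  dependencies:
    through "~2.3.1"

nodemon@^1.18.0:
  version "1.18.0"
  resolved "https://registry.example.invalid/nodemon-1.18.0.tgz"
  dependencies:
    pstree.remy "^1.1.0"

ps-tree@^1.1.0:
  version "1.1.0"
  resolved "https://registry.example.invalid/ps-tree-1.1.0.tgz"
  dependencies:
    event-stream "~3.3.0"

"pstree.remy@^1.1.0":
  version "1.1.0"
  resolved "https://registry.example.invalid/pstree.remy-1.1.0.tgz"
  dependencies:
    ps-tree "^1.1.0"

tailwindcss@^0.6.0, tailwindcss@^0.6.5:
  version "0.6.5"
  resolved "https://registry.example.invalid/tailwindcss-0.6.5.tgz"
  dependencies:
    nodemon "^1.18.0"

through@~2.3.1:
  version "2.3.8"
  resolved "https://registry.example.invalid/through-2.3.8.tgz"
"""

ENTRY_RE = re.compile(r'^(\S.*):$')  # unindented "spec, spec:" header line


def spec_to_name(spec):
    """'"@scope/pkg@^1.0.0"' -> '@scope/pkg'; rsplit keeps scoped names intact."""
    return spec.strip().strip('"').rsplit('@', 1)[0]


def parse_yarn_lock(text):
    """Return {package_name: {"versions": set, "deps": set}} from yarn.lock v1 text."""
    graph = {}
    current = []          # package names the current entry header resolves
    in_deps = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if not line.startswith(' '):                 # new entry header
            in_deps = False
            m = ENTRY_RE.match(line)
            if not m:
                continue
            current = [spec_to_name(s) for s in m.group(1).split(',')]
            for name in current:
                graph.setdefault(name, {"versions": set(), "deps": set()})
            continue
        stripped = line.strip()
        if not line.startswith('    '):              # 2-space field line
            in_deps = stripped in ('dependencies:', 'optionalDependencies:')
            if stripped.startswith('version '):
                for name in current:
                    graph[name]["versions"].add(stripped.split(None, 1)[1].strip('"'))
            continue
        if in_deps:                                  # 4-space '<name> "<range>"' line
            dep = stripped.split(None, 1)[0].strip('"')
            for name in current:
                graph[name]["deps"].add(dep)
    return graph


def find_path(graph, root, target):
    """Breadth-first walk over dependency edges; shortest chain root -> target, or None."""
    if root not in graph:
        return None
    parent = {root: None}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        if name == target:
            path = []
            while name is not None:
                path.append(name)
                name = parent[name]
            return path[::-1]
        for dep in sorted(graph.get(name, {}).get("deps", ())):
            if dep not in parent:
                parent[dep] = name
                queue.append(dep)
    return None


def transitive_dependents(graph, target):
    """Every package in the lock that reaches target through any chain (sorted)."""
    reverse = {}
    for name, info in graph.items():
        for dep in info["deps"]:
            reverse.setdefault(dep, set()).add(name)
    seen, queue = set(), deque([target])
    while queue:
        for up in reverse.get(queue.popleft(), ()):
            if up not in seen:
                seen.add(up)
                queue.append(up)
    return sorted(seen)


if __name__ == "__main__":
    # usage: python check_lock.py [path/to/yarn.lock] [root] [target]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_YARN_LOCK
    root = sys.argv[2] if len(sys.argv) > 2 else "ember-cli-tailwind"
    target = sys.argv[3] if len(sys.argv) > 3 else "event-stream"
    graph = parse_yarn_lock(text)
    chain = find_path(graph, root, target)
    print(" -> ".join(chain) if chain else f"{root} does not reach {target}")
    print("resolved versions:", sorted(graph.get(target, {}).get("versions", ())))
    print("transitive dependents:", transitive_dependents(graph, target))
```

Run it against an older lockfile (for example the one at the ember-animated commit referenced above) to see the chain ef4 observed; against a lockfile regenerated after tailwindcss dropped nodemon, `find_path` returns `None`. The `versions` set for the flagged package is what to compare against an advisory, since the name alone does not say whether the resolved version is one of the affected ones.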