Security Issue: Remove `event-stream` dependency.
TheSeg opened this issue · 3 comments
TheSeg commented
As noted in this issue, event-stream is compromised and the original maintainer doesn't have control over the repo.
backflip commented
Locking it to 3.3.4 might be a quick fix for now (and npm has taken ownership of the package in the meantime).
ragesoss commented
I note that the bad version has been yanked from npm, but the current default with gulp-reload will be to include 3.3.5, which is (I guess?) benign but does include (only) changes by the bad actor who went on to add the malicious code in 3.3.6.
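To check a lockfile against the 3.3.4 pin backflip suggests, here is an added example (not code from this thread or from the project): it walks a package-lock.json in the v1 nested layout and reports every resolved event-stream version that is not 3.3.4, with the dependency path that pulled it in. The sample lockfile and the gulp-reload version in it are constructed.

```javascript
// Added example, not from the issue thread. Audits a package-lock.json
// (lockfileVersion 1, nested "dependencies") for event-stream versions
// other than the pinned 3.3.4 discussed above.
const PACKAGE = "event-stream";
const ALLOWED = "3.3.4";

// Walk the nested lockfile tree, collecting every resolved version of PACKAGE
// together with the dependency path that introduced it.
function findVersions(deps, path = [], found = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === PACKAGE) {
      found.push({ version: entry.version, path: here.join(" > ") });
    }
    findVersions(entry.dependencies, here, found);
  }
  return found;
}

// Return only the occurrences that violate the pin; an empty array means
// every copy of event-stream in the tree resolves to ALLOWED.
function auditLock(lock) {
  return findVersions(lock.dependencies).filter((f) => f.version !== ALLOWED);
}

// Constructed sample lockfile: the root pins 3.3.4, but a nested copy under
// gulp-reload (placeholder version) still resolves to 3.3.5.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "event-stream": { version: "3.3.4" },
    "gulp-reload": {
      version: "0.0.0", // placeholder, not the real gulp-reload version
      dependencies: { "event-stream": { version: "3.3.5" } },
    },
  },
};

for (const v of auditLock(sampleLock)) {
  console.log(`unpinned ${PACKAGE}@${v.version} via ${v.path}`);
}
```

Run it against a real lockfile by replacing sampleLock with `JSON.parse(fs.readFileSync("package-lock.json"))`.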