gulp-community/gulp-livereload

Security Issue: Remove `event-stream` dependency.

TheSeg opened this issue · 3 comments

As noted in this issue, event-stream is compromised and the original maintainer doesn't have control over the repo.

Locking it to 3.3.4 might be a quick fix for now (and npm has taken ownership of the package in the meantime).

I note that the bad version has been yanked from npm, but the current default with gulp-livereload will be to include 3.3.5, which is (I guess?) benign but does include (only) changes by the bad actor who went on to add the malicious code in 3.3.6.

The dependency was pinned to 3.3.4 in #140 (released as version 4.0.1). Please send a PR (or message) when the problem is resolved.
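One check a practitioner would want after a pin like the one in #140 is to confirm which copies of event-stream a lockfile actually resolves, since a nested copy under another dependency can still pull in a different version. The script below is an added example, not code from gulp-livereload or from anyone in this thread. It walks a package-lock.json in either the lockfileVersion 1 shape (nested "dependencies") or the lockfileVersion 2/3 shape ("packages" keyed by install path) and classifies each event-stream version using only what this thread records: 3.3.4 is the pinned version, 3.3.5 contains only the later bad actor's changes, 3.3.6 carries the malicious code. The sample lockfile embedded at the bottom is constructed for illustration; the lockfile layouts and the plain x.y.z version format are assumptions.

```javascript
// Added example (not gulp-livereload code): audit a package-lock.json for
// every resolved copy of event-stream and flag anything other than the pin.

const PINNED = '3.3.4';                 // version pinned in #140 per the thread
const MALICIOUS = new Set(['3.3.6']);   // release carrying the malicious code
const SUSPECT = new Set(['3.3.5']);     // only the bad actor's changes, per the thread

// Assumes plain x.y.z versions (no prerelease tags), which is what a
// resolved lockfile entry for event-stream looks like.
function parseVersion(v) {
  return v.split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function classify(version) {
  if (MALICIOUS.has(version)) return 'malicious';
  if (SUSPECT.has(version)) return 'suspect';
  const cmp = compareVersions(version, PINNED);
  if (cmp === 0) return 'pinned';
  return cmp > 0 ? 'unreviewed' : 'older'; // newer than the pin is not vetted here
}

// Returns every install path at which `name` is resolved, with its version.
function findEventStream(lock, name = 'event-stream') {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/event-stream"
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: pkg.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [depName, dep] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) hits.push({ path, version: dep.version });
        if (dep.dependencies) walk(dep.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map(h => ({ ...h, status: classify(h.version) }));
}

// ok is true only when every resolved copy is exactly the pinned version.
function audit(lock) {
  const hits = findEventStream(lock);
  return { hits, ok: hits.every(h => h.status === 'pinned') };
}

// Constructed sample lockfile (v1 shape) for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-livereload': {
      version: '4.0.0',
      dependencies: { 'event-stream': { version: '3.3.6' } } // constructed: the bad release, nested
    },
    'event-stream': { version: '3.3.4' },                     // hoisted copy at the pin
    'some-other-tool': {
      version: '1.0.0',
      dependencies: { 'event-stream': { version: '3.3.5' } } // constructed: the suspect release
    }
  }
};

// Usage: node audit-event-stream.js [path/to/package-lock.json]
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const result = audit(lock);
  for (const h of result.hits) console.log(`${h.status.padEnd(10)} ${h.version}  ${h.path}`);
  console.log(result.ok ? 'OK: only the pinned event-stream is resolved' : 'FAIL: non-pinned event-stream present');
}
```

Run against a real lockfile to see each resolved path; the nested copy under gulp-livereload in the constructed sample is the case a top-level `npm ls` glance can miss, and the 3.3.5 copy is reported as suspect rather than clean because the thread notes it contains only the bad actor's changes.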