event-stream malicious code

Question

event-stream malicious code

fcastilloec opened this issue 6 years ago · 9 comments

The latest version of dbus-native in npm has a dependency to flatmap-stream which is not available anymore because of malaware see dominictarr/event-stream#116 (comment). I notice that the main branch is using a new version of event-stream which solves this issue.
Would it be possible to release a new version to npm?
Right now, this module is impossible to install, unless you have a cache version of it, and if the cache version is used, then we're running malaware.

sidorares commented 6 years ago

done

🎉1

Answer 1 · 2018-11-27T23:17:23.000Z

Thanks @fcastilloec , I'll publish master now

Answer 2 · 2018-11-27T23:26:42.000Z

please try v0.3.0

Answer 3 · 2018-11-28T00:05:59.000Z

I can't install v0.3.0 but it's a different error this time. I'm getting

ENOENT: no such file or directory, chmod '.../node_modules/dbus-native/bin/dbus2js.js'

I can seee that the file is in your repo, but for some reason npm can't find it. I've deleted all my cache, so it's something to do with this specific version.

Answer 4 · 2018-11-28T00:11:04.000Z

Which os are you using?

Answer 5 · 2018-11-28T00:12:07.000Z

Ubuntu 18.04 64bit

EDIT: I've also tested on Fedora 29 and macOS 10.13.6 and they all show the same error

Answer 6 · 2018-11-28T00:32:41.000Z

the script was not listed under package.json files section, added that. Hope will help. Can you try to install v0.4.0?

Answer 7 · 2018-11-28T00:35:06.000Z

v0.4.0 works! Thanks for updating!

Answer 8 · 2018-11-28T01:00:39.000Z

@sidorares just a last optional tip, it might be a good idea to delete v0.3.0 from npm since it's broken anyway and nobody will be able to install it.