New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

flatmap-stream@0.1.1 #1211

mysticatea opened this Issue Nov 25, 2018 · 4 comments


None yet
5 participants
Copy link

mysticatea commented Nov 25, 2018

The package-lock.json includes flatmap-stream@0.1.1 which includes malicious code: package-lock.json#L1090-L1095.

See also: dominictarr/event-stream#116

The event-stream package looks unsafe. It's better to find an alternative in my 2 cents.

@thecodingdude thecodingdude referenced this issue Nov 27, 2018


deleted #24663


This comment has been minimized.

Copy link

lmcarreiro commented Nov 27, 2018

After the mess, the dependency to flatmap-stream was removed and the event-stream is maintained by the NPM team now.


This comment has been minimized.

Copy link

alexandrudima commented Nov 28, 2018

Thank you for the heads up. I have locked the dependency to event-stream@3.3.4 which gets rid of flatmap-stream from the dev dependencies.


This comment has been minimized.

Copy link

shivam183 commented Nov 28, 2018

Hi, I'm new to MEAN stack and can anyone please tell me how to safely remove or update this dependency from package-lock.json using NPM


This comment has been minimized.

Copy link

KudMath commented Nov 29, 2018

@shivam183 here is how I did it : remove your package-lock.json, lock your dependency to event-stream at version 3.3.4 by adding "event-stream": "3.3.4", to your package.jsonrun npm i (that should work if your flatmap-stream dependency comes from event stream, if not you can repeat those steps for the respective 'ancestors')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment