Add event-stream as a dep and lock it (security issue) #739
As identified in dominictarr/event-stream#116, `event-stream` has a major security issue (malware injection) in version 3.3.6 (thanks to `flatmap-stream` version 0.1.1).

`event-stream` 3.3.6 is referenced as a child dep in this project, through `tsc-watch` and `vscode-apollo`/`vscode`.

This commit adds `event-stream` as a top level dependency, and locks it to the most recent version that excludes `flatmap-stream` (version 3.3.4).

This should work for now, but ultimately `tsc-watch` and `vscode` should be updated to newer versions that address this issue (since their child deps are the problem). Both projects have yet to submit fixes to this problem.
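
A way to confirm that a lockfile no longer resolves the versions named in the PR description above, as an added example that is not part of this pull request or the project's code. The function name `findFlagged` and both sample lockfiles are constructed for illustration.

```javascript
// Versions named in the PR description above.
const FLAGGED = new Map([["event-stream", ["3.3.6"]], ["flatmap-stream", ["0.1.1"]]]);

// Scan a parsed package-lock.json for flagged installs. Handles nested
// "dependencies" (lockfileVersion 1) and the flat "packages" map keyed by
// node_modules path (lockfileVersion 2 and 3). `nestedUnder` is where the
// copy sits in node_modules, which for hoisted packages is "(top level)".
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const check = (name, version, chain) => {
    if ((flagged.get(name) || []).includes(version)) {
      hits.push({ name, version, nestedUnder: chain.join(" > ") || "(top level)" });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project itself
      const parts = path.split("node_modules/").filter(Boolean)
        .map((p) => p.replace(/\/$/, ""));
      check(parts[parts.length - 1], meta.version, parts.slice(0, -1));
    }
    return hits;
  }
  const walk = (deps, chain) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, chain);
      walk(meta.dependencies, [...chain, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (not taken from the project in this PR).
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: { "tsc-watch": {
  version: "0.0.0-sample", dependencies: { "event-stream": {
    version: "3.3.6", dependencies: { "flatmap-stream": { version: "0.1.1" } },
  } },
} } };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "sample-app" },
  "node_modules/event-stream": { version: "3.3.4" }, // the pinned copy
  // constructed case: a nested copy that the top-level pin did not replace
  "node_modules/vscode/node_modules/event-stream": { version: "3.3.6" },
} };

console.log(findFlagged(SAMPLE_V1), findFlagged(SAMPLE_V3));
```

Against a real project, pass in the parsed contents of `package-lock.json`; `npm ls event-stream` then shows which packages request each copy.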