[SECURITY] event-stream incident #268

Closed
dhaavi opened this Issue Nov 28, 2018 · 10 comments

dhaavi commented Nov 28, 2018

There was a security issue with the npm package event-stream.

Original issue: dominictarr/event-stream#116 (comment)
Semantic issue: Semantic-Org/Semantic-UI#6687

Please update event-stream to version 3.3.4:

By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to event-stream@3.3.4. This protects people with cached versions of event-stream.

hammy2899 (Member) commented Nov 28, 2018

We are aware of the issue and are trying to come up with a fix. event-stream is in a package called prompt-sui which is maintained by the author of SUI who is currently AFK from development it seems so we don't have an easy way to update the version.

dhaavi commented Nov 28, 2018

I see. Thank you for the information.

Is there a way to override this dependency? It should be fully compatible as I understand.

hammy2899 added a commit that referenced this issue Nov 28, 2018

fix(security): changed event-stream version
Change `event-stream` version to fix security exploit.
Refs:
  dominictarr/event-stream#116
  dominictarr/event-stream#115

Closes #268
hammy2899 (Member) commented Nov 28, 2018

@dhaavi See the PR I just created. #269

dhaavi commented Nov 28, 2018

Looks great!
(I am not experienced with node, so I can't tell you how effective this fix is.)

etshy commented Nov 28, 2018

What if I do npm update? Does the lock file block the maximum version at 3.3.4, or will it download 3.3.6 (which is the infected one, if I remember the version number correctly)?

If the package-lock works the same as composer.lock, it will force this version on install only, if I'm not mistaken. On update it will search for the highest version that matches the package.json.

I also saw this issue yesterday, and it seems some packages are updating to 4.0.1 (when the flatmap dep was removed).

dhaavi commented Nov 28, 2018

> it will download the 3.3.6 (which is infected if I remember correctly the version number) ?

No, because

> npm has yanked the malicious version

The version change is there to defeat caches. For example, if you've downloaded the infected version and do git pull and npm ... it should remove the infected version cached locally.
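
Why a pinned version alone is not proof that a stale copy is gone: a lockfile can hold several resolved copies of the same package, one nested under each dependency that pulls it in (here, prompt-sui). The following audit script is an added example, not code from the Semantic-UI project or from anyone in this thread; the lockfile it scans is constructed inline, and 3.3.6 is used only as the version etshy recalls as the infected one.

```javascript
// Added example, not the project's code: audit a package-lock.json for every
// resolved copy of a package (nested copies included) and report any copy not
// at the pinned version. The sample lockfile below is constructed.

// Collect { path, version } for each copy of pkgName. lockfileVersion 1 nests
// "dependencies"; versions 2/3 use a flat "packages" map keyed by path.
function collectVersions(lock, pkgName) {
  const found = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      const chain = key.split('node_modules/').filter(Boolean)
        .map((s) => s.replace(/\/$/, ''));
      if (chain[chain.length - 1] === pkgName) {
        found.push({ path: chain.join(' > '), version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const chain = trail.concat(name);
      if (name === pkgName) found.push({ path: chain.join(' > '), version: meta.version });
      walk(meta.dependencies, chain); // nested copies live under their parent
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Copies whose version differs from safeVersion; an empty list is a pass.
function auditLock(lock, pkgName, safeVersion) {
  return collectVersions(lock, pkgName).filter((e) => e.version !== safeVersion);
}

// Constructed lockfileVersion 1 sample: a clean top-level copy plus a stale copy
// nested under prompt-sui (3.3.6, the version etshy recalls as infected).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '3.3.4' },
    'prompt-sui': { version: '1.0.0',
      dependencies: { 'event-stream': { version: '3.3.6' } } },
  },
};

console.log(auditLock(SAMPLE_LOCK, 'event-stream', '3.3.4'));
// → [ { path: 'prompt-sui > event-stream', version: '3.3.6' } ]
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a non-empty result means a dependency still resolves the package to something other than the pinned version.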

etshy commented Nov 28, 2018

Oh ok, I missed the information about npm removing the malicious versions.

Nice to know it should be fixed. I don't work with crypto, but it's still good not to have malicious code.

@lubber-de lubber-de added this to the 2.7.0 milestone Nov 28, 2018

Atulin commented Nov 28, 2018

Wouldn't it be a good idea to think of removing prompt-sui in the future? From what I've seen, it's vanity stuff at best.

Overall, I'd consider removing as many dependencies as possible, but that's a matter for another discussion.

hammy2899 (Member) commented Nov 28, 2018

@Atulin We currently have plans to rewrite the build process when we do 3.0 but that is a whole other project. When we do this we will be getting rid of a lot of the dependencies.

Atulin commented Nov 28, 2018

That + removing the dependency on jQuery would be a dream come true. Glad there are steps being taken in that direction 👌

hammy2899 added a commit that referenced this issue Dec 18, 2018

@hammy2899 hammy2899 closed this in 4eedd99 Dec 21, 2018
