[SECURITY] event-stream incident

[dhaavi]

There was a security issue with the npm package event-stream.

Original issue: dominictarr/event-stream#116 (comment)
Semantic issue: Semantic-Org/Semantic-UI#6687

Please update event-stream to version 3.3.4:

By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to event-stream@3.3.4. This protects people with cached versions of event-stream.

[y0hami]

We are aware of the issue and are trying to come up with a fix. event-stream is in a package called prompt-sui which is maintained by the author of SUI who is currently AFK from development it seems so we don't have an easy way to update the version.

[dhaavi]

I see. Thank you for the information.

Is there a way to override this dependency? It should be fully compatible as I understand.

[y0hami]

@dhaavi See the PR I just created. #269

[dhaavi]

Looks great!
(I am not experienced with node, so I can't tell you how effective this fix is.)

[etshy]

what if I do npm update ? The lock file block the maximum version to 3.3.4 or it will download the 3.3.6 (which is infected if I remember correctly the version number) ?

If the package-lock works the same as composer.lock, it will force this version on install only, If I'm not mistaken. On update it will search dor the highest version that match with the package.json

I also saw this issue yesterday, and seems some packages are updating to 4.0.1 (when the flatmap dep was removed)

[dhaavi]

it will download the 3.3.6 (which is infected if I remember correctly the version number) ?

No, because

npm has yanked the malicious version

The version change is there to defeat caches. For example, if you've downloaded the infected version and do git pull and npm ... it should remove the infected version cached locally.

[etshy]

Oh ok, I missed the information about npm removing the malicious versions.

Nice to know it should be fixed. I don't work with crypto but still good to not have malicious code.

[Atulin]

Wouldn't it be a good idea to think of removing prompt-sui in the future? From what I've seen, it's vanity stuff at best.

Overall, I'd consider removing as many dependencides as possible, but that's a matter for another discussion.