Backdoored sub-dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #1451

Closed
NewEraCracker opened this Issue Nov 19, 2018 · 0 comments


NewEraCracker commented Nov 19, 2018

nodemon requires pstree.remy (^1.1.0 - installed 1.1.0) -> ps-tree (^1.1.0 - installed 1.1.0) -> event-stream (~3.3.0 - installed 3.3.6) -> flatmap-stream (^0.1.0 - npm installs 0.1.2).

This last one is very suspicious.
See: dominictarr/event-stream#115

Please either force version 0.1.0 of flatmap-stream or update event-stream to latest version (which no longer requires the affected module).

Regards.

FallingSnow added a commit to FallingSnow/nodemon that referenced this issue Nov 21, 2018

fix: Update audit dependencies and remove pstree.remy
pstree.remy has a dependency with a compromised dependency

Fixes: remy#1442
Fixes: remy#1451

@remy remy closed this in b35c532 Nov 22, 2018

wiese added a commit to wmde/wikibase-termbox that referenced this issue Nov 27, 2018

nodemon: update to lose malicious package
nodemon is a tool that helps develop node.js based applications by
automatically restarting the node application when files change.
This updates it to the latest version to fix a security problem
remy/nodemon#1451

Dependency tree before was:
$ docker-compose run --rm node npm ls flatmap-stream
wikibase-termbox@0.1.0 /app
`-- nodemon@1.18.4
  `-- pstree.remy@1.1.0
    `-- ps-tree@1.1.0
      `-- event-stream@3.3.6
        `-- flatmap-stream@0.1.1      <- https://www.npmjs.com/advisories/737
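A lockfile check for the affected versions, added here as an example; it is not part of this thread, of nodemon, or of npm. It walks a package-lock.json (the nested `dependencies` tree of lockfile v1, or the flat `packages` map of v2/v3) and reports the dependency path to any flatmap-stream at 0.1.1 or 0.1.2, the versions named in the report and in npm advisory 737. The lockfile content embedded below is constructed to mirror the tree in the commit message above; `npm ls flatmap-stream` gives the same answer for an installed tree, while this scan needs only the lockfile, so it also works in CI before anything is installed.

```python
"""Scan an npm package-lock.json for the flatmap-stream versions named in this
issue and report the dependency path to each hit.

Added example for this thread, not nodemon's or npm's code. The lockfile
content below is constructed to mirror the tree shown in the issue.
"""
import json

# Package -> set of versions to flag (the versions named in the report and in
# npm advisory 737). Extend the dict to check further packages the same way.
AFFECTED = {"flatmap-stream": {"0.1.1", "0.1.2"}}

# Constructed lockfile v1 fragment mirroring the tree in the issue (not a real file).
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "version": "0.1.0", "lockfileVersion": 1,
    "dependencies": {
        "nodemon": {"version": "1.18.4", "dependencies": {
            "pstree.remy": {"version": "1.1.0", "dependencies": {
                "ps-tree": {"version": "1.1.0", "dependencies": {
                    "event-stream": {"version": "3.3.6", "dependencies": {
                        "flatmap-stream": {"version": "0.1.1"}}}}}}}}},
        "through": {"version": "2.3.8"},
    },
})


def find_affected(lock, affected=AFFECTED):
    """Return a list of (path, name, version) for every affected package.

    Lockfile v2/v3 carry a flat "packages" map keyed by node_modules path;
    v1 (and the compatibility section of v2) nest "dependencies". Use the
    "packages" map when present so nothing is counted twice.
    """
    hits = []

    packages = lock.get("packages")
    if packages:
        for key, meta in packages.items():
            if not key:
                continue  # "" is the root project itself
            # The last node_modules/ segment is the package name (scoped names keep "@scope/").
            name = key.split("node_modules/")[-1]
            version = meta.get("version", "")
            if version in affected.get(name, ()):
                hits.append((key, name, version))
        return hits

    def walk(deps, path):
        for name, meta in deps.items():
            version = meta.get("version", "")
            here = path + [f"{name}@{version}"]
            if version in affected.get(name, ()):
                hits.append((" > ".join(here), name, version))
            walk(meta.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), [])
    return hits


def scan_lockfile_text(text):
    """Parse lockfile JSON text and return find_affected() over it."""
    return find_affected(json.loads(text))


if __name__ == "__main__":
    # Replace SAMPLE_LOCK with open("package-lock.json").read() for a real project.
    for path, name, version in scan_lockfile_text(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version}: {path}")
```

A clean result is an empty list; a non-empty one names the chain to pin or upgrade, which for the tree above is the event-stream update the commit message describes.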