Malicious code used in dependency #3014

Closed
aparajita opened this Issue Nov 27, 2018 · 3 comments

aparajita commented Nov 27, 2018

Version

3.1.3

Reproduction link

https://github.com/vuejs/vue-cli

Node and OS info

Node 10.13.0 / npm 6.4.1 / macOS 10.14.1

Steps to reproduce

npm i -g @vue/cli@3.1.3
npm ls | grep event-stream

What is expected?

A version of event-stream that is not 3.3.6, as this is a malicious version.

What is actually happening?

vue-cli depends on @vue/cli-ui@3.1.2, which depends on terminate@2.1.0, which depends on ps-tree@1.1.0, which depends on event-stream@3.3.6.

Please see https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/ for a summary of why it's a real bad idea to have event-stream@3.3.6 anywhere in the dependency tree.

virtuoushub commented Nov 27, 2018

Looks like terminate@2.1.2 has a fix for this.
See: dwyl/terminate#35

However, it also looks like the dependency on terminate has been removed. See:
2baddaa and
8fd8082#diff-3e40e81d7f4e7bd8a8f9e819c8fa747a

aparajita commented Nov 27, 2018

I figured a fix would come quickly, thanks.

aparajita closed this Nov 27, 2018

virtuoushub commented Nov 27, 2018

To confirm, I ran npm ls event-stream flatmap-stream on 2baddaa

~/vue-cli   dev ≣                                            [10:01:15 PM]
❯ git rev-parse HEAD
2baddaa35eda4f51404e28ba05fdf63cd10b1ae3
~/vue-cli   dev ≣                                            [10:01:18 PM]
❯ npm ls event-stream flatmap-stream
F:/oo/vue-cli
`-- (empty)