Update npm-run-all due to malicious subdependency #4930

jjanssen · 2018-11-28T10:45:38Z

In the past week somebody notifed a Bitcoin stealer within the flatmap-stream module. As this commonly found with the sub-dependency (of its sub-dependencies) this became a huge deal for the development infrastructure of a lot of people.

Within our current setup flatmap-stream is used by npm-run-all as part of our front-end tooling chain for building. This PR updates npm-run-all and makes sure flatmap-stream is removed from its sub-dependencies.

More reading about this:
dominictarr/event-stream#116
mysticatea/npm-run-all#154

https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
https://medium.com/@jsoverson/exploiting-developer-infrastructure-is-insanely-easy-9849937e81d4

…bilities

jjanssen · 2018-11-28T10:47:00Z

Command for double-checking your local environment:
npm ls event-stream flatmap-stream

wagtail (master)*$ npm ls event-stream flatmap-stream
wagtail@1.0.0 /Users/j.janssen/Sites/git-projects/wagtail-jjanssen
└── (empty)

Which should now return empty.

Update npm-run-all due to its flatmap-stream and event-stream vulnera…

3be4555

…bilities

jjanssen added component:Security component:Frontend labels Nov 28, 2018

mikedingjan self-requested a review November 28, 2018 10:53

mikedingjan approved these changes Nov 28, 2018

View reviewed changes

gasman merged commit 80ef955 into wagtail:master Nov 28, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update npm-run-all due to malicious subdependency #4930

Update npm-run-all due to malicious subdependency #4930

jjanssen commented Nov 28, 2018

jjanssen commented Nov 28, 2018

Update npm-run-all due to malicious subdependency #4930

Update npm-run-all due to malicious subdependency #4930

Conversation

jjanssen commented Nov 28, 2018

jjanssen commented Nov 28, 2018