An unexpected error occurred: "https://registry.yarnpkg.com/flatmap-stream/-/flatmap-stream-0.1.1.tgz: Request failed \"404 Not Found\"". #6725

Closed
Neal85 opened this Issue Nov 28, 2018 · 9 comments

Neal85 commented Nov 28, 2018

yarn install v1.9.4
Do you want to request a feature or report a bug?

bug
What is the current behavior?

If the current behavior is a bug, please provide the steps to reproduce.

What is the expected behavior?

Please mention your node.js, yarn and operating system version.
FROM mhart/alpine-node:10

@ghost ghost assigned kaylie-alexa Nov 28, 2018

@ghost ghost added the triaged label Nov 28, 2018

claudiocabral commented Nov 28, 2018

This is not a yarn bug, it's due to the removal of the malicious code in the flatmap package used to steal bitcoin funds from Copay wallets. The fix is to find any packages that depend on event-stream and update them. In my case it was nodemon, and the most recent update removes the event-stream dependency.
https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/

GreenAsJade commented Nov 28, 2018

Isn't it a bug if the package manager gets an "unexpected error" when a dependency can't be met?

I thought it is yarn's job to find dependencies that need to be updated and... update them?

claudiocabral commented Nov 28, 2018

Yarn doesn't update anything implicitly to avoid breaking your code with an unexpected update.
This specific case is unusual because the dependency was malicious code that was removed from yarn-registry.
I do agree that they should handle the error a bit better and improve the error message, but I think that discussion deserves to be done on a new topic. I feel that yarn errors often tend to be cryptic, and that could definitely be improved.

GreenAsJade commented Nov 28, 2018

It's proving tough to find out what needs to be updated :(

claudiocabral commented Nov 28, 2018

Well, it can be a bit more complicated than that :(
I regexped my way to it using vim and found nodemon as having added event-stream, which is the package that was infected. Updating nodemon then solved it because nodemon itself had already removed the dependency.

If the package you depend on has not been updated yet, you'll need to either remove it or create an issue for it on GitHub, hoping it gets fixed.
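
The search described in the comment above (finding which package in the lockfile pulled in event-stream and flatmap-stream) can also be scripted against yarn.lock. This is an added example, not part of the original thread and not yarn's own code; the lockfile text is constructed, `tool-a` and `helper-b` are hypothetical package names, and the version numbers other than flatmap-stream 0.1.1 are placeholders.

```javascript
// Added example: list the dependency chains in a yarn.lock (v1) that end at a package.
// SAMPLE_LOCK is constructed; tool-a and helper-b are hypothetical package names.
const SAMPLE_LOCK = `# yarn lockfile v1

event-stream@^1.0.0:
  version "1.0.0"
  dependencies:
    flatmap-stream "^0.1.0"

flatmap-stream@^0.1.0:
  version "0.1.1"

helper-b@^2.0.0, helper-b@^2.1.0:
  version "2.1.0"
  dependencies:
    event-stream "^1.0.0"

tool-a@^1.0.0:
  version "1.0.0"
  dependencies:
    helper-b "^2.0.0"
`;

// Map each package name in the lockfile to the set of names it depends on.
function parseYarnLock(text) {
  const deps = new Map();
  for (const block of text.split(/\r?\n(?=[^\s#])/)) { // one block per entry
    const header = block.split(/\r?\n/)[0];
    if (!header.trim() || header.startsWith("#")) continue;
    const name = header.replace(/"|:$/g, "").split(",")[0].replace(/@[^@]*$/, "");
    if (!deps.has(name)) deps.set(name, new Set());
    // Assumes v1 layout: only (optional)dependencies lines are indented four spaces.
    for (const m of block.matchAll(/^ {4}"?([^"\s]+)"?\s/gm)) deps.get(name).add(m[1]);
  }
  return deps;
}

// Walk reverse edges from `target` up to entries that nothing else depends on.
function chainsTo(deps, target) {
  const chains = [];
  const walk = (name, path) => {
    const up = [...deps.keys()].filter((p) => deps.get(p).has(name) && !path.includes(p));
    if (up.length === 0) chains.push([name, ...path].join(" > "));
    for (const p of up) walk(p, [name, ...path]);
  };
  if (deps.has(target)) walk(target, []);
  return chains.sort();
}

console.log(chainsTo(parseYarnLock(SAMPLE_LOCK), "flatmap-stream"));
```

To check a real project, pass `require("fs").readFileSync("yarn.lock", "utf8")` instead of `SAMPLE_LOCK`; the leftmost name in each chain is the package to update or remove.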

GreenAsJade commented Nov 28, 2018

Actually, should have thought of simple things first. I blew everything away (node modules and yarn lock) and it reinstalled clean :)

chihab commented Nov 28, 2018

yarn --no-lockfile fixes my CI.
I had the issue on my Netlify build; I've added an environment variable named YARN_FLAGS and have set it to --no-lockfile. Just a workaround though, the corrupted dependency should be fixed/updated.

Neal85 commented Nov 29, 2018

I upgraded "geoip-lite": "^1.3.3" to 1.3.5 and removed event-stream, and it worked. Thanks.

@Neal85 Neal85 closed this Nov 29, 2018

heymartinadams commented Dec 6, 2018

Since yarn global wasn’t working for me (the infected packages had been installed globally), I was unable to yarn global remove the affected packages, so I had to remove them manually. In case it helps others, here are my steps:

  1. Go into yarn global folder: cd ~/.config/yarn/global/ (or wherever yarn global lives)
  2. Search for flatmap- in current folder: grep -R 'flatmap-' ./
  3. Manually and recursively remove all folders that contain it, e.g.: rm -rf ./node_modules/flatmap-stream ./node_modules/event-stream, etc.
  4. Remove yarn lockfile: rm yarn.lock
  5. Rebuild yarn by typing a command, e.g. yarn global list — so yarn global should work now.