npmjs has removed all releases. You may have a lockfile which is used. Please try to update the affected dependencies and inform the affected package owners.
Do you want to request a feature or report a bug?
Bug
What is the current behavior?
When installing any global dependency that happens to pull in the event-stream dependency, yarn fails to install the dependency since the malicious event-stream 3.3.6 package and flat-map-stream 0.1.2 packages don't exist in the yarn registry. npm properly finds an updated, not malicious version of event-stream, but yarn fails every time.
More info on event-stream vulnerability https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
Example:
[steven@work yeoman-workspace]$ yarn global add generator-spring-boot-microservice
yarn global v1.13.0
[1/4] 🔍 Resolving packages...
[2/4] 🚚 Fetching packages...
error An unexpected error occurred: "https://registry.yarnpkg.com/flatmap-stream/-/flatmap-stream-0.1.2.tgz: Request failed \"404 Not Found\"".
What is the expected behavior?
yarn should be able to install these global dependencies like npm does but without the malicious / pulled packages
Please mention your node.js, yarn and operating system version.
macOS Mojave 10.14.5
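The reply in this thread points at a stale lockfile as the likely cause. As an added example (not part of the issue and not yarn's own code), the following reads text in yarn.lock v1 layout and lists entries pinned to the two versions named in the issue, together with the locked packages that require them. The sample lockfile, the function names and the `REMOVED` table are constructed for illustration.

```javascript
// Versions the issue reports as removed; "flatmap-stream" is spelled as in the 404 URL.
const REMOVED = new Map([["event-stream", ["3.3.6"]], ["flatmap-stream", ["0.1.2"]]]);
// Constructed sample in yarn.lock v1 layout (not from a real project).
const SAMPLE_LOCK = `# yarn lockfile v1
event-stream@~3.3.0:
  version "3.3.6"
  dependencies:
    flatmap-stream "^0.1.0"
flatmap-stream@^0.1.0:
  version "0.1.2"
ps-tree@^1.1.0:
  version "1.1.0"
  dependencies:
    event-stream "~3.3.0"
`;
const nameOf = (spec) => spec.slice(0, spec.lastIndexOf("@")); // "@s/pkg@^1" -> "@s/pkg"

// Reader for the yarn.lock v1 layout: one { specs, version, deps } object per entry.
function parseYarnLock(text) {
  const entries = [];
  let entry = null, inDeps = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    const kv = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/); // key "value" pairs
    if (indent === 0) { // header: comma-separated "name@range" specs
      const specs = line.replace(/:$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      entries.push((entry = { specs, version: null, deps: {} }));
    } else if (entry && indent === 2) { // fields: version, resolved, dependencies: ...
      inDeps = /^(optionalD|d)ependencies:$/.test(line);
      if (kv && kv[1] === "version") entry.version = kv[2];
    } else if (entry && inDeps && kv) entry.deps[kv[1]] = kv[2]; // indent 4: name "range"
  }
  return entries;
}

// Entries pinned to a removed version, with the locked packages that require them.
function findRemoved(lockText) {
  const entries = parseYarnLock(lockText), hits = [];
  for (const e of entries) {
    const name = nameOf(e.specs[0]);
    if (!(REMOVED.get(name) || []).includes(e.version)) continue;
    const requiredBy = entries.filter((p) => e.specs.includes(`${name}@${p.deps[name]}`))
      .map((p) => `${nameOf(p.specs[0])}@${p.version}`);
    hits.push({ name, version: e.version, requiredBy });
  }
  return hits;
}
console.log(JSON.stringify(findRemoved(SAMPLE_LOCK), null, 2));
```

The `requiredBy` list shows which parent package has to publish or pick up a new release before the pinned entry can be refreshed.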