Backdoored sub-dependency? flatmap-stream-0.1.1 and flatmap-stream-0.1.2 #1451
Comments
wiese
added a commit
to wmde/wikibase-termbox
that referenced
this issue
Nov 27, 2018
nodemon is a tool that helps develop node.js based applications by automatically restarting the node application when files change. This updates it to the latest version to fix a security problem remy/nodemon#1451 Dependency tree before was: $ docker-compose run --rm node npm ls flatmap-stream wikibase-termbox@0.1.0 /app `-- nodemon@1.18.4 `-- pstree.remy@1.1.0 `-- ps-tree@1.1.0 `-- event-stream@3.3.6 `-- flatmap-stream@0.1.1 <- https://www.npmjs.com/advisories/737
This was referenced Nov 27, 2018
This was referenced Feb 12, 2020
This was referenced Apr 19, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
nodemon requires pstree.remy (^1.1.0 - installed 1.1.0) -> ps-tree (^1.1.0 - installed 1.1.0) -> event-stream (~3.3.0 - installed 3.3.6) -> flatmap-stream (^0.1.0 - npm installs 0.1.2).
This last one is very suspicious.
See: dominictarr/event-stream#115
Please either force version 0.1.0 of flatmap-stream or update event-stream to latest version (which no longer requires the affected module).
Regards.
The text was updated successfully, but these errors were encountered: