Downgrade event-stream to 3.3.4 #5523

Merged
merged 1 commit into from
Nov 27, 2018

Conversation

Duhemm
Contributor

@Duhemm Duhemm commented Nov 27, 2018

The NPM package flatmap-stream is considered malicious. A malicious
actor added this package as a dependency to the NPM event-stream package
in versions 3.3.6 and later. Users of event-stream are encouraged to
downgrade to the last non-malicious version, 3.3.4.

See dominictarr/event-stream#116

@Duhemm Duhemm requested a review from smarter November 27, 2018 09:44
@Duhemm Duhemm force-pushed the downgrade-event-stream branch from 598ae0d to 41b9538 on November 27, 2018 10:24
@@ -922,7 +912,7 @@
},
"readable-stream": {
"version": "1.0.34",
"resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-1.0.34.tgz",
"resolved": "http://registry.npmjs.org/readable-stream/-/readable-stream-1.0.34.tgz",
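Review bot: the `resolved` URL for readable-stream@1.0.34 is changed from `https://registry.npmjs.org/...` to `http://registry.npmjs.org/...` in this hunk, which is unrelated to the event-stream downgrade and points the lockfile at a plain-HTTP registry URL; keep the `https://` form and revert this rewrite (and the matching ones elsewhere in the lockfile) before merging, since a lockfile entry fetched without TLS loses the transport protection the original entry had.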
Member
Can you remove all the changes that replace https by http? My npm doesn't do that

@Duhemm Duhemm force-pushed the downgrade-event-stream branch from 41b9538 to 8758bdd on November 27, 2018 11:00
@Duhemm
Contributor Author

Duhemm commented Nov 27, 2018

> Can you remove all the changes that replace https by http? My npm doesn't do that

That's super strange, it looks like this is a known issue in npm: https://npm.community/t/npm-install-downgrading-resolved-packages-from-https-to-http-registry-in-package-lock-json/1818

I've replaced all http:// by https://, can you check that everything is still working okay for you?

Member

@smarter smarter left a comment

All our transitive dependencies that depend on event-stream have released new versions with 3.3.4 hardcoded (also the malicious 3.3.6 was deleted from the npm registry). So instead of hardcoding it ourselves, we should be able to just do "npm update".

> The NPM package flatmap-stream is considered malicious. A malicious
> actor added this package as a dependency to the NPM event-stream package
> in versions 3.3.6 and later. Users of event-stream are encouraged to
> downgrade to the last non-malicious version, 3.3.4.

See dominictarr/event-stream#116
@Duhemm Duhemm force-pushed the downgrade-event-stream branch from 8758bdd to c5ff6e2 on November 27, 2018 15:30
@Duhemm
Contributor Author

Duhemm commented Nov 27, 2018

@smarter npm upgrade hopefully did the trick. flatmap-stream disappeared from our dependencies.

... Though I really don't know why we have so many more dependencies. Did I do something wrong with npm?
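One way to check a package-lock.json for the three conditions raised in this thread (a flatmap-stream entry anywhere in the tree, an event-stream version at or above 3.3.6, and `resolved` URLs rewritten to plain http), as an added example that is not part of this PR or the project's own tooling. It assumes the lockfileVersion 1 layout of nested `dependencies` maps; the sample lockfile and the package name `some-tool` are constructed for illustration.

```javascript
// Added example (not from the PR): audit a lockfileVersion 1 package-lock
// object for the conditions discussed in this thread.

// Compare two dotted version strings numerically; returns -1, 0 or 1.
// (Plain numeric comparison, no prerelease handling; enough for 3.3.x.)
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the nested "dependencies" maps and collect findings with the path
// to the offending entry, so transitive pins can be traced to their parent.
function auditLock(lock) {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = [...path, `${name}@${entry.version}`].join(' > ');
      if (name === 'flatmap-stream') {
        findings.push({ kind: 'malicious-package', where });
      }
      if (name === 'event-stream' && compareVersions(entry.version, '3.3.6') >= 0) {
        findings.push({ kind: 'compromised-version', where });
      }
      if (entry.resolved && !entry.resolved.startsWith('https://')) {
        findings.push({ kind: 'insecure-resolved', where, resolved: entry.resolved });
      }
      walk(entry.dependencies, [...path, name]);
    }
  }
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample: one entry rewritten by npm to a plain-http registry URL,
// and one transitive dependency ("some-tool", hypothetical) still pinning 3.3.6.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'readable-stream': { version: '1.0.34',
      resolved: 'http://registry.npmjs.org/readable-stream/-/readable-stream-1.0.34.tgz' },
    'some-tool': { version: '2.0.0',
      resolved: 'https://registry.npmjs.org/some-tool/-/some-tool-2.0.0.tgz',
      dependencies: { 'event-stream': { version: '3.3.6',
        resolved: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz',
        dependencies: { 'flatmap-stream': { version: '1.0.0',  // constructed version
          resolved: 'https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-1.0.0.tgz' } } } } },
  },
};

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

On a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; an empty result after `npm update` is the state Duhemm reports above.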

@smarter
Member

smarter commented Nov 27, 2018

> ... Though I really don't know why we have so many more dependencies. Did I do something wrong with npm?

They appear to be transitive dependencies of the new vscode, so this is normal.

@smarter smarter merged commit 235a103 into scala:master Nov 27, 2018
@allanrenucci allanrenucci deleted the downgrade-event-stream branch November 27, 2018 17:29