M-Zuber / npm-watch

run npm scripts when files change
MIT License
323 stars 38 forks

Upgrade nodemon dependency to 1.18.7 to remove event-stream vulnerability #61

Closed pracucci closed 5 years ago

pracucci commented 5 years ago

As you're probably aware, event-stream ownership has been unintentionally transferred to a malicious user who injected a vulnerability in it.

npm-watch depends on nodemon ^1.12.1, which depends on event-stream. A few hours ago, nodemon released v1.18.7, which completely removes the dependency on pstree and subsequently on event-stream.

Is there any chance to upgrade to nodemon 1.18.7, to completely remove event-stream from npm-watch as well? Thanks!
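The transitive chain described in this issue (npm-watch, then nodemon, then pstree, then event-stream) is the kind of thing a maintainer wants to verify from the lockfile rather than from memory. The script below is an added example, not code from npm-watch or nodemon; it builds a name-level dependency graph from a package.json manifest and a v1-style package-lock.json (both constructed samples embedded inline) and lists every path from the project root to a named package.

```javascript
// Added example (not part of npm-watch): find every dependency path from a
// project to a target package using a v1-style package-lock.json structure.
// Both objects below are CONSTRUCTED samples, not real registry metadata.
const manifest = { dependencies: { "npm-watch": "^0.3.0" }, devDependencies: {} };
const lock = {
  dependencies: {
    "npm-watch": { version: "0.3.0", requires: { nodemon: "^1.12.1" } },
    nodemon: { version: "1.12.1", requires: { pstree: "^1.0.0" } },
    pstree: { version: "1.0.0", requires: { "event-stream": "^3.0.0" } },
    "event-stream": { version: "3.0.0", requires: {} },
  },
};

// Build an adjacency map: package name -> names it requires. "<root>" stands
// for the project itself. Versions are merged per name, which is what you
// want when asking "can this package reach X at all".
function buildGraph(manifest, lock) {
  const rootDeps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const graph = { "<root>": Object.keys(rootDeps) };
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      graph[name] = [...(graph[name] || []), ...Object.keys(entry.requires || {})];
      walk(entry.dependencies); // nested (non-hoisted) installs live under the parent
    }
  };
  walk(lock.dependencies);
  return graph;
}

// Depth-first search from the root; returns every acyclic path ending at target.
function findDependencyPaths(manifest, lock, target) {
  const graph = buildGraph(manifest, lock);
  const paths = [];
  const dfs = (node, trail) => {
    if (node === target) { paths.push(trail); return; }
    for (const next of graph[node] || []) {
      if (!trail.includes(next)) dfs(next, [...trail, next]); // skip cycles
    }
  };
  dfs("<root>", []);
  return paths;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const p of findDependencyPaths(manifest, lock, "event-stream")) {
    console.log(p.join(" -> ")); // npm-watch -> nodemon -> pstree -> event-stream
  }
}
```

Run it against a real lockfile by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`; an empty result after upgrading nodemon confirms the chain is gone.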

pracucci commented 5 years ago

Thanks @M-Zuber and @mfolkeseth !

M-Zuber commented 5 years ago

Thank you for bringing it to my attention; I am publishing a new release now.

mfolkeseth commented 5 years ago

Wow, that was quick @M-Zuber! Thanks 👍