As you're probably aware, event-stream ownership has been unintentionally transferred to a malicious user who injected a vulnerability in it.
npm-watch depends on nodemon ^1.12.1, which depends on event-stream. A few hours ago, nodemon released v.1.18.7, which completely removes the dependency from pstree and subsequently from event-stream.
Is there any chance to upgrade to nodemon 1.18.7, to completely remove event-stream from npm-watch as well? Thanks!
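The dependency chain described in this issue can be traced in a lockfile to confirm that an upgrade really clears the tree. This is an added example, not part of the original issue or of npm-watch's code; it assumes a lockfileVersion 1 `package-lock.json`, and the sample lockfiles, the `0.0.0-sample` versions and the `other-tool` package are constructed.

```javascript
// Added example: explain why a package is present in a lockfileVersion 1 tree.
// Resolve `name` the way Node does: nearest nested copy first, then outward.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (Object.prototype.hasOwnProperty.call(deps, name)) {
      return { node: deps[name], scopes: scopes.slice(0, i + 1) };
    }
  }
  return null; // required but not installed (e.g. skipped optional dependency)
}

// Return every chain root > ... > target, following `requires` edges.
function findChains(lock, roots, target) {
  const chains = [];
  const walk = (name, scopes, path) => {
    if (path.includes(name)) return; // guard against dependency cycles
    const hit = resolve(name, scopes);
    if (!hit) return;
    const next = path.concat(name);
    if (name === target) { chains.push(next.join(" > ")); return; }
    const inner = hit.scopes.concat(hit.node);
    for (const dep of Object.keys(hit.node.requires || {})) walk(dep, inner, next);
  };
  for (const root of roots) walk(root, [lock], []);
  return chains;
}

// Constructed lockfiles; "0.0.0-sample" versions and `other-tool` are placeholders.
const before = { lockfileVersion: 1, dependencies: {
  "npm-watch": { version: "0.0.0-sample", requires: { nodemon: "^1.12.1" } },
  nodemon: { version: "0.0.0-sample", requires: { pstree: "*" } },
  pstree: { version: "0.0.0-sample", requires: { "event-stream": "*" } },
  "event-stream": { version: "0.0.0-sample" },
} };
const after = { lockfileVersion: 1, dependencies: {
  "npm-watch": { version: "0.0.0-sample", requires: { nodemon: "^1.18.7" } },
  nodemon: { version: "1.18.7", requires: {} },
  // A nested copy pulled in by an unrelated, hypothetical package.
  "other-tool": { version: "0.0.0-sample", requires: { "event-stream": "*" },
    dependencies: { "event-stream": { version: "0.0.0-sample" } } },
} };

console.log(findChains(before, ["npm-watch"], "event-stream"));
console.log(findChains(after, ["npm-watch", "other-tool"], "event-stream"));
```

An empty result for every root is the condition to check after the upgrade; any remaining chain names the package that still pulls event-stream in.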