encryptic-team / encryptic

An encryption-focused open source note taking application
Mozilla Public License 2.0
348 stars 40 forks

Dependency generated by gulp-nightwatch contains malware #38

Closed daed closed 5 years ago

daed commented 5 years ago

See https://github.com/dominictarr/event-stream/issues/116 for all the sordid details.

gulp-nightwatch depended on event-stream, which contained a version of flatmap-stream (the infected package). The version of the flatmap-stream package we used did not contain the malware according to the people handling the forensics in the above-linked issue, but it's been removed from npm, thus causing npm/yarn to fail when setting up encryptic.

Actions taken: I've removed gulp-nightwatch for the time being. All of the gulp stuff needs to be updated anyway.

Hooray npm!
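The comment above describes a transitive chain (gulp-nightwatch pulls in event-stream, which pulls in flatmap-stream) that is hard to see from package.json alone. The script below is an added example, not code from the encryptic project or from the issue author: it walks a lockfileVersion-1 `package-lock.json` and lists every path from a direct dependency down to a named package, then flags paths whose resolved version is on a caller-supplied blocklist. The lockfile, the package versions (all ending in `-constructed`), the `other-dev-tool` package and the blocklist are constructed for the example; real affected versions would come from the advisory linked in the issue.

```javascript
'use strict';
// Added example, not code from the encryptic project. Walks a
// lockfileVersion-1 package-lock.json (nested "dependencies" objects with
// "version", "requires" and optional nested "dependencies") and lists every
// dependency path from a direct dependency down to a named package, so a
// maintainer can see which top-level dependency pulls in a package that the
// registry has removed or an advisory has flagged. Versions ending in
// "-constructed" and the package "other-dev-tool" are made up for this example.

const SAMPLE_DIRECT_DEPS = ['gulp-nightwatch', 'other-dev-tool']; // as from package.json (constructed)

const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-nightwatch': {
      version: '1.0.0-constructed',
      requires: { 'event-stream': '^1.0.0' },
    },
    'event-stream': {
      version: '1.0.0-constructed',
      requires: { 'flatmap-stream': '^1.0.1', through: '^1.0.0' },
      // npm installs a second copy under event-stream/node_modules when the
      // hoisted top-level copy does not satisfy the requested range
      dependencies: { 'flatmap-stream': { version: '1.0.1-constructed' } },
    },
    'other-dev-tool': {
      version: '1.0.0-constructed',
      requires: { 'flatmap-stream': '^1.0.0' },
    },
    'flatmap-stream': { version: '1.0.0-constructed' },
    through: { version: '1.0.0-constructed' },
  },
};

// Nearest-ancestor-first lookup, the same order Node uses when it searches
// node_modules directories upward from the requiring package.
function resolveEntry(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i -= 1) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}

// Returns every path (array of "name@version" strings) from a direct
// dependency to `target`. A path is cut when it would revisit a node,
// so dependency cycles cannot recurse forever.
function findDependencyPaths(lock, directDeps, target) {
  const paths = [];
  function walk(name, scopes, trail) {
    const entry = resolveEntry(name, scopes);
    if (!entry) return; // not in the lockfile: nothing to follow
    const id = `${name}@${entry.version}`;
    if (trail.includes(id)) return;
    const nextTrail = trail.concat(id);
    if (name === target) {
      paths.push(nextTrail);
      return;
    }
    // A package's own nested node_modules shadows the hoisted copies above it.
    const childScopes = entry.dependencies ? scopes.concat(entry.dependencies) : scopes;
    for (const dep of Object.keys(entry.requires || {})) walk(dep, childScopes, nextTrail);
  }
  for (const dep of directDeps) walk(dep, [lock.dependencies], []);
  return paths;
}

// Distinct versions of `target` that actually end up installed.
function installedVersions(lock, directDeps, target) {
  const versions = findDependencyPaths(lock, directDeps, target)
    .map((p) => p[p.length - 1].split('@').pop());
  return Array.from(new Set(versions)).sort();
}

// Flags every path whose leaf version is listed in `blocked`
// (package name -> Set of version strings taken from an advisory).
function flagBlockedPaths(lock, directDeps, blocked) {
  const hits = [];
  for (const [name, versions] of Object.entries(blocked)) {
    for (const path of findDependencyPaths(lock, directDeps, name)) {
      const version = path[path.length - 1].split('@').pop();
      if (versions.has(version)) hits.push({ package: name, version, path });
    }
  }
  return hits;
}

// One human-readable line per flagged path.
function report(lock, directDeps, blocked) {
  return flagBlockedPaths(lock, directDeps, blocked)
    .map((h) => `${h.package}@${h.version} via ${h.path.join(' > ')}`);
}

const SAMPLE_BLOCKLIST = { 'flatmap-stream': new Set(['1.0.1-constructed']) }; // constructed

if (typeof require !== 'undefined' && require.main === module) {
  const lines = report(SAMPLE_LOCK, SAMPLE_DIRECT_DEPS, SAMPLE_BLOCKLIST);
  console.log(lines.length ? lines.join('\n') : 'no blocked versions found');
}
```

Against the constructed lockfile the report shows that only the copy reached through gulp-nightwatch and event-stream is the flagged version, while the copy reached through the other direct dependency is not, which is exactly the distinction the comment above draws between "we depended on it" and "we had the infected version". Pointing `SAMPLE_LOCK` at a parsed real `package-lock.json` and `SAMPLE_DIRECT_DEPS` at the names in package.json gives the same answer for a real project.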

daed commented 5 years ago

It seems npm has removed the package anyway, so it would have failed and needed to be removed regardless of whether the malware was present or not.