Closed rogierschouten closed 2 years ago
It seems 3.3.5 is also clean, or where do you see the code?
https://unpkg.com/event-stream@3.3.5/test/
So should we use 3.3.5? Or better 3.3.4?
3.3.6 has the flatmap-stream malicious package. https://github.com/dominictarr/event-stream/commits/master/package.json
The only use of event-stream here is es.map, which is directly available through the map-stream npm package. Please see https://github.com/tracker1/gulp-footer/pull/13 with this approach (replacing event-stream).
In this case, yes. But see my answer in the other PR.
Also, the fastest and most direct way is to pin it. No one can remove packages after 24 hours.
Closing as no longer relevant.
A serious issue with event-stream has been found. Please fix the version to either ^4.0.0 or 3.3.4 (exact version). Versions 3.3.5 and 3.3.6 are vulnerable.
https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream