gulp-community / gulp-footer

Gulp extension to add a footer to file(s) in the pipeline
MIT License

please ensure that only secure event-stream versions are used #11

Closed rogierschouten closed 2 years ago

rogierschouten commented 5 years ago

A serious issue with event-stream has been found. Please fix the version to either ^4.0.0 or 3.3.4 (exact version). Versions 3.3.5 and 3.3.6 are vulnerable.

https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream

DanielRuf commented 5 years ago

It seems 3.3.5 is also clean or where do you see the code? https://unpkg.com/event-stream@3.3.5/test/

So should we use 3.3.5? Or better 3.3.4?

TwoAbove commented 5 years ago

3.3.6 has the flatmap-stream malicious package. https://github.com/dominictarr/event-stream/commits/master/package.json

Basa0 commented 5 years ago

The only use of event-stream here is es.map, which is directly available through the map-stream npm package. Please see https://github.com/tracker1/gulp-footer/pull/13 with this approach (replacing event-stream).

DanielRuf commented 5 years ago

In this case, yes. But see my answer in the other PR.

DanielRuf commented 5 years ago

Also, the fastest and most direct way is to pin it. No one can remove packages after 24 hours.

tracker1 commented 2 years ago

Closing as no longer relevant.