Closed: TheSeg closed this issue 5 years ago
Locking it to 3.3.4 might be a quick fix for now (and npm has taken ownership of the package in the meantime).
I note that the bad version has been yanked from npm, but the current default with gulp-reload will be to include 3.3.5, which is (I guess?) benign but does include (only) changes by the bad actor who went on to add the malicious code in 3.3.6.
The dependency was pinned to 3.3.4 in #140 (released as version 4.0.1). Please send a PR (or message) when the problem is resolved.
As noted in this issue, event-stream is compromised and the original maintainer doesn't have control over the repo.