Closed JeroenReumkens closed 5 years ago
https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
For npm users, you can check if your project contains the vulnerable dependency by running npm audit. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.
Based on this info from npm, everything should be good. Running npm audit reveals zero vulnerabilities and the package.json specifies a later version.
@jonkemp The latest versions, 4.0 and 4.0.1, appear to have been released by the same user: https://github.com/dominictarr/event-stream/releases
For more details, see this blog post: https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502
Please reconsider reverting to an earlier version. Thank you.
There is no need. You should read the npm update on the incident I linked above. The affected package has been removed and is no longer a dependency of event-stream.
Hi,
I just noticed while checking my dependencies that this project uses event-stream 3.3.5+ which has just been discovered as malicious. Is it possible for you to revert the upgrade and use 3.3.4 again?
See this ticket: https://github.com/dominictarr/event-stream/issues/116
Thanks a lot!
Jeroen.
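
Added example (not from the thread or from the project): alongside npm audit, the lockfile shows which event-stream versions are actually resolved, including copies pulled in transitively. The two lockfile objects and the example-tool package name are constructed for illustration.

```javascript
// List every resolved copy of a package in a parsed package-lock.json.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function findResolved(lock, name) {
  const hits = [];

  // lockfileVersion 2 and 3: keys look like "node_modules/a/node_modules/b".
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const parts = path.split('node_modules/');
      const leaf = parts[parts.length - 1];
      if (path !== '' && leaf === name) {
        hits.push({ version: meta.version, path });
      }
    }
    return hits;
  }

  // lockfileVersion 1: dependencies nest recursively under each package.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = trail.concat(dep);
      if (dep === name) {
        hits.push({ version: meta.version, path: here.join(' > ') });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles: one direct copy, one nested under a
// hypothetical "example-tool" package.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '4.0.1' },
    'example-tool': {
      version: '1.0.0',
      dependencies: { 'event-stream': { version: '3.3.4' } },
    },
  },
};
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/event-stream': { version: '4.0.1' },
    'node_modules/example-tool': { version: '1.0.0' },
    'node_modules/example-tool/node_modules/event-stream': { version: '3.3.4' },
  },
};
console.log(findResolved(sampleV1, 'event-stream'), findResolved(sampleV3, 'event-stream'));
```

To check a real project, pass the result of JSON.parse on the contents of package-lock.json as the first argument.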