jonkemp / gulp-useref

Parse build blocks in HTML files to replace references to non-optimized scripts or stylesheets.
MIT License

Revert event-stream to 3.3.4 #256

Closed JeroenReumkens closed 5 years ago

JeroenReumkens commented 5 years ago

Hi,

I just noticed while checking my dependencies that this project uses event-stream 3.3.5+ which has just been discovered as malicious. Is it possible for you to revert the upgrade and use 3.3.4 again?

See this ticket: https://github.com/dominictarr/event-stream/issues/116

Thanks a lot!

Jeroen.

jonkemp commented 5 years ago

https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

For npm users, you can check if your project contains the vulnerable dependency by running npm audit. If you have installed the impacted version of this event-stream, we recommend that you update to a later version as soon as possible.

Based on this info from npm, everything should be good. Running npm audit reveals zero vulnerabilities and the package.json specifies a later version.
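An added example (not code from gulp-useref or from anyone in this thread) of the check being discussed: walk a lockfile-v1 `dependencies` tree, list every resolved copy of event-stream, transitive ones included, and flag those at or above the 3.3.5 threshold the reporter gave. The lockfile and all version numbers in it are constructed, and the threshold is a policy parameter, not a statement about which releases are safe.

```javascript
// Constructed sample of an npm lockfile-v1 "dependencies" tree.
// Package versions here are made up for the example.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "gulp-useref": {
      version: "3.1.6",
      dependencies: { "event-stream": { version: "3.3.4" } }
    },
    "some-other-tool": {
      version: "1.0.0",
      dependencies: { "event-stream": { version: "3.3.6" } }
    },
    "event-stream": { version: "4.0.1" }
  }
};

// Numeric major.minor.patch comparison (enough for plain release versions).
function compareVersions(a, b) {
  const x = a.split(".").map(Number);
  const y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Recursively collect every resolved copy of `name`, recording the
// dependency path that pulled it in. Nested copies are what `npm ls`
// would show as duplicates; a top-level pin alone does not prove
// a transitive copy is on the same version.
function findPackage(node, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    findPackage(info, name, here, out);
  }
  return out;
}

// Flag every copy at or above `minSuspect` (the threshold is our policy input).
function auditEventStream(lock, minSuspect = "3.3.5") {
  return findPackage(lock, "event-stream").map(hit => ({
    ...hit,
    suspect: compareVersions(hit.version, minSuspect) >= 0
  }));
}
```

Run this against your own `package-lock.json` (read it with `JSON.parse(fs.readFileSync(...))`) to confirm that no nested copy of the package survived a top-level bump.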

boaz-amit commented 5 years ago

@jonkemp The latest versions, 4.0 and 4.0.1, appear to have been released by the same user: https://github.com/dominictarr/event-stream/releases

For more details, see this blog post: https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502

Please reconsider reverting to an earlier version. Thank you.

jonkemp commented 5 years ago

There is no need. You should read the npm update on the incident I linked above. The affected package has been removed and is no longer a dependency of event-stream.