Closed BrianAtIgloo closed 5 years ago
Given that the offending packages have been unpublished, do you think this is still needed? Given the targeted nature of the attack, this package being fairly niche and the malicious packages having been unpublished since, I think it might be fair to assume that the danger is not imminent any more.
I'm not sure if it is required TBH but I noticed it was flagged during the audit we did so I wanted to create a quick PR. Happy to accept either a :+1: :-1:
Looks like after a cache clean we're now getting this error so it looks like this is much more serious than I first thought. Likely has to do with our package-lock.json files in our projects.
npm ERR! code EINTEGRITY
npm ERR! sha512-ucyr6WkLXjyMuHPtOUq4l+nSAxgWi7v4QO508eQ9resnGj+lSup26oIsUI5aH8k4Qfpjsxa8dDf9UCKkS2KHzQ== integrity checksum failed when using sha512: wanted sha512-ucyr6WkLXjyMuHPtOUq4l+nSAxgWi7v4QO508eQ9resnGj+lSup26oIsUI5aH8k4Qfpjsxa8dDf9UCKkS2KHzQ== but got sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==. (0 bytes)
(and deleting package-lock.json does not resolve the issue)
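The "wanted ... but got ... (0 bytes)" output above is worth reading literally: npm compares the SRI hash recorded in package-lock.json with the bytes it actually received, and a zero-byte response hashes to a fixed, recognisable value. The script below is an added example for this page, not code from this PR or from the project. It reproduces that integrity comparison with the two sha512 values copied from the error, and scans a package-lock.json (lockfileVersion 1 or 2/3 shapes) for event-stream versions newer than the 3.3.4 pin and for flatmap-stream, the dependency the compromised event-stream release pulled in according to the npm post linked at the bottom of this page. The lock-file contents and tarball bytes are constructed for the example.

```python
"""Integrity check and lock-file scan for the EINTEGRITY error in the thread.

Added example, not code from the PR or the project. The two SRI strings are
copied from the npm error output above; everything else is constructed.
"""
import base64
import hashlib
import json

# SRI strings from the EINTEGRITY error quoted in the thread.
WANTED = "sha512-ucyr6WkLXjyMuHPtOUq4l+nSAxgWi7v4QO508eQ9resnGj+lSup26oIsUI5aH8k4Qfpjsxa8dDf9UCKkS2KHzQ=="
GOT = "sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg=="

PINNED_EVENT_STREAM = (3, 3, 4)  # the version this PR pins to


def sri_sha512(data: bytes) -> str:
    """SRI string the way npm writes it: algorithm, dash, base64 of the raw digest."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def check_integrity(expected_sri: str, data: bytes) -> tuple:
    """Compare the lock file's SRI with the bytes actually received for the tarball.

    Returns (matches, sri_of_received_bytes), i.e. both halves of npm's
    "wanted ... but got ..." message.
    """
    algo, _, _ = expected_sri.partition("-")
    if algo != "sha512":
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    got = sri_sha512(data)
    return got == expected_sri, got


def _version_tuple(version: str) -> tuple:
    """'3.3.6' -> (3, 3, 6); a pre-release suffix is dropped for this comparison."""
    if not version:
        return ()
    return tuple(int(part) for part in version.split("-")[0].split("."))


def _entries(lock: dict):
    """Yield (name, version) for every package in a lock file.

    lockfileVersion 2/3 files carry a 'packages' map keyed by node_modules path;
    lockfileVersion 1 files carry a (possibly nested) 'dependencies' tree.
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # the empty key is the root project itself
                yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_risky(lock: dict) -> list:
    """Flag event-stream newer than the pin and any flatmap-stream entry.

    flatmap-stream is the dependency that the compromised event-stream release
    added and that npm removed from the registry (per the npm post linked on
    this page), which is why fetching it yields an empty body.
    """
    hits = []
    for name, version in _entries(lock):
        if name == "event-stream" and _version_tuple(version) > PINNED_EVENT_STREAM:
            hits.append((name, version, "newer than the 3.3.4 pin"))
        elif name == "flatmap-stream":
            hits.append((name, version, "dependency introduced by the compromised release"))
    return hits


# Constructed lock file for the example, in the lockfileVersion 1 shape.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.6",
      "requires": { "flatmap-stream": "0.1.1" }
    },
    "flatmap-stream": { "version": "0.1.1" },
    "through": { "version": "2.3.8" }
  }
}
""")


def main() -> None:
    # 1. An empty body hashes to exactly the "got" value in the error above,
    #    so npm received zero bytes, consistent with an unpublished tarball.
    ok, got = check_integrity(WANTED, b"")
    print("empty body matches lock file:", ok, "| got == error's 'got':", got == GOT)

    # 2. The same check passes when the bytes match the SRI in the lock file.
    tarball = b"not a real tarball, constructed for the example"
    print("genuine bytes match:", check_integrity(sri_sha512(tarball), tarball)[0])

    # 3. Scan the constructed lock file for the packages involved.
    for name, version, reason in find_risky(SAMPLE_LOCK):
        print(f"{name}@{version}: {reason}")


if __name__ == "__main__":
    main()
```

Run it against a real lock file with `find_risky(json.load(open("package-lock.json")))`. The point of the first check is diagnostic: when the "got" hash equals the sha512 of zero bytes, the lock file is not corrupt and the fix is not a cache clean; the registry simply no longer serves that tarball, so the recorded version has to be replaced (which is what pinning to 3.3.4 does).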
We resolved the EINTEGRITY errors by forking this and publishing the package with the change in this PR to our internal NPM server so we can continue to work.
@BrianAtIgloo - interesting, the error did not look to me like it has anything to do with this package - I can release a new version, do you think that will fix it?
:tada: This issue has been resolved in version 1.1.2 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
Thanks! I'll confirm the fix and report back. Much appreciated @joscha!
Confirmed this fixes the errors we were previously seeing. Thanks again!
Locked event-stream package to 3.3.4 before the compromise. See: blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident