joscha / gulp-rewrite-css

A gulp plugin that allows rewriting url references in CSS
MIT License
17 stars 12 forks

Fix to address event-stream vulnerability #115

Closed BrianAtIgloo closed 5 years ago

BrianAtIgloo commented 5 years ago

Locked event-stream package to 3.3.4 before the compromise. See: blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

coveralls commented 5 years ago

Coverage remained the same at 97.849% when pulling 3eb7a0b64f592e5c4f3044a8b99071e02458f6c8 on BrianAtIgloo:patch-1 into f96560f7d686e82c826e51efd4f73a92679b677b on joscha:master.

joscha commented 5 years ago

Given that the offending packages have been unpublished, do you think this is still needed? Given the targeted nature of the attack, this package being fairly niche and the malicious packages having been unpublished since, I think it might be fair to assume that the danger is not imminent any more.

BrianAtIgloo commented 5 years ago

I'm not sure if it is required TBH but I noticed it was flagged during the audit we did so I wanted to create a quick PR. Happy to accept either a :+1: or :-1:

BrianAtIgloo commented 5 years ago

Looks like after a cache clean we're now getting this error so it looks like this is much more serious than I first thought. Likely has to do with our package-lock.json files in our projects.

```
npm ERR! code EINTEGRITY
npm ERR! sha512-ucyr6WkLXjyMuHPtOUq4l+nSAxgWi7v4QO508eQ9resnGj+lSup26oIsUI5aH8k4Qfpjsxa8dDf9UCKkS2KHzQ== integrity checksum failed when using sha512: wanted sha512-ucyr6WkLXjyMuHPtOUq4l+nSAxgWi7v4QO508eQ9resnGj+lSup26oIsUI5aH8k4Qfpjsxa8dDf9UCKkS2KHzQ== but got sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==. (0 bytes)
```

BrianAtIgloo commented 5 years ago

(and deleting package-lock.json does not resolve the issue)

BrianAtIgloo commented 5 years ago

We resolved the EINTEGRITY errors by forking this and publishing the package with the change in this PR to our internal NPM server so we can continue to work.

joscha commented 5 years ago

@BrianAtIgloo - interesting, the error did not look to me like it has anything to do with this package - I can release a new version, do you think that will fix it?

joscha commented 5 years ago

:tada: This issue has been resolved in version 1.1.2 :tada:

The release is available on:

Your semantic-release bot :package::rocket:

BrianAtIgloo commented 5 years ago

Thanks! I'll confirm the fix and report back. Much appreciated @joscha!

BrianAtIgloo commented 5 years ago

Confirmed this fixes the errors we were previously seeing. Thanks again!