mysticatea / npm-run-all

A CLI tool to run multiple npm-scripts in parallel or sequential.
MIT License
5.7k stars 242 forks

Malicious dependency? #153

Closed jeremyrajan closed 5 years ago

jeremyrajan commented 5 years ago

Hi @mysticatea ,

Thanks a lot for the lib :). I was reading through the latest vulnerability that was reported here:

  1. https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
  2. https://github.com/dominictarr/event-stream/issues/116

(2) explains more in detail regarding the dependency. I ran the checks, and it seems one of the versions has that... [image attached]

Should this be dealt with? Or is it already patched :).

Thank you!
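
One way to run the kind of check mentioned above, as an added example that is not part of this thread or of npm-run-all: walk the nested `dependencies` tree of a v1 `package-lock.json` and report every path through which a named package version is pulled in. The lockfile below is constructed sample data; `some-cli-tool` and `example-app` are hypothetical names.

```javascript
// Added example (not npm-run-all project code): find the dependency paths in
// a package-lock.json (lockfileVersion 1, nested "dependencies" layout) that
// lead to a given package and version, e.g. flatmap-stream@0.1.1.

// Constructed sample lockfile. The package names other than event-stream and
// flatmap-stream are hypothetical; the version numbers are sample values.
const sampleLock = {
  name: 'example-app',
  dependencies: {
    'some-cli-tool': {
      version: '1.0.0',
      dependencies: {
        'event-stream': {
          version: '3.3.6',
          dependencies: {
            'flatmap-stream': { version: '0.1.1' }
          }
        }
      }
    },
    'event-stream': { version: '3.3.4' }
  }
};

// Return every path (array of "name@version" strings) from the root of the
// lockfile to a dependency whose name matches pkgName and whose version is
// one of badVersions. Nested dependencies are searched recursively.
function findDependencyPaths(lock, pkgName, badVersions, trail = []) {
  const hits = [];
  for (const [name, info] of Object.entries(lock.dependencies || {})) {
    const here = trail.concat(`${name}@${info.version}`);
    if (name === pkgName && badVersions.includes(info.version)) {
      hits.push(here);
    }
    hits.push(...findDependencyPaths(info, pkgName, badVersions, here));
  }
  return hits;
}

// True when any affected version of pkgName appears anywhere in the tree.
function hasAffectedDependency(lock, pkgName, badVersions) {
  return findDependencyPaths(lock, pkgName, badVersions).length > 0;
}

// Usage on the constructed sample: print each path to flatmap-stream@0.1.1.
for (const p of findDependencyPaths(sampleLock, 'flatmap-stream', ['0.1.1'])) {
  console.log('affected via: ' + p.join(' > '));
}
```

To check a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; lockfiles with `lockfileVersion` 2 or 3 use a flat `packages` map instead of the nested layout handled here.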

deniaz commented 5 years ago

We're now even seeing errors in our CI pipeline since flatmap-stream was removed from the registry:

npm ERR! code E404
npm ERR! 404 Not Found: flatmap-stream@0.1.1

Edit: nvm, see below.

isnifer commented 5 years ago

@jeremyrajan just upgrade to 4.1.5

jeremyrajan commented 5 years ago

yup that works @isnifer! thank you 👍