ritwickdey / vscode-live-server

Launch a development local Server with live reload feature for static & dynamic pages.
https://ritwickdey.github.io/vscode-live-server
MIT License
5.66k stars 1.23k forks

Extension affected by compromised flatmap-stream #240

Closed Regaddi closed 5 years ago

Regaddi commented 5 years ago

I'm submitting a...

[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report
[ ] Feature request
[ ] Documentation issue or request
[x] Other: Security concern

Current behavior

Liveserver 5.2.0 depends on compromised package flatmap-stream.

Expected behavior

Liveserver 5.2.0 doesn't depend on compromised package flatmap-stream.

Environment

For Tooling issues:

- Live Server: 5.2.0
- Platform:  macOS High Sierra 10.13.6
- Visual Studio Code: 1.29.1

$ find ~ -name "flatmap-stream"
/Users/me/.vscode/extensions/ritwickdey.liveserver-5.2.0/node_modules/flatmap-stream

Others

See

ritwickdey commented 5 years ago

Thank you so much.. Upgrading all libraries.. This will resolve.. I hope...

Anyway, the strange thing is that flatmap-stream is not mentioned even in package-lock.json.. Even when I did npm ls flatmap-stream... there is no result. But the file exists in the extension package.

Regaddi commented 5 years ago

This is my npm ls output:

LiveServer@5.2.0 /Users/me/.vscode/extensions/ritwickdey.liveserver-5.2.0
├── http-shutdown@1.2.0
├─┬ ips@2.1.3
│ ├─┬ internal-ip@1.2.0
│ │ └─┬ meow@3.7.0
│ │   ├─┬ camelcase-keys@2.1.0
│ │   │ ├── camelcase@2.1.1
│ │   │ └── map-obj@1.0.1 deduped
│ │   ├── decamelize@1.2.0
│ │   ├─┬ loud-rejection@1.6.0
│ │   │ ├─┬ currently-unhandled@0.4.1
│ │   │ │ └── array-find-index@1.0.2
│ │   │ └── signal-exit@3.0.2
│ │   ├── map-obj@1.0.1
│ │   ├── minimist@1.2.0
│ │   ├─┬ normalize-package-data@2.4.0
│ │   │ ├── hosted-git-info@2.7.1
│ │   │ ├─┬ is-builtin-module@1.0.0
│ │   │ │ └── builtin-modules@1.1.1
│ │   │ ├── semver@5.6.0
│ │   │ └─┬ validate-npm-package-license@3.0.4
│ │   │   ├─┬ spdx-correct@3.0.2
│ │   │   │ ├── spdx-expression-parse@3.0.0 deduped
│ │   │   │ └── spdx-license-ids@3.0.2
│ │   │   └─┬ spdx-expression-parse@3.0.0
│ │   │     ├── spdx-exceptions@2.2.0
│ │   │     └── spdx-license-ids@3.0.2 deduped
│ │   ├── object-assign@4.1.1 deduped
│ │   ├─┬ read-pkg-up@1.0.1
│ │   │ ├─┬ find-up@1.1.2
│ │   │ │ ├─┬ path-exists@2.1.0
│ │   │ │ │ └── pinkie-promise@2.0.1 deduped
│ │   │ │ └── pinkie-promise@2.0.1 deduped
│ │   │ └─┬ read-pkg@1.1.0
│ │   │   ├─┬ load-json-file@1.1.0
│ │   │   │ ├── graceful-fs@4.1.15
│ │   │   │ ├── parse-json@2.2.0 deduped
│ │   │   │ ├── pify@2.3.0
│ │   │   │ ├── pinkie-promise@2.0.1 deduped
│ │   │   │ └─┬ strip-bom@2.0.0
│ │   │   │   └── is-utf8@0.2.1
│ │   │   ├── normalize-package-data@2.4.0 deduped
│ │   │   └─┬ path-type@1.1.0
│ │   │     ├── graceful-fs@4.1.15 deduped
│ │   │     ├── pify@2.3.0 deduped
│ │   │     └── pinkie-promise@2.0.1 deduped
│ │   ├─┬ redent@1.0.0
│ │   │ ├─┬ indent-string@2.1.0
│ │   │ │ └─┬ repeating@2.0.1
│ │   │ │   └─┬ is-finite@1.0.2
│ │   │ │     └── number-is-nan@1.0.1
│ │   │ └─┬ strip-indent@1.0.1
│ │   │   └── get-stdin@4.0.1
│ │   └── trim-newlines@1.0.0
│ ├── ip-regex@1.0.3
│ └─┬ ipify@1.1.0
│   ├─┬ got@5.7.1
│   │ ├─┬ create-error-class@3.0.2
│   │ │ └── capture-stack-trace@1.0.1
│   │ ├─┬ duplexer2@0.1.4
│   │ │ └── readable-stream@2.3.6 deduped
│   │ ├── is-redirect@1.0.0
│   │ ├── is-retry-allowed@1.1.0
│   │ ├── is-stream@1.1.0
│   │ ├── lowercase-keys@1.0.1
│   │ ├── node-status-codes@1.0.0
│   │ ├── object-assign@4.1.1 deduped
│   │ ├─┬ parse-json@2.2.0
│   │ │ └─┬ error-ex@1.3.2
│   │ │   └── is-arrayish@0.2.1
│   │ ├─┬ pinkie-promise@2.0.1
│   │ │ └── pinkie@2.0.4
│   │ ├─┬ read-all-stream@3.1.0
│   │ │ ├── pinkie-promise@2.0.1 deduped
│   │ │ └── readable-stream@2.3.6 deduped
│   │ ├─┬ readable-stream@2.3.6
│   │ │ ├── core-util-is@1.0.2
│   │ │ ├── inherits@2.0.3
│   │ │ ├── isarray@1.0.0
│   │ │ ├── process-nextick-args@2.0.0
│   │ │ ├── safe-buffer@5.1.2
│   │ │ ├─┬ string_decoder@1.1.1
│   │ │ │ └── safe-buffer@5.1.2 deduped
│   │ │ └── util-deprecate@1.0.2
│   │ ├── timed-out@3.1.3
│   │ ├── unzip-response@1.0.2
│   │ └─┬ url-parse-lax@1.0.0
│   │   └── prepend-http@1.0.4
│   └── meow@3.7.0 deduped
├─┬ live-server@1.3.1 invalid
│ ├── chokidar@1.7.0 extraneous
│ ├── colors@1.3.2 extraneous
│ ├── connect@3.5.1 extraneous
│ ├── cors@2.8.5 extraneous
│ ├── event-stream@3.3.6 extraneous
│ ├── faye-websocket@0.11.1 extraneous
│ ├── http-auth@3.1.3 extraneous
│ ├── http-proxy@1.17.0 extraneous
│ ├── morgan@1.9.1 extraneous
│ ├── object-assign@4.1.1
│ ├── opn@5.4.0 deduped
│ ├── proxy-middleware@0.15.0 extraneous
│ ├── send@0.16.2 extraneous
│ └── serve-index@1.9.1 extraneous
├─┬ opn@5.4.0
│ └── is-wsl@1.1.0
└── vsls@0.3.967

And ls /Users/me/.vscode/extensions/ritwickdey.liveserver-5.2.0/node_modules:

accepts             copy-descriptor         flatmap-stream          is-arrayish         map-cache           parse-glob          repeating           strip-indent
anymatch            core-util-is            follow-redirects        is-binary-path          map-obj             parse-json          requires-port           through
apache-crypt            cors                for-in              is-buffer           map-stream          parseurl            resolve-url         timed-out
apache-md5          create-error-class      for-own             is-builtin-module       map-visit           pascalcase          ret             to-object-path
arr-diff            currently-unhandled     fragment-cache          is-data-descriptor      math-random         path-exists         safe-buffer         to-regex
arr-flatten         debug               fresh               is-descriptor           meow                path-is-absolute        safe-regex          to-regex-range
arr-union           decamelize          from                is-dotfile          micromatch          path-type           semver              trim-newlines
array-find-index        decode-uri-component        fsevents            is-equal-shallow        mime                pause-stream            send                union-value
array-unique            define-property         get-stdin           is-extendable           mime-db             pify                serve-index         unix-crypt-td-js
assign-symbols          depd                get-value           is-extglob          mime-types          pinkie              set-value           unpipe
async-each          destroy             glob-base           is-finite           minimist            pinkie-promise          setprototypeof          unset-value
atob                duplexer            glob-parent         is-glob             mixin-deep          posix-character-classes     signal-exit         unzip-response
base                duplexer2           got             is-number           morgan              prepend-http            snapdragon          urix
basic-auth          ee-first            graceful-fs         is-plain-object         ms              preserve            snapdragon-node         url-parse-lax
batch               encodeurl           has-value           is-posix-bracket        nan             process-nextick-args        snapdragon-util         use
bcryptjs            error-ex            has-values          is-primitive            nanomatch           proxy-middleware        source-map          util-deprecate
binary-extensions       escape-html         hosted-git-info         is-redirect         negotiator          randomatic          source-map-resolve      utils-merge
braces              etag                http-auth           is-retry-allowed        node-status-codes       range-parser            source-map-url          uuid
builtin-modules         event-stream            http-errors         is-stream           normalize-package-data      read-all-stream         spdx-correct            validate-npm-package-license
cache-base          eventemitter3           http-parser-js          is-utf8             normalize-path          read-pkg            spdx-exceptions         vary
camelcase           expand-brackets         http-proxy          is-windows          number-is-nan           read-pkg-up         spdx-expression-parse       vsls
camelcase-keys          expand-range            http-shutdown           is-wsl              object-assign           readable-stream         spdx-license-ids        websocket-driver
capture-stack-trace     extend-shallow          indent-string           isarray             object-copy         readdirp            split               websocket-extensions
chokidar            extglob             inherits            isobject            object-visit            redent              split-string
class-utils         faye-websocket          internal-ip         kind-of             object.omit         regex-cache         static-extend
collection-visit        filename-regex          ip-regex            live-server         object.pick         regex-not           statuses
colors              fill-range          ipify               load-json-file          on-finished         remove-trailing-separator   stream-combiner
component-emitter       finalhandler            ips             loud-rejection          on-headers          repeat-element          string_decoder
connect             find-up             is-accessor-descriptor      lowercase-keys          opn             repeat-string           strip-bom

flatmap-stream has recently been removed from npmjs.com, so this might explain why it's not listed in npm ls command.

ritwickdey commented 5 years ago

I just published a new version. Can you please confirm after upgrading to LiveServer@5.3.0?

Regaddi commented 5 years ago

flatmap-stream is not listed anymore with 5.3.0. There's still event-stream@3.3.5 installed (as a direct dependency of live-server) but as far as I am informed, this shouldn't be malicious anymore since the malicious code has been injected through the flatmap-stream package, which is not installed anymore. I will open up a ticket at live-server as well to update the dependency to event-stream to non-malicious version 4.0.1 and then we should be done for now 😄

Regaddi commented 5 years ago

According to https://github.com/tapio/live-server/issues/285 live-server has already been updated. It seems like vscode-live-server is referencing an invalid version (live-server@1.4.0) which doesn't exist. @ritwickdey You should consider using a valid version (currently 1.2.1) which is pinned to non-malicious event-stream@3.3.4.

ritwickdey commented 5 years ago

Hi @Regaddi, No.. we have maintained a different copy of live-server for the last few months.

ritwickdey commented 5 years ago

This has been fixed! Let me know if I missed something!