rucken / core-nestjs

A simple application demonstrating the basic usage of permissions with NestJS (JWT, Passport, Facebook, Google+, User, Group, Permission)
https://core-nestjs.rucken.ru/swagger
MIT License

WARNING ! NPM 404 because of security incident #52

Closed sebilasse closed 5 years ago

sebilasse commented 5 years ago

Hey there, this project is not installable because of the event-stream dependency. [several related greenkeeper issues exist]

Also, there should be a note for people who used it in the past that they must update their package.json:

The malicious subdependency came with "npm-run-all": "^4.1.3" which should be upgraded to "npm-run-all": "^4.1.5" to make it work again – see these issues in npm-run-all

The npm post - “After triaging the malware, npm Security responded by removing flatmap-stream and event-stream@3.3.6 from the Registry and taking ownership of the event-stream package to prevent further abuse.”

See also https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/ https://medium.com/intrinsic/compromised-npm-package-event-stream-d47d08605502
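The check described in the comment above, written out as an added example (not part of the original thread and not code from rucken/core-nestjs): it scans a parsed lockfile for `event-stream@3.3.6` and any `flatmap-stream`, and reports whether the declared `npm-run-all` range still starts below 4.1.5. The function names, the simplified range parsing, and the sample objects (including the `ps-tree` and `flatmap-stream` version strings) are assumptions made for illustration.

```javascript
// Added example, not code from rucken/core-nestjs: audits parsed package.json
// and package-lock.json objects for the packages named in this issue.
const BAD = new Map([
  ['event-stream', v => v === '3.3.6'], // the version npm removed
  ['flatmap-stream', () => true],       // removed from the registry entirely
]);

// Lockfile v1 nests `dependencies`; v2/v3 use a flat `packages` map keyed by
// install path ("node_modules/a/node_modules/b").
function findCompromised(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (BAD.has(name) && BAD.get(name)(version)) hits.push({ name, version, path });
  };
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      check(name, info.version, [...trail, name].join(' > '));
      walk(info.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  for (const [key, info] of Object.entries(lock.packages || {})) {
    const parts = key.split('node_modules/').filter(Boolean).map(p => p.replace(/\/$/, ''));
    if (parts.length) check(parts[parts.length - 1], info.version, parts.join(' > '));
  }
  return hits;
}

// True when the floor of a simple range (^x.y.z, ~x.y.z, >=x.y.z, x.y.z) is
// below `fixed`. Simplification: no semver library, no compound ranges.
function allowsBelow(range, fixed) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(range);
  if (!m) return true; // "*", tags, git URLs: flag for manual review
  const floor = m.slice(1).map(Number), want = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (floor[i] !== want[i]) return floor[i] < want[i];
  return false;
}

function auditProject(pkg, lock) {
  const range = { ...pkg.dependencies, ...pkg.devDependencies }['npm-run-all'];
  const needsBump = range !== undefined && allowsBelow(range, '4.1.5');
  return { hits: findCompromised(lock), npmRunAllNeedsBump: needsBump };
}

// Constructed sample input (not from any real project).
const samplePkg = { devDependencies: { 'npm-run-all': '^4.1.3' } };
const sampleLock = { lockfileVersion: 1, dependencies: {
  'ps-tree': { version: '1.1.0', dependencies: { 'event-stream': { version: '3.3.6' } } },
  'flatmap-stream': { version: '0.1.1' } } };
console.log(auditProject(samplePkg, sampleLock));
```

To run it against a real project, pass the results of `JSON.parse` on the project's `package.json` and `package-lock.json` to `auditProject`.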

EndyKaufman commented 5 years ago

Thank you for the issue, the problem is solved: https://github.com/rucken/core-nestjs/blob/master/package.json#L120