sezna / nps

NPM Package Scripts -- All the benefits of npm scripts without the cost of a bloated package.json and limits of json
MIT License

spawn-command-with-kill, ps-tree and event-stream are not safe #190

Closed dervism closed 5 years ago

dervism commented 5 years ago

See: indexzero/ps-tree#33 dominictarr/event-stream#116

When I run npm audit in my repo I get this message: Malicious Package : nps > spawn-command-with-kill > ps-tree > event-stream > flatmap-stream

dervism commented 5 years ago

I have opened a pull request: https://github.com/kentcdodds/spawn-command-with-kill/pull/2 in spawn-command-with-kill.

german-bortoli commented 5 years ago

Can someone merge the PR? pleaseeeee

kentcdodds commented 5 years ago

Merged... Wasn't flatmap-stream removed? The current version range for ps-tree should pick up the latest.... I don't see why this is necessary at all...

german-bortoli commented 5 years ago

Thanks @kentcdodds, now what is missing is the upgrade on npmjs.

Regards.

kentcdodds commented 5 years ago

But why? The version range that's already been published should include the fixed version. There is no longer a threat.

dervism commented 5 years ago

@kentcdodds You're right, it's not a threat now, but having the updated version of ps-tree is positive anyways. BTW: You may wanna add the range hat back on the version. I did not add it.