tomastrajan / angular-ngrx-material-starter

Angular, NgRx, Angular CLI & Angular Material Starter Project
https://tomastrajan.github.io/angular-ngrx-material-starter
MIT License

Malicious flatmap-stream detected #437

Closed cveld closed 5 years ago

cveld commented 5 years ago

Minimal reproduction of the bug with instructions:

git clone https://github.com/tomastrajan/angular-ngrx-material-starter.git
cd angular-ngrx-material-starter
npm install

Current behavior:

The virus scanner found a vulnerability in Cypress\Cache\3.1.1\Cypress\resources\app\packages\server\node_modules\flatmap-stream\index.min.js

Expected behavior:

No vulnerabilities found.

Other information:

Your repo looks like it is using a hacked version of event-stream. E.g. see https://blog.sonatype.com/open-source-software-is-under-attack-new-event-stream-hack-is-latest-proof

I would be willing to submit a PR to fix this issue:

[ ] Yes (Assistance is provided if you need help submitting a pull request)
[ ] No

timdeschryver commented 5 years ago

Thanks for bringing this up @cveld! Do you want to submit a PR for this? (I think this should be fixed by updating the dependencies)

cveld commented 5 years ago

Some additional analysis; cypress@3.1.1 does contain the vulnerability, refer to https://github.com/cypress-io/cypress/issues/2861. They fixed it in 3.1.2 and the latest version is currently 3.1.3. I'll submit a pull request with this specific amendment into package.json.