vatesfr / xen-orchestra

The global orchestration solution to manage and backup XCP-ng and XenServer.
https://xen-orchestra.com

Node module possibly infected with malware #3722

Closed jcharaoui closed 5 years ago

jcharaoui commented 5 years ago

According to multiple reports, some malware code was introduced in two popular Node.js libraries event-stream and flatmap-stream, both of which are used (directly or indirectly) in Xen Orchestra.

Please investigate and determine if Xen Orchestra users are vulnerable to this malware and if so, how to identify and correct the problem.

Thanks!

Findarato commented 5 years ago

flatmap-stream is no longer accessible so building XOA from source is also broken.

wranders commented 5 years ago

gulp-refresh and gulp-embedlr seem to be the only packages using these two.

Might want to nix live-reloading until an alternative is found, or NPM allows flatmap-stream back because it was fixed.

EDIT: It seems a number of packages have fixed their dependencies in the frenzy, so the offending flatmap-stream package is no longer included. @Findarato Deleting the yarn.lock that was pulled from the repo and regenerating it with yarn fixed the issue. flatmap-stream is no longer included in the install. Seems that's all @julien-f or one of the other maintainers would have to do.
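As an added check (not code from this thread or from Xen Orchestra), a small Node.js script that parses a v1 yarn.lock, reports whether flatmap-stream is locked at all and which packages transitively pull it in, so the "delete and regenerate yarn.lock" fix above can be verified rather than assumed. The lockfile excerpt and its version strings are constructed for the demo.

```javascript
// Constructed yarn.lock (v1) excerpt for this demo; versions are placeholders.
const SAMPLE_LOCK = `# yarn lockfile v1
event-stream@^3.3.4:
  version "3.3.0-example"
  dependencies:
    flatmap-stream "0.1.0-example"

flatmap-stream@0.1.0-example:
  version "0.1.0-example"

gulp-refresh@^1.0.0:
  version "1.0.0-example"
  dependencies:
    event-stream "^3.3.4"
`;
// Minimal yarn.lock v1 parser: [{ name, version, dependencies: { dep: range } }].
function parseYarnLock(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split(/\r?\n/)) {
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header `name@range, name@range2:`; take the first selector, keep a scoped '@'.
      const sel = line.replace(/:$/, '').split(',')[0].trim().replace(/^"|"$/g, '');
      cur = { name: sel.slice(0, sel.lastIndexOf('@')), version: null, dependencies: {} };
      entries.push(cur);
    } else if (line.startsWith('    ') && cur) {
      const m = line.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/); // `name "range"`
      if (m) cur.dependencies[m[1]] = m[2];
    } else if (line.startsWith('  version ') && cur) {
      cur.version = line.trim().split(/\s+/)[1].replace(/^"|"$/g, '');
    }
  }
  return entries;
}
// Is `target` locked at all, and which packages transitively pull it into the install?
function auditLock(text, target = 'flatmap-stream') {
  const entries = parseYarnLock(text);
  const parents = new Map(); // dependency name -> set of entry names that declare it
  for (const e of entries) {
    for (const d of Object.keys(e.dependencies)) (parents.get(d) || parents.set(d, new Set()).get(d)).add(e.name);
  }
  const seen = new Set(); // breadth-first walk up the reverse edges from target
  for (const queue = [target]; queue.length;) {
    for (const p of parents.get(queue.shift()) || []) if (!seen.has(p)) { seen.add(p); queue.push(p); }
  }
  const locked = entries.filter((e) => e.name === target).map((e) => e.version);
  return { locked, pulledInBy: [...seen].sort() };
}
```

Run it against the project's yarn.lock before and after regenerating it; an empty `locked` and `pulledInBy` confirms the package is really out of the tree, and a non-empty `pulledInBy` names the packages (here gulp-refresh via event-stream) that still need updating.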

julien-f commented 5 years ago

Thanks for your report. I've updated the dependencies; flatmap-stream is no longer used!

As noted, this dependency was only used in development, no need to cut a release for this.