
fix: bump nodemon to remove event-stream dep #4828

Merged (2 commits), Nov 27, 2018
Conversation

@spencern (Contributor) commented Nov 26, 2018

This fix removes a dependency on event-stream introduced by nodemon via pstree by bumping nodemon and pstree.remy through nodemon to a version that does not include pstree.

event-stream had a malicious bit of code added to version 3.3.6 which has since been removed from github and appears to have specifically targeted copay.

From the original post in the event-stream repo:

Am I affected?:
If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

```
$ npm ls event-stream flatmap-stream
...
[email protected]
...
```

What does it do:
Other users have done some good analysis of what these payloads actually do.
dominictarr/event-stream#116 (comment)
dominictarr/event-stream#116 (comment)
dominictarr/event-stream#116 (comment)

What can I do:
By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.

See the issue on the event-stream repo for more information: dominictarr/event-stream#116

The [event-stream issue](dominictarr/event-stream#116) appears to have specifically targeted [copay](https://github.com/bitpay/copay/issues/9346) which does appear to have caught the issue before anything was deployed.

We encourage all users of Reaction Commerce to update.
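The PR relies on `npm ls event-stream flatmap-stream` to spot the package in a dependency tree. As an added example (not code from this PR or from Reaction Commerce), the script below does the equivalent check offline against a lockfile: it walks a `package-lock.json` in the lockfile v1 layout (nested `dependencies` objects), reports every path by which `event-stream` or `flatmap-stream` is pulled in, and flags the version the PR names as malicious (event-stream 3.3.6). The sample lockfile, the intermediate version numbers (nodemon, pstree.remy, ps-tree), and the `some-other-tool` package are constructed for the example; only the nodemon -> pstree -> event-stream chain and the 3.3.6 version come from the PR text.

```javascript
// Added example: audit an npm lockfile (v1 nested layout) for a watched
// package and flag known-bad versions. Not part of the original PR.

// Versions the PR identifies as carrying injected code. flatmap-stream is
// watched (it appears in the PR's npm ls command) but no version is listed
// for it here because the page does not state one.
const BLOCKED = {
  'event-stream': new Set(['3.3.6']),
};
const WATCH = ['event-stream', 'flatmap-stream'];

// Recursively walk lockfile v1 "dependencies", collecting every occurrence
// of a watched package together with the chain of parents that pulls it in.
function findPackages(lock, watch, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = [...path, `${name}@${entry.version}`];
    if (watch.includes(name)) {
      out.push({ name, version: entry.version, path: here });
    }
    findPackages(entry, watch, here, out); // nested (non-hoisted) deps
  }
  return out;
}

function isBlocked(name, version) {
  return BLOCKED[name] instanceof Set && BLOCKED[name].has(version);
}

// Returns one record per hit: {name, version, path, blocked}.
function audit(lock, watch = WATCH) {
  return findPackages(lock, watch).map((hit) => ({
    ...hit,
    blocked: isBlocked(hit.name, hit.version),
  }));
}

// Human-readable report, one line per hit, mirroring npm ls output.
function formatReport(hits) {
  if (hits.length === 0) return ['no watched packages found'];
  return hits.map(
    (h) => `${h.blocked ? 'BLOCKED' : 'present'}  ${h.path.join(' > ')}`,
  );
}

// Load a real lockfile from disk (fs is required lazily so the audit
// functions above stay pure).
function loadLock(pathToLock) {
  const fs = require('fs');
  return JSON.parse(fs.readFileSync(pathToLock, 'utf8'));
}

// Constructed sample lockfile. The nodemon -> pstree.remy -> ps-tree ->
// event-stream chain follows the PR; all version numbers other than
// event-stream 3.3.6 are placeholders.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    nodemon: {
      version: '1.18.6',
      dependencies: {
        'pstree.remy': {
          version: '1.1.0',
          dependencies: {
            'ps-tree': {
              version: '1.1.1',
              dependencies: {
                'event-stream': { version: '3.3.6' },
              },
            },
          },
        },
      },
    },
    'some-other-tool': {
      version: '2.0.0',
      dependencies: {
        'event-stream': { version: '4.0.0' },
      },
    },
  },
};

// Demo run on the constructed lockfile.
console.log(formatReport(audit(SAMPLE_LOCK)).join('\n'));
```

To check a real project, replace `SAMPLE_LOCK` with `loadLock('package-lock.json')`. Note that this reads the lockfile only; after a bump such as the one in this PR, regenerate the lockfile and re-run the audit so that a stale lock does not keep the old version pinned.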
@spencern spencern requested a review from aldeed November 26, 2018 21:16
@nnnnat nnnnat self-requested a review November 26, 2018 22:23
@nnnnat (Contributor) left a comment

👍 LGTM!

@spencern spencern removed the request for review from aldeed November 26, 2018 23:04