Security vulnerability linked to nodemon
Hi,
A security vulnerability was found in event-stream https://github.com/dominictarr/event-stream/issues/116 Any version past 3.3.4 may be vulnerable.
A vulnerable version of EventStream is present in the dependency tree of bull-arena via nodemon@1.18.4
bull-arena@2.5.0
└─┬ nodemon@1.18.4
  └─┬ pstree.remy@1.1.0
    └─┬ ps-tree@1.1.0
      └─┬ event-stream@3.3.6
        └── flatmap-stream@0.1.2
It is advised to upgrade to nodemon@^1.18.7 to get rid of the problematic dependency tree.
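The check a practitioner wants after reading the tree above is an offline scan of the lockfile for the two packages the issue names: event-stream at any version above 3.3.4 (the issue's advisory threshold) and flatmap-stream at any version (it only appears in the tree as the package pulled in by the affected event-stream). The script below is an added example, not code from the nodemon or bull-arena projects. It walks both lockfile layouts npm has used: the nested "dependencies" objects of lockfile v1 and the flat "packages" map of v2/v3. The two lockfile objects embedded in it are constructed to mirror the tree in the issue and a post-upgrade tree; the exact contents of a real nodemon@1.18.7 lockfile are an assumption, not taken from the page.

```javascript
// Added example (not project code): scan an npm lockfile for the
// event-stream / flatmap-stream versions discussed in the issue.
// Policy assumed here: event-stream > 3.3.4 is flagged (per the issue),
// flatmap-stream is flagged at any version.

// Compare dotted numeric versions without pulling in the semver package.
function compareVersions(a, b) {
  const pa = a.split('.').map(n => parseInt(n, 10) || 0);
  const pb = b.split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns true when a (name, version) pair matches the policy above.
function isFlagged(name, version) {
  if (name === 'event-stream') return compareVersions(version, '3.3.4') > 0;
  return name === 'flatmap-stream';
}

// Lockfile v1: entries may carry their own nested "dependencies" objects
// for copies that npm could not hoist; recurse so nothing is missed.
function walkV1(deps, path, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = path.concat(`${name}@${info.version}`);
    if (isFlagged(name, info.version)) hits.push(here.join(' > '));
    walkV1(info.dependencies, here, hits);
  }
}

// Lockfile v2/v3: a flat "packages" map keyed by install path such as
// "node_modules/nodemon/node_modules/event-stream"; "" is the root project.
function walkPackages(packages, hits) {
  const marker = 'node_modules/';
  for (const [key, info] of Object.entries(packages || {})) {
    if (!key) continue;
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (isFlagged(name, info.version)) hits.push(`${key} (${info.version})`);
  }
}

// Entry point: returns every flagged location found in the lockfile object.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) walkPackages(lock.packages, hits);
  const root = lock.name ? `${lock.name}@${lock.version}` : 'root';
  walkV1(lock.dependencies, [root], hits);
  return hits;
}

// Constructed lockfile (v1 layout) mirroring the tree reported in the issue.
const SAMPLE_LOCK = {
  name: 'bull-arena', version: '2.5.0',
  dependencies: {
    nodemon: { version: '1.18.4', dependencies: {
      'pstree.remy': { version: '1.1.0', dependencies: {
        'ps-tree': { version: '1.1.0', dependencies: {
          'event-stream': { version: '3.3.6', dependencies: {
            'flatmap-stream': { version: '0.1.2' } } } } } } } } },
    express: { version: '4.16.4' },
  },
};

// Constructed post-upgrade lockfile; assumes the upgraded tree resolves to
// event-stream@3.3.4 and no flatmap-stream (an assumption for the example).
const FIXED_LOCK = {
  name: 'bull-arena', version: '2.5.1',
  packages: {
    '': { version: '2.5.1' },
    'node_modules/nodemon': { version: '1.18.7' },
    'node_modules/pstree.remy': { version: '1.1.0' },
    'node_modules/ps-tree': { version: '1.1.0' },
    'node_modules/event-stream': { version: '3.3.4' },
  },
};

// Run against a real package-lock.json when a path is given, else the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const hits = findVulnerable(lock);
  console.log(hits.length ? hits.join('\n') : 'no flagged packages');
  process.exitCode = hits.length ? 1 : 0;
}
```

Usage: `node scan-lock.js path/to/package-lock.json`; a non-zero exit code makes it usable as a CI gate. The reported path is the install location in the lockfile, not the `requires` chain that `npm ls` prints, so for a hoisted copy it will show fewer levels than the tree in the issue while still catching the same package.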
Issue Analytics
- State:
- Created 5 years ago
- Reactions:1
- Comments:6 (4 by maintainers)
Top GitHub Comments
Published as v2.5.1.

There is a problem specifically with cloud deployments (namely Google AppEngine). Even if you replace the dependency in package-lock.json, npm i is run by the build system and replaces nodemon with the "malicious" version, causing build errors.