
Security vulnerability linked to nodemon

See original GitHub issue

Hi,

A security vulnerability was found in event-stream (https://github.com/dominictarr/event-stream/issues/116). Any version past 3.3.4 may be vulnerable.

A vulnerable version of EventStream is present in the dependency tree of bull-arena via nodemon@1.18.4

└─┬ bull-arena@2.5.0
  └─┬ nodemon@1.18.4
    └─┬ pstree.remy@1.1.0
      └─┬ ps-tree@1.1.0
        └─┬ event-stream@3.3.6
          └── flatmap-stream@0.1.2

It is advised to upgrade to nodemon@^1.18.7 to get rid of the problematic dependency tree.
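An added example (not code from the issue, bull-arena or nodemon) that automates the check the report does by hand: walk a lockfile-v1 style tree from each direct dependency and return every require-chain that ends at an event-stream release past 3.3.4, the range the report names. The sample lockfile, the hypothetical "demo-tool" package and the nearest-scope resolution are constructed for the demo.

```javascript
// Added example, not code from the issue or from bull-arena/nodemon. Walks an
// npm lockfile-v1 style tree ("dependencies" + "requires" per node) and reports
// each require-chain from a direct dependency down to a vulnerable package.
const ADVISORIES = { 'event-stream': v => compareVersions(v, '3.3.4') > 0 }; // per the issue

function compareVersions(a, b) { // numeric major.minor.patch; lockfiles pin exact versions
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Resolve `name` the way Node does: nearest nested node_modules first, then upward.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

function findVulnerableChains(lock, directDeps) {
  const hits = [];
  const visit = (node, scopes, chain) => {
    for (const dep of Object.keys(node.requires || {})) {
      if (chain.some(c => c.startsWith(dep + '@'))) continue; // cycle guard
      const child = resolve(dep, scopes);
      if (!child) continue; // not in the lockfile: nothing installed to check
      const next = chain.concat(`${dep}@${child.version}`);
      const check = ADVISORIES[dep];
      if (check && check(child.version)) hits.push(next.join(' > '));
      visit(child, scopes.concat(child), next);
    }
  };
  for (const name of directDeps) {
    const node = resolve(name, [lock]);
    if (node) visit(node, [lock, node], [`${name}@${node.version}`]);
  }
  return hits;
}

// Constructed sample lockfile: the chain from the issue, plus a hypothetical
// "demo-tool" that keeps the safe event-stream@3.3.4 in its own nested node_modules.
const SAMPLE_LOCK = { dependencies: {
  'bull-arena':     { version: '2.5.0',  requires: { nodemon: '^1.18.4' } },
  nodemon:          { version: '1.18.4', requires: { 'pstree.remy': '^1.1.0' } },
  'pstree.remy':    { version: '1.1.0',  requires: { 'ps-tree': '^1.1.0' } },
  'ps-tree':        { version: '1.1.0',  requires: { 'event-stream': '~3.3.0' } },
  'event-stream':   { version: '3.3.6',  requires: { 'flatmap-stream': '^0.1.0' } },
  'flatmap-stream': { version: '0.1.2' },
  'demo-tool':      { version: '1.0.0',  requires: { 'event-stream': '3.3.4' }, dependencies: { 'event-stream': { version: '3.3.4' } } },
} };
```

Running `findVulnerableChains(SAMPLE_LOCK, ['bull-arena', 'demo-tool'])` returns only the bull-arena chain from the report; the nested 3.3.4 copy under demo-tool is resolved first and passes.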

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 1
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

skeggse commented, Nov 28, 2018 (4 reactions)

Published as v2.5.1.

eeVosko commented, Nov 28, 2018 (0 reactions)

There is a problem specifically with cloud deployments (namely Google AppEngine). Even if you replace the dependency in package-lock.json, npm i is run by the build system and replaces nodemon with the “malicious” version, causing build errors.
