Backdoor in event-stream dependency
The dependency event-stream version 3.3.6 contains a backdoor via a library it uses, flatmap-stream. The linked issue explains the situation.

Since package.json specifies "event-stream": "^3.3.4", it was possible to pull in the backdoor if you updated psl's dependencies during the period of time that event-stream 3.3.6 was available.

One fix would be to lock event-stream to exactly 3.3.4.
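The check and the fix described above, as an added example that is not code from the psl project or from the issue: a Node script that walks a package-lock.json (lockfileVersion 1, nested "dependencies" objects), flags the event-stream 3.3.6 release and any flatmap-stream entry at any depth, and rewrites the caret range to the exact pin the issue suggests. The lockfile contents and the flatmap-stream version string are constructed sample data, not psl's real lockfile.

```javascript
// Added example: audit a v1 package-lock.json for the affected event-stream
// release and for flatmap-stream, then apply the exact pin from the issue.

// Affected packages taken from the issue text: event-stream 3.3.6 is the
// release that pulled in flatmap-stream; flatmap-stream itself is a finding
// at any version (null = every version).
const AFFECTED = new Map([
  ['event-stream', new Set(['3.3.6'])],
  ['flatmap-stream', null],
]);

// Recursively walk the nested "dependencies" tree and return one
// "root > child > grandchild" path string per affected package found.
function findAffected(lock) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      const bad = AFFECTED.get(name);
      if (AFFECTED.has(name) && (bad === null || bad.has(info.version))) {
        findings.push(here.join(' > '));
      }
      walk(info.dependencies, here); // transitive deps are where the backdoor hid
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// The fix from the issue: replace a caret range ("^3.3.4") with an exact pin.
function pinExact(pkg, name, version) {
  return { ...pkg, dependencies: { ...pkg.dependencies, [name]: version } };
}

// Constructed sample lockfile reproducing the situation the issue describes;
// the flatmap-stream version is a placeholder, not a value from the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '3.3.6',
      dependencies: { 'flatmap-stream': { version: '0.0.0-placeholder' } },
    },
    'some-other-lib': { version: '1.0.0' },
  },
};

console.log(findAffected(sampleLock));
console.log(pinExact({ dependencies: { 'event-stream': '^3.3.4' } }, 'event-stream', '3.3.4'));
```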
Top GitHub Comments

Thank you @lupomontero!

Hi @muraiki, thanks for reporting this and apologies for the late reply…

I have now published a new version of psl (v1.1.31) to NPM with event-stream locked to version 3.3.4 as suggested. I have also created a separate issue to get rid of this dependency altogether in the near future.