[SECURITY] event-stream incident #268
Comments
We are aware of the issue and are trying to come up with a fix.
I see. Thank you for the information. Is there a way to override this dependency? It should be fully compatible as I understand.
Change `event-stream` version to fix security exploit. Refs: dominictarr/event-stream#116 dominictarr/event-stream#115 Closes #268
Looks great!
what if I do If the package-lock works the same as composer.lock, it will force this version on install only, if I'm not mistaken. On update it will search for the highest version that matches the package.json. I also saw this issue yesterday, and it seems some packages are updating to 4.0.1 (when the flatmap dep was removed).
No, because
The version change is there to defeat caches. For example, if you've downloaded the infected version and do
Oh ok, I missed the information about npm removing the malicious versions. Nice to know it should be fixed. I don't work with crypto but it's still good to not have malicious code.
Wouldn't it be a good idea to think of removing Overall, I'd consider removing as many dependencies as possible, but that's a matter for another discussion.
@Atulin We currently have plans to rewrite the build process when we do 3.0, but that is a whole other project. When we do this we will be getting rid of a lot of the dependencies.
That + removing the dependency on jQuery would be a dream come true. Glad there are steps being taken in that direction 👌
There was a security issue with the npm package `event-stream`.
Original issue: dominictarr/event-stream#116 (comment)
Semantic issue: Semantic-Org/Semantic-UI#6687
Please update `event-stream` to version 3.3.4:
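The thread asks whether the lockfile actually holds the `event-stream` version that `package.json` allows, and notes that a fixed upstream release dropped the flatmap dependency. The script below is an added example, not code from this repository or from any of the commenters: it walks a `package-lock.json` (both the lockfileVersion 1 nested tree and the lockfileVersion 2/3 flat `packages` map) and reports every copy of `event-stream` that is not the 3.3.4 this issue pins, plus any `flatmap-stream` entry at all, including copies nested under other packages where a top-level pin would not catch them. The sample lockfile and the `3.3.5` / `0.0.0` versions in it are constructed placeholders; the rules themselves are only what this thread states.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 1), not taken from the
# Semantic-UI repository. A hoisted event-stream is correctly pinned, but a
# nested copy under gulp-plumber is not, and it drags in flatmap-stream.
# The versions 3.3.5 and 0.0.0 are placeholders, not real affected releases.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "gulp-plumber": {
            "version": "1.2.0",
            "dependencies": {
                "event-stream": {
                    "version": "3.3.5",
                    "dependencies": {
                        "flatmap-stream": {"version": "0.0.0"}
                    }
                }
            }
        },
        "event-stream": {"version": "3.3.4"}
    }
})


def iter_lock_entries(lock):
    """Yield (name, version, path) for every package recorded in a lockfile.

    Covers the lockfileVersion 1 nested "dependencies" tree and the
    lockfileVersion 2/3 flat "packages" map, so a hoisted copy and a nested
    copy of the same package are both reported separately.
    """
    def walk(deps, path):
        for name, entry in deps.items():
            here = path + [name]
            yield name, entry.get("version"), "/".join(here)
            yield from walk(entry.get("dependencies", {}), here)

    yield from walk(lock.get("dependencies", {}), [])
    for key, entry in lock.get("packages", {}).items():
        if not key:
            continue  # the empty key is the root project itself
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = key.split("node_modules/")[-1]
        yield name, entry.get("version"), key


# Rules taken from this thread: event-stream must resolve to exactly 3.3.4,
# and flatmap-stream (the dependency removed upstream) must not be present.
# A value of None means "must be absent".
RULES = {"event-stream": "3.3.4", "flatmap-stream": None}


def audit_lock(lock_text, rules=RULES):
    """Return sorted (path, name, version) tuples for every rule violation."""
    findings = []
    for name, version, path in iter_lock_entries(json.loads(lock_text)):
        if name not in rules:
            continue
        wanted = rules[name]
        if wanted is None or version != wanted:
            findings.append((path, name, version))
    return sorted(findings)


if __name__ == "__main__":
    for path, name, version in audit_lock(SAMPLE_LOCK):
        print(f"{path}: {name}@{version}")
```

Run it against a real lockfile with `audit_lock(open("package-lock.json").read())`; an empty list means every copy matches the pin. The point of walking nested entries is the one raised above: pinning in `package.json` only constrains the direct dependency, while a transitive copy under another package is resolved independently and only the lockfile records what was actually installed.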