Appcenter-cli: Don't use flatmap-stream (installing appcenter fails)

Created on 26 Nov 2018  路  7Comments  路  Source: microsoft/appcenter-cli

Hello,

The package flatmap-stream has been unpublished by npm because of potential malicious code. See https://github.com/dominictarr/event-stream/issues/116

Thus, npm install -g appcenter-cli fails right now...

Most helpful comment

Thanks everyone! We've released a version fixed at 3.3.4 just in case. Release notes are here

I've also written up an internal memo about this vulnerability so we can dissect what happened and see if there is anything better we can do to identify and mitigate against things like this happening in future. Reading up about the actual injection attack - it won't have affected our users but it would be good to use this as a learning opportunity.

@amchew - closing this 馃檪

All 7 comments

Hi @Minishlink - thanks for reporting this. We're looking in to a solution for this.

Should be able to just lock to [email protected] instead of ^3.3.4?

I am having the same issue I believe trying to install appcenter-cli

386 verbose stack flatmap-stream: No valid versions available for flatmap-stream
386 verbose stack     at pickManifest (C:\Program Files\nodejs\node_modules\npm\node_modules\npm-pick-manifest\index.js:20:11)
386 verbose stack     at fetchPackument.then.packument (C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\fetchers\registry\manifest.js:39:14)
386 verbose stack     at tryCatcher (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\util.js:16:23)
386 verbose stack     at Promise._settlePromiseFromHandler (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\promise.js:512:31)
386 verbose stack     at Promise._settlePromise (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\promise.js:569:18)
386 verbose stack     at Promise._settlePromise0 (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\promise.js:614:10)
386 verbose stack     at Promise._settlePromises (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\promise.js:693:18)
386 verbose stack     at Async._drainQueue (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\async.js:133:16)
386 verbose stack     at Async._drainQueues (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\async.js:143:10)
386 verbose stack     at Immediate.Async.drainQueues [as _onImmediate] (C:\Program Files\nodejs\node_modules\npm\node_modules\bluebird\js\release\async.js:17:14)
386 verbose stack     at runCallback (timers.js:705:18)
386 verbose stack     at tryOnImmediate (timers.js:676:5)
386 verbose stack     at processImmediate (timers.js:658:5)
387 verbose cwd C:\WINDOWS\system32
388 verbose Windows_NT 10.0.17134
389 verbose argv "C:\\Program Files\\nodejs\\node.exe" "C:\\Program Files\\nodejs\\node_modules\\npm\\bin\\npm-cli.js" "install" "-g" "appcenter-cli"
390 verbose node v10.13.0
391 verbose npm  v6.4.1
392 error code ENOVERSIONS
393 error No valid versions available for flatmap-stream
394 verbose exit [ 1, true ]

Hi @Minishlink, @tedrog36 and @MrTravisB, thank you for notifying us! We're investigating this issue now.

Thanks @amchew! Seems to be working now.

Thanks everyone! We've released a version fixed at 3.3.4 just in case. Release notes are here

I've also written up an internal memo about this vulnerability so we can dissect what happened and see if there is anything better we can do to identify and mitigate against things like this happening in future. Reading up about the actual injection attack - it won't have affected our users but it would be good to use this as a learning opportunity.

@amchew - closing this 馃檪

Awesome to hear @tedrog36, and thanks for the quick fix @owenniblock! FYI @Minishlink and @MrTravisB, we've just re-released v1.1.8, you should be able to install appcenter-cli now. Please test this out, and let us know if you face any issues.

Thank you!

Was this page helpful?
0 / 5 - 0 ratings