Fomantic-ui: [SECURITY] event-stream incident

Created on 28 Nov 2018 · 10 Comments · Source: fomantic/Fomantic-UI

There was a security issue with the npm package event-stream.

Original issue: https://github.com/dominictarr/event-stream/issues/116#issuecomment-441759047
Semantic issue: https://github.com/Semantic-Org/Semantic-UI/issues/6687

Please update event-stream to version 3.3.4:

By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.


All 10 comments

We are aware of the issue and are trying to come up with a fix. event-stream is in a package called prompt-sui, which is maintained by the author of SUI, who is currently AFK from development it seems, so we don't have an easy way to update the version.

I see. Thank you for the information.

Is there a way to override this dependency? It should be fully compatible as I understand.

@dhaavi See the PR I just created. https://github.com/fomantic/Fomantic-UI/pull/269

Looks great!
(I am not experienced with node, so I can't tell you how effective this fix is.)

What if I do npm update? Does the lock file cap the maximum version at 3.3.4, or will it download 3.3.6 (which is infected, if I remember the version number correctly)?

If the package-lock works the same as composer.lock, it will force this version on install only, if I'm not mistaken. On update it will search for the highest version that matches the package.json.

I also saw this issue yesterday, and it seems some packages are updating to 4.0.1 (when the flatmap dep was removed).

it will download the 3.3.6 (which is infected if I remember correctly the version number) ?

No, because

npm has yanked the malicious version

The version change is there to defeat caches. For example, if you've downloaded the infected version and do git pull and npm ... it should remove the infected version cached locally.
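A small lock-file audit for the situation discussed above, added here as an example (not code from the Fomantic-UI project or any commenter): it walks a package-lock.json, including copies nested under another package such as prompt-sui, and flags any event-stream entry that is not the advised 3.3.4, marking 3.3.6 as the version the thread names as infected. The sample lock content, the prompt-sui version and its range are constructed.

```python
import json

ADVISED = "3.3.4"    # version the thread asks everyone to pin
FLAGGED = {"3.3.6"}  # version a commenter recalls as the infected release

def walk_lock(lock):
    """Yield (path, name, version) for every resolved package; handles the
    lockfileVersion 1 layout (nested "dependencies") and v2/v3 ("packages")."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself, not a dependency
                yield path, path.rsplit("node_modules/", 1)[-1], meta.get("version")
        return
    def rec(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version")
            yield from rec(meta.get("dependencies", {}), path + "/")
    yield from rec(lock.get("dependencies", {}), "")

def audit_event_stream(lock):
    """List every event-stream entry that is not the advised version, so a
    nested copy pulled in by another package (here prompt-sui) is found too."""
    findings = []
    for path, name, version in walk_lock(lock):
        if name != "event-stream" or version == ADVISED:
            continue
        severity = "infected" if version in FLAGGED else "not-pinned"
        findings.append({"path": path, "version": version, "severity": severity})
    return findings

# Constructed sample lock (v1 layout): a clean top-level pin plus an
# infected copy nested under prompt-sui, as the thread describes.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {"version": "3.3.4"},
    "prompt-sui": {
      "version": "0.0.1",
      "requires": {"event-stream": "^3.3.0"},
      "dependencies": {"event-stream": {"version": "3.3.6"}}
    }
  }
}""")

if __name__ == "__main__":
    for f in audit_event_stream(SAMPLE_LOCK):
        print(f"{f['severity']}: {f['path']} @ {f['version']}")
```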

Oh ok, I missed the information about npm removing the malicious versions.

Nice to know it should be fixed. I don't work with crypto but still good to not have malicious code.

Wouldn't it be a good idea to think of removing prompt-sui in the future? From what I've seen, it's vanity stuff at best.

Overall, I'd consider removing as many dependencies as possible, but that's a matter for another discussion.

@Atulin We currently have plans to rewrite the build process when we do 3.0 but that is a whole other project. When we do this we will be getting rid of a lot of the dependencies.

That + removing the dependency on jQuery would be a dream come true. Glad there are steps being taken in that direction.
