I'm trying to understand which versions of nodemon would have been affected but I don't seem to be able to follow the trail. @remy maybe you have a better view?
Fails for me on 1.18.5, as it's looking for version 3.3.6 of event-stream, which npm removed.
It's the ps-tree inclusion: https://github.com/indexzero/ps-tree/issues/33
The fix is already implemented through remy/pstree, which no longer depends on ps-tree. The problem is that a newer version of nodemon is not packaged and put up on npm.
@remy, can this be expedited?
Thanks.
Uninstalling nodemon and then installing it again got rid of the vulnerable sub-dependency for me.
npm uninstall nodemon
npm install --save-dev nodemon
Yeah, @remy already removed the bad dependency from pstree.remy. nodemon could help force the issue by pinning to the new version of pstree.remy (and it would be very nice if it did), but the current version of nodemon is "correct" in that a fresh install of its dependencies will not include the compromised package.
FYI, npm audit is flagging this as a critical vulnerability. It would be nice if a patch was available through nodemon.
┌───────────────┬──────────────────────────────────────────────────┐
│ Critical      │ Malicious Package                                │
├───────────────┼──────────────────────────────────────────────────┤
│ Package       │ flatmap-stream                                   │
├───────────────┼──────────────────────────────────────────────────┤
│ Patched in    │ No patch available                               │
├───────────────┼──────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                    │
├───────────────┼──────────────────────────────────────────────────┤
│ Path          │ nodemon > pstree.remy > ps-tree > event-stream > │
│               │ flatmap-stream                                   │
├───────────────┼──────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/737           │
└───────────────┴──────────────────────────────────────────────────┘
Would be nice to bump pstree.remy to ^1.1.2 so that people can be sure to get the fixed version. Took a little bit of finagling with cache and stuff to get the right version over here (not sure why, tbh.)
For me, I go direct to ps-tree and up the version to 1.2.0 in my lockfile.
Failed for nodemon v^1.12.0
So is it alright to use nodemon while in development mode, or is it still insecure?
I believe this can be closed by upgrading to the latest version.
https://github.com/remy/nodemon/commit/9920e622a41432b005bd37c255e1167caeab5060
I'm glad we're all jumping on the npm audit train without actually looking at existing issues to see _why_ it's not been released yet… The issue is also marked with "help wanted", but meh.
So, copied here, verbatim, again: help wanted - I can't get the test to pass yet:
I've been trying to work on a fix, but work life and personal life have been keeping me away from coding on this.
The issue is in remy/pstree - and although I fixed the core of this issue, there's a new issue that leaves processes running in the background instead of killing them (which is exactly what pstree intends to address).
The tests pass fine in a mac environment (my dev machine), but not in linux - which travis runs in. I am able to replicate with docker (this branch: /new-pstree@fix ) but I don't know what's leaving the process in the background (it's definitely that pstree.remy isn't returning all the PIDs properly).
https://github.com/remy/nodemon/issues/1459#issuecomment-441318977
Please don't comment, please help fix.
@artoodeet yes, this is safe in your own development environment so long as you're not leveraging the exploit yourself. nodemon recommends against using in production. This does not mean the issue should remain.
I gave it a try. It works:
yarn remove nodemon
yarn add nodemon
then no event-stream in yarn.lock
Track here: https://github.com/remy/nodemon/issues/1463#issuecomment-441964924