BUG
According to current news, e.g. https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/, flatmap-stream is down, which means event-stream is down, which means gulp-connect and gulp-replace are down. That implies a general problem with building Prebid.
Are there any plans to fix this issue?
Fix in gulp-connect https://github.com/AveVlad/gulp-connect/pull/259
Also need a change in the gulp-replace version in package.json, up to at least 0.6.0. gulp-footer is also dependent.
Is there any guidance regarding affected versions of Prebid or a specific date after which builds were affected?
AFAIK distributions aren't affected as only build dependencies (gulp-connect, gulp-replace) used the malicious dependency.
Ok, thanks for the confirmation.
I will put together some changes for these gulp packages, however it seems we need to wait on the gulp-connect and gulp-footer updates. Will keep an eye on this.
@jsnellbaker why not use temporal forks?
So I'm not able to install Prebid _at all_ right now?
@whatisjasongoldstein That is correct. I can't even pull an npm update for 1.34.0 due to the package missing from NPM due to the security issue.
```
npm ERR! code E404
npm ERR! 404 Not Found: flatmap-stream@https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz
npm ERR! A complete log of this run can be found in:
```
Hopefully #3343 gets merged in real quick.
This was merged in as part of https://github.com/prebid/Prebid.js/releases/tag/1.35.0 and appears to be working now. Was able to npm install and do a custom build without issue.
Many thanks to @jsnellbaker, @jaiminpanchal27 & @mkendall07
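A way to check the two claims made in this thread against a lockfile (which direct dependencies pull in flatmap-stream, and whether only build dependencies do). This is an added example, not code from Prebid.js or from the thread's participants. It assumes an npm `lockfileVersion` 1 `package-lock.json`; the sample data, its placeholder versions and `runtime-lib` are constructed.

```javascript
// Constructed lockfileVersion 1 data following the chain named in this thread.
// Versions other than flatmap-stream 0.1.1 are placeholders; "runtime-lib" is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'gulp-connect': { version: '0.0.0-sample', dev: true, requires: { 'event-stream': '*' } },
    'gulp-replace': {
      version: '0.0.0-sample', dev: true, requires: { 'event-stream': '*' },
      // nested copy, as npm writes when a version cannot be hoisted to the root
      dependencies: {
        'event-stream': { version: '0.0.0-nested', dev: true, requires: { 'flatmap-stream': '*' } },
      },
    },
    'event-stream': { version: '0.0.0-sample', dev: true, requires: { 'flatmap-stream': '*' } },
    'flatmap-stream': { version: '0.1.1', dev: true },
    'runtime-lib': { version: '0.0.0-sample' },
  },
};

// Resolve `name` the way Node does: nearest enclosing node_modules first, root last.
// `scope` lists the lock entries the requiring package is physically nested under.
function resolve(lock, scope, name) {
  for (let i = scope.length; i > 0; i--) {
    const hit = (scope[i - 1].dependencies || {})[name];
    if (hit) return { info: hit, scope: scope.slice(0, i) };
  }
  const hit = (lock.dependencies || {})[name];
  return hit ? { info: hit, scope: [] } : null;
}

// Every require chain from the direct dependencies in `roots` down to `target`.
function chainsTo(lock, roots, target) {
  const found = [];
  const visit = (name, res, path) => {
    if (!res || path.includes(name)) return; // not installed, or a require cycle
    const here = [...path, name];
    if (name === target) {
      found.push({ chain: here, version: res.info.version, dev: res.info.dev === true });
      return;
    }
    const inner = [...res.scope, res.info]; // the package's own node_modules is searched first
    for (const req of Object.keys(res.info.requires || {})) visit(req, resolve(lock, inner, req), here);
  };
  for (const root of roots) visit(root, resolve(lock, [], root), []);
  return found;
}
// Chains that end in a copy npm did not flag dev-only, i.e. one a runtime dependency needs.
const runtimeChains = (chains) => chains.filter((c) => !c.dev);
console.log(chainsTo(SAMPLE_LOCK, ['gulp-connect', 'gulp-replace', 'runtime-lib'], 'flatmap-stream'));
```

For a real project, pass the parsed `package-lock.json` and the keys of `dependencies` plus `devDependencies` from `package.json` as `roots`. An empty `runtimeChains` result means the package is reached only through development dependencies.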