Action Required - Malicious dependency requires update to latest master #184

Closed
3 tasks
schalkneethling opened this issue Nov 27, 2018 · 2 comments
Labels
security security updates and code fixes

Comments

@schalkneethling
Contributor

schalkneethling commented Nov 27, 2018

A security vulnerability has been identified that affects a large number of projects that depend on the event-stream npm package. While BoB does not directly depend on it, the package npm-run-all, which we do depend on, does have it as a dependency.

Action required

  • Open this issue to track the work required to ensure our contributors are notified
  • Open an issue on forks of the repo and let the users know about the vulnerability and how to resolve the issue
  • Send general notification on social media pointing to this issue

Community

If you have forked this repo, please update to the latest master branch. This will update the affected dependency to a version that is no longer affected, and remove the security concern.

Please prune all branches that are on your forked version of this repo. The simplest way to accomplish this from your command line is as follows:

# delete the branch on your fork (pushing an empty source to ":branch-name" removes the remote ref)
git push origin :branch-name

# then also delete the branch locally (plain branch name here, no leading colon)
git branch -D branch-name

We appreciate your assistance in this matter. Should you need any assistance, please feel free to reach out.

@schalkneethling schalkneethling added the security security updates and code fixes label Nov 27, 2018
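The resolution above comes down to one check: after pulling the latest master, a fork's lock file must no longer resolve the affected releases. The script below is an added example, not code from this issue or the BoB project. It walks an npm package-lock.json and reports every place event-stream and flatmap-stream appear, flagging the releases publicly documented in the incident (event-stream 3.3.6, which pulled in flatmap-stream, and flatmap-stream 0.1.1, which carried the injected code). It goes beyond the thread by also handling the flat "packages" map of npm 7+ lock files. The sample lock files, including the npm-run-all > ps-tree dependency chain and the version numbers of those two packages, are constructed for illustration.

```javascript
// Added example: audit an npm package-lock.json for the packages involved in
// the November 2018 event-stream incident. Not from the issue or the BoB repo.
// The affected releases below are the publicly documented ones: event-stream
// 3.3.6 added flatmap-stream as a dependency, and flatmap-stream 0.1.1 is the
// release that carried the injected code.
const AFFECTED_VERSIONS = {
  "event-stream": new Set(["3.3.6"]),
  "flatmap-stream": new Set(["0.1.1"]),
};
const WATCHED = new Set(Object.keys(AFFECTED_VERSIONS));

// One finding: where the package sits in the tree and whether its pinned
// version is one of the affected releases.
function record(name, version, path) {
  return {
    name,
    version,
    path: path.join(" > "),
    affected: AFFECTED_VERSIONS[name].has(version),
  };
}

// Lockfile v1 (npm 5/6): dependencies are nested objects, so recurse.
function walkV1(node, chain, out) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const path = [...chain, name];
    if (WATCHED.has(name)) out.push(record(name, entry.version, path));
    walkV1(entry, path, out);
  }
}

// Lockfile v2/v3 (npm 7+): a flat "packages" map whose keys encode the
// nesting, e.g. "node_modules/a/node_modules/b".
function walkV2(lock, out) {
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project entry, not a dependency
    const path = key
      .split("node_modules/")
      .map((s) => s.replace(/\/$/, ""))
      .filter(Boolean);
    const name = path[path.length - 1];
    if (WATCHED.has(name)) out.push(record(name, entry.version, path));
  }
}

// Returns every occurrence of a watched package, in tree order.
function auditLockfile(lock) {
  const out = [];
  if (lock.packages) walkV2(lock, out);
  else walkV1(lock, [], out);
  return out;
}

// True when the lock file still resolves at least one affected release.
function isAffected(lock) {
  return auditLockfile(lock).some((r) => r.affected);
}

// Constructed lockfile v1 fragment standing in for a fork that has not yet
// been updated. The chain and the npm-run-all/ps-tree versions are
// illustrative, not taken from any real lock file.
const STALE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "npm-run-all": {
      version: "4.1.3",
      dependencies: {
        "ps-tree": {
          version: "1.1.0",
          dependencies: {
            "event-stream": {
              version: "3.3.6",
              dependencies: { "flatmap-stream": { version: "0.1.1" } },
            },
          },
        },
      },
    },
  },
};

// The same constructed tree after the dependency has been moved to a release
// without flatmap-stream; event-stream itself is still present, just clean.
const UPDATED_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "npm-run-all": {
      version: "4.1.5",
      dependencies: {
        "ps-tree": {
          version: "1.2.0",
          dependencies: { "event-stream": { version: "3.3.4" } },
        },
      },
    },
  },
};

// Report for the stale fork; each line shows status, package@version and path.
for (const r of auditLockfile(STALE_LOCK)) {
  console.log(`${r.affected ? "AFFECTED" : "ok      "} ${r.name}@${r.version}  (${r.path})`);
}
```

To run this against a real fork, replace STALE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; any record with `affected: true` means the fork has not yet picked up the updated dependency from master. Note that event-stream appearing at all is not the problem, only the flagged versions are, so the check reports the version rather than the mere presence of the name.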
@schalkneethling
Contributor Author

schalkneethling commented Nov 27, 2018

Pinging users with a known fork of this repo:

@crazyrex
@ExE-Boss
@firefoxxy8
@laiyongqin
@schalkneethling
@stephanmax

@ExE-Boss
Contributor

Done.

2 participants