Potential security issue with dependency, underlying maintainers seem unresponsive. #1467

Closed
parktheredcar opened this issue Nov 26, 2018 · 5 comments

parktheredcar commented Nov 26, 2018

There seems to be something suspicious going on in your dependency chain, and maintainers down the line aren't being super responsive. Just wanted to get this on your radar.

indexzero/ps-tree#33

dominictarr/event-stream#116

parktheredcar changed the title from "Security issue with dependency, underlying maintainers seem unresponsive." to "Potential security issue with dependency, underlying maintainers seem unresponsive." on Nov 26, 2018
@cnorthwood

Think this is a dupe of #1451

@parktheredcar
Author

You're right, it was just still hanging around in my package-lock.json for some reason. Reinstalling nodemon cleared it out.

@indexzero

FYI [email protected] locked to [email protected] (which if I read this thread correctly pre-dates the questionable changes).

Thanks to folks for bringing it to my attention: indexzero/ps-tree#34

gftea commented Dec 1, 2018

also found by Symantec
Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Trojan.Malscript
File: .....node_modules\flatmap-stream\index.min.js
Location: Deleted or access blocked

Owner

remy commented Dec 1, 2018

@gftea upgrade to the patched/latest nodemon, it would have saved you from posting
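
Added example, not part of the thread or of nodemon's code: a lockfile audit for the situation described above, where a package lingers in `package-lock.json` after the upstream fix. It goes beyond the thread by handling both the nested (lockfileVersion 1) and flat (lockfileVersion 2/3) layouts; `WATCHLIST`, `findInLockfile` and `SAMPLE_LOCK` are hypothetical names, and the sample lockfile is constructed with placeholder versions.

```javascript
// Package names taken from the thread; no versions are assumed.
const WATCHLIST = ['event-stream', 'flatmap-stream'];

// Return one record per installed copy of a watched package, plus the
// packages that declare a dependency on it (what keeps it in the tree).
function findInLockfile(lock, names = WATCHLIST) {
  const wanted = new Set(names);
  const entries = []; // normalized: { name, version, where, requires }
  const add = (name, where, meta, edges) =>
    entries.push({ name, version: meta.version, where, requires: Object.keys(edges || {}) });

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [where, meta] of Object.entries(lock.packages)) {
      if (where === '') continue; // the root project itself
      add(where.split('node_modules/').pop(), where, meta, meta.dependencies);
    }
  } else {
    // lockfileVersion 1: nested "dependencies"; edges are in "requires"
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        add(name, [...trail, name].join(' > '), meta, meta.requires);
        walk(meta.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }

  return entries.filter((e) => wanted.has(e.name)).map((e) => ({
    name: e.name, version: e.version, where: e.where,
    requiredBy: entries.filter((p) => p.requires.includes(e.name)).map((p) => p.name).sort(),
  }));
}

// Constructed sample (lockfileVersion 1 shape): placeholder versions, simplified edges.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'nodemon': { version: '0.0.0-sample', requires: { 'ps-tree': '*' } },
    'ps-tree': { version: '0.0.0-sample', requires: { 'event-stream': '*' } },
    'event-stream': { version: '0.0.0-sample', requires: { 'flatmap-stream': '*' } },
    'flatmap-stream': { version: '0.0.0-sample' },
    'debug': { version: '0.0.0-sample' },
  },
};

console.log(JSON.stringify(findInLockfile(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample; an empty result means neither package is locked anywhere in the tree.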
