Action Required - Malicious dependency requires update to latest master #184
Closed
Description
A security vulnerability has been identified that affects a large number of projects that depend on the event-stream npm package. While BoB does not directly depend on it, npm-run-all, a package we do depend on, has event-stream as a dependency.
Action required
- Open this issue to track the work required to ensure our contributors are notified
- Open an issue on forks of the repo and let the users know about the vulnerability and how to resolve the issue
- Send general notification on social media pointing to this issue
Community
If you have forked this repo, please update to the latest master branch. This will update the affected dependency to a version that is no longer affected, and remove the security concern.
Please prune all branches that are on your forked version of this repo. The simplest way to accomplish this from your command line is as follows:
# delete the branch from your fork (the remote named origin)
git push origin :branch-name
# then also delete the branch locally (no leading colon here)
git branch -D branch-name
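Updating to master removes event-stream from the dependency tree only through the package that required it, so it is worth confirming the chain is really gone. The following is an added example, not code from the BoB repository: it walks package.json and a lockfile v1 package-lock.json and prints every chain from a direct dependency down to a named package. The intermediate package name and all versions are constructed placeholders.

```javascript
// Added example, not code from the BoB repository: list every dependency chain from a
// direct dependency down to a named package, using package.json and a lockfile v1
// package-lock.json. Run it before and after pulling the updated master to see which
// direct dependency pulled in event-stream and that the chain is gone. Versions are placeholders.

// Lockfile v1 rule: a "requires" entry is satisfied by the nearest enclosing
// "dependencies" map (own nested map first, then parents', then root).
function resolveRequire(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null; // missing from the lockfile (inconsistent lock)
}

function findChains(pkg, lock, target) {
  const chains = [];
  const rootScope = lock.dependencies || {};
  function walk(name, node, scopes, chain, stack) {
    if (stack.includes(node)) return; // guard against circular dependencies
    const path = chain.concat(`${name}@${node.version}`);
    if (name === target) { chains.push(path.join(' > ')); return; }
    const inner = node.dependencies ? scopes.concat([node.dependencies]) : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolveRequire(dep, inner);
      if (child) walk(dep, child, inner, path, stack.concat([node]));
    }
  }
  const direct = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(direct)) {
    if (rootScope[name]) walk(name, rootScope[name], [rootScope], [], []);
  }
  return chains;
}

// Constructed inputs: placeholder versions and an invented intermediate package.
const PACKAGE_JSON = { devDependencies: { 'npm-run-all': '^0.0.0-placeholder' } };
const LOCK_BEFORE = { lockfileVersion: 1, dependencies: {
  'npm-run-all': { version: '0.0.0-placeholder', requires: { 'example-lib': '^0.0.0-placeholder' },
    // nested copy, as npm writes when a package cannot be hoisted to the root map
    dependencies: { 'example-lib': { version: '0.0.0-placeholder',
      requires: { 'event-stream': '^0.0.0-placeholder' } } } },
  'event-stream': { version: '0.0.0-placeholder', requires: {} },
} };
// After the update: npm-run-all no longer requires event-stream, so no chain remains.
const LOCK_AFTER = { lockfileVersion: 1, dependencies: {
  'npm-run-all': { version: '0.0.1-placeholder', requires: {} },
} };

console.log(findChains(PACKAGE_JSON, LOCK_BEFORE, 'event-stream'));
console.log(findChains(PACKAGE_JSON, LOCK_AFTER, 'event-stream'));
```

To check a real checkout, pass the parsed contents of its package.json and package-lock.json to findChains in place of the constructed objects.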
We appreciate your assistance in this matter. Should you need any assistance, please feel free to reach out.