
Action Required - Malicious dependency requires update to latest master #184

Closed
@schalkneethling

Description

A security vulnerability has been identified that affects a large number of projects that depend on the event-stream npm package. While BoB does not directly depend on event-stream, the package npm-run-all, which we do depend on, pulls it in as a transitive dependency, so it ends up in our dependency tree and lockfile.

Action required

  • Open this issue to track the work required to ensure our contributors are notified
  • Open an issue on forks of the repo and let the users know about the vulnerability and how to resolve the issue
  • Send general notification on social media pointing to this issue

Community

If you have forked this repo, please update your fork to the latest master branch. Latest master updates the affected dependency to a version that no longer pulls in the malicious package and removes the security concern.

Please also prune all branches on your fork that were created before this update: they still reference the affected version in their lockfile, and anyone installing from them would still get it. The simplest way to accomplish this from your command line is as follows:

# delete the branch on your fork (the remote named origin)
git push origin :branch-name

# then also delete the branch locally
git branch -D branch-name

We appreciate your assistance in this matter. Should you need any assistance, please feel free to reach out.
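As an added example (not part of the original issue or the BoB repository), the shell below wraps the two parts of the procedure above: a check that tells you whether a checkout's package-lock.json still pins event-stream or flatmap-stream (the package event-stream pulled in during this incident), and the git steps to resync a fork's master with upstream and delete stale branches. The remote name `upstream`, the branch name `master` and the sample lockfile are assumptions for illustration; the lockfile is a constructed, simplified tree (the real chain from npm-run-all to event-stream runs through intermediate packages).

```shell
#!/bin/sh
# Added example: audit a package-lock.json for the packages involved in the
# event-stream incident, and resync a fork after the fix lands on master.

# Print "<package> <version>" for every pinned copy of the listed packages in
# the lockfile at $1. Handles lockfile v1 ("pkg": { "version": ... }) and
# v2/v3 ("node_modules/.../pkg": { "version": ... }) layouts. Lines like
# "event-stream": "^3.3.4" inside "requires" are ranges, not pins, and are skipped.
find_suspect_deps() {
    awk -v pkgs='event-stream|flatmap-stream' '
        $0 ~ "\"([^\"]*/)?(" pkgs ")\": *[{]" {
            name = $0
            sub(/^[^"]*"/, "", name)   # drop leading whitespace and quote
            sub(/".*$/, "", name)      # drop everything after the key
            sub(/.*\//, "", name)      # node_modules/x/node_modules/pkg -> pkg
            cur = name
            next
        }
        cur != "" && $0 ~ /"version": *"/ {
            v = $0
            sub(/^[[:space:]]*"version": *"/, "", v)
            sub(/".*$/, "", v)
            print cur, v
            cur = ""
        }
    ' "$1"
}

# Exit status 0 if the lockfile at $1 is affected, 1 otherwise.
lock_is_affected() {
    [ -n "$(find_suspect_deps "$1")" ]
}

# Bring a fork's master up to date with upstream master (assumes the upstream
# repository URL in $1 and a clean working tree; fast-forward only, so a fork
# whose master has diverged will stop here instead of creating a merge).
resync_fork_master() {
    git remote get-url upstream >/dev/null 2>&1 || git remote add upstream "$1"
    git fetch upstream
    git checkout master
    git merge --ff-only upstream/master
    git push origin master
}

# Delete a stale branch on the fork (origin) and locally, as the issue asks.
delete_stale_branch() {
    git push origin ":$1"
    git branch -D "$1"
}

# Constructed sample lockfile (v1 layout, as npm 5/6 wrote in 2018) for testing.
write_sample_lock() {
    cat > "$1" <<'EOF'
{
  "name": "sample",
  "lockfileVersion": 1,
  "dependencies": {
    "npm-run-all": {
      "version": "4.1.3",
      "requires": {
        "event-stream": "^3.3.4"
      }
    },
    "event-stream": {
      "version": "3.3.6",
      "requires": {
        "flatmap-stream": "^0.1.0"
      }
    },
    "flatmap-stream": {
      "version": "0.1.1"
    }
  }
}
EOF
}

# Usage from a checkout of your fork:
#   . ./audit.sh
#   lock_is_affected package-lock.json && resync_fork_master https://github.com/<owner>/<repo>.git
#   delete_stale_branch old-feature-branch
```

Run `find_suspect_deps package-lock.json` on each branch you intend to keep; anything it prints means that branch still installs the affected package and should be rebased onto the updated master or deleted. The check deliberately looks at the lockfile rather than `node_modules`, since the lockfile is what every other contributor installs from.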

Labels: security (security updates and code fixes)