For the last couple of days in the internet, you probably have seen a lot of news about event-stream npm package vulnerability and that package steals bitcoins. I was disappointed that I had to read tons on articles before actually get the answers on the following questions:
- Does it affect my projects?
- What should I do?
So I decided to put here my today research and a short overview as possible to help you find and fix the problem for your projects.
- existing information tells that targeted package which only affected by the vulnerability of the event-stream package is copay-dash. If you don’t have copay-dash, relax and continue read calmly;
- email@example.com had a vulnerability in the dependency package firstname.lastname@example.org;
- the vulnerable version of that package already removed from the npm registry;
- removing the package from the npm registry caused the issue that on npm install(fresh install, without cache) and npm audit you will get an error;
npm ERR! code ENOAUDIT
npm ERR! code E404 npm ERR! 404 Not Found: email@example.com
- if you have that error, your project has vulnerable package;
- a lot of popular packages were affected, for example, nodemon;
- search through your yarn.lock or package-lock.json and find the root package which installs firstname.lastname@example.org;
- visit github pages of packages which were affected and maybe there is already new version with a fix. So just install new version with a command like
npm install nodemon@latest -D;
- for more information about the situation read that article