[SECURITY] Backdoored dependencies

[dbendaou]

Hi guys,
Don't know if you've heard about it, but we really need to double check before adding any dependencies on the repo.

One of them as been corrupted : flatmap-stream
It's a peer dependencies from event-stream

Here is the issue on the original repo --> dominictarr/event-stream#116

It's event-stream that has been corrupted with a dependencies named flatmap-stream

[y0hami]

Thanks for making this issue, I am aware of this but I don't think this will be fixed for a while with the state of development on SUI.

[championswimmer]

The issue has been resolved, because the affected version cannot be downloaded anymore.

event-stream is an extremely popular NPM library.
Tomorrow if React or Angular gets backdoored, then who'll be responsible? Maintainers of those frameworks, or each of the millions of developers who use it?

[dbendaou]

I fully agree with you ! I was just about to share the information with you guys, and since we use event-stream it was kind of our concern too !

[y0hami]

@championswimmer I am aware that it has been removed from npm but it is still an issue for users who have the version cached. Developers have been advised to bump the version to event-stream@3.3.4 to prevent this.