Security issue - malicious package in flatmap-stream
I tried locally running the code. On running npm install, I ran into this issue:
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz - Not found
npm ERR! 404
npm ERR! 404 'flatmap-stream@https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.0.tgz' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.
On further investigation, I found a critical security advisory issued against the flatmap-stream package. See https://github.com/advisories/GHSA-9x64-5r7x-2q53 and https://devblogs.microsoft.com/devops/blocking-malicious-event-stream-and-flatmap-stream-packages/. On quick purview, I couldn't directly identify which dependency is calling this package.
I know the code needs a refresh, but can we do away with this particular dependency? @bady @asd @praveen?
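
One way to find which dependency pulls in flatmap-stream is to walk the lockfile's edges upward from the flagged package. This is an added example, not part of the original issue or the project's code; `traceDependents`, `listPackages`, `hypothetical-dev-tool` and the contents of `SAMPLE_LOCK` are constructed for illustration, and packages are matched by name only.

```javascript
// Added example; SAMPLE_LOCK is constructed, not taken from the project's lockfile.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Normalise both lockfile layouts into a flat list of { name, requires }.
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project)
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path === "") continue;
      const name = path.split("node_modules/").pop();
      out.push({ name, requires: { ...pkg.dependencies, ...pkg.optionalDependencies } });
    }
    return out;
  }
  // lockfileVersion 1: nested "dependencies" tree, edges live in "requires"
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      out.push({ name, requires: info.requires || {} });
      walk(info.dependencies);
    }
  };
  walk(lock.dependencies);
  return out;
}

// Return chains such as "top-level > ... > target", climbing until no parent is left.
function traceDependents(lock, target) {
  const pkgs = listPackages(lock);
  if (!pkgs.some((p) => p.name === target || has(p.requires, target))) return [];
  const chains = new Set();
  const climb = (name, chain) => {
    // The chain.includes() check stops the climb on circular dependencies.
    const parents = pkgs.filter((p) => has(p.requires, name) && !chain.includes(p.name));
    if (parents.length === 0) chains.add(chain.join(" > "));
    for (const p of parents) climb(p.name, [p.name, ...chain]);
  };
  climb(target, [target]);
  return [...chains].sort();
}

const SAMPLE_LOCK = { // constructed sample; versions other than 0.1.0 are placeholders
  lockfileVersion: 1,
  dependencies: {
    "hypothetical-dev-tool": { version: "0.0.0", requires: { "event-stream": "*" } },
    "event-stream": { version: "0.0.0", requires: { "flatmap-stream": "^0.1.0" } },
    "flatmap-stream": { version: "0.1.0" },
  },
};
console.log(traceDependents(SAMPLE_LOCK, "flatmap-stream"));
```

To run it against a real project, pass the parsed contents of `package-lock.json` instead of `SAMPLE_LOCK`; the first name in each chain is the package to upgrade or remove.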