flatmap-stream package deleted #3330

Closed
Saigredan opened this issue Nov 27, 2018 · 10 comments
@Saigredan
Contributor

Saigredan commented Nov 27, 2018

Type of issue

BUG

Description

According to current news, e.g. https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/, flatmap-stream is down, which means event-stream is down, which means gulp-connect and gulp-replace are down. That implies a general problem with building Prebid.
Are there any plans to fix this issue?

@muuki88
Collaborator

muuki88 commented Nov 27, 2018

Fix in gulp-connect avevlad/gulp-connect#259

@Saigredan
Contributor Author

Saigredan commented Nov 27, 2018

Also need a change in gulp-replace version in package.json up to at least 0.6.0. gulp-footer is also dependent.

@GLStephen
Collaborator

GLStephen commented Nov 29, 2018

Is there any guidance regarding affected versions of Prebid or a specific date after which builds were affected?

@muuki88
Collaborator

muuki88 commented Nov 29, 2018

AFAIK distributions aren't affected as only build dependencies (gulp-connect, gulp-replace) used the malicious dependency.

@GLStephen
Collaborator

> AFAIK distributions aren't affected as only build dependencies (gulp-connect, gulp-replace) used the malicious dependency.

Ok, thanks for the confirmation.

@jsnellbaker
Collaborator

I will put together some changes for these gulp packages, however it seems we need to wait on the gulp-connect and gulp-footer updates. Will keep an eye on this.

@Saigredan
Contributor Author

@jsnellbaker why not use temporary forks?

@whatisjasongoldstein

So I'm not able to install Prebid at all right now?

@Austinb

Austinb commented Nov 30, 2018

@whatisjasongoldstein That is correct. I can't even pull an npm update for 1.34.0 due to the package missing from NPM due to the security issue.

```
npm ERR! 404 Not Found: flatmap-stream@https://registry.npmjs.org/flatmap-stream/-/flatmap-stream-0.1.1.tgz

npm ERR! A complete log of this run can be found in:
```

Hopefully #3343 gets merged in real quick.

@Austinb

Austinb commented Dec 5, 2018

This was merged in as part of https://github.com/prebid/Prebid.js/releases/tag/1.35.0 and appears to be working now. Was able to npm install and do a custom build without issue.

Many thanks to @jsnellbaker, @jaiminpanchal27 & @mkendall07
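
The question raised in the thread, whether flatmap-stream reaches a project only through build tooling, can be checked against a lockfile. The following is an added example, not part of the issue thread or Prebid's code; it assumes the npm lockfileVersion 1 layout, and the function names, the sample lockfile and every version marked constructed are hypothetical.

```javascript
// Added example: trace which packages in an npm lockfile (lockfileVersion 1
// layout) pull in a target package and whether every copy is dev-only.
// Constructed sample; "0.0.0-constructed" versions and "*" ranges are placeholders.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "gulp-connect": { version: "0.0.0-constructed", dev: true,
      requires: { "event-stream": "*" } },
    "gulp-replace": { version: "0.0.0-constructed", dev: true,
      requires: { "event-stream": "*" } },
    "event-stream": { version: "0.0.0-constructed", dev: true,
      requires: { "flatmap-stream": "*" } },
    "flatmap-stream": { version: "0.1.1", dev: true },
    "runtime-lib-constructed": { version: "0.0.0-constructed" }
  }
};

// Collect hoisted and nested entries into one flat list.
function flatten(deps, out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    out.push({ name, entry });
    flatten(entry.dependencies, out);
  }
  return out;
}

function traceDependency(lock, target) {
  const entries = flatten(lock.dependencies);
  const hits = entries.filter((e) => e.name === target);
  if (hits.length === 0) return { present: false, devOnly: false, versions: [], chains: [] };
  const parents = new Map(); // package name -> Set of packages requiring it
  for (const { name, entry } of entries) {
    for (const req of Object.keys(entry.requires || {})) {
      if (!parents.has(req)) parents.set(req, new Set());
      parents.get(req).add(name);
    }
  }
  const chains = [];
  const walk = (name, below) => { // climb from target to top-level packages
    const ups = [...(parents.get(name) || [])]
      .filter((p) => p !== name && !below.includes(p)); // guard against cycles
    if (ups.length === 0) chains.push([name, ...below].join(" > "));
    for (const p of ups) walk(p, [name, ...below]);
  };
  walk(target, []);
  return { present: true, chains: chains.sort(),
    devOnly: hits.every((e) => e.entry.dev === true), // npm marks dev-only entries
    versions: [...new Set(hits.map((e) => e.entry.version))] };
}
```

On a real project, pass the parsed `package-lock.json` as `lock`; a `devOnly` of `false` means at least one copy of the package is installed for production consumers as well.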
