Convector CLI upgrade required
Recently, malicious code was detected in the widely used package event-stream. It is a high-severity vulnerability and needs immediate attention.
npm-run-all when a new project is created; previous versions of that package, such as 4.1.3, depended on ps-tree, which in turn depended on the infected package event-stream. We fixed the dependency issue by upgrading npm-run-all to the latest version, v4.1.5, which entirely removes the dependencies from
npm update -g @worldsibu/convector-cli
If you have old projects created with Convector CLI, the way to fix them is to upgrade your npm-run-all dependency in your root package.json file to 4.1.5 instead of 4.1.3. Then remove all node_modules by running
lerna run clean
And reinstall dependencies with
How to be sure?
As specified in the main thread, the way to check for the dependency is by running
npm ls event-stream flatmap-stream
If the result is (empty), you are all good!
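
When the result is not empty, the next question is which direct dependency pulls the package in. The following is an added example, not code from the original post or from Convector CLI: it walks a parsed package-lock.json and lists every chain from a direct dependency to event-stream or flatmap-stream. It assumes the lockfile layout in which each "dependencies" entry carries a "requires" map; the function names and the sample data are constructed for illustration.

```javascript
// Added example: list every dependency chain that ends at a flagged package.
// Assumes lockfile entries under "dependencies", each with an optional "requires" map.
const FLAGGED = ['event-stream', 'flatmap-stream']; // the names passed to npm ls above

// Build name -> Set(required names) from every entry, hoisted or nested.
// Different versions of one name are merged, so a chain may be over-reported.
function buildGraph(deps, graph = new Map()) {
  for (const [name, entry] of Object.entries(deps || {})) {
    if (!graph.has(name)) graph.set(name, new Set());
    for (const req of Object.keys(entry.requires || {})) graph.get(name).add(req);
    buildGraph(entry.dependencies, graph);
  }
  return graph;
}

// Walk down from the project's direct dependencies and record each chain to a flagged name.
function findChains(pkg, lock, flagged = FLAGGED) {
  const graph = buildGraph(lock.dependencies);
  const direct = Object.keys({ ...pkg.dependencies, ...pkg.devDependencies });
  const chains = [];
  const walk = (name, path) => {
    if (path.includes(name)) return; // guard against dependency cycles
    const next = [...path, name];
    if (flagged.includes(name)) chains.push(next.join(' > '));
    for (const req of graph.get(name) || []) walk(req, next);
  };
  direct.forEach((name) => walk(name, []));
  return chains;
}

// Constructed sample data. Only the npm-run-all versions come from the text above;
// every other version string is a placeholder, and devDependencies is an assumption.
const oldPkg = { devDependencies: { 'npm-run-all': '4.1.3' } };
const oldLock = {
  dependencies: {
    'npm-run-all': { version: '4.1.3', requires: { 'ps-tree': '*' } },
    'ps-tree': { version: '0.0.0-sample', requires: { 'event-stream': '*' } },
    'event-stream': { version: '0.0.0-sample', requires: { 'flatmap-stream': '*' } },
    'flatmap-stream': { version: '0.0.0-sample' },
  },
};
const fixedPkg = { devDependencies: { 'npm-run-all': '4.1.5' } };
const fixedLock = { dependencies: { 'npm-run-all': { version: '4.1.5', requires: {} } } };

console.log(findChains(oldPkg, oldLock));     // chains through npm-run-all and ps-tree
console.log(findChains(fixedPkg, fixedLock)); // no chains after the upgrade
```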