Convector CLI upgrade required

Recently, malicious code was detected in the widely used package event-stream. It is a high-severity vulnerability and needs immediate attention.

convector-cli uses npm-run-all when a new project is created. Earlier versions of npm-run-all, such as 4.1.3, depended on ps-tree, which in turn depended on the infected package event-stream. We fixed the dependency issue by upgrading npm-run-all to the latest version, v4.1.5, which entirely removes the dependency on ps-tree.

The fix

We updated the GitHub repo and the published npm package, so you need to upgrade your global installation by running:

npm update -g @worldsibu/convector-cli

If you have old projects created with Convector CLI, fix them by upgrading the npm-run-all dependency in your root package.json file from 4.1.3 to 4.1.5. Then remove all node_modules by running:

lerna run clean

And reinstall dependencies with

npm i

How to be sure?

As specified in the main thread, the way to check for the dependency is by running

npm ls event-stream flatmap-stream

If the result is (empty), you are all good!
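
To audit old projects without installing their node_modules first, the same check can be run against package-lock.json. The following is an added example, not code from Convector or from the original post: it assumes the lockfileVersion 1 layout (nested "dependencies" entries with a "requires" map), and the function names and sample lockfiles are constructed for illustration.

```javascript
// Added example (not Convector code): report which dependencies pull the
// flagged packages into a package-lock.json (lockfileVersion 1 layout assumed).
const FLAGGED = ["event-stream", "flatmap-stream"];

// Flatten the nested "dependencies" tree into: package name -> names requiring it.
function indexLock(deps, requiredBy = new Map(), present = new Set()) {
  for (const [name, info] of Object.entries(deps || {})) {
    present.add(name);
    for (const child of Object.keys(info.requires || {})) {
      if (!requiredBy.has(child)) requiredBy.set(child, new Set());
      requiredBy.get(child).add(name);
    }
    indexLock(info.dependencies, requiredBy, present); // nested (non-hoisted) copies
  }
  return { requiredBy, present };
}

// Return every chain "top-level dependency > ... > flagged package", sorted.
function findFlaggedChains(lock, flagged = FLAGGED) {
  const { requiredBy, present } = indexLock(lock.dependencies);
  const chains = [];
  const walk = (name, below) => {
    const chain = [name, ...below];
    // Skip requirers already on the chain so circular requires cannot loop.
    const parents = [...(requiredBy.get(name) || [])].filter((p) => !chain.includes(p));
    if (parents.length === 0) { chains.push(chain.join(" > ")); return; }
    for (const parent of parents) walk(parent, chain);
  };
  for (const name of flagged) if (present.has(name)) walk(name, []);
  return chains.sort();
}

// Constructed sample lockfiles; "0.0.0-sample" versions are placeholders.
const affectedLock = {
  lockfileVersion: 1,
  dependencies: {
    "npm-run-all": { version: "4.1.3", requires: { "ps-tree": "*" } },
    "ps-tree": { version: "0.0.0-sample", requires: { "event-stream": "*" } },
    "event-stream": { version: "0.0.0-sample", requires: { "flatmap-stream": "*" } },
    "flatmap-stream": { version: "0.0.0-sample" },
  },
};
const fixedLock = {
  lockfileVersion: 1,
  dependencies: { "npm-run-all": { version: "4.1.5" } }, // requires trimmed
};

console.log(findFlaggedChains(affectedLock)); // chains through npm-run-all > ps-tree
console.log(findFlaggedChains(fixedLock));    // [] means nothing flagged in the lock
```

To run it on a real project, pass the parsed contents of that project's package-lock.json to findFlaggedChains; an empty array corresponds to the (empty) result of npm ls.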