GMS-2018-46: Critical severity vulnerability that affects event-stream and flatmap-stream
The NPM package flatmap-stream is considered malicious. A malicious actor added this package as a dependency to the NPM event-stream package in version 3.3.6. Users of event-stream are encouraged to downgrade to the last non-malicious version, 3.3.4, or upgrade to the latest 4.x version. Users of flatmap-stream are encouraged to remove the dependency entirely.
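One way to check a project for the packages this advisory names, as an added example that is not part of the advisory or of GitLab's tooling: it walks a parsed package-lock.json (the nested v1 layout and the flat v2/v3 packages map) and reports event-stream 3.3.6 and any flatmap-stream, including transitive copies. The function names, the some-build-tool package and the sample lockfile are constructed for illustration.

```javascript
'use strict';
// Added example: scan a parsed package-lock.json for the packages named in GMS-2018-46.
// Per the advisory: event-stream 3.3.6 depends on flatmap-stream, which is malicious.
const BAD_VERSIONS = { 'event-stream': ['3.3.6'] };
const BAD_PACKAGES = ['flatmap-stream'];

function check(name, version, where, findings) {
  if (BAD_PACKAGES.includes(name)) {
    findings.push({ name, version, where, action: 'remove' });
  } else if ((BAD_VERSIONS[name] || []).includes(version)) {
    findings.push({ name, version, where, action: 'pin to 3.3.4 or move to 4.x' });
  }
}

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, findings) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const where = trail.concat(name).join(' > ');
    check(name, meta.version, where, findings);
    walkV1(meta.dependencies, trail.concat(name), findings);
  }
}

function scanLockfile(lock) {
  const findings = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path ('' is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = meta.name || path.split('node_modules/').pop();
      if (path !== '') check(name, meta.version, path, findings);
    }
  } else {
    walkV1(lock.dependencies, [], findings);
  }
  return findings;
}

// Constructed sample lockfile (v1 layout); package names and versions are illustrative.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'some-build-tool': { version: '1.0.0', dependencies: {
      'event-stream': { version: '3.3.6' } } },
    'flatmap-stream': { version: '0.0.0' }, // constructed version string
    'through': { version: '2.3.8' },
  },
};
console.log(scanLockfile(sampleLock));
```

To scan a real project, pass the result of JSON.parse on the contents of its package-lock.json to scanLockfile.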