
So event-stream 3.3.6 was removed from NPM because it depended on vulnerable flatmap-stream 0.1.1. But in Mastodon's dependency tree, we had event-stream 3.3.6 depending on flatmap-stream 0.1.0.

Anyway, because event-stream 3.3.6 was yanked from NPM all of our builds break right now


The unfortunate consequence is that Docker images for v2.6.3 cannot be built because of this. The upgrade will work fine for all existing non-Docker installations, but not fresh ones.

Ironically the event-stream dependency can be easily avoided. I'm removing it and then bumping to v2.6.4 so everyone can upgrade. Awkward situation though, I'm sorry.

@Gargron flatmap-stream isn't just vulnerable afaik, it's the actual cryptominer payload

@aeonofdiscord According to people who reported the vulnerability, the code was added to flatmap-stream 0.1.1

@Gargron what does event-stream do? :O does it affect using the api?

@vancha No, it's somewhere down the dependency tree. We're not using it directly

@Gargron Good thing I read this before trying to update my Docker install 😔

Such is life though, great work!

@CrowderSoup @Gargron I'm glad I always do a `docker pull tootsuite/mastodon:v2.6.3` on my server first to cache the image, and in this case, obviously it isn't there. 😋

@gargron As a user, I appreciate you're discussing such an issue on your public timeline :)

@Gargron Awesome, I think it's great that you're getting a fix out so quickly!

@Gargron
RAILS_ENV=production bundle exec rails assets:precompile
rails aborted!
SyntaxError: /home/mastodon/live/lib/mastodon/version.rb:16: syntax error, unexpected <<
<<<<<<< HEAD
^~
/home/mastodon/live/lib/mastodon/version.rb:18: syntax error, unexpected ===, expecting keyword_end
=======
^~~
/home/mastodon/live/vendor/bundle/ruby/2.5.0/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:in `require'
for v2.6.4 non-docker with ruby 2.5.3

@G_Dog1985 You merged something when you shouldn't have been merging

@Gargron

Tbh this is a feature not a bug. At least in my eyes as a cranky old sysadmin who wants these containers to get off my lawn.

@Gargron flatmap-stream is an injection that looks for bitcoin wallets and sends them to an unknown person. Should lock event-stream to 3.3.4 which does not pull in flatmap-stream at all.