So event-stream 3.3.6 was removed from NPM because it depended on vulnerable flatmap-stream 0.1.1. But in Mastodon's dependency tree, we had event-stream 3.3.6 depending on flatmap-stream 0.1.0.

Anyway, because event-stream 3.3.6 was yanked from NPM all of our builds break right now

The unfortunate consequence is that Docker images for v2.6.3 cannot be built because of this. The upgrade will work fine for all existing non-Docker installations, but not fresh ones.

Show thread

Ironically the event-stream dependency can be easily avoided. I'm removing it and then bumping to v2.6.4 so everyone can upgrade. Awkward situation though, I'm sorry.

Show thread

@Gargron flatmap-stream isn't just vulnerable afaik, it's the actual cryptominer payload

@aeonofdiscord According to people who reported the vulnerabilty, the code was added to flatmap-stream 0.1.1

@Gargron what does event-stream do? :O does it affect using the api?

@vancha No, it's somewhere down the dependency tree. We're not using it directly

@Gargron Good thing I read this before trying to update my Docker install 😔

Such is life though, great work!

@gargron As a user, I appreciate you're discussing such an issue on your public timeline :)

@Gargron Awesome, I think it's great that you're getting a fix out so quickly!

RAILS_ENV=production bundle exec rails assets:precompile
rails aborted!
SyntaxError: /home/mastodon/live/lib/mastodon/version.rb:16: syntax error, unexpected <<
<<<<<<< HEAD
/home/mastodon/live/lib/mastodon/version.rb:18: syntax error, unexpected ===, expecting keyword_end
/home/mastodon/live/vendor/bundle/ruby/2.5.0/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:in `require'
for v2.6.4 non-docker with ruby 2.5.3

@G_Dog1985 You merged something when you should't have been merging


Tbh this is a feature not a bug. At least in my eyes as a cranky old sysadmin who wants these containers to get off my lawn.

@Gargron flatmap-stream is an injection that looks for bitcoin wallets and sends them to an unknown person. should lock event-stream to 3.3.4 which does not pull in flatmap-stream at all.
Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!