Visual Studio App Center CLI Customers – Event-Stream Package Security Update and Next Steps

Amanda Chew [MSFT]


On November 26, 2018 the npm security team removed the malicious flatmap-stream package, which the popular event-stream package had pulled in as a dependency since version 3.3.6. flatmap-stream had been added to event-stream in late September by a GitHub user identified as "right9ctrl", who had taken over maintenance of event-stream; the injected code was engineered to run inside Copay, a cryptocurrency wallet that depended on event-stream through the ps-tree package. You can read about the timeline of events and more details in the npm blog post and the corresponding GitHub issue.

Some recent versions of the Visual Studio App Center CLI resolved the compromised event-stream@3.3.6 release (and with it flatmap-stream). App Center CLI users were not impacted: the malicious payload was engineered specifically for the Copay wallet, and the CLI does not include the ps-tree package through which Copay pulled in event-stream. Nonetheless, following our investigation of the issue we immediately pinned the event-stream module to v3.3.4, a release that does not depend on flatmap-stream, and published a new version of the App Center CLI (v1.1.8).

Important Next Steps

We recommend that you run npm uninstall -g appcenter-cli and then npm install -g appcenter-cli to uninstall and re-install the App Center CLI. This removes the copy of event-stream@3.3.6 that was installed alongside the old CLI and ensures that the fresh install (v1.1.8 or later) resolves event-stream@3.3.4. To confirm, npm ls -g event-stream lists the event-stream version the globally installed CLI now uses. If you also depend on the CLI, or on event-stream directly, from a project, run npm audit in that project directory to check whether its lockfile still contains the affected version.

We would like to thank you, the community, for your diligence in providing feedback on this issue. We read all your comments and correspondence, and sincerely appreciate your enthusiasm and engagement.

Amanda Chew [MSFT]

Program Manager 2, Visual Studio App Center