{"id":38418,"date":"2019-01-16T11:18:23","date_gmt":"2019-01-16T18:18:23","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/mobile\/?p=38418"},"modified":"2019-02-16T15:29:44","modified_gmt":"2019-02-16T22:29:44","slug":"visual-studio-app-center-cli-customers-event-stream-package-security-update-and-next-steps","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/appcenter\/visual-studio-app-center-cli-customers-event-stream-package-security-update-and-next-steps\/","title":{"rendered":"Visual Studio App Center CLI Customers \u2013 Event-Stream Package Security Update and Next Steps"},"content":{"rendered":"<p>On November 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as \u201cright9control\u201d in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet. You can read about the <a href=\"https:\/\/medium.com\/@cnorthwood\/todays-javascript-trash-fire-and-pile-on-f3efcf8ac8c7\">timeline of events<\/a> and more details in this <a href=\"https:\/\/blog.npmjs.org\/post\/180565383195\/details-about-the-event-stream-incident\">NPM blog post<\/a> and corresponding <a href=\"https:\/\/github.com\/dominictarr\/event-stream\/issues\/116\">GitHub issue<\/a>.<\/p>\n<p>Some recent versions of the Visual Studio App Center CLI included the compromised version of the `event-stream` package; however, <strong>users were not impacted, as the CLI does not include the `ps-tree` package and the attack was specifically engineered for copay<\/strong>. 
Nonetheless, following our investigation of the issue, we immediately updated the `event-stream` module to v3.3.4 and released a new version of the App Center CLI (<a href=\"https:\/\/github.com\/Microsoft\/appcenter-cli\/releases\/tag\/v1.1.8\">v1.1.8<\/a>).<\/p>\n<h4>Important Next Steps<\/h4>\n<p>We recommend that you run `npm uninstall -g appcenter-cli` and `npm install -g appcenter-cli` to uninstall and re-install the App Center CLI. This removes your cached version of `event-stream@3.3.6` and ensures that `event-stream@3.3.4` is used when running App Center\u2019s CLI. You can also run `npm audit` in the project directory to check whether your version contains the affected version of `event-stream`.<\/p>\n<p>We would like to thank you, the community, for your diligence in providing feedback on this issue. We read all your comments and correspondence, and sincerely appreciate your enthusiasm and engagement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On November 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as \u201cright9control\u201d in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet.<\/p>\n","protected":false},"author":660,"featured_media":38034,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-38418","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobiledev"],"acf":[],"blog_post_summary":"<p>On November 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. 
In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as \u201cright9control\u201d in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/posts\/38418","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/users\/660"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/comments?post=38418"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/posts\/38418\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/media\/38034"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/media?parent=38418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/categories?post=38418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/tags?post=38418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}