{"id":6555,"date":"2018-12-07T07:27:49","date_gmt":"2018-12-07T12:27:49","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/vsappcenter\/?p=6555"},"modified":"2019-02-27T14:03:26","modified_gmt":"2019-02-27T19:03:26","slug":"visual-studio-app-center-cli-customers-event-stream-package-security-update-and-next-steps-2","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/appcenter\/visual-studio-app-center-cli-customers-event-stream-package-security-update-and-next-steps-2\/","title":{"rendered":"Visual Studio App Center CLI Customers &#8211; Event-Stream Package Security Update and Next Steps"},"content":{"rendered":"<p>On Nov 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as \u201cright9control\u201d in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet. You can read about the <a href=\"https:\/\/medium.com\/@cnorthwood\/todays-javascript-trash-fire-and-pile-on-f3efcf8ac8c7\" rel=\"noopener\" target=\"_blank\">timeline of events<\/a> and more details in this <a href=\"https:\/\/blog.npmjs.org\/post\/180565383195\/details-about-the-event-stream-incident\" rel=\"noopener\" target=\"_blank\">NPM blog post<\/a> and corresponding <a href=\"https:\/\/github.com\/dominictarr\/event-stream\/issues\/116\" rel=\"noopener\" target=\"_blank\">GitHub issue<\/a>. <\/p>\n<p>Some recent versions of the Visual Studio App Center CLI included the compromised version of the event-stream package; however, <strong>users were not impacted as the CLI does not include the `ps-tree` package and the attack was specifically engineered for copay<\/strong>. 
Nonetheless, following our investigation of the issue, we immediately updated the `event-stream` module to v3.3.4 and released a new version of the App Center CLI (<a href=\"https:\/\/github.com\/Microsoft\/appcenter-cli\/releases\/tag\/v1.1.8\" rel=\"noopener\" target=\"_blank\">v1.1.8<\/a>). <\/p>\n<h2>Important Next Steps<\/h2>\n<p>We recommend that you run `npm uninstall -g appcenter-cli` and `npm install -g appcenter-cli` to uninstall and re-install the App Center CLI. This removes your cached version of `event-stream@3.3.6` and ensures that `event-stream@3.3.4` is used when running App Center\u2019s CLI. If you like, you can also run `npm audit` in the project directory to check whether your version contains the affected version of `event-stream`. <\/p>\n<p>We would like to thank you, the community, for your diligence in providing feedback on this issue. We read all your comments and correspondence, and sincerely appreciate your enthusiasm and engagement.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Nov 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as \u201cright9control\u201d in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet. You can read about the timeline of events [&hellip;]<\/p>\n","protected":false},"author":660,"featured_media":38034,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-6555","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobiledev"],"acf":[],"blog_post_summary":"<p>On Nov 26, 2018, the npm security team removed `flatmap-stream` from the popular `event-stream@3.3.6` package. 
In late September, `flatmap-stream` had been added as a dependency by a GitHub developer identified as \u201cright9control\u201d in an apparent attempt to attack the `ps-tree` package running in copay, a cryptocurrency wallet. You can read about the timeline of events [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/posts\/6555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/users\/660"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/comments?post=6555"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/posts\/6555\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/media\/38034"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/media?parent=6555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/categories?post=6555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/appcenter\/wp-json\/wp\/v2\/tags?post=6555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}