bitauth / libauth

An ultra-lightweight, zero-dependency TypeScript library for Bitcoin Cash, Bitcoin, and Bitauth applications.

Home Page: https://libauth.org


Better method of locking down dependencies and reviewing diffs between versions

fraggle222 opened this issue · comments

  • I'm submitting a ...
    [x] bug report
    [ ] feature request
    [ ] question about the decisions made in the repository
    [ ] question about how to use this project

  • Summary
    It's possible this project is impacted by this malicious code: dominictarr/event-stream#116

Dependency listed on this page: https://libraries.io/npm/flatmap-stream/usage?page=3&requirements=0.1.1

Although the exploit targets Bitcoin wallets derived from Copay, so it may not be relevant here. Regardless, dependencies on packages controlled by malicious sources should be removed.

  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. StackOverflow, personal fork, etc.)

Thanks for opening an issue!

I can confirm that the malicious code doesn't affect this project. (Coincidentally, I am a contributor to Copay.) I'll bump the dependencies anyways though, just to avoid scaring users.

Because this project doesn't have any dependencies for downstream consumers, vulnerabilities like this in dependencies are a bit less likely to be a problem (unless they specifically target bitcoin-ts's build process to produce unexpected output). I'd still like to find a better way to lock down dependencies and review diffs more thoroughly. I'll probably leave this issue open until I can figure that out.

Closing in favor of: #22
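The thread asks for a better way to lock down dependencies and review diffs between versions. The following is an added example, not code from the libauth project or from either commenter: it audits an npm `package-lock.json` (lockfileVersion 2/3 `packages` map) for weak pinning, and diffs two lock files so a reviewer knows exactly which package versions changed and must be read before merging. The lock file contents, package names, versions and integrity strings are constructed placeholders; the trusted-registry URL is an assumption for the check.

```javascript
// Added example for this issue thread (not libauth's own code): audit a
// package-lock.json for weak pinning and list what changed between two
// lock files. Lock files use the lockfileVersion 2/3 "packages" map keyed
// by node_modules path.

const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
// Assumption: only the public npm registry is an acceptable tarball source.
const TRUSTED_REGISTRY = 'https://registry.npmjs.org/';

function packageName(path) {
  // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
  return path.replace(/^.*node_modules\//, '');
}

// Flags entries that would let a later install pull a different artifact
// than the one that was reviewed.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = packageName(path);
    if (!meta.version || !EXACT_VERSION.test(meta.version)) {
      findings.push({ name, problem: 'version is not an exact pin' });
    }
    if (!meta.integrity || !meta.integrity.startsWith('sha512-')) {
      findings.push({ name, problem: 'missing or weak integrity hash' });
    }
    if (!meta.resolved || !meta.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ name, problem: 'resolved from outside the trusted registry' });
    }
  }
  return findings;
}

// Lists added, removed and version-changed packages. A package whose version
// is unchanged but whose integrity hash differs is reported separately: the
// registry does not allow republishing a version, so that means a different
// tarball and deserves a close look.
function diffLockfiles(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const result = { added: [], removed: [], changed: [], suspicious: [] };
  for (const path of Object.keys(b)) {
    if (path === '') continue;
    if (!(path in a)) {
      result.added.push(`${packageName(path)}@${b[path].version}`);
      continue;
    }
    const old = a[path];
    const cur = b[path];
    if (old.version !== cur.version) {
      result.changed.push(`${packageName(path)}: ${old.version} -> ${cur.version}`);
    } else if (old.integrity !== cur.integrity) {
      result.suspicious.push(`${packageName(path)}@${cur.version}: integrity changed`);
    }
  }
  for (const path of Object.keys(a)) {
    if (path !== '' && !(path in b)) {
      result.removed.push(`${packageName(path)}@${a[path].version}`);
    }
  }
  return result;
}

// Constructed sample lock files: names, versions and hashes are placeholders,
// not real packages.
const BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/alpha': { version: '3.3.4', resolved: 'https://registry.npmjs.org/alpha/-/alpha-3.3.4.tgz', integrity: 'sha512-AAAAconstructed' },
    'node_modules/beta': { version: '0.1.0', resolved: 'https://registry.npmjs.org/beta/-/beta-0.1.0.tgz', integrity: 'sha512-BBBBconstructed' },
  },
};
const AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/alpha': { version: '3.3.6', resolved: 'https://registry.npmjs.org/alpha/-/alpha-3.3.6.tgz', integrity: 'sha512-AAAAchanged' },
    'node_modules/beta': { version: '0.1.0', resolved: 'https://registry.npmjs.org/beta/-/beta-0.1.0.tgz', integrity: 'sha512-BBBBdifferent' },
    'node_modules/gamma': { version: '0.1.1', resolved: 'https://example.invalid/gamma-0.1.1.tgz', integrity: 'sha1-weak' },
  },
};

// What a reviewer should read before accepting the new lock file.
function reviewChecklist(before, after) {
  return { audit: auditLockfile(after), diff: diffLockfiles(before, after) };
}

console.log(JSON.stringify(reviewChecklist(BEFORE, AFTER), null, 2));
```

On the constructed input the audit flags only `gamma` (non-sha512 integrity, tarball outside the assumed registry), the diff lists `gamma` as added and `alpha` as a version bump, and `beta` is reported as suspicious because its hash changed without a version change. In practice the `changed` and `added` lists are the set of packages whose tarball diffs (for example from `npm pack` of each version) need to be read.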