Better method of locking down dependencies and reviewing diffs between versions
fraggle222 opened this issue · comments
I'm submitting a ...
[x] bug report
[ ] feature request
[ ] question about the decisions made in the repository
[ ] question about how to use this project
Summary
It's possible this project is impacted by this malicious code : dominictarr/event-stream#116
Dependency listed on this page: https://libraries.io/npm/flatmap-stream/usage?page=3&requirements=0.1.1
Although the exploit targets Bitcoin wallets derived from Copay, so it may not be relevant here. Regardless, dependencies on packages controlled by malicious sources should be removed.
- Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. StackOverflow, personal fork, etc.)
Thanks for opening an issue!
I can confirm that the malicious code doesn't affect this project. (Coincidentally, I am a contributor to Copay.) I'll bump the dependencies anyways though, just to avoid scaring users.
Because this project doesn't have any dependencies for downstream consumers, vulnerabilities like this in dependencies are a bit less likely to be a problem (unless they specifically target bitcoin-ts's build process to produce unexpected output). I'd still like to find a better way to lock down dependencies and review diffs more thoroughly. I'll probably leave this issue open until I can figure that out.
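As an added example (not code from the bitcoin-ts project or from anyone in this thread), here is a small Node.js script covering the two things the comment above asks for. It walks a lockfileVersion 1 package-lock.json to flag a deny-listed package version (flatmap-stream@0.1.1, the version referenced in this issue) and any entry lacking an integrity hash, lists package.json ranges that are not pinned to an exact version, and diffs two lockfiles so a reviewer sees exactly which transitive packages were added, removed or changed between commits. Every version string other than flatmap-stream@0.1.1, the integrity strings, and the package name example-util are constructed placeholders; the function names are my own.

```javascript
// Added example, not part of the bitcoin-ts project. Audits an npm lockfile
// (lockfileVersion 1 layout, nested "dependencies" objects) and a package.json.
// All sample data below is constructed for this example.

// Package versions a project refuses to install. flatmap-stream@0.1.1 is the
// version referenced in this issue; everything else here is placeholder data.
const DENY_LIST = {
  'flatmap-stream': new Set(['0.1.1']),
};

// Exact semver only (1.2.3 or 1.2.3-tag); ranges such as ^1.2.3 or ~1.2.3 fail.
const SEMVER_EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Recursively visit lockfile entries, recording deny-listed versions and
// entries with no integrity hash (nothing for npm to verify on install).
function walkLockfile(deps, path, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${entry.version}`];
    const banned = DENY_LIST[name];
    if (banned && banned.has(entry.version)) {
      out.push({ kind: 'deny-listed', chain: here.join(' > ') });
    }
    if (!entry.integrity) {
      out.push({ kind: 'missing-integrity', chain: here.join(' > ') });
    }
    walkLockfile(entry.dependencies, here, out);
  }
  return out;
}

function auditLockfile(lock) {
  if (lock.lockfileVersion !== 1) {
    throw new Error('this example handles lockfileVersion 1 only');
  }
  return walkLockfile(lock.dependencies, [], []);
}

// package.json ranges that are not pinned to one exact version.
function unpinnedRanges(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!SEMVER_EXACT.test(range)) out.push(`${name}: "${range}"`);
    }
  }
  return out;
}

// Flatten the nested tree into "parent/child" -> version so two lockfiles
// can be compared position by position.
function flattenLock(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const key = prefix ? `${prefix}/${name}` : name;
    out.set(key, entry.version);
    flattenLock(entry.dependencies, key, out);
  }
  return out;
}

// What changed between two lockfile commits; the "changed" and "added" lines
// are the packages whose published contents deserve a source diff review.
function lockfileDiff(before, after) {
  const a = flattenLock(before.dependencies, '', new Map());
  const b = flattenLock(after.dependencies, '', new Map());
  const changes = [];
  for (const key of new Set([...a.keys(), ...b.keys()])) {
    const va = a.get(key);
    const vb = b.get(key);
    if (va === undefined) changes.push(`added   ${key}@${vb}`);
    else if (vb === undefined) changes.push(`removed ${key}@${va}`);
    else if (va !== vb) changes.push(`changed ${key} ${va} -> ${vb}`);
  }
  return changes.sort();
}

// Constructed sample inputs. Versions 1.2.2, 1.2.3, 4.5.6 and the integrity
// strings are placeholders, not real published values.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'event-stream': '^1.2.3', 'example-util': '4.5.6' },
};

const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '1.2.2', integrity: 'sha512-PLACEHOLDER-A' },
    'example-util': { version: '4.5.6', integrity: 'sha512-PLACEHOLDER-B' },
  },
};

const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 1,
  dependencies: {
    'event-stream': {
      version: '1.2.3',
      integrity: 'sha512-PLACEHOLDER-C',
      requires: { 'flatmap-stream': '0.1.1' },
      // Nested transitive dependency, deliberately without an integrity field.
      dependencies: { 'flatmap-stream': { version: '0.1.1' } },
    },
    'example-util': { version: '4.5.6', integrity: 'sha512-PLACEHOLDER-B' },
  },
};

function runAudit() {
  return {
    findings: auditLockfile(SAMPLE_LOCK_AFTER),
    unpinned: unpinnedRanges(SAMPLE_PACKAGE_JSON),
    diff: lockfileDiff(SAMPLE_LOCK_BEFORE, SAMPLE_LOCK_AFTER),
  };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

In a real repository, replace the constants with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the previous commit's lockfile, and wire the script into CI so a failed audit blocks the merge; the diff output tells the reviewer which package tarballs to compare before accepting the bump.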
Closing in favor of: #22