npm audit does not report vulnerability on event-stream@3.3.6


(Matthieu Foucault) #1

What I Wanted to Do

Had event-stream@3.3.6 as a dependency in my package-lock.json. It was installed prior to the takeover and removal from npmjs, so it was in my cache.
I would have expected the vulnerability to be displayed when running npm audit.

What Happened Instead

When running npm audit, no vulnerability showed up.

Reproduction Steps

Hard to do. You need a vulnerable package that has been removed from npmjs, but still in your cache.

Details

This bug has been reported in the yarn issue tracker too: https://github.com/yarnpkg/yarn/issues/6729

An additional point: shouldn’t, in a case like this, a new version be published in addition to the removal of the offending release? Some of my dependencies depend on event-stream@~3.0.0. If a 3.3.7 had been released in addition to the removal of 3.3.6, the package would have upgraded itself by just deleting the package-lock and doing a new npm install, instead of having to clean the cache.


(Bence Dányi) #2

event-stream@3.3.6 had flatmap-stream@0.1.1 as a (pinned) dependency? If yes, then npm audit should report flatmap-stream@0.1.1. AFAIK event-stream itself was not infected, and it contained nothing harmful.


(Matthieu Foucault) #3

It did not, so I guess I did not have the malicious version installed?
Regardless, event-stream is not in the advisories list indeed, just flatmap-stream, but in both the description of the flatmap advisory and the report on the npm blog (and other sources), event-stream@3.3.6 is described as malicious, so I would have expected it to be reported as such.
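A local lockfile check of the kind this thread is missing, added here as an example and not code from npm or from either poster: it walks package-lock.json (the nested dependencies of lockfileVersion 1, or the flat packages map of versions 2 and 3) and flags exact name@version pairs on a watchlist built only from the two versions named above, so a pinned event-stream@3.3.6 or flatmap-stream@0.1.1 in the lock is reported whether or not the advisory database lists it. The sample lockfiles are constructed.

```javascript
// Added example, not code from npm or from this thread: flag exact name@version
// pairs in package-lock.json regardless of what the advisory database lists.
const WATCHLIST = new Set(['event-stream@3.3.6', 'flatmap-stream@0.1.1']); // versions from the thread

// Return every watchlisted package as { id, path }, transitive entries included.
// lockfileVersion 2/3 carry a flat "packages" map keyed by install path; v1 nests
// "dependencies" (v2 does too, redundantly, so that walk runs only without "packages").
function findWatchlisted(lock, watchlist = WATCHLIST) {
  const hits = [];
  if (lock.packages) {
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key === '') continue; // root project entry, not a dependency
      const name = key.slice(key.lastIndexOf('node_modules/') + 13);
      const id = `${name}@${meta.version}`;
      if (watchlist.has(id)) hits.push({ id, path: key });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const id = `${name}@${meta.version}`;
      const path = `${prefix}node_modules/${name}`;
      if (watchlist.has(id)) hits.push({ id, path });
      walk(meta.dependencies, `${path}/`); // nested copies installed under this package
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function scanLockfile(file) { // e.g. scanLockfile('./package-lock.json')
  return findWatchlisted(JSON.parse(require('fs').readFileSync(file, 'utf8')));
}

// Constructed sample locks: event-stream@3.3.6 pinning flatmap-stream@0.1.1
// underneath an unrelated tool, in the v1 and the v3 layout.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: { 'some-tool': { version: '1.0.0', dependencies: {
    'event-stream': { version: '3.3.6', dependencies: {
      'flatmap-stream': { version: '0.1.1' } } } } } },
};
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/some-tool/node_modules/event-stream': { version: '3.3.6' },
    'node_modules/some-tool/node_modules/event-stream/node_modules/flatmap-stream': { version: '0.1.1' },
  },
};
```

Both samples yield two hits, event-stream@3.3.6 first and then the flatmap-stream@0.1.1 nested under it, with their install paths.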