How to deal with the nodemon security vulnerability

Overview

Malicious code was injected into event-stream@3.3.6.
When I checked the dependencies in my project, nodemon@1.18.6 was affected, so I am writing down how I checked for it and how I fixed it.

How to check

Run the following command to check.

Terminal
npm ls event-stream flatmap-stream

If the output shows event-stream@3.3.6 and flatmap-stream@0.1.1 as below, something in your dependency tree depends on the package containing the malicious code.

Terminal
`-- nodemon@1.18.6
  `-- pstree.remy@1.1.0
    `-- ps-tree@1.1.0
      `-- event-stream@3.3.6
        `-- flatmap-stream@0.1.1

Fix

Reinstall nodemon so that you get nodemon@1.18.7 or later.

Terminal
npm uninstall nodemon
npm install --save-dev nodemon

Confirm that it is no longer a dependency

npm ls event-stream flatmap-stream
`-- (empty)

If the check command shows any package other than nodemon depending on event-stream@3.3.6, that package needs to be dealt with as well.
