[ZEPPELIN-3886] Remove dependency on flatmap-stream 0.1.1 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 0.8.0, 0.8.1, 0.9.0
Fix Version/s: 0.9.0
Component/s: build, Core, Interpreters, security
Labels:
- security

Description

copy-pasting derektapley's report in ~~ZEPPELIN-3881~~

https://issues.apache.org/jira/browse/ZEPPELIN-3881?focusedCommentId=16702336&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16702336

I see that the error is do to flatmap-stream 0.1.1 not being found, which is a dependency of the event-stream library. It turns out this might actually be due to being a "poisoned' library, as some news articles recently indicate that event-stream was [backdoored to exploit a popular cryptocurrency wallet|https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/.] As such, npmjs.com has removed the dependency and the event-stream version needs to be updated to the latest, 4.0.1.

It seems that zeppelin master build is broken due to this.

Would it be possible to remove dependency of either `flatmap-stream` or `event-stream` or find a secure equivalent ?

Attachments

Issue Links

links to

GitHub Pull Request #3243

Activity

People

Assignee:: Derek Tapley

Reporter:: Ruslan Dautkhanov

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 28/Nov/18 20:04

Updated:: 24/Dec/20 03:19

Resolved:: 06/Mar/19 08:21