ZEPPELIN-3886

Remove dependency on flatmap-stream 0.1.1


      Description

      Copy-pasting Derek Tapley's report in ZEPPELIN-3881:

      https://issues.apache.org/jira/browse/ZEPPELIN-3881?focusedCommentId=16702336&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16702336

      I see that the error is due to flatmap-stream 0.1.1 not being found, which is a dependency of the event-stream library. It turns out this might actually be due to being a "poisoned" library, as some news articles recently indicate that event-stream was [backdoored to exploit a popular cryptocurrency wallet|https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/]. As such, npmjs.com has removed the dependency and the event-stream version needs to be updated to the latest, 4.0.1.

      It seems that the Zeppelin master build is broken due to this.

      Would it be possible to remove the dependency on either `flatmap-stream` or `event-stream`, or find a secure equivalent?

              People

              • Assignee: Derek Tapley (derektapley)
              • Reporter: Ruslan Dautkhanov (Tagar)
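An added example (not part of the original issue or of Zeppelin's code): a Node.js check that finds flatmap-stream 0.1.1 in a parsed package-lock.json and lists the chain of packages that pulls it in, which is the information needed to decide what to upgrade or remove. It assumes the lockfileVersion 1 layout; the function names, the sample lockfile and every version other than 0.1.1 are constructed for illustration.

```javascript
'use strict';

// Flatten the nested "dependencies" tree of a lockfile into a list of packages.
function flatten(deps, out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    out.push({ name, version: info.version, requires: Object.keys(info.requires || {}) });
    flatten(info.dependencies, out);
  }
  return out;
}

// Return every installed copy of name@version together with the chains of
// packages that pull it in, outermost first (direct parent last).
function findFlagged(lock, name, version) {
  const pkgs = flatten(lock.dependencies);
  const parentsOf = (n) => pkgs.filter((p) => p.requires.includes(n)).map((p) => p.name);

  // Walk the reverse "requires" graph upward; `seen` guards against cycles.
  function chains(n, seen) {
    const parents = [...new Set(parentsOf(n))].filter((p) => !seen.has(p));
    if (parents.length === 0) return [[]];
    return parents.flatMap((p) =>
      chains(p, new Set([...seen, p])).map((c) => [...c, p]));
  }

  return pkgs
    .filter((p) => p.name === name && p.version === version)
    .map((p) => ({ name: p.name, version: p.version, pulledInBy: chains(name, new Set([name])) }));
}

// Constructed sample lockfile; only "flatmap-stream 0.1.1" comes from the issue.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'example-dev-tool': { version: '0.0.0-constructed', requires: { 'event-stream': '*' } },
    'event-stream': { version: '0.0.0-constructed', requires: { 'flatmap-stream': '*' } },
    'flatmap-stream': { version: '0.1.1' },
    'unrelated-lib': { version: '0.0.0-constructed' },
  },
};

console.log(JSON.stringify(findFlagged(sampleLock, 'flatmap-stream', '0.1.1')));
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `sampleLock`; an empty result means the flagged version is not in the lockfile.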