Post 1616180 by vancha@fosstodon.org
 (DIR) Post #1611906 by Gargron@mastodon.social
       2018-11-30T17:43:17Z
       
       1 likes, 1 repeats
       
       So event-stream 3.3.6 was removed from NPM because it depended on vulnerable flatmap-stream 0.1.1. But in Mastodon's dependency tree, we had event-stream 3.3.6 depending on flatmap-stream 0.1.0. Anyway, because event-stream 3.3.6 was yanked from NPM all of our builds break right now
       
 (DIR) Post #1612413 by Gargron@mastodon.social
       2018-11-30T17:53:50Z
       
       1 likes, 0 repeats
       
       The unfortunate consequence is that Docker images for v2.6.3 cannot be built because of this. The upgrade will work fine for all existing non-Docker installations, but not fresh ones.
       
 (DIR) Post #1612414 by CrowderSoup@socialmast.xyz
       2018-11-30T17:59:40Z
       
       1 likes, 0 repeats
       
       @Gargron Good thing I read this before trying to update my Docker install 😔 Such is life though, great work!
       
 (DIR) Post #1612415 by djsumdog@hitchhiker.social
       2018-11-30T18:20:18Z
       
       0 likes, 0 repeats
       
       @CrowderSoup @Gargron I'm glad I always do a `docker pull tootsuite/mastodon:v2.6.3` on my server first to cache the image, and in this case, obviously it isn't there. 😋
       
 (DIR) Post #1616167 by Lumb@lamp.institute
       2018-11-30T17:43:53Z
       
       1 likes, 0 repeats
       
       @Gargron Okay now you're just making words up smh
       
 (DIR) Post #1616169 by level2wizard@mastodon.technology
       2018-11-30T17:44:21Z
       
       1 likes, 0 repeats
       
       @Gargron good ole npm*
       
       *npm is neither good nor ole
       
 (DIR) Post #1616172 by aeonofdiscord@icosahedron.website
       2018-11-30T17:46:10Z
       
       1 likes, 0 repeats
       
       @Gargron flatmap-stream isn't just vulnerable afaik, it's the actual cryptominer payload
       
 (DIR) Post #1616175 by Gargron@mastodon.social
       2018-11-30T17:48:55Z
       
       1 likes, 0 repeats
       
       @aeonofdiscord According to people who reported the vulnerability, the code was added to flatmap-stream 0.1.1
       
 (DIR) Post #1616180 by vancha@fosstodon.org
       2018-11-30T17:49:23Z
       
       1 likes, 0 repeats
       
       @Gargron what does event-stream do? :O does it affect using the api?
       
 (DIR) Post #1616182 by Gargron@mastodon.social
       2018-11-30T17:50:24Z
       
       1 likes, 0 repeats
       
       @vancha No, it's somewhere down the dependency tree. We're not using it directly
       
 (DIR) Post #1616188 by kaniini@pleroma.site
       2018-11-30T17:56:00.322087Z
       
       1 likes, 0 repeats
       
       @Gargron flatmap-stream is an injection that looks for bitcoin wallets and sends them to an unknown person.  should lock event-stream to 3.3.4 which does not pull in flatmap-stream at all.
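       As an added example that is not part of this thread (nor Mastodon's own tooling), a small Node script that walks a package-lock.json tree and reports where event-stream and flatmap-stream occur, flagging event-stream 3.3.6 and flatmap-stream 0.1.1 as the affected versions discussed above. It assumes the lockfileVersion 1 nested layout and uses a constructed sample lock embedded inline.

```javascript
// Added example (not from the thread): audit a package-lock.json tree for the
// event-stream / flatmap-stream versions discussed above. Assumes the
// lockfileVersion 1 layout, where entries nest their own "dependencies".
const AFFECTED = {
  'event-stream': new Set(['3.3.6']),   // version that depended on flatmap-stream 0.1.1
  'flatmap-stream': new Set(['0.1.1']), // version carrying the injected code
};

// Walk the tree and collect every occurrence of a watched package.
// Returns [{ path, name, version, affected }], path being the chain of parents.
function findOccurrences(deps, parents = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...parents, `${name}@${entry.version}`];
    if (name in AFFECTED) {
      hits.push({ path: path.join(' > '), name, version: entry.version,
                  affected: AFFECTED[name].has(entry.version) });
    }
    hits.push(...findOccurrences(entry.dependencies, path));
  }
  return hits;
}

// Summarise: exact affected versions, plus any flatmap-stream at all, since
// the thread notes event-stream 3.3.4 does not pull it in.
function auditLock(lock) {
  const hits = findOccurrences(lock.dependencies);
  return {
    hits,
    affected: hits.filter((h) => h.affected),
    hasFlatmapStream: hits.some((h) => h.name === 'flatmap-stream'),
  };
}

// Constructed sample resembling the thread: event-stream 3.3.6 resolved to
// flatmap-stream 0.1.0, not the injected 0.1.1, plus a clean 3.3.4 elsewhere.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'build-tool-a': { version: '1.0.0', dependencies: {
      'event-stream': { version: '3.3.6', dependencies: {
        'flatmap-stream': { version: '0.1.0' } } } } },
    'build-tool-b': { version: '2.0.0', dependencies: {
      'event-stream': { version: '3.3.4' } } },
  },
};
for (const h of auditLock(SAMPLE_LOCK).hits) {
  console.log(`${h.affected ? 'AFFECTED' : 'present '} ${h.path}`);
}
```

       On a real lockfile, pass the parsed JSON object to auditLock and treat any non-empty `affected` list, or `hasFlatmapStream` being true, as a reason to pin event-stream to a version that does not pull flatmap-stream in at all.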
       
 (DIR) Post #1616192 by Gargron@mastodon.social
       2018-11-30T18:26:59Z
       
       1 likes, 0 repeats
       
       Ironically the event-stream dependency can be easily avoided. I'm removing it and then bumping to v2.6.4 so everyone can upgrade. Awkward situation though, I'm sorry.
       
 (DIR) Post #1616196 by dennix@octodon.social
       2018-11-30T18:30:17Z
       
       1 likes, 0 repeats
       
       @gargron As a user, I appreciate you're discussing such an issue on your public timeline :)
       
 (DIR) Post #1616198 by Maya@social.politicaconciencia.org
       2018-11-30T18:33:17Z
       
       1 likes, 0 repeats
       
       @Gargron 😂😂😂 😉
       
 (DIR) Post #1616200 by Ball@animeisgay.com
       2018-11-30T18:40:32Z
       
       1 likes, 0 repeats
       
       @Gargron I never liked docker
       
 (DIR) Post #1616202 by CrowderSoup@socialmast.xyz
       2018-11-30T18:45:51Z
       
       1 likes, 0 repeats
       
       @Gargron Awesome, I think it's great that you're getting a fix out so quickly!
       
 (DIR) Post #1616204 by indefenseofmastodon@mastodon.redflag.social
       2018-11-30T19:48:41Z
       
       1 likes, 0 repeats
       
       @Gargron Tbh this is a feature not a bug. At least in my eyes as a cranky old sysadmin who wants these containers to get off my lawn.
       
 (DIR) Post #1616207 by G_Dog1985@linuxrocks.online
       2018-11-30T20:20:16Z
       
       1 likes, 0 repeats
       
       @Gargron RAILS_ENV=production bundle exec rails assets:precompile
       rails aborted!
       SyntaxError: /home/mastodon/live/lib/mastodon/version.rb:16: syntax error, unexpected <<
       <<<<<<< HEAD
       ^~
       /home/mastodon/live/lib/mastodon/version.rb:18: syntax error, unexpected ===, expecting keyword_end
       =======
       ^~~
       /home/mastodon/live/vendor/bundle/ruby/2.5.0/gems/bootsnap-1.3.2/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:21:in `require'
       for v2.6.4 non-docker with ruby 2.5.3
       
 (DIR) Post #1616210 by Gargron@mastodon.social
       2018-11-30T20:32:29Z
       
       1 likes, 0 repeats
       
       @G_Dog1985 You merged something when you shouldn't have been merging
       
 (DIR) Post #1616212 by hanage999@mastodon.crazynewworld.net
       2018-11-30T20:51:13Z
       
       1 likes, 0 repeats
       
       @Gargron Thank you so much for the immediate fix!