[ https://issues.apache.org/jira/browse/TOBAGO-1962?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Henning Noeth resolved TOBAGO-1962. ----------------------------------- Resolution: Fixed Fix Version/s: 5.0.0 "package-lock.json" files are updated and 'npm-run-all' is set to version ^4.1.5 https://github.com/apache/myfaces-tobago/commit/85150caf7125abeae108be004b9a23ffb63dd21a https://github.com/apache/myfaces-tobago/commit/abfedd30a8b5d3628c3ae783c62f198aa9a193a5 For Tobago 3 and 4: There is nothing to do. The 'bootstrap.js' files are build before flatmap-stream got malicious. > flatmap-stream in package-lock.json > ----------------------------------- > > Key: TOBAGO-1962 > URL: https://issues.apache.org/jira/browse/TOBAGO-1962 > Project: MyFaces Tobago > Issue Type: Bug > Components: Themes > Affects Versions: 5.0.0 > Reporter: Henning Noeth > Assignee: Henning Noeth > Priority: Critical > Fix For: 5.0.0 > > > The flatmap-stream contain a malware which is targeting the copay > application. For more information, read the blog post at: > https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident > The flatmap-stream package can be found in the package-lock.json of the > current 5.0.0 master. This should be removed! -- This message was sent by Atlassian JIRA (v7.6.3#76005)