SourceKit-LSP for VSCode and `flatmap-stream@0.1.1`

Several news reports said that event-stream and flatmap-stream@0.1.1 have security issues.
Unfortunately, SourceKit-LSP for Visual Studio Code depends on flatmap-stream@0.1.1.

Should we uninstall the current vscode extension?

$ npm ls event-stream flatmap-stream
sourcekit-lsp@0.0.1 /workspace/sourcekit-lsp/Editors/vscode
└─┬ vscode@1.1.21
  ├─┬ gulp-remote-src-vscode@0.5.0
  │ └─┬ event-stream@3.3.6 
  │   └── flatmap-stream@0.1.1 
  ├─┬ gulp-symdest@1.1.0
  │ └── event-stream@3.3.6  deduped
  ├─┬ gulp-untar@0.0.7
  │ └── event-stream@3.3.6  deduped
  └─┬ gulp-vinyl-zip@2.1.0
    └── event-stream@3.3.6  deduped
1 Like

You should be fine as long as SourceKit-LSP doesn’t also function as a bitcoin wallet. The vulnerability was targeted at a specific npm dependency.

That being said, yeah it should be updated to remove or change that dependency, since npm yanked the bad package.

1 Like

I updated our dependency on vscode, which removes the dependency on flatmap-stream: [vscode] Update dev dependencies vscode, vsce by benlangmuir · Pull Request #21 · apple/sourcekit-lsp · GitHub

The dependency on event-stream comes from a dev dependency on vscode and is not installed into the extension itself.

1 Like