Ruslan Dautkhanov created ZEPPELIN-3886: -------------------------------------------
Summary: Remove dependency on flatmap-stream 0.1.1 Key: ZEPPELIN-3886 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3886 Project: Zeppelin Issue Type: Bug Components: build, Core, Interpreters Affects Versions: 0.8.0, 0.9.0, 0.8.1 Reporter: Ruslan Dautkhanov copy-pasting [~derektapley]'s report in ZEPPELIN-3881 https://issues.apache.org/jira/browse/ZEPPELIN-3881?focusedCommentId=16702336&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16702336 {panel} I see that the error is do to flatmap-stream 0.1.1 not being found, which is a dependency of the event-stream library. It turns out this might actually be due to being a "poisoned' library, as some news articles recently indicate that event-stream was [backdoored to exploit a popular cryptocurrency wallet|[https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/].] As such, npmjs.com has removed the dependency and the event-stream version needs to be updated to the latest, 4.0.1. {panel} It seems that zeppelin master build is broken due to this. Would it be possible to remove dependency of either `flatmap-stream` or `event-stream` or find a secure equivalent ? -- This message was sent by Atlassian JIRA (v7.6.3#76005)