Ruslan Dautkhanov created ZEPPELIN-3886:
-------------------------------------------

             Summary: Remove dependency on flatmap-stream 0.1.1
                 Key: ZEPPELIN-3886
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3886
             Project: Zeppelin
          Issue Type: Bug
          Components: build, Core, Interpreters
    Affects Versions: 0.8.0, 0.9.0, 0.8.1
            Reporter: Ruslan Dautkhanov


copy-pasting [~derektapley]'s report in ZEPPELIN-3881

https://issues.apache.org/jira/browse/ZEPPELIN-3881?focusedCommentId=16702336&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16702336

 
{panel}
I see that the error is due to flatmap-stream 0.1.1 not being found, which is a 
dependency of the event-stream library.  It turns out this might actually be 
due to being a "poisoned" library, as some news articles recently indicate that 
event-stream was [backdoored to exploit a popular cryptocurrency 
wallet|https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/].
  As such, npmjs.com has removed the dependency and the event-stream version 
needs to be updated to the latest, 4.0.1.
{panel}
 

 It seems that the Zeppelin master build is broken due to this.

Would it be possible to remove the dependency on either `flatmap-stream` or 
`event-stream`, or find a secure equivalent?

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
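
A check that follows from the report above, as an added example (not code from Zeppelin or from the reporter): list which packages in an npm lockfile pull in flatmap-stream 0.1.1. It assumes the nested `dependencies`/`requires` layout of a version 1 package-lock.json; `sampleLock`, `flatten`, `whyInstalled` and every package name, version and range other than flatmap-stream 0.1.1 and the name event-stream are constructed for illustration.

```javascript
// Constructed sample in the nested layout of a version 1 package-lock.json.
// Only flatmap-stream 0.1.1 and the name event-stream come from the report;
// every other name, version and range here is made up for the example.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "task-runner": { version: "1.0.0", requires: { "proc-list": "^1.0.0" } },
    "proc-list": { version: "1.0.0", requires: { "event-stream": "*" } },
    "event-stream": {
      version: "0.0.0-constructed",
      requires: { "flatmap-stream": "^0.1.0" },
      dependencies: { "flatmap-stream": { version: "0.1.1" } }
    },
    "dev-server": { version: "2.0.0", requires: { "event-stream": "*" } }
  }
};

// Flatten the nested tree into one list of installed packages.
function flatten(deps, out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    out.push({ name, version: info.version, requires: Object.keys(info.requires || {}) });
    flatten(info.dependencies, out);
  }
  return out;
}

// Return the chains of requirers leading to name@version, each starting at a
// package that no other entry requires. Requirers are matched by package name,
// not by resolving semver ranges, so a name installed at several versions is
// over-reported rather than missed.
function whyInstalled(lock, name, version) {
  const entries = flatten(lock.dependencies);
  if (!entries.some(e => e.name === name && e.version === version)) return [];
  const chains = [];
  const walk = (pkg, chain) => {
    const parents = [...new Set(entries.filter(e => e.requires.includes(pkg)).map(e => e.name))]
      .filter(n => !chain.includes(n)); // guard against dependency cycles
    if (parents.length === 0) chains.push(chain.join(" > "));
    for (const p of parents) walk(p, [p, ...chain]);
  };
  walk(name, [`${name}@${version}`]);
  return chains;
}

console.log(whyInstalled(sampleLock, "flatmap-stream", "0.1.1").join("\n"));
```

To check a real project, pass the parsed contents of its `package-lock.json` in place of `sampleLock`; an empty result means that version is not in the tree.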
