Why am I seeing npm errors for event-stream / flatmap-stream in my build logs?

Issue

On November 26th, npm was notified of a malicious package that had made its way into event-stream, a popular npm package. After triaging the malware, npm responded by removing flatmap-stream and event-stream@3.3.6 from the Registry and taking ownership of the event-stream package to prevent further abuse. Now builds which specify either of these packages as dependencies will get errors when trying to install compromised versions.

Full details of this incident can be found on the npm blog - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident

Resolution

To resolve this you must upgrade your dependencies to ensure you are not using the compromised package. If you are using it, update your event-stream dependency to event-stream@3.3.4. A new, uncompromised flatmap-stream package has also been added to npm - https://www.npmjs.com/package/flatmap-stream

While it is better to update the specific dependencies that depended on the compromised package, you can also resolve this by deleting and regenerating your package-lock.json and yarn.lock files.
