npm package security issue

[mr-loop-1]

I was trying to setup the repos for cose and fcose. Upon doing npm i on this repo, there was an error for missing package in npm archive for flatmap-stream v0.1.1.

Upon searching, I found the following discussion in the event-stream repo which indicates that it was a security vulnerability that has been removed from all versions of npm.

The packages event-stream and flatmap-stream are added as dependencies in package-lock.json and hence npm attempts to install them.

cytoscape.js-cose-bilkent/package-lock.json

Lines 5093 to 5094 in 1093cb2

	"event-stream": {
	"version": "3.3.6",

cytoscape.js-cose-bilkent/package-lock.json

Lines 5593 to 5594 in 1093cb2

	"flatmap-stream": {
	"version": "0.1.1",

When I removed package-lock.json and did npm i, neither were installed indicating that package.json packages have updated their dependencies to not include these.

A solution can be to remake package-lock.json using appropriate version of npm.

[hasanbalci]

@mr-loop-1 Thanks for informing us. I think the root of all these dependencies is the npm-run-all package. Updating it to the latest version (v4.1.5) in package.json and regenerating package-lock json file should solve the problem. I will do it.