So event-stream 3.3.6 was removed from NPM because it depended on vulnerable flatmap-stream 0.1.1. But in Mastodon's dependency tree, we had event-stream 3.3.6 depending on flatmap-stream 0.1.0.

Anyway, because event-stream 3.3.6 was yanked from NPM all of our builds break right now

The unfortunate consequence is that Docker images for v2.6.3 cannot be built because of this. The upgrade will work fine for all existing non-Docker installations, but not fresh ones.

Ironically the event-stream dependency can be easily avoided. I'm removing it and then bumping to v2.6.4 so everyone can upgrade. Awkward situation though, I'm sorry.

Follow

@gargron As a user, I appreciate you're discussing such an issue on your public timeline :)

Sign in to participate in the conversation
Octodon

Octodon is a nice general purpose instance. more