Vulnerabilities

 1 via 1 paths

Dependencies

 145

Source

 GitHub

Commit

 af22f42e

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

high severity
new

Command Injection

  • Vulnerable module: @pnpm/npm-conf
  • Introduced through: command-line-basics@3.0.0

Detailed paths

  • Introduced through: es-file-traverse@brettz9/es-file-traverse#af22f42e94a2776705114aba255a63c664807894 command-line-basics@3.0.0 update-notifier@7.3.1 latest-version@9.0.0 package-json@10.0.1 registry-auth-token@5.1.0 @pnpm/npm-conf@2.3.1

Overview

@pnpm/npm-conf is a Get the npm config

Affected versions of this package are vulnerable to Command Injection via environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker can execute arbitrary code by controlling environment variables during operations in build environments.

Remediation

Upgrade @pnpm/npm-conf to version 3.0.2 or higher.

References

Command Injection vulnerability report