Vulnerability report for brettz9/eslint-plugin-query

Vulnerabilities	1 via 1 paths
Dependencies	161
Source	GitHub
Commit	2014199d

Vulnerabilities

1 via 1 paths

Dependencies

161

Source

GitHub

Commit

2014199d

high severity

new

Command Injection

Vulnerable module: @pnpm/npm-conf
Introduced through: command-line-basics@3.0.0

Detailed paths

Introduced through: eslint-plugin-query@brettz9/eslint-plugin-query#2014199d277c5d2816016c4242eae52b929ffaf2 › command-line-basics@3.0.0 › update-notifier@7.3.1 › latest-version@9.0.0 › package-json@10.0.1 › registry-auth-token@5.1.0 › @pnpm/npm-conf@2.3.1

Overview

@pnpm/npm-conf is a Get the npm config

Affected versions of this package are vulnerable to Command Injection via environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker can execute arbitrary code by controlling environment variables during operations in build environments.

Remediation

Upgrade @pnpm/npm-conf to version 3.0.2 or higher.

References

GitHub Commit
GitHub Commit
GitHub Release

Command Injection vulnerability report