npm-registry-fetch@8.0.3

  • Vulnerabilities: 1 via 1 paths
  • Dependencies: 70
  • Source: npm

medium severity

Insertion of Sensitive Information into Log File

  • Vulnerable module: npm-registry-fetch
  • Introduced through: npm-registry-fetch@8.0.3

Detailed paths

  • Introduced through: npm-registry-fetch@8.0.3
    Remediation: Upgrade to npm-registry-fetch@8.1.1.

Overview

npm-registry-fetch is a Fetch-based HTTP client for use with npm registry APIs.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The package supports URLs of the form <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and to any generated log files.

Remediation

Upgrade npm-registry-fetch to version 4.0.5, 8.1.1 or higher.
