bin-links is a .bin/ script linker package.
Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation.
In npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. The same behaviour is possible through install scripts, but this vulnerability bypasses the --ignore-scripts install option, so it applies even when a user installs with scripts disabled.
Upgrade bin-links to version 1.1.5 or higher.
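A lexical audit of the package.json bin field described above, as an added example that is not code from bin-links or npm: it flags link names that are not plain file names and targets that resolve outside the package directory. The function names and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: lexical audit of a package.json "bin" field.
// Assumption: link names belong directly inside node_modules/.bin and
// targets are resolved relative to the package's own directory.

// True if a relative path is absolute or climbs above its base directory.
function escapesBase(rel) {
  const p = String(rel).replace(/\\/g, '/');
  if (p.startsWith('/') || /^[A-Za-z]:/.test(p)) return true; // absolute path
  let depth = 0;
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    depth += seg === '..' ? -1 : 1;
    if (depth < 0) return true; // walked above the base directory
  }
  return false;
}

// Normalise "bin" to a { linkName: target } map; the string form is
// linked under the package name with any @scope/ prefix removed.
function binEntries(pkg) {
  if (typeof pkg.bin === 'string') {
    const name = String(pkg.name || '').replace(/^@[^/]+\//, '');
    return { [name]: pkg.bin };
  }
  return pkg.bin && typeof pkg.bin === 'object' ? pkg.bin : {};
}

// Return one finding per bin entry that would link outside its expected directory.
function auditBin(pkg) {
  const findings = [];
  for (const [name, target] of Object.entries(binEntries(pkg))) {
    // A link name must be a single file name, never a path.
    if (/[\\/]/.test(name) || name === '.' || name === '..') {
      findings.push({ name, target, issue: 'link-name-outside-bin' });
    }
    if (typeof target !== 'string' || escapesBase(target)) {
      findings.push({ name, target, issue: 'target-outside-package' });
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real package).
const benign = { name: '@example/tool', bin: './cli.js' };
const suspicious = {
  name: 'example-pkg',
  bin: { ok: 'bin/ok.js', '../../escape': 'bin/x.js', reader: '../../../outside.txt' },
};
console.log(auditBin(benign), auditBin(suspicious));
```

The check is lexical only: it does not follow symlinks that already exist inside a package, so it complements the upgrade rather than replacing it.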