Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation.

In npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. This behaviour is also possible through install scripts, but this vulnerability still applies when a user installs with the --ignore-scripts option, bypassing that protection.
Upgrade npm to version 6.13.3 or higher.
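
For auditing dependencies on the defensive side, the following added example (not npm's own code and not part of the original advisory) statically checks a package.json bin field for targets that resolve outside the package directory. It goes slightly beyond the advisory text by also flagging command names that are not plain file names; the function names and sample manifests are constructed for illustration.

```javascript
// Added example, not npm's own code: static audit of a package.json "bin" field.
// Function names and sample manifests are constructed for illustration.

// Normalise a relative path; return null if it is absolute or climbs above its base.
function resolveInside(p) {
  const s = String(p).replace(/\\/g, '/');
  if (s.startsWith('/') || /^[A-Za-z]:/.test(s)) return null; // absolute path
  const out = [];
  for (const seg of s.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null; // escapes the base directory
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.join('/');
}

// Returns a list of findings; an empty list means nothing suspicious was found.
function auditBin(pkg) {
  let bin = pkg.bin;
  if (bin === undefined || bin === null) return [];
  if (typeof bin === 'string') {
    // String form is shorthand for { <unscoped package name>: <path> }.
    bin = { [String(pkg.name || '').replace(/^@[^/]+\//, '')]: bin };
  }
  if (typeof bin !== 'object' || Array.isArray(bin)) {
    return [{ name: null, issue: 'bin is not a string or object' }];
  }
  const findings = [];
  for (const [name, target] of Object.entries(bin)) {
    // The command name becomes a link name in the .bin directory.
    if (name === '' || name === '.' || name === '..' || /[\\/]/.test(name)) {
      findings.push({ name, issue: 'command name is not a plain file name' });
    }
    // The target is what the link points at; it must stay inside the package.
    if (typeof target !== 'string' || resolveInside(target) === null) {
      findings.push({ name, issue: 'target resolves outside the package directory' });
    }
  }
  return findings;
}

// Constructed sample manifests.
const benign = { name: 'demo-cli', bin: { demo: './cli.js' } };
const suspicious = { name: 'demo-pkg', bin: { helper: '../../../outside/file', '../up': 'cli.js' } };
```

A clean result from this check does not replace the upgrade; it only helps triage manifests before installation.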