Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation.

In npm, a properly constructed entry in the package.json bin field allows a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. The same outcome has always been possible through install scripts, but those can be disabled; the bin symlink is created while npm links the package, not by a script, so this vulnerability bypasses the protection a user gets from the --ignore-scripts install option.

Remediation: upgrade node to version 12.14.0, 10.18.0, 8.17.0, 13.4.0 or higher (these releases bundle a patched npm).