Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File org.webjars.npm:npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files. How to fix Insertion of Sensitive Information into Log File? Upgrade `org.webjars.npm:npm` to version 6.14.8 or higher.	[,6.14.8)
H Arbitrary File Write org.webjars.npm:npm is a package manager for JavaScript. Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended `node_modules` folder through the bin field. For `npm`, a properly constructed entry in the `package.json` bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the `--ignore-scripts install` option. How to fix Arbitrary File Write? Upgrade `org.webjars.npm:npm` to version 7.16.0 or higher.	[0,7.16.0)

Insertion of Sensitive Information into Log File

org.webjars.npm:npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

How to fix Insertion of Sensitive Information into Log File?

Upgrade org.webjars.npm:npm to version 6.14.8 or higher.

[,6.14.8)

Arbitrary File Write

org.webjars.npm:npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Write?

Upgrade org.webjars.npm:npm to version 7.16.0 or higher.

[0,7.16.0)

Go back to all versions of this package