npm@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the npm@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0@6.9.0 package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free
VulnerabilityVulnerable Version
  • M
Insertion of Sensitive Information into Log File

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

How to fix Insertion of Sensitive Information into Log File?

Upgrade npm to version 6.14.6 or higher.

<6.14.6
  • H
Arbitrary File Write

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Write?

Upgrade npm to version 6.13.3 or higher.

<6.13.3
  • L
Unauthorized File Access

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Unauthorized File Access?

Upgrade npm to version 6.13.3 or higher.

<6.13.3
  • H
Arbitrary File Overwrite

npm is a package manager for JavaScript.

Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin.

For npm, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

How to fix Arbitrary File Overwrite?

Upgrade npm to version 6.13.4 or higher.

<6.13.4