npm@1.5.0-alpha-3 vulnerabilities

a package manager for JavaScript

  • latest version

    10.9.2

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the npm package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Insertion of Sensitive Information into Log File

    npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

    How to fix Insertion of Sensitive Information into Log File?

    Upgrade npm to version 6.14.6 or higher.

    <6.14.6
    • H
    Arbitrary File Write

    npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field.

    For npm, a properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    How to fix Arbitrary File Write?

    Upgrade npm to version 6.13.3 or higher.

    <6.13.3
    • L
    Unauthorized File Access

    npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Unauthorized File Access. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation.

    For npm, a properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. This behaviour is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    How to fix Unauthorized File Access?

    Upgrade npm to version 6.13.3 or higher.

    <6.13.3
    • H
    Arbitrary File Overwrite

    npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin.

    For npm, this behaviour is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

    How to fix Arbitrary File Overwrite?

    Upgrade npm to version 6.13.4 or higher.

    <6.13.4
    • M
    Access Restriction Bypass

    npm is a package manager for JavaScript.

    Affected versions of this package are vulnerable to Access Restriction Bypass. It might allow local users to bypass intended filesystem access restrictions due to ownerships of /etc and /usr directories are being changed unexpectedly, related to a "correctMkdir" issue.

    How to fix Access Restriction Bypass?

    Upgrade npm to version 5.7.1 or higher.

    <5.7.1
    • M
    npm Token Leak

    This vulnerability could cause the unintentional leakage of bearer tokens. A design flaw in npm's registry allows an attacker to set up an HTTP server that could collect authentication information, and then use this authentication information to impersonate the users whose tokens they collected. The attacker could do anything the compromised users could do, including publishing new versions of packages.

    How to fix npm Token Leak?

    1. Upgrade npm to ">= 3.8.3 || >= 2.15.1"
    2. Invalidate your current npm bearer tokens

    <2.15.1>=3.0.0 <3.8.4