pkg@3.0.2 vulnerabilities

Package your Node.js project into an executable

  • latest version

    5.8.1

  • first published

    12 years ago

  • latest version published

    1 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the pkg package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Creation of Temporary File in Directory with Insecure Permissions

    pkg is a command line interface that enables packaging a Node.js project into an executable

    Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in /tmp/pkg/, which is the hardcoded location for all included packages. A user with write access to that shared directory can replace packages and have them unknowingly executed by other users.

    Note: pkg is deprecated so no fix is expected for this issue. However, the maintainers "recommend investigating Node.js 21’s support for single executable applications".

    How to fix Creation of Temporary File in Directory with Insecure Permissions?

    There is no fixed version for pkg.

    *