pkg@3.0.6 vulnerabilities

Package your Node.js project into an executable

Direct Vulnerabilities

Known vulnerabilities in the pkg package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Creation of Temporary File in Directory with Insecure Permissions

pkg is a command line interface that enables packaging a Node.js project into an executable

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in /tmp/pkg/, which is the hardcoded location for all included packages. A user with write access to that shared directory can replace packages and have them unknowingly executed by other users.

Note: pkg is deprecated so no fix is expected for this issue. However, the maintainers "recommend investigating Node.js 21’s support for single executable applications".

How to fix Creation of Temporary File in Directory with Insecure Permissions?

There is no fixed version for pkg.

*