Homepage

pkg@4.1.1 vulnerabilities

Package your Node.js project into an executable

  • latest version

    5.8.1

  • first published

    13 years ago

  • latest version published

    2 years ago

  • licenses detected

  • View pkg package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the pkg package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Creation of Temporary File in Directory with Insecure Permissions

    pkg is a command line interface that enables packaging a Node.js project into an executable

    Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in /tmp/pkg/, which is the hardcoded location for all included packages. A user with write access to that shared directory can replace packages and have them unknowingly executed by other users.

    Note: pkg is deprecated so no fix is expected for this issue. However, the maintainers "recommend investigating Node.js 21’s support for single executable applications".

    How to fix Creation of Temporary File in Directory with Insecure Permissions?

    There is no fixed version for pkg.

    *
    Go back to all versions of this package