NodeJS/npm/6.13.3

a package manager for JavaScript

Repo Link: https://www.npmjs.com/package/npm
License: Artistic-2.0

2 Security Vulnerabilities

npm Vulnerable to Global node_modules Binary Overwrite

Published date: 2019-12-13T15:39:32Z

CVE: CVE-2019-16777

Links:

Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations.

For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global node_modules directory.

This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.

Recommendation

Upgrade to version 6.13.4 or later.

Affected versions: ["1.1.25", "1.2.32", "1.3.2", "1.3.4", "1.2.20", "1.2.21", "1.2.22", "1.2.23", "1.2.24", "1.2.25", "1.2.27", "1.2.28", "1.2.30", "1.2.31", "1.3.0", "1.3.1", "1.2.19", "1.1.70", "1.1.71", "1.3.5", "1.3.6", "1.3.7", "1.3.8", "1.3.9", "1.3.10", "1.3.11", "1.3.12", "1.3.13", "1.3.14", "1.3.15", "1.3.16", "1.3.17", "1.3.18", "1.3.20", "1.3.21", "1.3.22", "1.3.23", "1.3.24", "1.3.25", "1.3.26", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.4.4", "1.4.5", "1.4.6", "1.4.7", "1.4.8", "1.4.9", "1.4.10", "1.4.11", "1.4.12", "1.4.13", "1.4.14", "1.4.15", "1.4.16", "1.2.8000", "1.4.17", "1.4.18", "1.4.19", "1.5.0-alpha-0", "1.5.0-alpha-1", "1.4.20", "1.5.0-alpha-2", "1.4.21", "1.5.0-alpha-3", "1.5.0-alpha-4", "2.0.0-alpha-5", "1.4.22", "1.4.23", "2.0.0-alpha.6.0", "1.4.24", "2.0.0-alpha.6", "2.0.0-alpha.7", "2.0.0-beta.0", "1.4.25", "2.0.0-beta.1", "1.4.26", "2.0.0-beta.2", "1.4.27", "2.0.0-beta.3", "1.4.28", "2.0.0", "2.0.1", "2.0.2", "2.1.0", "2.1.1", "2.1.2", "2.1.3", "2.1.4", "2.1.5", "2.1.6", "2.1.7", "2.1.8", "2.1.9", "2.1.10", "2.1.11", "2.1.12", "2.1.13", "2.1.14", "2.1.15", "2.1.16", "2.1.17", "2.1.18", "2.2.0", "2.3.0", "2.4.0", "2.4.1", "2.5.0", "2.5.1", "2.6.0", "2.6.1", "2.7.0", "2.7.1", "2.7.2", "2.7.3", "2.7.4", "2.7.5", "2.7.6", "2.8.0", "2.8.1", "2.8.2", "2.8.3", "2.8.4", "2.9.0", "2.9.1", "2.10.0", "2.10.1", "2.11.0", "2.11.1", "2.11.2", "2.11.3", "2.12.0", "3.0.0", "2.12.1", "2.13.0", "3.1.0", "2.13.1", "3.1.1", "3.1.2", "2.13.2", "3.1.3", "2.13.3", "3.2.0", "2.13.4", "3.2.1", "2.13.5", "3.2.2", "2.14.0", "3.3.0", "2.14.1", "2.14.2", "3.3.1", "2.14.3", "3.3.2", "2.14.4", "3.3.3", "2.14.5", "3.3.4", "2.14.6", "3.3.5", "3.3.6", "2.14.7", "2.14.8", "3.3.7", "3.3.8", "3.3.9", "3.3.10", "2.14.9", "3.3.11", "1.4.29", "3.3.12", "2.14.10", "3.4.0", "3.4.1", "2.14.11", "2.14.12", "3.5.0", "3.5.1", "2.14.13", "2.14.14", "3.5.2", "2.14.15", "3.5.3", "3.5.4", "3.6.0", "2.14.16", "2.14.17", "3.7.0", "3.7.1", "3.7.2", "2.14.18", "3.7.3", "2.14.19", "2.14.20", "3.7.4", "3.7.5", "2.14.21", "3.8.0", "2.14.22", "3.8.1", "3.8.2", "2.15.0", "2.15.1", "3.8.3", "2.15.2", "3.8.4", "3.8.5", "3.8.6", "2.15.3", "3.8.7", "2.15.4", "3.8.8", "3.8.9", "2.15.5", "3.9.0", "3.9.1", "2.15.6", "3.9.2", "3.9.3", "3.9.4", "3.9.5", "3.9.6", "3.10.0", "2.15.7", "3.10.1", "2.15.8", "3.10.2", "3.10.3", "3.10.4", "2.15.9", "3.10.5", "3.10.6", "3.10.7", "2.15.10", "3.10.8", "2.15.11", "3.10.9", "4.0.0", "4.0.1", "4.0.2", "3.10.10", "4.0.3", "4.0.5", "4.1.0", "4.1.1", "4.1.2", "4.2.0", "4.3.0", "4.4.0", "4.4.1", "4.4.2", "4.4.3", "4.4.4", "4.5.0", "2.15.12", "4.6.0", "4.6.1", "5.0.0", "5.0.1", "5.0.2", "5.0.3", "5.0.4", "5.1.0", "5.2.0", "5.3.0", "5.4.0", "5.4.1", "5.4.2", "5.5.0", "5.5.1", "5.6.0", "5.7.0", "5.7.1", "5.8.0-next.0", "5.8.0", "6.0.0-next.0", "5.9.0-next.0", "5.10.0-next.0", "6.0.0-next.1", "6.0.0-next.2", "6.0.0", "6.0.1-next.0", "5.10.0-next.1", "6.0.1", "5.10.0", "6.1.0-next.0", "6.1.0", "6.2.0-next.0", "6.2.0-next.1", "6.2.0", "6.3.0-next.0", "6.3.0", "6.4.0-next.0", "6.4.0", "6.4.1-next.0", "6.4.1", "6.5.0-next.0", "6.5.0", "6.6.0-next.0", "6.6.0-next.1", "6.6.0", "6.7.0", "6.8.0-next.0", "6.8.0-next.1", "6.8.0-next.2", "6.8.0", "6.9.0-next.0", "6.9.0", "6.9.1-next.0", "6.9.2", "6.10.0-next.0", "6.10.0", "6.10.1-next.0", "6.10.1-next.1", "6.10.1-next.2", "6.10.1", "6.10.2-next.0", "6.10.2-next.1", "6.10.2-next.2", "6.10.2-next.3", "6.10.2", "6.10.3", "6.11.0", "6.11.1", "6.11.2", "6.11.3", "6.12.0-next.0", "6.12.0", "6.12.1", "6.13.0", "6.13.1", "6.13.2", "6.13.3"]

Secure versions: [6.14.6, 6.14.7, 7.0.0-beta.0, 7.0.0-beta.1, 7.0.0-beta.2, 7.0.0-beta.3, 7.0.0-beta.4, 6.14.8, 7.0.0-beta.5, 7.0.0-beta.6, 7.0.0-beta.7, 7.0.0-beta.8, 7.0.0-beta.9, 7.0.0-beta.10, 7.0.0-beta.11, 7.0.0-beta.12, 7.0.0-beta.13, 7.0.0-rc.0, 7.0.0-rc.1, 7.0.0-rc.2, 7.0.0-rc.3, 7.0.0-rc.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 6.14.9, 7.0.14, 7.0.15, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 6.14.10, 7.3.0, 7.4.0, 6.14.11, 7.4.1, 7.4.2, 7.4.3, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 6.14.12, 7.7.5, 7.7.6, 7.8.0, 6.14.13, 6.14.14, 6.14.15, 6.14.16, 6.14.17, 8.11.0, 8.12.0, 8.12.1, 8.12.2, 8.13.0, 8.13.1, 8.13.2, 8.14.0, 8.15.0, 8.15.1, 8.16.0, 8.17.0, 8.18.0, 8.19.0, 8.19.1, 9.0.0-pre.0, 8.19.2, 9.0.0-pre.1, 9.0.0-pre.2, 9.0.0-pre.3, 9.0.0-pre.4, 9.0.0-pre.5, 9.0.0-pre.6, 9.0.0, 9.0.1, 9.1.0, 8.19.3, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 6.14.18, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.4.2, 8.19.4, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.7.0, 9.7.1, 9.7.2, 9.8.0, 9.8.1, 10.0.0-pre.0, 10.0.0-pre.1, 10.0.0, 10.1.0, 10.2.0, 9.9.0, 10.2.1, 10.2.2, 10.2.3, 9.9.1, 9.9.2, 10.2.4, 10.2.5, 10.3.0, 10.4.0, 9.9.3, 10.5.0, 10.5.1, 10.5.2, 10.6.0, 10.7.0]

Recommendation: Update to version 10.7.0.

npm CLI exposing sensitive information through logs

Published date: 2020-07-07T18:56:16Z

CVE: CVE-2020-15095

Links:

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.

Recommendation: Update to version 10.7.0.

548 Other Versions

Version	License	Security	Released
10.7.0	Artistic-2.0		2024-04-30 - 21:59	14 days
10.6.0	Artistic-2.0		2024-04-25 - 17:28	19 days
10.5.2	Artistic-2.0		2024-04-10 - 20:19	about 1 month
10.5.1	Artistic-2.0		2024-04-03 - 14:46	about 1 month
10.5.0	Artistic-2.0		2024-02-28 - 17:55	3 months
10.4.0	Artistic-2.0		2024-01-24 - 21:39	4 months
10.3.0	Artistic-2.0		2024-01-10 - 20:40	4 months
10.2.5	Artistic-2.0		2023-12-06 - 22:04	5 months
10.2.4	Artistic-2.0		2023-11-15 - 21:35	6 months
10.2.3	Artistic-2.0		2023-11-02 - 19:52	6 months
10.2.2	Artistic-2.0		2023-10-31 - 17:44	7 months
10.2.1	Artistic-2.0		2023-10-18 - 20:29	7 months
10.2.0	Artistic-2.0		2023-10-03 - 15:56	7 months
10.1.0	Artistic-2.0		2023-09-08 - 23:21	8 months
10.0.0	Artistic-2.0		2023-08-31 - 20:45	9 months
10.0.0-pre.1	Artistic-2.0		2023-08-31 - 19:01	9 months
10.0.0-pre.0	Artistic-2.0		2023-07-26 - 22:18	10 months
9.9.3	Artistic-2.0		2024-02-28 - 17:21	3 months
9.9.2	Artistic-2.0		2023-11-15 - 21:29	6 months
9.9.1	Artistic-2.0		2023-11-07 - 21:01	6 months
9.9.0	Artistic-2.0		2023-10-06 - 19:55	7 months
9.8.1	Artistic-2.0		2023-07-19 - 17:15	10 months
9.8.0	Artistic-2.0		2023-07-05 - 20:25	10 months
9.7.2	Artistic-2.0		2023-06-21 - 18:09	11 months
9.7.1	Artistic-2.0		2023-06-07 - 15:38	11 months
9.7.0	Artistic-2.0		2023-05-31 - 21:18	12 months
9.6.7	Artistic-2.0		2023-05-18 - 13:56	12 months
9.6.6	Artistic-2.0		2023-05-03 - 20:01	about 1 year
9.6.5	Artistic-2.0		2023-04-19 - 21:52	about 1 year
9.6.4	Artistic-2.0		2023-04-05 - 19:54	about 1 year
9.6.3	Artistic-2.0		2023-03-30 - 20:17	about 1 year
9.6.2	Artistic-2.0		2023-03-15 - 16:31	about 1 year
9.6.1	Artistic-2.0		2023-03-08 - 19:12	about 1 year
9.6.0	Artistic-2.0		2023-03-02 - 09:15	about 1 year
9.5.1	Artistic-2.0		2023-02-22 - 18:58	about 1 year
9.5.0	Artistic-2.0		2023-02-15 - 16:39	about 1 year
9.4.2	Artistic-2.0		2023-02-07 - 20:51	over 1 year
9.4.1	Artistic-2.0		2023-02-02 - 04:17	over 1 year
9.4.0	Artistic-2.0		2023-01-25 - 21:26	over 1 year
9.3.1	Artistic-2.0		2023-01-17 - 17:27	over 1 year
9.3.0	Artistic-2.0		2023-01-12 - 20:31	over 1 year
9.2.0	Artistic-2.0		2022-12-07 - 23:11	over 1 year
9.1.3	Artistic-2.0		2022-11-30 - 23:38	over 1 year
9.1.2	Artistic-2.0		2022-11-16 - 21:04	over 1 year
9.1.1	Artistic-2.0		2022-11-09 - 21:32	over 1 year
9.1.0	Artistic-2.0		2022-11-02 - 18:24	over 1 year
9.0.1	Artistic-2.0		2022-10-26 - 21:44	over 1 year
9.0.0	Artistic-2.0		2022-10-19 - 22:00	over 1 year
9.0.0-pre.6	Artistic-2.0		2022-10-19 - 20:48	over 1 year
9.0.0-pre.5	Artistic-2.0		2022-10-13 - 17:21	over 1 year
9.0.0-pre.4	Artistic-2.0		2022-10-05 - 20:30	over 1 year
9.0.0-pre.3	Artistic-2.0		2022-09-30 - 02:54	over 1 year
9.0.0-pre.2	Artistic-2.0		2022-09-23 - 05:59	over 1 year
9.0.0-pre.1	Artistic-2.0		2022-09-14 - 23:47	over 1 year
9.0.0-pre.0	Artistic-2.0		2022-09-12 - 15:40	over 1 year
8.19.4	Artistic-2.0		2023-02-14 - 17:56	about 1 year
8.19.3	Artistic-2.0		2022-11-03 - 21:17	over 1 year
8.19.2	Artistic-2.0		2022-09-13 - 23:10	over 1 year
8.19.1	Artistic-2.0		2022-09-01 - 22:40	over 1 year
8.19.0	Artistic-2.0		2022-08-31 - 22:52	over 1 year
8.18.0	Artistic-2.0		2022-08-17 - 20:29	over 1 year
8.17.0	Artistic-2.0		2022-08-10 - 18:35	almost 2 years
8.16.0	Artistic-2.0		2022-08-03 - 16:18	almost 2 years
8.15.1	Artistic-2.0		2022-07-27 - 22:51	almost 2 years
8.15.0	Artistic-2.0		2022-07-20 - 22:08	almost 2 years
8.14.0	Artistic-2.0		2022-07-13 - 17:51	almost 2 years
8.13.2	Artistic-2.0		2022-06-29 - 22:58	almost 2 years
8.13.1	Artistic-2.0		2022-06-23 - 20:52	almost 2 years
8.13.0	Artistic-2.0		2022-06-22 - 22:22	almost 2 years
8.12.2	Artistic-2.0		2022-06-15 - 20:12	almost 2 years
8.12.1	Artistic-2.0		2022-06-02 - 17:52	almost 2 years
8.12.0	Artistic-2.0		2022-06-01 - 22:03	almost 2 years
8.11.0	Artistic-2.0		2022-05-25 - 21:08	almost 2 years
8.10.0	Artistic-2.0	1	2022-05-11 - 17:04	about 2 years
8.9.0	Artistic-2.0	1	2022-05-04 - 16:54	about 2 years
8.8.0	Artistic-2.0	1	2022-04-27 - 14:51	about 2 years
8.7.0	Artistic-2.0	1	2022-04-14 - 18:48	about 2 years
8.6.0	Artistic-2.0	1	2022-03-31 - 22:35	about 2 years
8.5.5	Artistic-2.0	1	2022-03-17 - 20:12	about 2 years
8.5.4	Artistic-2.0	1	2022-03-10 - 18:53	about 2 years
8.5.3	Artistic-2.0	1	2022-03-03 - 21:29	about 2 years
8.5.2	Artistic-2.0	1	2022-02-24 - 21:22	about 2 years
8.5.1	Artistic-2.0	1	2022-02-17 - 21:35	about 2 years
8.5.0	Artistic-2.0	1	2022-02-10 - 21:36	over 2 years
8.4.1	Artistic-2.0	1	2022-02-03 - 20:13	over 2 years
8.4.0	Artistic-2.0	1	2022-01-27 - 21:09	over 2 years
8.3.2	Artistic-2.0	1	2022-01-20 - 22:01	over 2 years
8.3.1	Artistic-2.0	1	2022-01-13 - 20:34	over 2 years
8.3.0	Artistic-2.0	1	2021-12-09 - 21:15	over 2 years
8.2.0	Artistic-2.0	1	2021-12-02 - 21:55	over 2 years
8.1.4	Artistic-2.0	1	2021-11-18 - 20:46	over 2 years
8.1.3	Artistic-2.0	1	2021-11-04 - 20:35	over 2 years
8.1.2	Artistic-2.0	1	2021-10-28 - 19:53	over 2 years
8.1.1	Artistic-2.0	1	2021-10-21 - 19:29	over 2 years
8.1.0	Artistic-2.0	1	2021-10-14 - 22:10	over 2 years
8.0.0	Artistic-2.0	1	2021-10-07 - 20:11	over 2 years
7.24.2	Artistic-2.0	1	2021-10-04 - 17:16	over 2 years
7.24.1	Artistic-2.0	1	2021-09-23 - 20:36	over 2 years
7.24.0	Artistic-2.0	1	2021-09-16 - 21:52	over 2 years
7.23.0	Artistic-2.0	1	2021-09-09 - 19:53	over 2 years