NodeJS/npm/6.13.3
a package manager for JavaScript
https://www.npmjs.com/package/npm
Artistic-2.0
2 Security Vulnerabilities
npm Vulnerable to Global node_modules Binary Overwrite
- https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
- https://nvd.nist.gov/vuln/detail/CVE-2019-16777
- https://github.com/advisories/GHSA-4328-8hgf-7wjr
- https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
- https://www.npmjs.com/advisories/1437
- https://access.redhat.com/errata/RHEA-2020:0330
- https://access.redhat.com/errata/RHSA-2020:0573
- https://access.redhat.com/errata/RHSA-2020:0579
- https://access.redhat.com/errata/RHSA-2020:0597
- https://access.redhat.com/errata/RHSA-2020:0602
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/
- https://security.gentoo.org/glsa/202003-48
- https://www.oracle.com/security-alerts/cpujan2020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite: the CLI fails to prevent existing globally-installed binaries from being overwritten by other package installations.
For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the first one. This does not overwrite system binaries, only binaries placed into the global node_modules directory.
This behavior is still allowed in local installations and also through install scripts. The vulnerability is not mitigated by the --ignore-scripts install option.
Recommendation
Upgrade to version 6.13.4 or later.
npm CLI exposing sensitive information through logs
- https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
- https://nvd.nist.gov/vuln/detail/CVE-2020-15095
- https://github.com/advisories/GHSA-93f3-23rq-pjfp
- https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
- https://github.com/npm/cli/blob/66aab417f836a901f8afb265251f761bb0422463/CHANGELOG.md#6146-2020-07-07
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4OOYAMJVLLCLXDTHW3V5UXNULZBBK4O6/
- https://security.gentoo.org/glsa/202101-07
Versions of the npm CLI prior to 6.14.6 are vulnerable to information exposure through log files. The CLI accepts URLs of the form `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.
550 Other Versions
Version | License | Security | Released | Age
---|---|---|---|---
7.24.0 | Artistic-2.0 | 1 | 2021-09-16 - 21:52 | over 2 years |
7.23.0 | Artistic-2.0 | 1 | 2021-09-09 - 19:53 | over 2 years |
7.22.0 | Artistic-2.0 | 1 | 2021-09-02 - 20:00 | almost 3 years |
7.21.1 | Artistic-2.0 | 1 | 2021-08-26 - 20:19 | almost 3 years |
7.21.0 | Artistic-2.0 | 1 | 2021-08-19 - 17:26 | almost 3 years |
7.20.6 | Artistic-2.0 | 1 | 2021-08-12 - 19:47 | almost 3 years |
7.20.5 | Artistic-2.0 | 1 | 2021-08-05 - 20:41 | almost 3 years |
7.20.4 | Artistic-2.0 | 1 | 2021-08-05 - 19:17 | almost 3 years |
7.20.3 | Artistic-2.0 | 1 | 2021-07-29 - 16:04 | almost 3 years |
7.20.2 | Artistic-2.0 | 1 | 2021-07-27 - 16:25 | almost 3 years |
7.20.1 | Artistic-2.0 | 1 | 2021-07-22 - 20:27 | almost 3 years |
7.20.0 | Artistic-2.0 | 1 | 2021-07-15 - 19:47 | almost 3 years |
7.19.1 | Artistic-2.0 | 1 | 2021-07-01 - 17:26 | almost 3 years |
7.19.0 | Artistic-2.0 | 1 | 2021-06-24 - 21:31 | almost 3 years |
7.18.1 | Artistic-2.0 | 1 | 2021-06-17 - 18:54 | almost 3 years |
7.18.0 | Artistic-2.0 | 1 | 2021-06-17 - 18:12 | almost 3 years |
7.17.0 | Artistic-2.0 | 1 | 2021-06-10 - 20:39 | almost 3 years |
7.16.0 | Artistic-2.0 | 1 | 2021-06-03 - 19:46 | about 3 years |
7.15.1 | Artistic-2.0 | 1 | 2021-05-31 - 22:41 | about 3 years |
7.15.0 | Artistic-2.0 | 1 | 2021-05-27 - 20:25 | about 3 years |
7.14.0 | Artistic-2.0 | 1 | 2021-05-20 - 19:28 | about 3 years |
7.13.0 | Artistic-2.0 | 1 | 2021-05-13 - 20:06 | about 3 years |
7.12.1 | Artistic-2.0 | 1 | 2021-05-10 - 21:26 | about 3 years |
7.12.0 | Artistic-2.0 | 1 | 2021-05-06 - 19:53 | about 3 years |
7.11.2 | Artistic-2.0 | 1 | 2021-04-29 - 19:51 | about 3 years |
7.11.1 | Artistic-2.0 | 1 | 2021-04-23 - 22:46 | about 3 years |
7.11.0 | Artistic-2.0 | 1 | 2021-04-23 - 04:41 | about 3 years |
7.10.0 | Artistic-2.0 | 1 | 2021-04-15 - 17:59 | about 3 years |
7.9.0 | Artistic-2.0 | 1 | 2021-04-08 - 17:44 | about 3 years |
7.8.0 | Artistic-2.0 | | 2021-04-01 - 20:05 | about 3 years |
7.7.6 | Artistic-2.0 | | 2021-03-29 - 19:23 | about 3 years |
7.7.5 | Artistic-2.0 | | 2021-03-25 - 22:05 | about 3 years |
7.7.4 | Artistic-2.0 | | 2021-03-24 - 21:19 | about 3 years |
7.7.3 | Artistic-2.0 | | 2021-03-24 - 18:15 | about 3 years |
7.7.2 | Artistic-2.0 | | 2021-03-24 - 17:16 | about 3 years |
7.7.1 | Artistic-2.0 | | 2021-03-24 - 15:02 | about 3 years |
7.7.0 | Artistic-2.0 | | 2021-03-23 - 16:54 | about 3 years |
7.6.3 | Artistic-2.0 | | 2021-03-11 - 21:22 | about 3 years |
7.6.2 | Artistic-2.0 | | 2021-03-09 - 19:29 | over 3 years |
7.6.1 | Artistic-2.0 | | 2021-03-04 - 22:12 | over 3 years |
7.6.0 | Artistic-2.0 | | 2021-02-25 - 18:35 | over 3 years |
7.5.6 | Artistic-2.0 | | 2021-02-22 - 20:58 | over 3 years |
7.5.5 | Artistic-2.0 | | 2021-02-22 - 17:51 | over 3 years |
7.5.4 | Artistic-2.0 | | 2021-02-12 - 18:13 | over 3 years |
7.5.3 | Artistic-2.0 | | 2021-02-08 - 20:53 | over 3 years |
7.5.2 | Artistic-2.0 | | 2021-02-02 - 17:39 | over 3 years |
7.5.1 | Artistic-2.0 | | 2021-02-01 - 20:55 | over 3 years |
7.5.0 | Artistic-2.0 | | 2021-01-28 - 21:44 | over 3 years |
7.4.3 | Artistic-2.0 | | 2021-01-21 - 17:09 | over 3 years |
7.4.2 | Artistic-2.0 | | 2021-01-15 - 20:57 | over 3 years |
7.4.1 | Artistic-2.0 | | 2021-01-14 - 22:10 | over 3 years |
7.4.0 | Artistic-2.0 | | 2021-01-07 - 20:56 | over 3 years |
7.3.0 | Artistic-2.0 | | 2020-12-18 - 20:34 | over 3 years |
7.2.0 | Artistic-2.0 | | 2020-12-15 - 19:47 | over 3 years |
7.1.2 | Artistic-2.0 | | 2020-12-11 - 20:50 | over 3 years |
7.1.1 | Artistic-2.0 | | 2020-12-09 - 00:56 | over 3 years |
7.1.0 | Artistic-2.0 | | 2020-12-04 - 19:57 | over 3 years |
7.0.15 | Artistic-2.0 | | 2020-11-27 - 17:03 | over 3 years |
7.0.14 | Artistic-2.0 | | 2020-11-23 - 20:45 | over 3 years |
7.0.13 | Artistic-2.0 | | 2020-11-20 - 20:11 | over 3 years |
7.0.12 | Artistic-2.0 | | 2020-11-17 - 20:18 | over 3 years |
7.0.11 | Artistic-2.0 | | 2020-11-13 - 19:38 | over 3 years |
7.0.10 | Artistic-2.0 | | 2020-11-10 - 19:40 | over 3 years |
7.0.9 | Artistic-2.0 | | 2020-11-06 - 20:00 | over 3 years |
7.0.8 | Artistic-2.0 | | 2020-11-03 - 23:12 | over 3 years |
7.0.7 | Artistic-2.0 | | 2020-10-30 - 18:47 | over 3 years |
7.0.6 | Artistic-2.0 | | 2020-10-27 - 18:59 | over 3 years |
7.0.5 | Artistic-2.0 | | 2020-10-23 - 19:09 | over 3 years |
7.0.4 | Artistic-2.0 | | 2020-10-23 - 18:47 | over 3 years |
7.0.3 | Artistic-2.0 | | 2020-10-20 - 18:45 | over 3 years |
7.0.2 | Artistic-2.0 | | 2020-10-16 - 20:52 | over 3 years |
7.0.1 | Artistic-2.0 | | 2020-10-15 - 23:29 | over 3 years |
7.0.0 | Artistic-2.0 | | 2020-10-13 - 04:57 | over 3 years |
7.0.0-rc.4 | Artistic-2.0 | | 2020-10-09 - 18:51 | over 3 years |
7.0.0-rc.3 | Artistic-2.0 | | 2020-10-06 - 18:58 | over 3 years |
7.0.0-rc.2 | Artistic-2.0 | | 2020-10-02 - 23:59 | over 3 years |
7.0.0-rc.1 | Artistic-2.0 | | 2020-10-02 - 21:23 | over 3 years |
7.0.0-rc.0 | Artistic-2.0 | | 2020-10-01 - 14:45 | over 3 years |
7.0.0-beta.13 | Artistic-2.0 | | 2020-09-29 - 18:59 | over 3 years |
7.0.0-beta.12 | Artistic-2.0 | | 2020-09-22 - 19:03 | over 3 years |
7.0.0-beta.11 | Artistic-2.0 | | 2020-09-16 - 16:01 | over 3 years |
7.0.0-beta.10 | Artistic-2.0 | | 2020-09-08 - 17:32 | almost 4 years |
7.0.0-beta.9 | Artistic-2.0 | | 2020-09-04 - 19:18 | almost 4 years |
7.0.0-beta.8 | Artistic-2.0 | | 2020-09-01 - 19:25 | almost 4 years |
7.0.0-beta.7 | Artistic-2.0 | | 2020-08-25 - 18:53 | almost 4 years |
7.0.0-beta.6 | Artistic-2.0 | | 2020-08-21 - 18:48 | almost 4 years |
7.0.0-beta.5 | Artistic-2.0 | | 2020-08-18 - 19:08 | almost 4 years |
7.0.0-beta.4 | Artistic-2.0 | | 2020-08-11 - 16:06 | almost 4 years |
7.0.0-beta.3 | Artistic-2.0 | | 2020-08-10 - 21:50 | almost 4 years |
7.0.0-beta.2 | Artistic-2.0 | | 2020-08-07 - 18:38 | almost 4 years |
7.0.0-beta.1 | Artistic-2.0 | | 2020-08-05 - 19:26 | almost 4 years |
7.0.0-beta.0 | Artistic-2.0 | | 2020-08-04 - 20:09 | almost 4 years |
6.14.18 | Artistic-2.0 | | 2022-12-21 - 20:27 | over 1 year |
6.14.17 | Artistic-2.0 | | 2022-04-28 - 20:38 | about 2 years |
6.14.16 | Artistic-2.0 | | 2022-01-19 - 20:41 | over 2 years |
6.14.15 | Artistic-2.0 | | 2021-08-24 - 02:53 | almost 3 years |
6.14.14 | Artistic-2.0 | | 2021-07-27 - 19:19 | almost 3 years |
6.14.13 | Artistic-2.0 | | 2021-04-12 - 15:16 | about 3 years |
6.14.12 | Artistic-2.0 | | 2021-03-25 - 21:19 | about 3 years |
6.14.11 | Artistic-2.0 | | 2021-01-08 - 02:20 | over 3 years |