jsoverson / grunt-open

Open urls and files from a grunt task
MIT License
110 stars, 19 forks

command injection vulnerability - noted from npm audit #35

Closed jeremykorb closed 5 years ago

jeremykorb commented 5 years ago

npm audit barks an alert about a critical vulnerability in this package. It returns:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ open                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-open [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-open > open                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/663                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
mitraparthib3 commented 5 years ago

I have seen the same issue; it looks like the open package is not under proper maintenance.

Spongman commented 5 years ago

grunt-open should switch to using https://github.com/sindresorhus/opn instead.

jsoverson commented 5 years ago

Resolved with 0.2.4