Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed.
This behavior is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Thank you Daniel Ruf for responsibly reporting the issue!
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.
This behavior is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the previous serve binary.
This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
This PR contains the following updates:
6.11.3->6.13.4GitHub Vulnerability Alerts
CVE-2019-16775
Unauthorized File Access
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the
node_modulesfolder through thebinfield upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed.This behavior is possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Thank you Daniel Ruf for responsibly reporting the issue!
Further information: npm blog post
CVE-2019-16776
Arbitrary File Write
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended
node_modulesfolder through thebinfield. A properly constructed entry in the package.jsonbinfield would allow a package publisher to modify and/or gain access to arbitrary files on a user’s system when the package is installed.This behavior is possible through install scripts. This vulnerability bypasses a user using the
--ignore-scriptsinstall option.Thank you Daniel Ruf for reporting the issue!
Further information: npm blog post
CVE-2019-16777
Arbitrary File Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a
servebinary, any subsequent installs of packages that also create aservebinary would overwrite the previousservebinary.This behavior is still allowed in local installations and also through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.
Thank you to Daniel Ruf for reporting the issue!
Further information: npm blog post
Release Notes
npm/cli
### [`v6.13.4`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6134-2019-12-11) [Compare Source](https://togithub.com/npm/cli/compare/v6.13.3...v6.13.4) ### [`v6.13.3`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6133-2019-12-09) [Compare Source](https://togithub.com/npm/cli/compare/v6.13.2...v6.13.3) ##### DEPENDENCIES - [`19ce061a2`](https://togithub.com/npm/cli/commit/19ce061a2ee165d8de862c8f0f733c222846b9e1) `bin-links@1.1.5` Properly normalize, sanitize, and verify `bin` entries in `package.json`. - [`59c836aae`](https://togithub.com/npm/cli/commit/59c836aae8d0104a767e80c540b963c91774012a) `npm-packlist@1.4.7` - [`fb4ecd7d2`](https://togithub.com/npm/cli/commit/fb4ecd7d2810b0b4897daaf081a5e2f3f483b310) `pacote@9.5.11` - [`5f33040`](https://togithub.com/npm/pacote/commit/5f3304028b6985fd380fc77c4840ff12a4898301) [#476](https://togithub.com/npm/cli/issues/476) [npm/pacote#22](https://togithub.com/npm/pacote/issues/22) [npm/pacote#14](https://togithub.com/npm/pacote/issues/14) fix: Do not drop perms in git when not root ([isaacs](https://togithub.com/isaacs), [@darcyclarke](https://togithub.com/darcyclarke)) - [`6f229f7`](https://togithub.com/npm/pacote/6f229f78d9911b4734f0a19c6afdc5454034c759) sanitize and normalize package bin field ([isaacs](https://togithub.com/isaacs)) - [`1743cb339`](https://togithub.com/npm/cli/commit/1743cb339767e86431dcd565c7bdb0aed67b293d) `read-package-json@2.1.1` ### [`v6.13.2`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6132-2019-12-03) [Compare Source](https://togithub.com/npm/cli/compare/v6.13.1...v6.13.2) ##### BUG FIXES - [`4429645b3`](https://togithub.com/npm/cli/commit/4429645b3538e1cda54d8d1b7ecb3da7a88fdd3c) [#546](https://togithub.com/npm/cli/pull/546) fix docs target typo ([@richardlau](https://togithub.com/richardlau)) - [`867642942`](https://togithub.com/npm/cli/commit/867642942bec69bb9ab71cff1914fb6a9fe67de8) [#142](https://togithub.com/npm/cli/pull/142) fix(packageRelativePath): fix 'where' for file deps ([@larsgw](https://togithub.com/larsgw)) - [`d480f2c17`](https://togithub.com/npm/cli/commit/d480f2c176e6976b3cca3565e4c108b599b0379b) [#527](https://togithub.com/npm/cli/pull/527) Revert "windows: Add preliminary WSL support for npm and npx" ([@craigloewen-msft](https://togithub.com/craigloewen-msft)) - [`e4b97962e`](https://togithub.com/npm/cli/commit/e4b97962e5fce0d49beb541ce5a0f96aee0525de) [#504](https://togithub.com/npm/cli/pull/504) remove unnecessary package.json read when reading shrinkwrap ([@Lighting-Jack](https://togithub.com/Lighting-Jack)) - [`1c65d26ac`](https://togithub.com/npm/cli/commit/1c65d26ac9f10ac0037094c207d216fbf0e969bf) [#501](https://togithub.com/npm/cli/pull/501) fix(fund): open url for string shorthand ([@ruyadorno](https://togithub.com/ruyadorno)) - [`ae7afe565`](https://togithub.com/npm/cli/commit/ae7afe56504dbffabf9f73d55b6dac1e3e9fed4a) [#263](https://togithub.com/npm/cli/pull/263) Don't log error message if git tagging is disabled ([@woppa684](https://togithub.com/woppa684)) - [`4c1b16f6a`](https://togithub.com/npm/cli/commit/4c1b16f6aecaf78956b9335734cfde2ac076ee11) [#182](https://togithub.com/npm/cli/pull/182) Warn the user that it is uninstalling npm-install ([@Hoidberg](https://togithub.com/Hoidberg)) ### [`v6.13.1`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6131-2019-11-18) [Compare Source](https://togithub.com/npm/cli/compare/v6.13.0...v6.13.1) ##### BUG FIXES - [`938d6124d`](https://togithub.com/npm/cli/commit/938d6124d6d15d96b5a69d0ae32ef59fceb8ceab) [#472](https://togithub.com/npm/cli/pull/472) fix(fund): support funding string shorthand ([@ruyadorno](https://togithub.com/ruyadorno)) - [`b49c5535b`](https://togithub.com/npm/cli/commit/b49c5535b7c41729a8d167b035924c3c66b36de0) [#471](https://togithub.com/npm/cli/pull/471) should not publish tap-snapshot folder ([@ruyadorno](https://togithub.com/ruyadorno)) - [`3471d5200`](https://togithub.com/npm/cli/commit/3471d5200217bfa612b1a262e36c9c043a52eb09) [#253](https://togithub.com/npm/cli/pull/253) Add preliminary WSL support for npm and npx ([@infinnie](https://togithub.com/infinnie)) - [`3ef295f23`](https://togithub.com/npm/cli/commit/3ef295f23ee1b2300abf13ec19e935c47a455179) [#486](https://togithub.com/npm/cli/pull/486) print quick audit report for human output ([@isaacs](https://togithub.com/isaacs)) ##### TESTING - [`dbbf977ac`](https://togithub.com/npm/cli/commit/dbbf977acd1e74bcdec859c562ea4a2bc0536442) [#278](https://togithub.com/npm/cli/pull/278) added workflow to trigger and run benchmarks ([@mikemimik](https://togithub.com/mikemimik)) - [`b4f5e3825`](https://togithub.com/npm/cli/commit/b4f5e3825535256aaada09c5e8f104570a3d96a4) [#457](https://togithub.com/npm/cli/pull/457) feat(docs): adding tests and updating docs to reflect changes in registry teams API. ([@nomadtechie](https://togithub.com/nomadtechie)) - [`454c7dd60`](https://togithub.com/npm/cli/commit/454c7dd60c78371bf606f11a17ed0299025bc37c) [#456](https://togithub.com/npm/cli/pull/456) fix git configs for git 2.23 and above ([@isaacs](https://togithub.com/isaacs)) ##### DOCUMENTATION - [`b8c1576a4`](https://togithub.com/npm/cli/commit/b8c1576a448566397c721655b95fc90bf202b35a) [`30b013ae8`](https://togithub.com/npm/cli/commit/30b013ae8eacd04b1b8a41ce2ed0dd50c8ebae25) [`26c1b2ef6`](https://togithub.com/npm/cli/commit/26c1b2ef6be1595d28d935d35faa8ec72daae544) [`9f943a765`](https://togithub.com/npm/cli/commit/9f943a765faf6ebb8a442e862b808dbb630e018d) [`c0346b158`](https://togithub.com/npm/cli/commit/c0346b158fc25ab6ca9954d4dd78d9e62f573a41) [`8e09d5ad6`](https://togithub.com/npm/cli/commit/8e09d5ad67d4f142241193cecbce61c659389be3) [`4a2f551ee`](https://togithub.com/npm/cli/commit/4a2f551eeb3285f6f200534da33644789715a41a) [`87d67258c`](https://togithub.com/npm/cli/commit/87d67258c213d9ea9a49ce1804294a718f08ff13) [`5c3b32722`](https://togithub.com/npm/cli/commit/5c3b3272234764c8b4d2d798b69af077b5a529c7) [`b150eaeff`](https://togithub.com/npm/cli/commit/b150eaeff428180bfa03be53fd741d5625897758) [`7555a743c`](https://togithub.com/npm/cli/commit/7555a743ce4c3146d6245dd63f91503c7f439a6c) [`b89423e2f`](https://togithub.com/npm/cli/commit/b89423e2f6a09b290b15254e7ff7e8033b434d83) [#463](https://togithub.com/npm/cli/pull/463) [#285](https://togithub.com/npm/cli/pull/285) [#268](https://togithub.com/npm/cli/pull/268) [#232](https://togithub.com/npm/cli/pull/232) [#485](https://togithub.com/npm/cli/pull/485) [#453](https://togithub.com/npm/cli/pull/453) docs cleanup: typos, styling and content ([@claudiahdz](https://togithub.com/claudiahdz)) ([@XhmikosR](https://togithub.com/XhmikosR)) ([@mugli](https://togithub.com/mugli)) ([@brettz9](https://togithub.com/brettz9)) ([@mkotsollaris](https://togithub.com/mkotsollaris)) ##### DEPENDENCIES - [`661d86cd2`](https://togithub.com/npm/cli/commit/661d86cd229b14ddf687b7f25a66941a79d233e7) `make-fetch-happen@5.0.2` ([@claudiahdz](https://togithub.com/claudiahdz)) ### [`v6.13.0`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6130-2019-11-05) [Compare Source](https://togithub.com/npm/cli/compare/v6.12.1...v6.13.0) ##### NEW FEATURES - [`4414b06d9`](https://togithub.com/npm/cli/commit/4414b06d944c56bee05ccfb85260055a767ee334) [#273](https://togithub.com/npm/cli/pull/273) add fund command ([@ruyadorno](https://togithub.com/ruyadorno)) ##### DOCUMENTATION - [`ae4c74d04`](https://togithub.com/npm/cli/commit/ae4c74d04f820a0255a92bdfe77ecf97af134fae) [#274](https://togithub.com/npm/cli/pull/274) migrate existing docs to gatsby ([@claudiahdz](https://togithub.com/claudiahdz)) - [`4ff1bb180`](https://togithub.com/npm/cli/commit/4ff1bb180b1db8c72e51b3d57bd4e268b738e049) [#277](https://togithub.com/npm/cli/pull/277) updated documentation copy ([@oletizi](https://togithub.com/oletizi)) ##### BUG FIXES - [`e4455409f`](https://togithub.com/npm/cli/commit/e4455409fe6fe9c198b250b488129171f0b4624a) [#281](https://togithub.com/npm/cli/pull/281) delete ps1 files on package removal ([@NoDocCat](https://togithub.com/NoDocCat)) - [`cd14d4701`](https://togithub.com/npm/cli/commit/cd14d47014e8c96ffd6a18791e8752028b19d637) [#279](https://togithub.com/npm/cli/pull/279) update supported node list to remove v6.0, v6.1, v9.0 - v9.2 ([@ljharb](https://togithub.com/ljharb)) ##### DEPENDENCIES - [`a37296b20`](https://togithub.com/npm/cli/commit/a37296b20ca3e19c2bbfa78fedcfe695e03fda69) `pacote@9.5.9` - [`d3cb3abe8`](https://togithub.com/npm/cli/commit/d3cb3abe8cee54bd2624acdcf8043932ef0d660a) `read-cmd-shim@1.0.5` ##### TESTING - [`688cd97be`](https://togithub.com/npm/cli/commit/688cd97be94ca949719424ff69ff515a68c5caba) [#272](https://togithub.com/npm/cli/pull/272) use github actions for CI ([@JasonEtco](https://togithub.com/JasonEtco)) - [`9a2d8af84`](https://togithub.com/npm/cli/commit/9a2d8af84f7328f13d8f578cf4b150b9d5f09517) [#240](https://togithub.com/npm/cli/pull/240) Clean up some flakiness and inconsistency ([@isaacs](https://togithub.com/isaacs)) ### [`v6.12.1`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6121-2019-10-29) [Compare Source](https://togithub.com/npm/cli/compare/v6.12.0...v6.12.1) ##### BUG FIXES - [`6508e833d`](https://togithub.com/npm/cli/commit/6508e833df35a3caeb2b496f120ce67feff306b6) [#269](https://togithub.com/npm/cli/pull/269) add node v13 as a supported version ([@ljharb](https://togithub.com/ljharb)) - [`b6588a8f7`](https://togithub.com/npm/cli/commit/b6588a8f74fb8b1ad103060b73c4fd5174b1d1f6) [#265](https://togithub.com/npm/cli/pull/265) Fix regression in lockfile repair for sub-deps ([@feelepxyz](https://togithub.com/feelepxyz)) - [`d5dfe57a1`](https://togithub.com/npm/cli/commit/d5dfe57a1d810fe7fd64edefc976633ee3a4da53) [#266](https://togithub.com/npm/cli/pull/266) resolve circular dependency in pack.js ([@addaleax](https://togithub.com/addaleax)) ##### DEPENDENCIES - [`73678bb59`](https://togithub.com/npm/cli/commit/73678bb590a8633c3bdbf72e08f1279f9e17fd28) `chownr@1.1.3` - [`4b76926e2`](https://togithub.com/npm/cli/commit/4b76926e2058ef30ab1d5e2541bb96d847653417) `graceful-fs@4.2.3` - [`c691f36a9`](https://togithub.com/npm/cli/commit/c691f36a9c108b6267859fe61e4a38228b190c17) `libcipm@4.0.7` - [`5e1a14975`](https://togithub.com/npm/cli/commit/5e1a14975311bfdc43df8e1eb317ae5690ee580c) `npm-packlist@1.4.6` - [`c194482d6`](https://togithub.com/npm/cli/commit/c194482d65ee81a5a0a6281c7a9f984462286c56) `npm-registry-fetch@4.0.2` - [`bc6a8e0ec`](https://togithub.com/npm/cli/commit/bc6a8e0ec966281e49b1dc66f9c641ea661ab7a6) `tar@4.4.1` - [`4dcca3cbb`](https://togithub.com/npm/cli/commit/4dcca3cbb161da1f261095d9cdd26e1fbb536a8d) `uuid@3.3.3` ### [`v6.12.0`](https://togithub.com/npm/cli/blob/master/CHANGELOG.md#6120-2019-10-08) [Compare Source](https://togithub.com/npm/cli/compare/v6.11.3...v6.12.0) Now `npm ci` runs prepare scripts for git dependencies, and respects the `--no-optional` argument. Warnings for `engine` mismatches are printed again. Various other fixes and cleanups. ##### BUG FIXES - [`890b245dc`](https://togithub.com/npm/cli/commit/890b245dc1f609590d8ab993fac7cf5a37ed46a5) [#252](https://togithub.com/npm/cli/pull/252) ci: add dirPacker to options ([@claudiahdz](https://togithub.com/claudiahdz)) - [`f3299acd0`](https://togithub.com/npm/cli/commit/f3299acd0b4249500e940776aca77cc6c0977263) [#257](https://togithub.com/npm/cli/pull/257) [npm.community#4792](https://npm.community/t/engines-and-engines-strict-ignored/4792) warn message on engine mismatch ([@ruyadorno](https://togithub.com/ruyadorno)) - [`bbc92fb8f`](https://togithub.com/npm/cli/commit/bbc92fb8f3478ff67071ebaff551f01c1ea42ced) [#259](https://togithub.com/npm/cli/pull/259) [npm.community#10288](https://npm.community/t/npm-token-err-figgypudding-options-cannot-be-modified-use-concat-instead/10288) Fix figgyPudding error in `npm token` ([@benblank](https://togithub.com/benblank)) - [`70f54dcb5`](https://togithub.com/npm/cli/commit/70f54dcb5693b301c6b357922b7e8d16b57d8b00) [#241](https://togithub.com/npm/cli/pull/241) doctor: Make OK more consistent ([@gemal](https://togithub.com/gemal)) ##### FEATURES - [`ed993a29c`](https://togithub.com/npm/cli/commit/ed993a29ccf923425317c433844d55dbea2f23ee) [#249](https://togithub.com/npm/cli/pull/249) Add CI environment variables to user-agent ([@isaacs](https://togithub.com/isaacs)) - [`f6b0459a4`](https://togithub.com/npm/cli/commit/f6b0459a466a2c663dbd549cdc331e7732552dca) [#248](https://togithub.com/npm/cli/pull/248) Add option to save package-lock without formatting Adds a new config `--format-package-lock`, which defaults to true. ([@bl00mber](https://togithub.com/bl00mber)) ##### DEPENDENCIES - [`0ca063c5d`](https://togithub.com/npm/cli/commit/0ca063c5dc961c4aa17373f4b33fb54c51c8c8d6) `npm-lifecycle@3.1.4`: - fix: filter functions and undefined out of makeEnv ([@isaacs](https://togithub.com/isaacs)) - [`5df6b0ea2`](https://togithub.com/npm/cli/commit/5df6b0ea2e3106ba65bba649cc8d7f02f4738236) `libcipm@4.0.4`: - fix: pack git directories properly ([@claudiahdz](https://togithub.com/claudiahdz)) - respect no-optional argument ([@cruzdanilo](https://togithub.com/cruzdanilo)) - [`7e04f728c`](https://togithub.com/npm/cli/commit/7e04f728cc4cd4853a8fc99e2df0a12988897589) `tar@4.4.12` - [`5c380e5a3`](https://togithub.com/npm/cli/commit/5c380e5a33d760bb66a4285b032ae5f50af27199) `stringify-package@1.0.1` ([@isaacs](https://togithub.com/isaacs)) - [`62f2ca692`](https://togithub.com/npm/cli/commit/62f2ca692ac0c0467ef4cf74f91777a5175258c4) `node-gyp@5.0.5` ([@isaacs](https://togithub.com/isaacs)) - [`0ff0ea47a`](https://togithub.com/npm/cli/commit/0ff0ea47a8840dd7d952bde7f7983a5016cda8ea) `npm-install-checks@3.0.2` ([@isaacs](https://togithub.com/isaacs)) - [`f46edae94`](https://togithub.com/npm/cli/commit/f46edae9450b707650a0efab09aa1e9295a18070) `hosted-git-info@2.8.5` ([@isaacs](https://togithub.com/isaacs)) ##### TESTING - [`44a2b036b`](https://togithub.com/npm/cli/commit/44a2b036b34324ec85943908264b2e36de5a9435) [#262](https://togithub.com/npm/cli/pull/262) fix root-ownership race conditions in meta-test ([@isaacs](https://togithub.com/isaacs))Renovate configuration
:date: Schedule: "" (UTC).
:vertical_traffic_light: Automerge: Disabled by config. Please merge this manually once you are satisfied.
:recycle: Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "
rebase!".:no_bell: Ignore: Close this PR and you won't be reminded about this update again.
Newsflash: Renovate has joined WhiteSource, and is now free for all use. Learn more or view updated terms and privacy policies.