Closed dcuenot closed 5 years ago
As the command tells you, there's currently no patch available to fix that, and probably won't ever be as the goal of the open package is to open a tool installed on your system (in this case, the browser).
Since the usage of this command is restricted to a local CLI command execution (it's not used by the server), it's not really an issue even though npm is noisy about it.
@dcuenot I just released a new version that fixed the vulnerability report; I replaced the faulty module to avoid the noise.
Hello,
When I run npm audit with hads in version 1.6.1, I have this report:
│ Critical      │ Command Injection                      │
│ Package       │ open                                   │
│ Patched in    │ No patch available                     │
│ Dependency of │ hads [dev]                             │
│ Path          │ hads > open                            │
│ More info     │ https://nodesecurity.io/advisories/663 │
Did you plan to fix this issue?
Thanks in advance for your answer. Damien