NPM swats path traversal bug that lets evil packages modify, steal files. That's bad for JavaScript crypto-wallets
https://www.theregister.co.uk/2019/12/13/npm_path_traversal_bug/
On Wednesday, NPM, Inc, the California-based biz that has taken it upon itself to organize the world's JavaScript packages into the npm registry, warned that its command line tool, the npm CLI, has a rather serious security vulnerability. Version 6.13.4 has been rushed out with a fix.
The flaw – also present in less-than-current versions of yarn, a Facebook-spawned open-source alternative client for fetching modules from the registry – could allow a hackers to alter the files on systems of users who have installed a malicious package.
NPM swats path traversal bug that lets evil packages modify, steal files. That's bad for JavaScript crypto-wallets
Dec 13, 2019, 2:14am UTC
https://www.theregister.co.uk/2019/12/13/npm_path_traversal_bug/
> On Wednesday, NPM, Inc, the California-based biz that has taken it upon itself to organize the world's JavaScript packages into the npm registry, warned that its command line tool, the npm CLI, has a rather serious security vulnerability. Version 6.13.4 has been rushed out with a fix.
> The flaw – also present in less-than-current versions of yarn, a Facebook-spawned open-source alternative client for fetching modules from the registry – could allow a hackers to alter the files on systems of users who have installed a malicious package.