js · @cyclonedx/cyclonedx-npm · Critical
@cyclonedx/cyclonedx-npm command injection via --workspace with unset npm_execpath
Command injection vulnerability when using --workspace option with unset or empty npm_execpath environment variable.
What changed
A command injection vulnerability was reported in @cyclonedx/cyclonedx-npm: when the CLI is invoked with the --workspace option while the npm_execpath environment variable is unset or empty, the value passed to --workspace can be injected into a command the tool executes.
Who it affects
Users of @cyclonedx/cyclonedx-npm versions before 5.0.0 who invoke the CLI with --workspace <value> while npm_execpath is unset or empty.
What to do today
Upgrade to version 5.0.0 or later, or set the npm_execpath environment variable (npm sets it itself when the tool runs as an npm script) before invoking the tool.
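As an added example (not the project's or this advisory's own code), a POSIX shell preflight that encodes the two mitigations above: it permits a --workspace invocation only when the installed @cyclonedx/cyclonedx-npm is 5.0.0 or later, or npm_execpath is non-empty. The wrapper function assumes the package is installed locally (visible to `npm ls`) and that a `node` binary is on PATH.

```shell
# Preflight check for the advisory's two conditions.
# Arguments: installed version string, current npm_execpath value.
# Returns 0 when invoking the CLI with --workspace is covered by a mitigation, 1 otherwise.
cyclonedx_npm_workspace_safe() {
  version="$1"
  execpath="$2"

  # Strip a leading "v" and any pre-release/build suffix (e.g. "5.0.0-rc.1" -> "5.0.0").
  version="${version#v}"
  version="${version%%[-+]*}"
  major="${version%%.*}"

  # Unknown or non-numeric version: we cannot prove the fix is present, so treat as unsafe.
  case "$major" in
    ''|*[!0-9]*) return 1 ;;
  esac

  # Fixed release line: 5.0.0 or later.
  if [ "$major" -ge 5 ]; then
    return 0
  fi

  # Older release: acceptable only if npm_execpath is set and non-empty.
  if [ -n "$execpath" ]; then
    return 0
  fi

  return 1
}

# Wrapper: read the installed version from `npm ls --json` (add -g for a global
# install), then refuse to run with --workspace unless the preflight passes.
run_cyclonedx_npm_workspace() {
  ws="$1"
  shift
  installed="$(npm ls @cyclonedx/cyclonedx-npm --depth=0 --json 2>/dev/null \
    | node -e 'const d=JSON.parse(require("fs").readFileSync(0,"utf8"));
               process.stdout.write((((d.dependencies||{})["@cyclonedx/cyclonedx-npm"])||{}).version||"")')"
  if cyclonedx_npm_workspace_safe "$installed" "${npm_execpath:-}"; then
    npx @cyclonedx/cyclonedx-npm --workspace "$ws" "$@"
  else
    echo "refusing: @cyclonedx/cyclonedx-npm ${installed:-unknown} with empty npm_execpath; upgrade to >=5.0.0 or set npm_execpath" >&2
    return 1
  fi
}
```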