Npm · Npm · CVE-2021-43616
Name of the Vulnerable Software and Affected Versions:
npm versions 7.x through 8.1.3
Description:
The `npm ci` command proceeds with an installation even if the dependency information in `package-lock.json` differs from `package.json`, which is inconsistent with the documentation. This behavior makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in `package-lock.json`. The npm team believes this is not a vulnerability, as it would require someone to socially engineer a `package.json` with different dependencies than `package-lock.json`, and that user would have to have file system or write access to change the dependencies.
Recommendations:
For npm versions 7.x through 8.1.3, consider restricting access to the `npm ci` command until a patch is available, and ensure that `package.json` and `package-lock.json` are handled with caution to prevent potential social engineering attacks. As a temporary workaround, manually verify the dependencies in `package-lock.json` and `package.json` before proceeding with the installation. At the moment, there is no information about a newer version that contains a fix for this issue.