Npm · Lockfile-Lint-Api · CVE-2025-4759
Name of the Vulnerable Software and Affected Versions:
lockfile-lint-api versions prior to 5.9.2
Description:
The issue is an incorrect behavior order (early validation) in the validation of a package's `resolved` URL attribute. The check can be bypassed by extending the package name, which allows an attacker to have an npm package other than the intended one installed.
Recommendations:
If you are running a version prior to 5.9.2, update to version 5.9.2 or later to resolve the issue. Until you can update, restrict package installations to those that are explicitly intended, to reduce the risk of exploitation.
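As an added example (not lockfile-lint-api's own code), the Node.js check below compares each lockfile entry's `resolved` URL against the exact npm registry tarball path for the declared name and version, and contrasts it with an assumed prefix-style comparison that an extended package name slips past, the class of bypass the description above refers to. The allowed host, the sample lockfile and the package names are constructed for the example.

```javascript
// Added example, not lockfile-lint-api's code. Registry tarball layout assumed:
//   /<name>/-/<basename>-<version>.tgz   (scoped: /@scope/name/-/name-<version>.tgz)
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // constructed allow-list

// Assumed illustration of a weak check: it only asks whether the URL path
// starts with the package name, so "example-lib-extended" passes as "example-lib".
function weakResolvedMatches(name, resolved) {
  const url = new URL(resolved);
  return ALLOWED_HOSTS.has(url.host) && url.pathname.startsWith('/' + name);
}

// Strict check: the decoded path must equal the tarball path for exactly
// this name and version, on an allowed host, over https.
function strictResolvedMatches(name, version, resolved) {
  let url;
  try { url = new URL(resolved); } catch { return false; }
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.host)) return false;
  const basename = name.startsWith('@') ? name.split('/')[1] : name;
  const expected = `/${name}/-/${basename}-${version}.tgz`;
  return decodeURIComponent(url.pathname) === expected;
}

// Walks a lockfileVersion 2/3 style "packages" map and returns every entry
// whose resolved URL does not match the name implied by its node_modules key.
function auditResolvedUrls(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !entry.resolved) continue; // root entry or workspace link
    const name = key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (!strictResolvedMatches(name, entry.version, entry.resolved)) {
      findings.push({ name, resolved: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample lockfile: the second entry claims to be example-lib but
// resolves to a tarball for a package with an extended name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.1' },
    'node_modules/@scope/pkg': { version: '2.0.0',
      resolved: 'https://registry.npmjs.org/@scope/pkg/-/pkg-2.0.0.tgz' },
    'node_modules/example-lib': { version: '1.0.0',
      resolved: 'https://registry.npmjs.org/example-lib-extended/-/example-lib-extended-1.0.0.tgz' },
  },
};

console.log(auditResolvedUrls(SAMPLE_LOCK)); // one finding, for example-lib
```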