CVE-2021-43616

Name of the Vulnerable Software and Affected Versions: npm versions 7.x through 8.1.3

Description: The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json, which is inconsistent with the documentation. This behavior makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. The npm team believes this is not a vulnerability, as it would require someone to socially engineer package.json which has different dependencies than package-lock.json, and that user would have to have file system or write access to change dependencies.

Recommendations: For npm versions 7.x through 8.1.3, consider restricting access to the npm ci command until a patch is available, and ensure that package.json and package-lock.json are handled with caution to prevent potential social engineering attacks. As a temporary workaround, manually verify the dependencies in package-lock.json and package.json before proceeding with the installation. At the moment, there is no information about a newer version that contains a fix for this issue.