PT-2021-5676 · Npm+3 · @Npmcli/Arborist+4
Published 2021-08-31 · Updated 2024-06-15 · CVE-2021-39135
CVSS v3.1: 8.2 (High)
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
@npmcli/arborist versions prior to 2.8.2
npm versions prior to 7.20.7
Description
The issue is related to the @npmcli/arborist library, which calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface. If the node_modules folder of the root project or any of its dependencies is replaced with a symbolic link, Arborist can be made to write package dependencies to an arbitrary location on the file system. An attacker could exploit this by supplying a git repository and instructing the target to run npm install --ignore-scripts in the root. This may succeed because npm install --ignore-scripts is normally not capable of making changes outside of the project directory, so it may be deemed safe.
Recommendations
For @npmcli/arborist versions prior to 2.8.2, update to version 2.8.2 or later.
For npm versions prior to 7.20.7, update to version 7.20.7 or later.
As a temporary workaround, consider verifying that the node_modules folder is a real directory before running npm install.
Do not run npm install on untrusted codebases without first ensuring that the node_modules directory in the project is not a symbolic link.
Fix
Link Following
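A shell implementation of the workaround above, added here as an example rather than taken from the advisory or from npm itself. It assumes a POSIX sh with find(1); the function names are my own, and the wrapper only reaches the advisory's npm install --ignore-scripts command after the check passes.

```shell
#!/bin/sh
# Added example (not from the advisory): refuse `npm install` when any
# node_modules entry in the project tree is a symbolic link, which is the
# condition the advisory's workaround asks you to verify.

# Prints every symlinked node_modules under $1 (default: .) and returns 1
# if any exists, 0 otherwise. find(1) does not follow symlinks unless asked,
# so `-type l` matches the link itself and its target is never descended.
# Nested node_modules (inside dependencies) are covered by the same walk.
check_node_modules_links() {
  root="${1:-.}"
  links=$(find "$root" -name node_modules -type l 2>/dev/null)
  if [ -n "$links" ]; then
    printf 'refusing: symlinked node_modules found:\n%s\n' "$links" >&2
    return 1
  fi
  return 0
}

# Wrapper: run the check first, then install with scripts disabled.
# The npm invocation is the advisory's own command; it is only reached when
# the check passes.
safe_npm_install() {
  dir="${1:-.}"
  check_node_modules_links "$dir" || return 1
  (cd "$dir" && npm install --ignore-scripts)
}
```

Run `safe_npm_install path/to/project` in place of a bare npm install; the check also catches a node_modules symlink planted inside a dependency, not only at the project root.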
Related Identifiers
Affected Products
@Npmcli/Arborist
Alt Linux
Debian
Suse
Npm