CVE-2025-4759

Name of the Vulnerable Software and Affected Versions: lockfile-lint-api versions prior to 5.9.2

Description: The issue concerns incorrect behavior order, specifically early validation, via the resolved attribute of the package URL validation. This can be bypassed by extending the package name, allowing an attacker to install other npm packages than the intended one.

Recommendations: For versions prior to 5.9.2, update to version 5.9.2 or later to resolve the issue. As a temporary workaround, consider restricting package installations to only those that are explicitly intended, to minimize the risk of exploitation.