npm-lockfile safely generates an npm lockfile and outputs it to the filename of your choice. npm-lockfile before 2.0.4 does not sanitize unsafe external input and passes it to a sensitive command execution API, resulting in a command injection vulnerability. A fix was released in version 2.0.5.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | npm-lockfile | lt | 2.0.5 |
| | npm-lockfile | ge | 2.0.3 |
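
The bug class in the summary above, as an added example that is not npm-lockfile's own code: it contrasts a command string that a shell would parse with an argument array passed to `execFileSync`, plus an allowlist check on the value. The page does not say which input or API call is affected, so the output filename, the `mv` command string and every function name here are assumptions.

```javascript
// Added example: hypothetical helpers, not taken from npm-lockfile.
const { execFileSync } = require('node:child_process');

// Constructed hostile value for a caller-supplied output filename.
const HOSTILE = 'lock.json; echo INJECTED';

// Vulnerable pattern: the value is spliced into a string that a shell parses
// (as exec()/execSync() would). Returned for inspection only, never executed.
function unsafeCommandString(outFile) {
  return `mv package-lock.json ${outFile}`;
}

// Allowlist for a plain filename: no path separators, no shell metacharacters,
// no leading "-" or "." (a leading "-" could be parsed as an option).
const SAFE_NAME = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$/;

function validateOutFile(outFile) {
  if (typeof outFile !== 'string' || !SAFE_NAME.test(outFile)) {
    throw new TypeError(`unsafe output filename: ${JSON.stringify(outFile)}`);
  }
  return outFile;
}

// Hardened pattern: program and arguments stay separate and no shell runs.
// The child is Node itself, standing in for the real command; it reports the
// arguments it received so the caller can see they arrived as one literal.
function echoViaArgv(value) {
  const child = 'process.stdout.write(JSON.stringify(process.argv.slice(1)))';
  const out = execFileSync(process.execPath, ['-e', child, value], {
    encoding: 'utf8',
  });
  return JSON.parse(out);
}

function demo() {
  let rejected = false;
  try { validateOutFile(HOSTILE); } catch (e) { rejected = e instanceof TypeError; }
  return {
    shellString: unsafeCommandString(HOSTILE),  // ";" would end the mv command
    argvSeenByChild: echoViaArgv(HOSTILE),      // one argument, ";" is inert
    rejected,                                   // allowlist refuses the value
    accepted: validateOutFile('npm-shrinkwrap.json'),
  };
}

console.log(demo());
```

The argument array removes shell parsing, and the allowlist covers what it does not: path traversal and values the child program would read as options.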