Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory.

Update to version 1.8.8 or later.
github.com/bower/bower/commit/45c6bfa86f6e57731b153baca9e0b41a1cc699e3
github.com/nodejs/security-wg/blob/master/vuln/npm/487.json
hackerone.com/reports/473811
lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2019-5484
snyk.io/blog/severe-security-vulnerability-in-bowers-zip-archive-extraction
www.npmjs.com/advisories/776