4 matches found
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact: yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
433bf (=0.0.1), @aaqilniz/cli (=4.1.4) +556 more potentially affected by CVE-2026-42089 via yeoman-environment (>=2.9.5 <=6.0.0)
yeoman-environment NPM version =2.9.5, =4.2.0, =14.0.0, =1.0.0, =0.0.1, =1.0.0-beta.1, =1.0.0-beta.1, =0.0.5, =8.0.0, =8.3.0-pre.2022-06-22.sha-42703caf, =8.0.2, =1.0.0, =1.2.1-pre.2024-01-09.d13174d0, =2.1.0 and more
Source cves: CVE-2026-42089
Source advisory: OSV:GHSA-VV9J-GJW2-J8WP...
GHSA-VV9J-GJW2-J8WP yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact: yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
PT-2026-43442
Impact: yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...