sinedied/hads

npm audit reports a Critical issue

Closed this issue · 2 comments

Hello,

When I run npm audit with hads in version 1.6.1, I have this report:

│ Critical │ Command Injection
│ Package │ open
│ Patched in │ No patch available
│ Dependency of │ hads [dev]
│ Path │ hads > open
│ More info │ https://nodesecurity.io/advisories/663

Did you plan to fix this issue?

Thanks in advance for your answer.
Damien

As the command tells you, there's currently no patch available to fix that, and probably won't ever be as the goal of the open package is to open a tool installed on your system (in this case, the browser).

Since the usage of this command is restricted to a local CLI command execution (it's not used by the server), it's not really an issue even though npm is noisy about it.

@dcuenot I just released a new version that fixed the vulnerability report, I replaced the faulty module to avoid the noise.