Summary:
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
Severity: Low
Advisory ID: KylinSec-SA-2022-1833
Release date: 5 August 2022
Related CVE: CVE-2021-43616
CVE name | Product | Component | Affected
---|---|---|---
CVE-2021-43616 | KY3.4-4A | nodejs | Unaffected
CVE-2021-43616 | KY3.4-5 | nodejs | Unaffected
CVE-2021-43616 | KY3.5.1 | nodejs | Unaffected
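A pre-install consistency check, added here as an example (not the advisory's or npm's own code), that flags the kind of package.json / package-lock.json disagreement that `npm ci` in the affected versions silently accepted. Package names and versions below are constructed, and only exact, `^` and `~` ranges are handled.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release tags and partial ranges are not supported.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1).map(Number);
}

// Minimal semver matcher for exact, caret (^) and tilde (~) ranges.
function satisfies(version, range) {
  const [maj, min, pat] = parseVersion(version);
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const [rMaj, rMin, rPat] = parseVersion(op ? range.slice(1) : range);
  const atLeast = maj > rMaj || (maj === rMaj && (min > rMin || (min === rMin && pat >= rPat)));
  if (!atLeast) return false;
  if (op === '') return maj === rMaj && min === rMin && pat === rPat; // exact pin
  if (op === '~') return maj === rMaj && min === rMin;                // patch-level drift only
  // caret: same major; for 0.x the minor is fixed, and for 0.0.x the patch is fixed too
  if (rMaj === 0) return maj === 0 && min === rMin && (rMin !== 0 || pat === rPat);
  return maj === rMaj;
}

// Compare every declared dependency with the lockfile's hoisted entry (lockfileVersion 2/3 layout).
// Returns a list of mismatch descriptions; an empty list means the lockfile agrees with the manifest.
function lockfileMismatches(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lock.packages || {};
  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: declared as ${range} but missing from package-lock.json`); continue; }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
  }
  return problems;
}

// Constructed sample manifests: pkg-a is pinned exactly, pkg-b allows a caret range.
const PACKAGE_JSON = { dependencies: { 'pkg-a': '1.4.2', 'pkg-b': '^2.1.0' } };
const LOCK_CONSISTENT = { lockfileVersion: 2, packages: {
  'node_modules/pkg-a': { version: '1.4.2' }, 'node_modules/pkg-b': { version: '2.3.1' } } };
// A lockfile that drifted from the manifest: the pin is violated and pkg-b crosses a major version.
const LOCK_DRIFTED = { lockfileVersion: 2, packages: {
  'node_modules/pkg-a': { version: '1.4.1' }, 'node_modules/pkg-b': { version: '3.0.0' } } };

for (const [label, lock] of [['consistent', LOCK_CONSISTENT], ['drifted', LOCK_DRIFTED]]) {
  const problems = lockfileMismatches(PACKAGE_JSON, lock);
  console.log(`${label}: ${problems.length ? 'REFUSE install\n  ' + problems.join('\n  ') : 'ok'}`);
}
```

Run this as a CI step before `npm ci` to fail the build when the lockfile and manifest disagree, independent of which npm version is installed.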