Vulnerability in NPM that allows arbitrary files to be modified during package installation

The update to the NPM package manager, version 6.13.4, which ships with the Node.js distribution and is used to distribute modules written in JavaScript, fixes three vulnerabilities (CVE-2019-16775, CVE-2019-16776 and CVE-2019-16777) that allow files on the system to be arbitrarily modified or overwritten when a package prepared by an attacker is installed. As a workaround, installation can be run with the "--ignore-scripts" option, which prevents the handlers (scripts) bundled inside packages from being executed. The NPM developers analysed the packages available in the repository and found no traces of the identified problems being used for attacks.

  • CVE-2019-16777 is present in releases before 6.13.4 and allows executable files on the system to be overwritten during installation of a global package. Only files in the target directory into which executables are installed (usually /usr/local/bin) can be modified.
  • CVE-2019-16775 and CVE-2019-16776 are present in releases before 6.13.3 and allow an arbitrary file to be written, either by creating a symbolic link to files outside the modules directory (node_modules) or by manipulating the bin field in package.json (paths containing "/../" were accepted in the bin field).

    Source: opennet.ru
