Severity: HIGH 8.6

GHSA-vv9j-gjw2-j8wp

yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

Details

### Impact

`yeoman-environment` versions `>= 2.9.0` and `< 6.0.1` install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.

The vulnerable method is `installLocalGenerators()`, which calls `repository.install()` directly without prompting the user.

### Patches

Upgrade to `yeoman-environment` `6.0.1`, which adds an interactive confirmation prompt before installation ([PR #753](https://github.com/yeoman/environment/pull/753)).

### Workarounds

None.

### Resources

- [Fix commit 78d2af7](https://github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa)


Affected packages

npm / yeoman-environment
Introduced in: 2.9.0
Fixed in: 6.0.1
Fix: npm install yeoman-environment@6.0.1
