All the vulnerabilities related to the version 1.2.6 of the package
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Improper Privilege Management in shelljs
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
If you have any questions or comments about this advisory:
Predictable results in nanoid generation when given non-integer values
When nanoid is called with a fractional value, there were a number of undesirable effects:
Version 3.3.8 and 5.0.9 are fixed.
min-document vulnerable to prototype pollution
A vulnerability exists in the 'min-document' package prior to version 2.19.0, stemming from improper handling of namespace operations in the removeAttributeNS method. By processing malicious input involving the proto property, an attacker can manipulate the prototype chain of JavaScript objects, leading to denial of service or arbitrary code execution. This issue arises from insufficient validation of attribute namespace removal operations, allowing unintended modification of critical object prototypes. The vulnerability remains unaddressed in the latest available version.
