Pkg 5.8.1 is a patch release following version 5.8.0, focusing on refinements and fixes within the popular Node.js executable packaging tool. The most notable change is in the dependencies: @babel/types advances from version 7.18.4 to 7.19.0. This likely addresses specific compatibility issues or incorporates new features from Babel's type system that improve pkg's ability to analyze and bundle modern JavaScript code. Additionally, prebuild-install updates from version 6.1.4 to 7.1.1, suggesting improvements in handling the prebuilt binaries that cross-platform executables depend on.
While the core functionality is unchanged, these dependency upgrades are worthwhile for developers. By using the latest versions of @babel/types and prebuild-install, pkg 5.8.1 delivers improved reliability and may resolve edge-case issues encountered during packaging. The result is a smoother experience, particularly for developers using newer JavaScript features or targeting diverse platforms. Developers should update to the latest version to benefit from these changes and ensure their Node.js applications are packaged correctly and efficiently for distribution. The increase in unpacked size from 226455 to 226525 may reflect the added functionality. Finally, the updated release date reflects the more polished of the two versions.
All vulnerabilities related to version 5.8.1 of the package
Pkg Local Privilege Escalation
Any native code packages built by pkg are written to a hardcoded directory. On Unix systems this is /tmp/pkg/*, a directory shared by all users on the same local system. The package names within this directory are not unique; they are predictable.
An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified.
This package is deprecated. Therefore, there will not be a patch provided for this vulnerability.
To check whether an executable built by pkg depends on native code and is therefore vulnerable, run the executable and check whether /tmp/pkg/ was created.
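The check above, and the ownership and permission review a defender would want on the shared directory, as an added POSIX shell example. This script is not part of the pkg project; it assumes a PKG_TMP_DIR variable (defaulting to the advisory's /tmp/pkg) that exists only so the check can be exercised against a scratch directory, and the "fake" executables it is tested with are constructed stand-ins for a pkg-built binary.

```shell
#!/bin/sh
# Added example, not pkg project code: detect whether an executable extracts
# native add-ons into the shared directory described in the advisory.
# PKG_TMP_DIR is an assumption for testability; the real path is /tmp/pkg.
PKG_TMP_DIR="${PKG_TMP_DIR:-/tmp/pkg}"

# Count regular files under the shared directory (0 if it does not exist).
pkg_count_files() {
    [ -d "$PKG_TMP_DIR" ] || { echo 0; return; }
    find "$PKG_TMP_DIR" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Usage: pkg_check_native_extraction /path/to/executable [args...]
# Returns 0 if running the executable created or populated $PKG_TMP_DIR
# (affected build), 1 if no extraction was observed, 2 on usage error.
pkg_check_native_extraction() {
    exe="$1"
    [ -n "$exe" ] && [ -x "$exe" ] || {
        echo "usage: pkg_check_native_extraction <executable> [args]" >&2
        return 2
    }
    shift

    # Snapshot first, so a stale directory left by an earlier run or another
    # user does not produce a false positive on its own.
    if [ -d "$PKG_TMP_DIR" ]; then existed=1; else existed=0; fi
    before=$(pkg_count_files)

    # Run the executable once; its own exit status is irrelevant here.
    "$exe" "$@" >/dev/null 2>&1 || true

    [ -d "$PKG_TMP_DIR" ] || return 1
    after=$(pkg_count_files)
    if [ "$existed" -eq 0 ] || [ "$after" -gt "$before" ]; then
        return 0
    fi
    return 1
}

# List owner and mode of everything under the shared directory. Entries owned
# by another user, or writable by group/others, are the condition that lets
# a co-located local user swap in a same-named file.
pkg_report_shared_dir() {
    [ -d "$PKG_TMP_DIR" ] || { echo "$PKG_TMP_DIR does not exist"; return 1; }
    find "$PKG_TMP_DIR" -exec ls -ld {} \;
}

# Stand-alone usage: pkg_check_native_extraction ./my-app && pkg_report_shared_dir
```

Because the shared directory may already exist from another user's run, the check compares file counts before and after rather than testing only for the directory's existence; the report function then shows whether those files are owned by the current user and whether anyone else can write to them.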
Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21’s support for single executable applications.
Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.