cli @0.11.3
A tool for rapidly building command line apps
Maintainers
Keywords
Dependencies (2)
| Package | Constraint | Registry Status |
|---|---|---|
| exit | 0.1.2 | auto_approved |
| glob | ^7.0.5 | auto_approved |
Transitive Dependency Tree
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-6cpc-mj5c-m9rq | osv | reject | AI | AI (osv): Arbitrary file write via symlink attack on predictable temp files; affects all versions < 1.0.0. Fix available in 1.0.0. Verdict generalizes to all versions in the affected range. |
SAST Findings (2)
[Always reject] Affected versions of `cli` use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user that owns the `cli` process has permission to write to.

## Proof of Concept

By creating symbolic links at the following locations, the target of the link can be written to:

```js
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
```

## Recommendation

Update to version 1.0.0 or later.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 53. Findings: 1 critical (+40), 1 medium (+10), 1 low (+3), 1 info (+0).
Commit: 42e8cecab6f7 Browse source
Published to npm: