cli @0.4.3
A tool for rapidly building command line apps
Maintainers
Keywords
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| glob | >= 3.1.4 | auto_approved |
Transitive Dependency Tree
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-6cpc-mj5c-m9rq | osv | reject | AI | AI (osv): Arbitrary file write via symlink attack on predictable temp files; affects all versions < 1.0.0. Fix available in 1.0.0. Verdict generalizes to all versions in the affected range. |
SAST Findings (2)
[Always reject] Affected versions of `cli` use predictable temporary file names. If an attacker can create a symbolic link at the location of one of these temporary file names, the attacker can arbitrarily write to any file that the user who owns the `cli` process has permission to write to.

## Proof of Concept

By creating symbolic links at the following locations, the target of the link can be written to.

```
// Predictable paths derived only from the app name (no random component)
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
```

## Recommendation

Update to version 1.0.0 or later.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3), 1 info (+0).
Published to npm: