You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would like to ask about some guidance when it comes to CVEs reported against npm's own dependencies.
We get reports on a near-weekly basis against npm dependencies such as minimatch, node-tar, brace-expansion, and undici, with CVEs usually centered around some sort of unsanitized input.
We have on previous occasions received feedback—for example regarding node-tar in npm/cli#8917—that npm is not vulnerable to a dependency's CVE due to npm-specific filtering.
I would like to better understand whether it is possible for these CVEs to be exploited within the context of standard npm usage. For example, how could an attacker actually trigger the latest brace-expansion DoS vulnerability within the expand() function through standard npm commands?
Key areas I am trying to figure out:
How are inputs routed to these dependencies?
For example, in the case of brace-expansion's DoS vulnerability (CVE-2026-13149) in the expand() function: does npm ever pass unvalidated, third-party package data (like fields in a fetched package.json or arbitrary package names) into these expansion and matching libraries? Or are these utilities only invoked on local configuration, deterministic paths, and command-line arguments explicitly provided by the system administrator?
How does the project treats these transitive CVEs?
For example, does the project distinguish between "offline/local-only CLI execution risks" (where an attacker already needs local execution privileges to exploit npm) versus "remote package-registry parsing risks" (where a malicious package published to registry metadata could trigger a crash/execution)?
Resources for self-assessment:
Are there any community resources, write-ups, or past issue analyses you would recommend that demonstrate how to audit the reachability of a sub-dependency vulnerability specifically within the npm CLI codebase?
I understand that this is a very broad question, but from our POV, it is necessary to determine how vulnerable our clients will actually be before we start blindly patching. I would appreciate it if anyone could share their insight on how the project deals with this sort of CVE report, or point me towards some resources that could help me understand the possible attack vectors of these unsanitized input CVEs.
QuestionAsk and answer questions about GitHub features and usagenpmDiscussions around programming langages, open source and software developmentWelcome 🎉Used to greet and highlight first-time discussion participants. Welcome to the community!source:uiDiscussions created via Community GitHub templates
1 participant
Heading
Bold
Italic
Quote
Code
Link
Numbered list
Unordered list
Task list
Attach files
Mention
Reference
Menu
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
🏷️ Discussion Type
Question
Body
Hi,
I would like to ask about some guidance when it comes to CVEs reported against npm's own dependencies.
We get reports on a near-weekly basis against npm dependencies such as minimatch, node-tar, brace-expansion, and undici, with CVEs usually centered around some sort of unsanitized input.
We have on previous occasions received feedback—for example regarding
node-tarin npm/cli#8917—that npm is not vulnerable to a dependency's CVE due to npm-specific filtering.I would like to better understand whether it is possible for these CVEs to be exploited within the context of standard npm usage. For example, how could an attacker actually trigger the latest brace-expansion DoS vulnerability within the
expand()function through standard npm commands?Key areas I am trying to figure out:
How are inputs routed to these dependencies?
For example, in the case of
brace-expansion's DoS vulnerability (CVE-2026-13149) in theexpand()function: does npm ever pass unvalidated, third-party package data (like fields in a fetchedpackage.jsonor arbitrary package names) into these expansion and matching libraries? Or are these utilities only invoked on local configuration, deterministic paths, and command-line arguments explicitly provided by the system administrator?How does the project treats these transitive CVEs?
For example, does the project distinguish between "offline/local-only CLI execution risks" (where an attacker already needs local execution privileges to exploit npm) versus "remote package-registry parsing risks" (where a malicious package published to registry metadata could trigger a crash/execution)?
Resources for self-assessment:
Are there any community resources, write-ups, or past issue analyses you would recommend that demonstrate how to audit the reachability of a sub-dependency vulnerability specifically within the npm CLI codebase?
I understand that this is a very broad question, but from our POV, it is necessary to determine how vulnerable our clients will actually be before we start blindly patching. I would appreciate it if anyone could share their insight on how the project deals with this sort of CVE report, or point me towards some resources that could help me understand the possible attack vectors of these unsanitized input CVEs.
Beta Was this translation helpful? Give feedback.
All reactions