The Node.js Secure Coding Blog

Hardening Your npm and pnpm Configs in the Age of Shai-Hulud

A copy-paste-ready .npmrc and pnpm-workspace.yaml that actually defends against the supply-chain attacks of 2025 and 2026 — with the threat model behind every directive.
May 30, 2026 ~ 9 min read
supply-chain security
package-managers
npm
Argument Injection vulnerability in git-blame@1.4.0

The git-blame npm package is vulnerable to Argument Injection via the `rev` parameter allowing arbitrary command injection.
Nov 22, 2025 ~ 2 min read
nodejs
vulnerability
command injection
Argument Injection vulnerability in `gits@0.1.8`

An Argument Injection vulnerability was discovered in the `gits` npm package that could allow attackers to execute arbitrary commands on the host
Nov 22, 2025 ~ 1 min read
nodejs
vulnerability
command injection
Command Injection vulnerability in `@fab1o/git@1.4.0`

A Command Injection vulnerability in the `@fab1o/git` npm package allows attackers to execute arbitrary commands on the host system via unsanitized user input passed to the `exec()` function.
Nov 22, 2025 ~ 1 min read
nodejs
vulnerability
command injection
Command Injection vulnerability in `git-contributors` via unsanitized CLI arguments

A Command Injection vulnerability was discovered in the `git-contributors` npm package that allows attackers to execute arbitrary commands by manipulating the options object passed to the library's API.
Nov 22, 2025 ~ 3 min read
nodejs
vulnerability
command injection
Command Injection vulnerability in `git-q@0.0.3`

Publicly disclosing a Command Injection vulnerability in the `git-q` npm package, which allows attackers to execute arbitrary commands on the host system via unsanitized user input.
Nov 22, 2025 ~ 1 min read
nodejs
vulnerability
command injection

Newer posts

Older posts