CVE-2026-42089: yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

May 26, 2026

yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.

The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user.

References

github.com/advisories/GHSA-vv9j-gjw2-j8wp
github.com/yeoman/environment/commit/78d2af7e60294784b8a8b3b3b5099c6874b6a1fa
github.com/yeoman/environment/security/advisories/GHSA-vv9j-gjw2-j8wp
nvd.nist.gov/vuln/detail/CVE-2026-42089

Code Behaviors & Features

Detect and mitigate CVE-2026-42089 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →