GMS-2019-42: Out-of-bounds Read in npmconf

June 12, 2019 (updated August 4, 2021)

Versions of npmconf allocate and write to disk uninitialized memory contents when a typed number is passed as input on Node.js Update to or later. Consider switching to another config storage mechanism, as npmconf is deprecated and should not be used.

References

github.com/advisories/GHSA-57cf-349j-352g
hackerone.com/reports/320269
nodesecurity.io/advisories/653
www.npmjs.com/advisories/653

Code Behaviors & Features

Detect and mitigate GMS-2019-42 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →