VulnerableCode Package Details - pkg:npm/%40npmcli/arborist@2.0.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-9vk1-2ysq-3ygd Aliases: CVE-2021-39135 GHSA-gmw6-94gg-2rc2	UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist which is included in npm v7.20.7. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.	2.8.2 Affected by 0 other vulnerabilities.
VCID-myru-vzn7-u7cf Aliases: CVE-2021-39134 GHSA-2h3h-q99f-3fhc	UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.	2.8.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9vk1-2ysq-3ygd
Aliases:
CVE-2021-39135
GHSA-gmw6-94gg-2rc2

UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist which is included in npm v7.20.7. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.

2.8.2
Affected by 0 other vulnerabilities.

VCID-myru-vzn7-u7cf
Aliases:
CVE-2021-39134
GHSA-2h3h-q99f-3fhc

UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

2.8.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:30:16.992890+00:00	GitLab Importer	Affected by	VCID-9vk1-2ysq-3ygd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39135.yml	38.4.0
2026-04-16T21:30:16.105962+00:00	GitLab Importer	Affected by	VCID-myru-vzn7-u7cf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39134.yml	38.4.0
2026-04-11T22:43:22.388594+00:00	GitLab Importer	Affected by	VCID-9vk1-2ysq-3ygd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39135.yml	38.3.0
2026-04-11T22:43:21.144246+00:00	GitLab Importer	Affected by	VCID-myru-vzn7-u7cf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39134.yml	38.3.0
2026-04-02T22:53:30.356633+00:00	GitLab Importer	Affected by	VCID-9vk1-2ysq-3ygd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39135.yml	38.1.0
2026-04-02T22:53:29.461040+00:00	GitLab Importer	Affected by	VCID-myru-vzn7-u7cf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39134.yml	38.1.0
2026-04-01T17:11:42.298197+00:00	GitLab Importer	Affected by	VCID-9vk1-2ysq-3ygd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39135.yml	38.0.0
2026-04-01T17:11:41.315448+00:00	GitLab Importer	Affected by	VCID-myru-vzn7-u7cf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@npmcli/arborist/CVE-2021-39134.yml	38.0.0