CVE-2021-43616 log

Source
Severity Medium
Remote Yes
Type Insufficient validation
Description
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
Group Package Affected Fixed Severity Status Ticket
AVG-2554 npm 8.1.3-1 Medium Vulnerable
References
https://github.com/npm/cli/issues/2701
https://docs.npmjs.com/cli/v7/commands/npm-ci/