CVE-2021-43616 log

Severity Medium
Remote Yes
Type Insufficient validation
The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json.
Group Package Affected Fixed Severity Status Ticket
AVG-2554 npm 8.1.4-1 8.4.1-1 Medium Fixed