Affected script: "install-scripts:install"
The script downloads and executes a binary from an external source without any verification of the source's authenticity or the integrity of the file. This creates a risk that malicious code could be served from a compromised or malicious repository, which could potentially lead to arbitrary code execution on the local system. Specifically, the package URL `https://github.com/FuelLabs/sway/releases/download/v${forcVersion}/${pkgName}` assumes the file is legitimate and secure, but there is no signature verification process in place to ensure the downloaded file hasn't been tampered with. The use of `execSync` to execute arbitrary shell commands with the downloaded binary also presents a risk, as it could execute harmful commands if the binary is malicious.
@fuel-ts/forc's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

| Name | Version | Size | License | Type | Vulnerabilities |
|---|---|---|---|---|---|
| node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |