Affected script: "install-scripts:install"
The script downloads and extracts a package from a remote URL without any kind of checksum or signature verification. This means it could be vulnerable to a Man-in-the-Middle attack, allowing an attacker to serve a malicious package instead of the legitimate one. Additionally, the script uses `execSync` to execute shell commands with user-defined input (`binPath` and `pkgPath`), which could be exploited for arbitrary code execution if an attacker can manipulate these variables.
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod | |