Affected script: "install-scripts:install"
The install.js script fetches a package from a remote URL and runs shell commands on the system without any validation or integrity checking. This poses a severe risk as it could be exploited to download and execute malicious code. The use of execSync can lead to remote command execution if the inputs are not properly sanitized. The URLs and inputs should be sanitized and verified, ideally with cryptographic signatures, to prevent tampering and ensure the legitimacy of the files being executed.
@fuel-ts/fuel-core's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name | Version | Size | License | Type | Vulnerabilities |
---|---|---|---|---|---|
node-fetch | 2.7.0 | 43.6 kB | MIT | prod |