The author of resolve-path told me that I could submit this here. The vulnerability has already been reported to the author and has been fixed!
module name: resolve-path
version: 1.3.3
npm page: https://www.npmjs.com/package/resolve-path
Resolve a relative path against a root path with validation.
This module is meant to protect against common attacks like GET /…/file.js that reach outside the root folder.
Stats
[8264] downloads in the last day
[48226] downloads in the last week
[210556] downloads in the last month
~[2526672] estimated downloads per year
The library fails to handle Windows drive-relative paths such as C:../../. On Windows, C:../../ is not an absolute path (Node's path.win32.isAbsolute() returns false, because there is no separator after the drive letter), so an absolute-path check does not reject it; yet when it is resolved against a root on the same drive, the ../../ segments climb out of the root directory. On Windows, the following call escapes C:/windows/temp/ instead of being rejected:
require('resolve-path')("C:/windows/temp/", "C:../../")
This is a widely depended-on library; for example, KoaJS is affected by this vulnerability. Download stats:
[21086] downloads in the last day
[113573] downloads in the last week
[462543] downloads in the last month
~[5550516] estimated downloads per year