Amazon Linux 2022 Security Advisory: ALAS-2022-048
Advisory Release Date: 2022-04-18 23:49 Pacific
Advisory Updated Date: 2022-04-22 15:14 Pacific
A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. (CVE-2021-43616)
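As an added illustration (not part of the advisory and not npm's own code), the following Node.js check compares the dependency specs declared in package.json with those recorded in the root entry of package-lock.json, which is the kind of mismatch the npm ci behavior described above lets through. It assumes lockfileVersion 2 or 3, where packages[""] mirrors the dependency fields of package.json; findLockDrift, the sample objects and the package names are constructed for this example.

```javascript
// Added example, not npm's implementation. Assumes lockfileVersion 2 or 3,
// where packages[""] mirrors the dependency fields of package.json.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // pinned spec such as "1.3.0"
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a list of human-readable mismatches; an empty list means no drift.
function findLockDrift(pkg, lock) {
  const root = lock.packages && lock.packages[""];
  if (!root) return ['lockfile has no packages[""] root entry'];
  const problems = [];
  for (const field of DEP_FIELDS) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    const names = new Set([...Object.keys(declared), ...Object.keys(locked)]);
    for (const name of names) {
      if (!own(declared, name)) {
        problems.push(`${field}: ${name} is only in package-lock.json`);
      } else if (!own(locked, name)) {
        problems.push(`${field}: ${name} is only in package.json`);
      } else if (declared[name] !== locked[name]) {
        problems.push(`${field}: ${name} wants "${declared[name]}", lock records "${locked[name]}"`);
      } else {
        // Specs agree; for a pinned spec the resolved version must match too.
        const entry = lock.packages[`node_modules/${name}`];
        if (!entry) {
          problems.push(`${field}: ${name} has no resolved entry`);
        } else if (EXACT.test(declared[name]) && entry.version !== declared[name]) {
          problems.push(`${field}: ${name} pinned to ${declared[name]}, lock resolves ${entry.version}`);
        }
      }
    }
  }
  return problems;
}

// Constructed sample data; package names are hypothetical.
const samplePkg = { dependencies: { "example-lib": "1.3.0", "example-util": "^4.17.0" } };
const staleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "example-lib": "1.2.0", "example-util": "^4.17.0" } },
    "node_modules/example-lib": { version: "1.2.0" },
    "node_modules/example-util": { version: "4.17.21" },
  },
};
console.log(findLockDrift(samplePkg, staleLock));
```

In a build pipeline, pass the parsed contents of the two files to findLockDrift and fail the job when the returned list is not empty.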
Affected Packages:
nodejs
Issue Correction:
Run dnf update --releasever=2022.0.20220419 nodejs to update your system.
aarch64:
nodejs-debuginfo-16.14.0-2.amzn2022.aarch64
nodejs-devel-16.14.0-2.amzn2022.aarch64
nodejs-libs-16.14.0-2.amzn2022.aarch64
nodejs-full-i18n-16.14.0-2.amzn2022.aarch64
nodejs-libs-debuginfo-16.14.0-2.amzn2022.aarch64
nodejs-16.14.0-2.amzn2022.aarch64
v8-devel-9.4.146.24-1.16.14.0.2.amzn2022.aarch64
npm-8.3.1-1.16.14.0.2.amzn2022.aarch64
nodejs-debugsource-16.14.0-2.amzn2022.aarch64
i686:
nodejs-libs-debuginfo-16.14.0-2.amzn2022.i686
nodejs-libs-16.14.0-2.amzn2022.i686
nodejs-debugsource-16.14.0-2.amzn2022.i686
nodejs-full-i18n-16.14.0-2.amzn2022.i686
npm-8.3.1-1.16.14.0.2.amzn2022.i686
nodejs-16.14.0-2.amzn2022.i686
nodejs-devel-16.14.0-2.amzn2022.i686
nodejs-debuginfo-16.14.0-2.amzn2022.i686
v8-devel-9.4.146.24-1.16.14.0.2.amzn2022.i686
noarch:
nodejs-docs-16.14.0-2.amzn2022.noarch
src:
nodejs-16.14.0-2.amzn2022.src
x86_64:
nodejs-libs-debuginfo-16.14.0-2.amzn2022.x86_64
nodejs-full-i18n-16.14.0-2.amzn2022.x86_64
nodejs-devel-16.14.0-2.amzn2022.x86_64
nodejs-debuginfo-16.14.0-2.amzn2022.x86_64
v8-devel-9.4.146.24-1.16.14.0.2.amzn2022.x86_64
nodejs-libs-16.14.0-2.amzn2022.x86_64
nodejs-16.14.0-2.amzn2022.x86_64
npm-8.3.1-1.16.14.0.2.amzn2022.x86_64
nodejs-debugsource-16.14.0-2.amzn2022.x86_64