OS Command Injection in GitHub repository ljharb/npm-lockfile prior to v2.0.5.
The MITRE CVE dictionary describes this issue as: