In GitLab EE 11.7 up to and including 12.9, the NPM feature is vulnerable to a path traversal issue.
gitlab gitlab