The package get-npm-package-version prior to 1.0.7 are vulnerable to Command Injection via main function in index.js.
get-npm-package-version project get-npm-package-version