## Update 18-December-2019: Releases available
These releases update npm to v6.13.4 to address three vulnerabilities described below.
All current release lines were affected.
### Global `node_modules` Binary Overwrite
Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global `node_modules` Binary Overwrite: npm fails to prevent existing globally-installed binaries from being overwritten by other package installations.
For example, if a package was installed globally and created a `serve` binary, any subsequent installs of packages that also create a `serve` binary would overwrite the first binary. This will not overwrite system binaries but only binaries put into the global `node_modules` directory.
This behavior is still allowed in local installations and also through install scripts. Using the `--ignore-scripts` install option does not protect against this vulnerability.
### Symlink reference outside of `node_modules`
Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of `node_modules`. It is possible for packages to create symlinks to files outside of the `node_modules` folder through the `bin` field upon installation. A properly constructed entry in the `package.json` `bin` field would allow a package publisher to create a symlink pointing to arbitrary files on a user's system when the package is installed. Only files accessible to the user running `npm install` are affected.
This behavior is still possible through install scripts. Using the `--ignore-scripts` install option does not protect against this vulnerability.
### Arbitrary File Write
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. npm fails to restrict `bin` field entries to the intended `node_modules` folder. A properly constructed entry in the `package.json` `bin` field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. Only files that the user running `npm install` has access to can be affected.
This behavior is still possible through install scripts. Using the `--ignore-scripts` install option does not protect against this vulnerability.
### Downloads
Please note that this will be the final release of the v8.x line as support ends after December 31st, 2019.
--------------------------------------