Amazon Linux 2022 Security Advisory: ALAS-2022-048
Advisory Release Date: 2022-04-18 23:49 Pacific
Advisory Updated Date: 2022-04-22 15:14 Pacific
Severity:
Important
Issue Overview:
A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. (CVE-2021-43616)
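The mismatch described above can be detected before installation. The following is an added example, not code from npm or from this advisory: it compares the dependency ranges in package.json with those recorded in the lockfile. The function name lockDrift and the sample package names are hypothetical, and it assumes lockfileVersion 2 or 3, where packages[""] mirrors the root manifest.

```javascript
// Added example: report drift between package.json and package-lock.json
// so a build can stop before running `npm ci`.
// Assumption: lockfileVersion 2 or 3, where packages[""] records the root
// manifest's dependency ranges as they were when the lockfile was written.
const SECTIONS = ["dependencies", "devDependencies"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function lockDrift(pkg, lock) {
  const root = lock.packages && lock.packages[""];
  if (!root) return ['lockfile has no packages[""] entry; cannot compare'];
  const problems = [];
  for (const section of SECTIONS) {
    const declared = pkg[section] || {};
    const locked = root[section] || {};
    const names = new Set([...Object.keys(declared), ...Object.keys(locked)]);
    for (const name of [...names].sort()) {
      const where = `${section}.${name}`;
      if (!has(locked, name)) {
        problems.push(`${where}: declared in package.json, absent from lockfile`);
      } else if (!has(declared, name)) {
        problems.push(`${where}: recorded in lockfile, absent from package.json`);
      } else if (declared[name] !== locked[name]) {
        problems.push(`${where}: package.json "${declared[name]}" vs lockfile "${locked[name]}"`);
      } else if (!has(lock.packages, `node_modules/${name}`)) {
        problems.push(`${where}: no resolved node_modules/${name} entry in lockfile`);
      }
    }
  }
  return problems;
}

// Constructed sample: package.json was tightened to an exact version,
// but the lockfile still reflects the older, looser range.
const SAMPLE_PKG = {
  name: "demo-app", version: "1.0.0",
  dependencies: { "example-lib": "1.2.3", "example-util": "^2.0.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { "example-lib": "^1.0.0", "example-util": "^2.0.0" } },
    "node_modules/example-lib": { version: "1.9.0" },
    "node_modules/example-util": { version: "2.1.0" },
  },
};

console.log(lockDrift(SAMPLE_PKG, SAMPLE_LOCK));
```

In a build pipeline, pass the parsed contents of both files and fail the job when the returned list is not empty.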
Affected Packages:
nodejs
Issue Correction:
Run dnf update --releasever=2022.0.20220419 nodejs to update your system.
New Packages:
aarch64:
nodejs-debuginfo-16.14.0-2.amzn2022.aarch64
nodejs-devel-16.14.0-2.amzn2022.aarch64
nodejs-libs-16.14.0-2.amzn2022.aarch64
nodejs-full-i18n-16.14.0-2.amzn2022.aarch64
nodejs-libs-debuginfo-16.14.0-2.amzn2022.aarch64
nodejs-16.14.0-2.amzn2022.aarch64
v8-devel-9.4.146.24-1.16.14.0.2.amzn2022.aarch64
npm-8.3.1-1.16.14.0.2.amzn2022.aarch64
nodejs-debugsource-16.14.0-2.amzn2022.aarch64
noarch:
nodejs-docs-16.14.0-2.amzn2022.noarch
src:
nodejs-16.14.0-2.amzn2022.src
x86_64:
nodejs-libs-debuginfo-16.14.0-2.amzn2022.x86_64
nodejs-full-i18n-16.14.0-2.amzn2022.x86_64
nodejs-devel-16.14.0-2.amzn2022.x86_64
nodejs-debuginfo-16.14.0-2.amzn2022.x86_64
v8-devel-9.4.146.24-1.16.14.0.2.amzn2022.x86_64
nodejs-libs-16.14.0-2.amzn2022.x86_64
nodejs-16.14.0-2.amzn2022.x86_64
npm-8.3.1-1.16.14.0.2.amzn2022.x86_64
nodejs-debugsource-16.14.0-2.amzn2022.x86_64