VYPR

npm package

zx

pkg:npm/zx

Vulnerabilities (2)

  • CVE-2025-13437MedNov 20, 2025
    affected < 8.8.5fixed 8.8.5

    When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later clean

  • CVE-2025-24959LowFeb 3, 2025
    affected >= 8.3.1, < 8.3.2fixed 8.3.2

    zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variable