VYPR

Zx

by Google

npm: zx

Source repositories

CVEs (2)

  • CVE-2025-13437MedNov 20, 2025
    risk 0.29cvss epss 0.00

    When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later…

  • CVE-2025-24959LowFeb 3, 2025
    risk 0.00cvss epss 0.00

    zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment…