Severity: low

    Global node_modules Binary Overwrite



    Versions of bin-links prior to 1.1.6 are vulnerable to a Global node_modules Binary Overwrite. The package fails to prevent globally-installed binaries from being overwritten by other package installs. For example, if a package was installed globally and created a serve binary, any subsequent install of a package that also creates a serve binary would overwrite the first binary. This behavior is still allowed in local installations.


    Upgrade to version 1.1.6 or later.
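
A defender-side check for the collision described above, as an added example that is not part of the advisory or of bin-links: given the package.json manifests of globally installed packages (found under the directory printed by `npm root -g`), it reports which commands a candidate package would take over. The manifests, package names and function names are constructed for illustration.

```javascript
// Added example: detect bin-name collisions between global packages.
// All manifests below are constructed sample data.

// Normalize the package.json "bin" field to { commandName: scriptPath }.
// A string "bin" means one command named after the package, scope stripped.
function binEntries(manifest) {
  const bin = manifest.bin;
  if (!bin) return {};
  if (typeof bin === 'string') {
    const command = manifest.name.replace(/^@[^/]+\//, '');
    return { [command]: bin };
  }
  return typeof bin === 'object' && !Array.isArray(bin) ? { ...bin } : {};
}

// Map every command name to the packages that declare it.
function binOwners(manifests) {
  const owners = new Map();
  for (const m of manifests) {
    for (const command of Object.keys(binEntries(m))) {
      if (!owners.has(command)) owners.set(command, []);
      owners.get(command).push(m.name);
    }
  }
  return owners;
}

// Commands a candidate package would take over from installed packages.
// Reinstalling the same package name is not counted as a collision.
function wouldOverwrite(installed, candidate) {
  const owners = binOwners(installed.filter((m) => m.name !== candidate.name));
  return Object.keys(binEntries(candidate))
    .filter((command) => owners.has(command))
    .map((command) => ({ command, ownedBy: owners.get(command) }));
}

// Constructed sample: two installed global packages and one candidate.
const installed = [
  { name: 'serve', version: '1.0.0', bin: './bin/serve.js' },
  { name: '@example/tools', version: '2.1.0', bin: { lint: 'lint.js', fmt: 'fmt.js' } },
];
const candidate = { name: '@example/serve', version: '0.0.1', bin: 'cli.js' };

console.log(wouldOverwrite(installed, candidate));
```

Run against real manifests before a global install, a non-empty result means the install would replace a command that another package already provides on affected versions.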

    Advisory timeline

    1. published

      Advisory Published
      Dec 12th, 2019
    2. reported

      Reported by Daniel Ruf
      Dec 11th, 2019