open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in.
The package does come with the following warning in the readme:
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
open is now the deprecated
opn package. Upgrading to the latest version is likely have unwanted effects since it now has a very different API but will prevent this vulnerability.
publishedAdvisory publishedMay 16th, 2018
reportedInitial report by Сковорода Никита АндреевичMay 16th, 2018