All versions of open are vulnerable to command injection when unsanitized user input is passed in.
The package's README does carry the following warning:
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is available.
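
The README's comparison to child_process.exec, shown as an added example that is not code from the open package or from this advisory: input placed in a shell string is parsed by the shell, while the same input passed as a single argv element without a shell stays literal. The function names and the sample input are hypothetical and constructed for illustration, and a POSIX shell is assumed for the first function.

```javascript
const { execSync, execFileSync } = require('child_process');

// Constructed sample input: a URL followed by a harmless shell command separator.
const SAMPLE = 'http://example.test/; echo INJECTED';

// Child program that writes back its first argument, so we can see what it received.
const ECHO_ARG = 'process.stdout.write(process.argv[1])';

// Pattern the README warns about: input concatenated into a string run by a shell.
// The shell treats ';' as a separator and runs whatever follows it.
function viaShell(target) {
  return execSync('echo ' + target, { encoding: 'utf8' });
}

// Hardened pattern: no shell is involved and the input is one argv element,
// so metacharacters reach the child program as plain text.
function viaArgv(target) {
  return execFileSync(process.execPath, ['-e', ECHO_ARG, target], { encoding: 'utf8' });
}

// Allow-list check (hypothetical helper): accept only absolute http(s) URLs.
// A valid URL can still contain characters such as ';', so this check
// complements the argv form above and does not replace it.
function checkTarget(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

console.log('shell string :', JSON.stringify(viaShell(SAMPLE)));
console.log('argv element :', JSON.stringify(viaArgv(SAMPLE)));
console.log('file: scheme :', checkTarget('file:///etc/hosts'));
console.log('https scheme :', checkTarget('https://example.test/a;b'));
```
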