GHSA-64g7-mvw6-v9qj: 
JavaScript vulnerability analysis and mitigation

A moderate severity vulnerability (GHSA-64g7-mvw6-v9qj, CVE-2022-0144) was discovered in shelljs npm package affecting versions prior to 0.8.5. The vulnerability was published on January 14, 2022, and is classified as an Improper Privilege Management issue (CWE-269). The vulnerability specifically affects the synchronous version of shell.exec() function in shelljs package (GitHub Advisory).

The vulnerability is related to improper privilege management in the synchronous version of shell.exec() function, where the output may be visible to other users on the same system. This issue specifically manifests in multi-user environments such as Mac, Linux, or WSL, and becomes particularly concerning when shell.exec() is executed with root privileges. Notably, other shelljs functions, including the asynchronous version of shell.exec(), are not affected by this vulnerability (GitHub Advisory).

The primary impact of this vulnerability is that output from the synchronous version of shell.exec() could be exposed to other users on the same system, potentially leading to information disclosure. This is particularly concerning in shared environments or when the function is executed with elevated privileges (GitHub Advisory).

The vulnerability has been patched in shelljs version 0.8.5. The recommended action is to upgrade to this version or later. No alternative workarounds have been provided, making the upgrade the only secure solution (GitHub Advisory).