The npm CLI is the command line client that allows developers to install and publish packages to npm registries.
Code execution requiring social engineering or unlikely user interaction is typically not eligible for rewards.
Vulnerabilities that require local system access, such as local credential storage issues, are likewise not eligible.
By default, commands that modify the package tree, such as npm install, run the pre- and post-install scripts. If you would like to disable this, you can set the --ignore-scripts flag. However, note that general code execution that is achieved when using the --ignore-scripts flag is considered out of scope. As stated in the npm documentation, setting the --ignore-scripts flag to true means that "npm does not run scripts specified in package.json files." Any code execution that occurs when using the --ignore-scripts flag, other than bypassing that specific intended behavior by successfully executing a pre- or post-install script from a package.json file, is considered ineligible.
Vulnerabilities caused by a vulnerability in an upstream dependency are out of scope and should instead be disclosed to the upstream maintainers. We may make exceptions for vulnerabilities that we deem to have a substantial impact; however, such issues should still be directed to the maintainers of the upstream dependency first.