Severity: Critical
CVSS Score: 10
Versions of `open` before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme: ``` The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell. ``` ## Recommendation `open` is now the deprecated `opn` package. Upgrading to the latest version is likely have unwanted effects since it now has a very different API but will prevent this vulnerability.