Wednesday, 30 May, 2018 UTC


Summary

npm cli users should make sure that they have git version 2.17.1 or later installed to protect against a recent code execution vulnerability involving git submodules.
On May 29th, a new version of git (2.17.1) was published which addressed a flaw in how git submodules are handled. The flaw allowed for code execution on a user’s system when a recursive git clone of a specially created repository was performed.
The npm cli supports git dependencies; to do so, it delegates the cloning of those dependencies to the git command. Because of this delegation, if a vulnerable version of git is installed on the system, the npm cli could be tricked into installing a git dependency from a malicious repository that executes code on the user’s system.
To check what version of git you have installed, run git --version:

$ git --version
git version 2.17.1
Updating git is a different process for different systems. Users should use whatever method they initially installed git with in order to update it.
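The version check above done as a script, so it can be dropped into a CI job or a pre-install hook rather than read by eye. This is an added example, not code from the npm advisory or the npm project: it parses the output of git --version, compares it numerically against 2.17.1 (the version the advisory names), and exits non-zero when the git on PATH is older. The function names (parse_git_version, version_ge, git_ok, check_installed_git) are this example's own. One caveat a distribution user should know: some packagers backport security fixes without bumping the upstream version string, so a version-number check is a heuristic; consult your distribution's advisory if it reports an older number.

```shell
#!/bin/sh
# Added example: verify that the git npm will delegate to is at least the
# version the npm advisory names. Not part of the advisory itself.

# Minimum git version named in the advisory (assumed fixed version).
MIN_GIT_VERSION="2.17.1"

# parse_git_version LINE: print the dotted version from a `git --version` line.
# "git version 2.17.1"                 -> 2.17.1
# "git version 2.15.1 (Apple Git-101)" -> 2.15.1  (trailing vendor text dropped)
parse_git_version() {
    printf '%s\n' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: exit 0 if dotted version A >= B, comparing each component
# numerically (so 2.17.1 > 2.9.5, and 2.17 < 2.17.1). Missing components
# count as 0; non-numeric suffixes such as "rc0" also count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0;
    }'
}

# git_ok LINE: exit 0 if the `git --version` output LINE is at or above
# MIN_GIT_VERSION, 1 if it is older, 2 if the line could not be parsed.
git_ok() {
    v=$(parse_git_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_GIT_VERSION"
}

# check_installed_git: run the check against the git actually on PATH,
# which is the one the npm cli will invoke for git dependencies.
check_installed_git() {
    line=$(git --version 2>/dev/null) || { echo "git not found on PATH"; return 2; }
    if git_ok "$line"; then
        echo "OK: $line (>= $MIN_GIT_VERSION)"
    else
        echo "UPDATE NEEDED: $line (< $MIN_GIT_VERSION, or unparseable)"
        return 1
    fi
}

# When run directly, report on the installed git. The `||` keeps the script
# from aborting under `set -e` so the message is always printed.
check_installed_git || echo "check_installed_git exit status: $?"
```

Sourced into a shell, git_ok can be fed captured output from another machine (for example, a line collected from a build agent), while check_installed_git tests the local PATH; both return non-zero for a git older than 2.17.1, so either can gate an npm install step.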
Windows users can read more here: Announcing the May 2018 Git Security Vulnerability