See also https://github.com/npm/cli/issues/2701

I think this is quite a serious issue which has been open for almost a year. I don't understand why there hasn't been a reaction from the npm developers on the issue (as far as I can see). npm 8.3.1 (the current version) is still vulnerable.

It might not be directly exploitable but it can leave you open for all kinds of security and/or stability issues. It is also a regression from npm 6.