yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Description
Published to the GitHub Advisory Database
May 26, 2026
Reviewed
May 26, 2026
Published by the National Vulnerability Database
Jun 16, 2026
Last updated
Jul 8, 2026
Impact
yeoman-environmentversions>= 2.9.0and< 6.0.1install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.The vulnerable method is
installLocalGenerators(), which callsrepository.install()directly without prompting the user.Patches
Upgrade to
yeoman-environment6.0.1, which adds an interactive confirmation prompt before installation (PR #753).Workarounds
None.
Resources
References