parket-flow @3.0.1
Vulnerability report · Last retrieved from osv.dev July 10, 2026 at 1:30 AM UTC
OSV ID
MAL-2026-6334
Ecosystem
npm
Summary
index.js imports child_process and invokes execSync with bash and zsh shells (index.js line 1, 301, 317). Without traced execution context it is not possible to determine whether these shell invocations are part of legitimate tool functionality or whether they fetch and execute attacker-controlled content. No corroborating evidence of exfiltration, credential access, network beacons, or attacker-controlled endpoints is present in what was inspected. Recommend human review of the shell command construction and any inputs they consume before allowing or blocking.
Source: amazon-inspector (8e9b185a1b54e41a8fb900a67aab43dbb78abc4fea96e9ca05d356f6864e3bdd)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.