Versions of the npm CLI prior to 6.13.4 are vulnerable to a Global node_modules Binary Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations.
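As an added example (not code from the npm project or from this bug report), the following POSIX shell check can be run before a global install to see whether any of a package's bin entries would overwrite an executable already present in the global bin directory, which is the condition the description above says affected npm versions do not guard against. The directory and the bin names are assumed inputs supplied by the caller; on a typical POSIX layout the directory is `$(npm prefix -g)/bin` and the names are the keys of the package's `bin` field in its package.json.

```shell
#!/bin/sh
# Added example, not part of the bug report or of npm itself.
# Lists the executables a package would install that already exist in a
# global bin directory, so an install can be refused before it clobbers
# something. The directory and bin names are assumptions passed by the caller.

# Usage: check_bin_collisions <global-bin-dir> <bin-name>...
# Prints each colliding name on its own line.
# Returns 1 if at least one name collides, 0 otherwise.
check_bin_collisions() {
  bindir=$1
  shift
  rc=0
  for name in "$@"; do
    # -e catches regular files and live symlinks; -L also counts dangling
    # symlinks left behind by an earlier install, which a new install would
    # silently replace.
    if [ -e "$bindir/$name" ] || [ -L "$bindir/$name" ]; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# Self-contained demonstration on a constructed directory layout.
demo() {
  tmp=$(mktemp -d)
  : > "$tmp/tsc"                          # pretend "tsc" was installed globally earlier
  ln -s "$tmp/lib/missing" "$tmp/stale"   # dangling symlink from an old install
  status=0
  check_bin_collisions "$tmp" tsc stale fresh || status=$?
  echo "check finished with status $status"
  rm -rf "$tmp"
}

demo
```

In a pre-install hook, a non-zero status from `check_bin_collisions` is the signal to stop and inspect which existing command the new package would shadow.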
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1788303]
Affects: fedora-all [bug 1788302]
Red Hat Quay versions up to v3.2.0 are affected by the use of yarn to install client side dependencies. Red Hat Quay uses the npm package from RHEL 7 so that will be updated once a fix for RHEL 7 is available.
The issue in Yarn was assigned CVE-2019-10773; Red Hat Quay is affected by that issue, not this one.
This vulnerability is out of security support scope for the following products:
* Red Hat Openshift Application Runtimes Node.js 8
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.