Supply chain vulnerability in eslint-config-prettier
A recent vulnerability in the eslint-config-prettier package, identified as CVE-2025-54313, has raised concerns about potential remote code execution (RCE) attacks. This vulnerability specifically affects Windows users and has been classified as high severity.
Other packages affected by this issue that shields depends on include:
- eslint-plugin-prettier
- synckit
- @pkgr/core
- napi-postinstall
None of the vulnerable versions appears to be used in our codebase, and upstream has since removed the vulnerable versions from npm.
However, because these packages are declared with the ^ (caret) prefix, anyone who ran npm install on a Windows machine before the fix was applied could have been affected, for example contributors and developers working on forks. Since the risk is malicious code being executed on the user's machine, we recommend that anyone who has run npm install on a Windows machine with these packages check their system for signs of compromise.
The issue does not appear to affect our CI environment: our only Windows job, test-main, uses npm ci, which installs the exact versions recorded in package-lock.json rather than resolving ^ ranges, and so does not install the vulnerable versions.
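As an added example (not part of this advisory or the shields code base), the script below reads a package.json and a package-lock.json and, for the packages named above, lists every resolved version, including nested copies, and flags direct dependencies declared with a floating ^ or ~ range; the package.json and lockfile fragments are constructed, and KNOWN_BAD is a placeholder to be filled from the advisory.

```javascript
// Added example: audit a package.json / package-lock.json pair for the
// packages named in this advisory. All sample data below is constructed.
const WATCHED = ['eslint-config-prettier', 'eslint-plugin-prettier',
                 'synckit', '@pkgr/core', 'napi-postinstall'];

// Placeholder only: fill in from the advisory; this value is not real.
const KNOWN_BAD = { 'eslint-config-prettier': ['0.0.0-placeholder'] };

// A range that can resolve to a newer version on a fresh npm install.
function isFloating(range) {
  return /^[\^~]/.test(range) || range === '*' || range === 'latest';
}

// One record per watched package occurrence in a lockfileVersion 2/3
// "packages" map, so transitive and nested copies are reported too.
function auditLock(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();   // '@pkgr/core' keeps its scope
    if (!path || !WATCHED.includes(name)) continue;
    const range = declared[name];
    results.push({
      name, path, locked: entry.version,
      declaredRange: range || null,
      floating: range ? isFloating(range) : false,
      knownBad: (KNOWN_BAD[name] || []).includes(entry.version),
    });
  }
  return results;
}

function report(pkg, lock) {
  return auditLock(pkg, lock).map(r =>
    `${r.path}: ${r.locked}` +
    (r.declaredRange
      ? ` (declared ${r.declaredRange}${r.floating ? ', floating range' : ''})`
      : ' (transitive)') +
    (r.knownBad ? '  <-- KNOWN BAD' : ''));
}

// Constructed sample inputs; versions are illustrative, not real releases.
const samplePkg = { devDependencies: {
  'eslint-config-prettier': '^9.1.0', 'eslint-plugin-prettier': '5.0.0' } };
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'example' },
  'node_modules/eslint-config-prettier': { version: '9.1.0' },
  'node_modules/eslint-plugin-prettier': { version: '5.0.0' },
  'node_modules/synckit': { version: '0.9.0' },
  'node_modules/@pkgr/core': { version: '0.1.1' },
  'node_modules/eslint-plugin-prettier/node_modules/synckit': { version: '0.8.8' },
} };
console.log(report(samplePkg, sampleLock).join('\n'));
```

On a real checkout, replace the sample objects with `JSON.parse(fs.readFileSync(...))` of the two files and compare each resolved version against the advisory's list.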
Currently, we are not aware of any issues in our production environment related to this vulnerability. We will continue to monitor the situation.