@jswork Next NPM Version Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in the NPM package '@jswork/next-npm-version' version 1.0.1. The issue arises in the 'npmVersion' function, where the 'inName' variable (the package name to look up) is interpolated into a shell command string and passed to 'execSync' without sanitization. An attacker who controls the package name argument can therefore inject arbitrary shell commands whenever 'npmVersion' is called to check the version of an NPM package. The injected command runs with the privileges of the Node.js process, leading to unauthorized command execution.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server where the package is used.

Reproduction

To reproduce this vulnerability, import the '@jswork/next-npm-version' package and call the 'npmVersion' function with a crafted package name that includes a command injection payload. The injected command will be executed on the server.

Added: May 7, 2026, 3:58 PM
Updated: May 7, 2026, 3:58 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.