URL Redirection to Untrusted Site (Open Redirect)
An attacker is able to craft a request that results in an HTTP (redirect) to an entirely different domain.
URL-encoded dots in the path are not properly handled, leading to possible directory traversal.
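The encoded-dot traversal described above, as an added example (not st's code and not from the original page): a check that inspects the raw path before decoding, beside one that decodes first and then verifies the resolved path stays under the content root. `ROOT`, `naiveResolve`, `safeResolve` and the sample paths are hypothetical names and constructed values.

```javascript
// Added illustration; all names and paths here are assumptions, not st's API.
const path = require('path').posix; // POSIX rules so results are the same on any host

const ROOT = '/srv/static'; // assumed static content directory

// Flawed: looks for ".." in the raw URL path and decodes afterwards,
// so "%2e%2e" passes the check and only becomes ".." once decoded.
function naiveResolve(urlPath) {
  if (urlPath.split('/').includes('..')) return null;
  return path.join(ROOT, decodeURIComponent(urlPath));
}

// Hardened: decode exactly once, reject NUL bytes, resolve against ROOT,
// then require the result to be ROOT itself or a path below ROOT + "/".
function safeResolve(urlPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(urlPath);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null;
  const resolved = path.resolve(ROOT, '.' + path.sep + decoded);
  // Comparing against ROOT + sep stops a sibling such as /srv/static-private
  // from passing a plain startsWith(ROOT) test.
  if (resolved !== ROOT && !resolved.startsWith(ROOT + path.sep)) return null;
  return resolved;
}

// Constructed sample request paths.
const SAMPLES = [
  '/css/site.css',
  '/../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/%2e%2e/static-private/key',
  '/%zz',
];

for (const p of SAMPLES) {
  console.log(p, '| naive:', tryCall(naiveResolve, p), '| safe:', safeResolve(p));
}

// The naive version throws on malformed encoding; report that instead of crashing.
function tryCall(fn, arg) {
  try { return fn(arg); } catch (e) { return 'threw ' + e.name; }
}
```

A path that `safeResolve` rejects should be answered with a 404 or 403 rather than passed on to the file system.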
As stated on "The NPM Blog", "it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files." The NPM registry relies on st, meaning that all the versions of all the npms published prior …