Advisories for Npm/St package

2018
2017

Open Redirect

An attacker is able to craft a request that results in an HTTP redirect to an entirely different domain.

2014

Static file leakage

As stated on "The NPM Blog", "it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files." The NPM registry relies on st, meaning that all the versions of all the npms published prior …