GMS-2014-2: Static file leakage
As stated on “The NPM Blog”, “it was possible, through a carefully encoded URL, to get st to serve any file it could see, not just the ones in the static content directory, and you could also list the contents of directories, so it was very easy to go looking for sensitive files.” The npm registry itself relied on st to serve files, so in principle every version of every package published prior to March th could have been tampered with; there is, however, no evidence that any package was.