bin-links prior to 1.1.5 are vulnerable to an Arbitrary File Write. The package fails to restrict access to folders outside of the intended
node_modules folder through the
bin field. This allows attackers to create arbitrary files in the system. Note it is not possible to overwrite files that already exist.
Upgrade to version 1.1.5 or later.