systeminformation is a simple system and OS information library.
Affected versions of this package are vulnerable to Command Injection. The
sanitizeShellString function does not sanitize quotation marks, which could be leveraged by an attacker to execute arbitrary commands.
const si = require('systeminformation'); si.inetLatency("`<OS command>`");
systeminformation to version 4.31.1 or higher.