Critical Path Traversal Vulnerability Found in 'basic-ftp' Package, Affects @size-limit/preset-app Dependency Chain
A critical security vulnerability has been identified in the widely used 'basic-ftp' npm package, exposing dependent applications to path traversal attacks. The flaw, surfaced by a security audit run on March 30, 2026, resides in the package's `downloadToDir()` method, which fetches a remote directory listing and writes each entry to a local target directory. Because the entry names come from the FTP server, a malicious or compromised server can return names containing traversal sequences (such as `../`) and cause files to be written outside the intended target directory, a severe risk for any system that uses the unpatched library to mirror remote directories.
The audit report, generated with `pnpm audit`, classifies the issue as 'critical' and states that it affects all versions of the 'basic-ftp' package prior to version 5.2.0. The reported path, `apps__web>@size-limit/preset-app`, traces the vulnerable copy to the `apps/web` workspace package through its `@size-limit/preset-app` dependency, meaning the affected code arrives transitively rather than from a direct dependency. Any web application or build pipeline that relies on this preset, and through it on a vulnerable version of 'basic-ftp', is exposed.
Organizations and developers using the affected dependency must upgrade to 'basic-ftp' version 5.2.0 or later, which contains the patch. Because the package is pulled in transitively, first confirm which packages depend on it with `pnpm why basic-ftp`; if the intermediate dependencies do not yet require a fixed version, pnpm's `pnpm.overrides` field in package.json (for example `"pnpm": { "overrides": { "basic-ftp": ">=5.2.0" } }`) forces the patched version across the workspace, after which a fresh `pnpm audit` should no longer report the finding. The presence of this flaw in a core file transfer function underscores the persistent risks within software supply chains. Until the patch is applied, a malicious or compromised FTP server can make a `downloadToDir()` call create or overwrite files anywhere the downloading process has write access, leading to data loss, code execution through planted files, or service disruption.