Product
Versions of yeoman-environment ranging from 2.9.0 to before 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation, potentially leading to arbitrary package installation and code execution in downstream consumers when attacker-controlled project configuration is passed.