All versions of package geojson2kml are vulnerable to Command Injection via the index.js file. PoC: var a =require("geojson2kml"); a("./","& touch JHU",function(){})CreditsJHU System Security LabReferenceshttps://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
