All versions of package theme-core are vulnerable to Command Injection via the lib/utils.js file, which is required by main entry of the package. PoC: var a =require(«theme-core»); a.utils.sh(«touch JHU»)
