A command injection vulnerability affects all versions of package deferred-exec. The injection point is located in line 42 in lib/deferred-exec.js
deferred-exec
{ "last_known_affected_version_range": "<= 0.3.1" }