Covered by FixVibe: high

Command Injection in kill-port-process (CVE-2019-15609)

kill-port-process versions before 2.2.0 are covered by a FixVibe GitHub repo dependency-advisory check. FixVibe reports affected npm manifest and lockfile evidence and keeps the finding version-based, without running the package or claiming runtime exploit confirmation.

CVE-2019-15609, GHSA-xp4x-j9vh-c3wf, CWE-77, CWE-78

Impact

The reviewed advisories list kill-port-process versions earlier than 2.2.0 as affected by CVE-2019-15609 / GHSA-xp4x-j9vh-c3wf [S1][S2]. The package is used for process-management tasks around ports, so affected versions should be treated as a high-priority dependency update when they appear in a deployed Node.js service, worker, script, or image. A repository dependency match does not by itself prove that the package is present in the deployed runtime or that untrusted input reaches the helper.

Root Cause

The advisory record describes a command-injection issue in the package before the fixed 2.2.0 release [S1][S2]. The original report is linked as source context for the affected package and version range [S3]. FixVibe keeps this article at dependency-advisory level because exploitability depends on how an application installs and calls the package.

Covered by FixVibe

FixVibe GitHub repo scans now flag kill-port-process evidence in npm manifests and lockfiles when the declared or resolved version is in the affected range. The report includes the package name, file path, observed version or constraint, advisory IDs, confidence, fixed version, and explicit notes about what was not verified. This is static repository evidence: FixVibe does not run the package, trace request data flow, send command payloads, terminate processes, inspect the deployed artifact, or claim runtime exploit confirmation.

Remediation

Upgrade kill-port-process to 2.2.0 or newer using the package manager the repository actually builds from [S2]. Regenerate the active lockfile, rebuild runtime images, workers, devcontainers, and CI caches that install dependencies, then verify with npm ls kill-port-process, pnpm why kill-port-process, or yarn why kill-port-process. Review any call sites that pass port values to process-termination helpers and keep strict numeric port validation before the helper call.
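The two checks described above, the static manifest/lockfile match and the strict numeric port validation at the call site, as an added example written for this page (not FixVibe's or kill-port-process's own code). It assumes npm lockfile v1 ("dependencies") or v2/v3 ("packages") shapes, and the sample manifest and lockfile objects are constructed inline.

```javascript
const FIXED = [2, 2, 0]; // first kill-port-process release not listed as affected

// Parse "2.1.0", "^2.1.0" or "~2.1.0" into [major, minor, patch], else null.
function parseVersion(spec) {
  const m = /^[\^~=v]?\s*(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// true if the version (or a range's lower bound) is below 2.2.0,
// false if not, null if it cannot be decided statically ("*", "latest").
function isBelowFixed(spec) {
  const v = parseVersion(spec);
  if (!v) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// Static evidence only: reads a package.json object and a lockfile object
// (npm lockfile v1 "dependencies" or v2/v3 "packages" shape). A "constraint"
// finding from the manifest is weaker than a "resolved" one from the lockfile.
function scan(manifest, lockfile) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    const spec = manifest[field]?.["kill-port-process"];
    if (spec && isBelowFixed(spec) === true)
      findings.push({ file: "package.json", kind: "constraint", version: spec });
  }
  const locked = lockfile.packages?.["node_modules/kill-port-process"]
    ?? lockfile.dependencies?.["kill-port-process"];
  if (locked && isBelowFixed(locked.version) === true)
    findings.push({ file: "package-lock.json", kind: "resolved", version: locked.version });
  return findings;
}

// Mitigation at the call site: accept only a base-10 integer in 1..65535
// before passing a port to any process-termination helper. Anything else
// (whitespace, extra arguments, shell metacharacters) is rejected.
function validatePort(input) {
  if (!/^\d{1,5}$/.test(String(input))) return null;
  const n = Number(input);
  return n >= 1 && n <= 65535 ? n : null;
}

// Constructed sample inputs (not taken from any real repository).
const sampleManifest = { dependencies: { "kill-port-process": "^2.1.0" } };
const sampleLock = { lockfileVersion: 3,
  packages: { "node_modules/kill-port-process": { version: "2.1.0" } } };
console.log(scan(sampleManifest, sampleLock), validatePort("8080"));
```

A constraint whose lower bound is below 2.2.0 only means the lockfile must be checked; the resolved lockfile version is the evidence that decides the finding.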
