lgtm,codescanning
* The `cwd` option from the `read-pkg` library is recognized as a sink for `js/tainted-path`.
  Affected packages are
    [read-pkg](https://npmjs.com/package/read-pkg)