How npm is affected by the recently disclosed git vulnerability
npm cli users should make sure that they have git version 2.17.1 or later installed to protect against a recent code execution vulnerability involving git submodules.
On May 29th, a new version of git (2.17.1) was published which addressed a flaw in how git submodules are handled. The flaw allowed for code execution on a user’s system when a recursive git clone of a specially created repository was performed.
The npm cli supports git dependencies; to enable this it delegates the act of cloning these dependencies to the git command. Because of this delegation, if the system has a vulnerable version of git installed, the npm cli could be tricked into installing a git dependency from a malicious repo that could execute code on the user’s system.
To check what version of git you have installed, you can run:

    $ git --version
    git version 2.17.1
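To script this check, for example on build machines that run npm, the following added example (not part of the original post) parses the `git --version` line and compares it numerically with 2.17.1. The function names and the sample version lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the npm post): compare `git --version` output
# with the 2.17.1 minimum the post names.
MIN_GIT="2.17.1"

# Pull the leading MAJOR.MINOR.PATCH out of the version line, ignoring
# packager suffixes such as ".windows.1" or " (Apple Git-000)".
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)\{0,2\}\).*/\1/p'
}

# Exit 0 when dotted version $1 >= $2; fields are compared as numbers,
# so 2.9.5 sorts below 2.17.1 (a plain string compare gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# 0 = at or above MIN_GIT, 1 = older, 2 = version line not recognised.
git_version_ok() {
    v=$(parse_git_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$MIN_GIT"
}

# Constructed sample lines (illustrative, not captured from real systems).
for line in "git version 2.17.1" "git version 2.9.5" \
            "git version 2.17.0.windows.1" "git version 2.18.0 (Apple Git-000)"; do
    if git_version_ok "$line"; then echo "ok      $line"
    else echo "update  $line"; fi
done

# Check the git that npm would actually invoke, if one is on PATH.
if out=$(git --version 2>/dev/null); then
    git_version_ok "$out" && echo "installed git is OK: $out" \
        || echo "installed git needs updating: $out"
fi
```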
Updating git is a different process for different systems. Users should use whatever method they initially installed git with in order to update it.
Windows users can read more here: Announcing the May 2018 Git Security Vulnerability