npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g npm@latest . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm.
References
Link | Resource |
---|---|
https://github.com/nodejs/node/pull/43210 | Patch Third Party Advisory |
https://github.com/nodejs/node/releases/tag/v16.15.1 | Release Notes Third Party Advisory |
https://github.com/nodejs/node/releases/tag/v17.9.1 | Release Notes Third Party Advisory |
https://github.com/nodejs/node/releases/tag/v18.3.0 | Release Notes Third Party Advisory |
https://github.com/npm/cli/releases/tag/v8.11.0 | Release Notes Third Party Advisory |
https://github.com/npm/cli/security/advisories/GHSA-hj9c-8jmm-8c52 | Third Party Advisory |
https://github.com/npm/cli/tree/latest/workspaces/libnpmpack | Product Third Party Advisory |
https://github.com/npm/cli/tree/latest/workspaces/libnpmpublish | Product Third Party Advisory |
https://github.com/npm/npm-packlist | Product Third Party Advisory |
https://security.netapp.com/advisory/ntap-20220722-0007/ | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-06-13T13:40:27
Updated: 2022-07-22T18:09:17
Reserved: 2022-04-13T00:00:00
Link: CVE-2022-29244
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-06-13T14:15:09.027
Modified: 2022-10-27T16:25:40.193
Link: CVE-2022-29244
JSON object: View
Redhat Information
No data.