npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.
Patch
Upgrade to the latest, patched version of npm (v8.11.0 or greater), run: npm i -g npm@latest
Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
If you find that there are files included you did not expect, you should:
3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
3.2. Deprecate the old package (ex. npm deprecate <pkg>[@​<version>] <message>)
3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed
This PR contains the following updates:
7.20.1
->8.11.0
GitHub Vulnerability Alerts
CVE-2022-29244
Impact
npm pack
ignores root-level.gitignore
&.npmignore
file exclusion directives when run in a workspace or with a workspace flag (ie.--workspaces
,--workspace=<name>
). Anyone who has runnpm pack
ornpm publish
with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.Patch
npm
(v8.11.0
or greater), run:npm i -g npm@latest
v16.15.1
,v17.19.1
&v18.3.0
include the patchedv8.11.0
version ofnpm
Steps to take to see if you're impacted
npm publish --dry-run
ornpm pack
with annpm
version>=7.9.0
&<8.11.0
inside the project's root directory using a workspace flag like:--workspaces
or--workspace=<name>
(ex.npm pack --workspace=foo
)tar -tvf <package-on-disk>
also works)npm deprecate <pkg>[@​<version>] <message>
) 3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposedReferences
npm-packlist
libnpmpack
libnpmpublish
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.