octokit / request-action

A GitHub Action to send arbitrary requests to GitHub's REST API
https://github.com/marketplace/actions/GitHub-API-Request
MIT License
369 stars 48 forks

build(deps): update dependency npm to 8.11.0 [security] - autoclosed #147

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

This PR contains the following updates:

| Package | Change |
|---|---|
| npm | 7.24.1 -> 8.11.0 |

GitHub Vulnerability Alerts

CVE-2022-29244

Impact

npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

Patch

Steps to take to see if you're impacted

  1. Run npm publish --dry-run or npm pack with an npm version >=7.9.0 & <8.11.0 inside the project's root directory using a workspace flag like: --workspaces or --workspace=<name> (ex. npm pack --workspace=foo)
  2. Check the output in your terminal which will list the package contents (note: tar -tvf <package-on-disk> also works)
  3. If you find that there are files included you did not expect, you should:
     3.1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package")
     3.2. Deprecate the old package (ex. npm deprecate <pkg>[@<version>] <message>)
     3.3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed

References


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
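
Steps 1 to 3 of the advisory above can be automated. The following is an added example, not part of the Renovate comment and not npm's code: it compares the file list from `npm pack --dry-run --json` against the root-level ignore rules the affected versions skipped. The `files[].path` shape of the JSON, the `workspaceDir` parameter, the sample data, and the simplified ignore-pattern matcher are assumptions of this example.

```javascript
// Added example, not npm's code. Handles a subset of ignore-file syntax:
// comments, '!' negation, leading/trailing '/', '*', '**', '?'.
function toRegex(pattern) {
  const dirOnly = pattern.endsWith('/');
  let p = dirOnly ? pattern.slice(0, -1) : pattern;
  const anchored = p.includes('/'); // a non-trailing slash pins the rule to the root
  if (p.startsWith('/')) p = p.slice(1);
  let re = '';
  for (let i = 0; i < p.length; i++) {
    if (p.startsWith('**/', i)) { re += '(?:.*/)?'; i += 2; }
    else if (p.startsWith('**', i)) { re += '.*'; i += 1; }
    else if (p[i] === '*') re += '[^/]*';
    else if (p[i] === '?') re += '[^/]';
    else re += p[i].replace(/[.+^${}()|[\]\\]/g, '\\$&');
  }
  // Tarballs list files only, so a directory rule has to match a parent directory.
  const tail = dirOnly ? '/.*' : '(?:/.*)?';
  return new RegExp('^' + (anchored ? '' : '(?:.*/)?') + re + tail + '$');
}

function parseIgnore(text) {
  return text.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#'))
    .map((l) => ({ negated: l.startsWith('!'), regex: toRegex(l.replace(/^!/, '')) }));
}

// packJson: parsed `npm pack --dry-run --json` output; workspaceDir: the
// workspace's path relative to the repository root (hypothetical parameter).
function unexpectedFiles(packJson, workspaceDir, ignoreText) {
  const rules = parseIgnore(ignoreText);
  const flagged = [];
  for (const pkg of packJson) {
    for (const file of pkg.files) {
      const rootRelative = `${workspaceDir}/${file.path}`;
      let ignored = false; // the last matching rule wins, as in .gitignore
      for (const r of rules) if (r.regex.test(rootRelative)) ignored = !r.negated;
      if (ignored) flagged.push(file.path);
    }
  }
  return flagged;
}

// Constructed sample data, not output from a real project.
const samplePack = [{ name: 'foo', files: [
  { path: 'package.json' }, { path: '.env' }, { path: '.env.example' },
  { path: 'certs/dev.pem' }, { path: 'fixtures/dump.sql' }] }];
const sampleIgnore = '# root .gitignore\n.env*\n!.env.example\n*.pem\n/packages/foo/fixtures/\n';
console.log(unexpectedFiles(samplePack, 'packages/foo', sampleIgnore));
```

Tarball paths are relative to the workspace, so the workspace directory is prepended before matching; without it, root-anchored rules such as `/packages/foo/fixtures/` would never match.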