This PR contains the following updates: npm `8.9.0` -> `8.11.0`

## GitHub Vulnerability Alerts

### CVE-2022-29244

#### Impact

`npm pack` ignores root-level `.gitignore` & `.npmignore` file exclusion directives when run in a workspace or with a workspace flag (i.e. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include.

#### Patch

Upgrade to the latest, patched version of `npm` (v8.11.0 or greater), run: `npm i -g npm@latest`. Node.js versions v16.15.1, v17.19.1 & v18.3.0 include the patched v8.11.0 version of `npm`.

#### Steps to take to see if you're impacted

1. Run `npm publish --dry-run` or `npm pack` with an `npm` version `>=7.9.0` & `<8.11.0` inside the project's root directory using a workspace flag like `--workspaces` or `--workspace=<name>` (ex. `npm pack --workspace=foo`).
2. Check the output in your terminal, which will list the package contents (note: `tar -tvf <package-on-disk>` also works).
3. If you find that there are files included you did not expect, you should:
   1. Create & publish a new release excluding those files (ref. "Keeping files out of your Package").
   2. Deprecate the old package (ex. `npm deprecate <pkg>[@<version>] <message>`).
   3. Revoke or rotate any sensitive information (ex. passwords, tokens, secrets etc.) which might have been exposed.

#### References

- npm-packlist
- libnpmpack
- libnpmpublish
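As an added example (not part of the advisory and not npm's own code), the following Node.js script carries out step 2 above mechanically: it takes the file list that `npm pack --json --dry-run --workspace=<name>` prints and checks it against the root-level `.npmignore` rules that the affected versions skipped, reporting each file a rule would have excluded. The ignore file and the pack output are constructed samples, the `files[].path` field name is assumed from `npm pack --json` output, and the matcher implements only the gitignore subset its comment describes.

```javascript
// Added example (not the advisory's or npm's own code): report every file in a
// packed workspace that the root-level ignore rules would have excluded.
// Both inputs are constructed; PACK_JSON mirrors the shape of `npm pack --json`.
const ROOT_NPMIGNORE = `# constructed root-level .npmignore
*.pem
.env
secrets/
test/fixtures/*.json
`;
const PACK_JSON = JSON.stringify([{
  name: 'foo', // constructed workspace package
  files: [{ path: 'package.json' }, { path: 'index.js' }, { path: '.env' },
    { path: 'certs/server.pem' }, { path: 'secrets/token.txt' },
    { path: 'test/fixtures/a.json' }],
}]);

// Drop comments and blank lines from an ignore file.
function parseIgnore(text) {
  return text.split('\n').map((l) => l.trim()).filter((l) => l && !l.startsWith('#'));
}

// Minimal gitignore-style matcher: trailing '/' = directories only; a pattern that
// contains '/' is anchored to the package root, others match at any depth; '*' stays
// within one path segment. Negation ('!') and '**' are not handled.
function patternToRegex(pattern) {
  let p = pattern;
  const dirOnly = p.endsWith('/');
  if (dirOnly) p = p.slice(0, -1);
  const anchored = p.includes('/');
  if (p.startsWith('/')) p = p.slice(1);
  const body = p.split('*')
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('[^/]*');
  return new RegExp((anchored ? '^' : '(^|/)') + body + (dirOnly ? '/' : '(/|$)'));
}

// Return every packed file that a root ignore rule would have excluded, with the rule.
function findLeaks(packJson, ignoreText) {
  const rules = parseIgnore(ignoreText).map((pat) => ({ pat, re: patternToRegex(pat) }));
  const leaks = [];
  for (const pkg of JSON.parse(packJson)) {
    for (const { path } of pkg.files) {
      const hit = rules.find((r) => r.re.test(path));
      if (hit) leaks.push({ package: pkg.name, path, pattern: hit.pat });
    }
  }
  return leaks;
}

for (const l of findLeaks(PACK_JSON, ROOT_NPMIGNORE)) {
  console.log(`${l.package}: '${l.path}' would have been excluded by '${l.pattern}'`);
}
```

To run it against a real workspace, replace `PACK_JSON` with the output of `npm pack --json --dry-run --workspace=<name>` and `ROOT_NPMIGNORE` with the contents of the repository's root `.npmignore` (or `.gitignore` when no `.npmignore` exists).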
## Release Notes

**npm/cli (npm)**

### [`v8.11.0`](https://redirect.github.com/npm/cli/releases/tag/v8.11.0)

[Compare Source](https://redirect.github.com/npm/cli/compare/v8.10.0...v8.11.0)

##### v8.11.0 (2022-05-25)

##### Features

- [`8898710`](https://redirect.github.com/npm/cli/commit/8898710220a3d84b0a9ea2a6d9cf880e50b94c9e) [#4879](https://redirect.github.com/npm/cli/pull/4879) feat: deprecated set-script, birthday, --global, and --local ([@fritzy](https://redirect.github.com/fritzy))
- [`7307c8d`](https://redirect.github.com/npm/cli/commit/7307c8de388cd14c96c42d70b7e567ec343ad084) [#4940](https://redirect.github.com/npm/cli/pull/4940) feat(libnpmpack): bump pacote for better workspace awareness ([@nlf](https://redirect.github.com/nlf))

##### Bug Fixes

- [`400c80f`](https://redirect.github.com/npm/cli/commit/400c80f570228a2c0ffe09d6564cc88dc2f356c3) [#4913](https://redirect.github.com/npm/cli/pull/4913) fix(ci): remove node_modules post-validation ([@wraithgar](https://redirect.github.com/wraithgar))
- [`124df81`](https://redirect.github.com/npm/cli/commit/124df81391ea5810b29d2af9500ed597f076d597) [#4910](https://redirect.github.com/npm/cli/pull/4910) fix: clean up npm cache tests ([@wraithgar](https://redirect.github.com/wraithgar))
- [`ee3308a`](https://redirect.github.com/npm/cli/commit/ee3308a7a08799ec7e86237165ebaf278d9a4f9f) fix: remove dead code from get-identity ([@wraithgar](https://redirect.github.com/wraithgar))
- [`357b0af`](https://redirect.github.com/npm/cli/commit/357b0af2af2b07a58d2d837043d1d77c9495d8b5) [#4917](https://redirect.github.com/npm/cli/pull/4917) fix: pass prefix and workspaces to libnpmpack ([@nlf](https://redirect.github.com/nlf))
- [`0f89e07`](https://redirect.github.com/npm/cli/commit/0f89e0750f2ac9b5b4794b5718d047b5286283c8) [#4935](https://redirect.github.com/npm/cli/pull/4935) fix: add global getter to npm class ([@nlf](https://redirect.github.com/nlf))

##### Documentation

- [`83ed8d0`](https://redirect.github.com/npm/cli/commit/83ed8d0d4fb51716fa58608fa3c1ee8eb0a93571) [#4922](https://redirect.github.com/npm/cli/pull/4922) docs: update roadmap link in readme ([@OmriBarZik](https://redirect.github.com/OmriBarZik))
- [`ed054d4`](https://redirect.github.com/npm/cli/commit/ed054d477093be3da96968d217c244cf2efd3ef1) [#4933](https://redirect.github.com/npm/cli/pull/4933) docs: fix broken link in changelog ([@yonran](https://redirect.github.com/yonran))

##### Dependencies

- [`632ce87`](https://redirect.github.com/npm/cli/commit/632ce87bbd23707cba2c49b95d5db755b3d68638) [#4915](https://redirect.github.com/npm/cli/pull/4915) deps: `cacache@16.1.0`
- [`7b2b77a`](https://redirect.github.com/npm/cli/commit/7b2b77adca730e516c1b187092374a01de7f0f56) [#4915](https://redirect.github.com/npm/cli/pull/4915) deps: `make-fetch-happen@10.1.5`
- [`f3b0a24`](https://redirect.github.com/npm/cli/commit/f3b0a2407c7e213b1660ef7024c861dcb0eacb50) [#4915](https://redirect.github.com/npm/cli/pull/4915) deps: `pacote@13.4.1`
- [`0df3011`](https://redirect.github.com/npm/cli/commit/0df3011ec59ba76c12fb8fbfb29ff4d601cc4bdb) [#4915](https://redirect.github.com/npm/cli/pull/4915) deps: `ssri@9.0.1`
- [`dc38ab9`](https://redirect.github.com/npm/cli/commit/dc38ab96fca99069449e6c5e492062b94a1264b6) [#4919](https://redirect.github.com/npm/cli/pull/4919) deps: `npm-packlist@5.0.4`
- [`353e2f9`](https://redirect.github.com/npm/cli/commit/353e2f9dc60a5d319d4105822a9e0b2ddbf82bc0) [#4940](https://redirect.github.com/npm/cli/pull/4940) deps: `pacote@13.5.0 npm-packlist@5.1.0`
- [`f4d4126`](https://redirect.github.com/npm/cli/commit/f4d41265931c3c2eee433e27f4535c7a209e69fa) [#4941](https://redirect.github.com/npm/cli/pull/4941) deps: `libnpmpack@4.1.0`

### [`v8.10.0`](https://redirect.github.com/npm/cli/releases/tag/v8.10.0)

[Compare Source](https://redirect.github.com/npm/cli/compare/v8.9.0...v8.10.0)

##### v8.10.0 (2022-05-11)

##### Features

- [`911f55d`](https://redirect.github.com/npm/cli/commit/911f55dc6ac3672f48740d0675f67c934c01aaf4) [#4864](https://redirect.github.com/npm/cli/pull/4864) feat: add --iwr alias for --include-workspace-root ([@fritzy](https://redirect.github.com/fritzy))
- [`bfb8bcc`](https://redirect.github.com/npm/cli/commit/bfb8bccbe83753e527b43c8a3889696087dbe8f1) [#4874](https://redirect.github.com/npm/cli/pull/4874) feat: add flag --omit-lockfile-registry-resolved ([@fritzy](https://redirect.github.com/fritzy)) ([Caleb ツ Everett](mailto:calebev@amazon.com))

##### Bug Fixes

- [`48d2db6`](https://redirect.github.com/npm/cli/commit/48d2db6037487fd782f67bbcd2cf12e009ece17b) [#4862](https://redirect.github.com/npm/cli/pull/4862) fix: remove test coverage map ([@wraithgar](https://redirect.github.com/wraithgar))
- [`38cf29a`](https://redirect.github.com/npm/cli/commit/38cf29a0054544c575b6bce953f1d433dbb6a3b5) [#4868](https://redirect.github.com/npm/cli/pull/4868) fix: cleanup star/unstar ([@wraithgar](https://redirect.github.com/wraithgar))
- [`5baa4a7`](https://redirect.github.com/npm/cli/commit/5baa4a7c64319485604982f9060702a7cee8a85c) [#4857](https://redirect.github.com/npm/cli/pull/4857) fix: consolidate bugs, docs, repo command logic ([@wraithgar](https://redirect.github.com/wraithgar))
- [`5a50762`](https://redirect.github.com/npm/cli/commit/5a50762faa37ae5964ae6f12595b20b367056c0a) [#4875](https://redirect.github.com/npm/cli/pull/4875) fix(arborist): link deps lifecycle scripts ([@ruyadorno](https://redirect.github.com/ruyadorno))

##### Dependencies

- [`d58bf40`](https://redirect.github.com/npm/cli/commit/d58bf40abf7c3ff8ae400f50e5e5a19c33138707) [#4856](https://redirect.github.com/npm/cli/pull/4856) deps: `npm-packlist@5.0.3`
- [`86f443e`](https://redirect.github.com/npm/cli/commit/86f443e97aa58c1a06b8eb6f523656274234bb71) [#4872](https://redirect.github.com/npm/cli/pull/4872) deps: `make-fetch-happen@10.1.3`
- [`f9984e6`](https://redirect.github.com/npm/cli/commit/f9984e64e714937fa69f14850a1d3ed7ccfc934c) [#4880](https://redirect.github.com/npm/cli/pull/4880) deps: `@npmcli/arborist@5.2.0`
- [`ba59915`](https://redirect.github.com/npm/cli/commit/ba599154dc8ea9f424410fb7dc382d5829215920) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `socks-proxy-agent@6.2.0`
- [`c0806ba`](https://redirect.github.com/npm/cli/commit/c0806ba2b325456199069b245446c8a86e7feae2) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `http-proxy-agent@5.0.1`
- [`cc7be6b`](https://redirect.github.com/npm/cli/commit/cc7be6b8b63a7314066e8763589a57e5a6e77d30) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `is-core-module@2.9.0`
- [`0432c7d`](https://redirect.github.com/npm/cli/commit/0432c7d8a22ddbfdf238c2b22dd3c7bd263e2d6c) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `lru-cache@7.9.0`
- [`5778820`](https://redirect.github.com/npm/cli/commit/57788204646a6aa5a384630a5640bf00efa25ce0) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `just-diff@5.0.2`
- [`893dd00`](https://redirect.github.com/npm/cli/commit/893dd0066e2315f0d9937fe05879957e1446b755) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `ip@1.1.8`
- [`6ab85bd`](https://redirect.github.com/npm/cli/commit/6ab85bd5df88ade023f7e4895d07a39228d23a33) [#4881](https://redirect.github.com/npm/cli/pull/4881) deps: `builtins@5.0.1`

## Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.